I still have the same problem with:

[root@fileserver ~]# more /usr/local/samba/etc/samba_usermapping
!root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
Sent: Thursday, 6 August 2015 16:06
To: samba at lists.samba.org
Subject: Re: [Samba] Problems with administrator account

On 06/08/15 12:57, Aurélien Blachet wrote:
> Hello,
>
> I just went to migrate my fileserver from samba3 to samba4 but I have a problem with the administrator account.
>
> The group "domain admins" has the permission to manage all my shares.
>
> Administrator is a member of the group "domain admins" but he can't manage the security tab of all my shares when I remove "full control" to share permissions tab.
>
> While all the members of "Domain admins", except administrator, didn't have this problem.
>
> I think the problem appears when we map "administrator" to "root" in the smb.conf.
>
> Moreover the "administrator" account didn't appear with a getent passwd
>
> [root@fileserver ~]# getent passwd |grep dministrator
>
> [root@fileserver ~]# wbinfo -u |grep dministrator
> administrator
>
> my smb.conf :
> [global]
>
> netbios name = XXX
> workgroup = XXX
> security = ADS
> realm = XXX.XXX
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> username map = /usr/local/samba/etc/samba_usermapping
>
> idmap config *:backend = tdb
> idmap config *:range = 300000-400000
> idmap config XXX:backend = ad
> idmap config XXX:schema_mode = rfc2307
> idmap config XXX:range = 500-200000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> template homedir = /home/%U
> ...
>
> [shareA]
> path =/xxx/shareA
> comment
> hosts allow = X.X.X.
> writable = Yes
> read only = No
>
> Local permissions
> [root@fileserver]# getfacl /xxx/shareA
> # file: alp-exp
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::rwx
> group:root:rwx
> group:domain\040admins:rwx
> group:domain\040users:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:domain\040users:rwx
> default:mask::rwx
> default:other::r-x
>
> And the mapping between root and administrator
> [root@=fileserver ~]# more /usr/local/samba/etc/samba_usermapping
> !root = LAN\Administrator LAN\\Administrator LAN\administrator

Try adding 'Administrator administrator' to the line in 'samba_usermapping'

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
On 06/08/15 15:32, Aurélien Blachet wrote:
> I still have the same problem with:
> [root@fileserver ~]# more /usr/local/samba/etc/samba_usermapping
> !root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator

Ah, I think you are mixing up Unix permissions and windows permissions. You will only get 'Administrator' to show up with getent if you give the Administrator user a uidNumber and use the 'ad' backend. As you are mapping 'Administrator' to root it will get the UID of '0' which is also the UID of 'root'. From windows you will set the permissions of 'Administrator', but on the unix side using getfacl it will show as 'root'

Rowland
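How a `username map` file like the one quoted in this thread resolves a client name, as an added example that is not part of the original messages or of Samba itself. The parsing rules are a simplified model of smb.conf(5); the case-insensitive comparison, the `guest = *` line and the `map_user` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a client name through a Samba
# "username map" file. Simplified model of the smb.conf(5) rules:
#   unixname = name1 name2 ...   '#' or ';' starts a comment line
#   leading '!' stops at that line once it has matched; '*' matches any name
# Assumptions: names compare case-insensitively, every line is tested against
# the original client name, @group and quoted names are not handled.

map_user() {  # usage: map_user MAPFILE CLIENTNAME ; prints the Unix name
    # The name goes in via the environment: awk -v would mangle backslashes.
    WHO="$2" awk '
        BEGIN { who = tolower(ENVIRON["WHO"]); out = ENVIRON["WHO"] }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            stop = (substr(line, 1, 1) == "!")
            if (stop) line = substr(line, 2)
            eq = index(line, "=")
            if (eq == 0) next
            unix = substr(line, 1, eq - 1)
            gsub(/[ \t]/, "", unix)
            n = split(substr(line, eq + 1), names, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (names[i] == "") continue
                if (names[i] == "*" || tolower(names[i]) == who) {
                    out = unix
                    if (stop) exit
                    break
                }
            }
        }
        END { print out }
    ' "$1"
}

# Constructed sample: the map line quoted in the thread plus a catch-all line
# (the catch-all is not in the thread; it is there to show what '!' does).
MAP=$(mktemp)
trap 'rm -f "$MAP"' EXIT
cat > "$MAP" <<'EOF'
!root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator
guest = *
EOF

for name in 'DOMAIN\Administrator' 'administrator' 'DOMAIN\alice'; do
    printf '%s -> %s\n' "$name" "$(map_user "$MAP" "$name")"
done
```

With the `!` prefix removed from the first line, `DOMAIN\Administrator` would fall through to the catch-all line and come out as `guest` instead of `root`.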
Oh thank you.

Just to be sure I understand:
- getent passwd | grep administrator and id administrator didn't work on the fileserver because the administrator account didn't have a uidNumber
- it is also why the administrator account can't manage the fileserver with Windows permissions

Just one more thing please: why is my administrators group mapped on unix users?

[root#fileserver ~]# net groupmap list
Administrators (S-1-5-32-544) -> users
Users (S-1-5-32-545) -> BUILTIN\users

[root@massy01 ~]# net groupmap list verbose
Administrators
        SID : S-1-5-32-544
        Unix gid : 100
        Unix group: users
        Group type: Local Group
        Comment :
Users
        SID : S-1-5-32-545
        Unix gid : 101
        Unix group: BUILTIN\users
        Group type: Local Group
        Comment :

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
Sent: Thursday, 6 August 2015 17:51
To: samba at lists.samba.org
Subject: Re: [Samba] Problems with administrator account

Ah, I think you are mixing up Unix permissions and windows permissions. You will only get 'Administrator' to show up with getent if you give the Administrator user a uidNumber and use the 'ad' backend. As you are mapping 'Administrator' to root it will get the UID of '0' which is also the UID of 'root'. From windows you will set the permissions of 'Administrator', but on the unix side using getfacl it will show as 'root'

Rowland