Yes, LAN is the workgroup name.
I made a test: I removed all the ACLs with setfacl -b mysharename
[root at fileserv]# getfacl share/
# file: share/
# owner: root
# group: root
user::rwx
group::rwx
other::---
Going to the Windows side, I added "Domain Admins" in the permission tab with
read/modify/total.
The Security tab is denied even for my other accounts in the Domain Admins group.
Looking again with getfacl, the ACL didn't get modified....
So I added them manually:
[root at fileserv]# setfacl -R -m g:Domain\ Admins:rwx share
[root at fileserv]# getfacl share
# file: share
# owner: root
# group: root
user::rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::---
And now I gain access to the security tab with my account, and I can browse the
share too.
But if I go back with the Administrator account to ADUC, security is
denied and he can't access the share ("Access denied").
smbstatus |grep myclientipwithadministratorlogin
is giving me a process owned by root.
Thanks for the help guys, it's been 4 days that we have been working on this... We can
manage everything with the other accounts from Domain Admins except
Administrator x_x
2015-08-07 17:20 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 07/08/15 16:08, dashi fico wrote:
>
>> Hi guys,
>>
>> I am working with Aurelien.
>>
>> On the DC, there is no UID/GID mapping (nsswitch not being modified, as the
>> wiki says that on a DC it's not needed).
>>
>> The primary group of Administrator is 513 (taken from the Attribute editor
>> on ADUC): primaryGroupID : 513 (Domain Users)
>>
>> If I add Everybody to the Share tab, I can access the Security tab and
>> edit permissions. As he said, the only user impacted with this is
>> Administrator; we have 3 other accounts in the Domain Admins group and
>> they can edit all the share freely even when Everybody is removed.
>>
>> Rowland, here is the usermapping file :
>>
>> !root = LAN\Administrator LAN\\Administrator LAN\administrator Administrator administrator
>>
>>
> Is 'LAN' a replacement for your workgroup name? If not, is 'LAN' your
> workgroup name?
>
> The line must be:
>
> !root = EXAMPLE\Administrator Administrator administrator
>
> Where 'EXAMPLE' is your workgroup name in uppercase.
>
> Rowland
>
>
>> Here is the result of getent group:
>>
>> [root at fileserv]# getent group |grep domain
>> domain computers:x:515:
>> domain admins:x:512:
>> domain guests:x:514:
>> domain users:x:513:
>>
>> The administrator account has never been edited and came from a S3 > S4
>> migration
>>
>> Thanks
>>
>> 2015-08-07 16:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>
>>>> So id administrator didn't return anything on DC or on Fileserver.
>>>>
>>> ow.. but administrator on a DC should return id 0 ..
>>> without any mappings.
>>>
>>> try setting "authenticated users", or put "everybody" back on the
>>> share rights and test again.
>>> what's the primary group of the Administrator?
>>> Did you leave it at "domain user" or did you change it to the "domain
>>> Admins" group.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> Aurélien Blachet
>>>> Sent: Friday 7 August 2015 15:59
>>>> To: Rowland Penny; samba at lists.samba.org
>>>> Subject: Re: [Samba] Problems with administrator account
>>>>
>>>> I have a mapping between administrator and root on my
>>>> fileserver, I sent it to you yesterday. My administrator account
>>>> didn't have a uid.
>>>>
>>>> I didn't have mapping or winbindd on my DC. The wiki says it's
>>>> optional and I have separated my fileserver from my DC.
>>>> So id administrator didn't return anything on DC or on Fileserver.
>>>>
>>>> My problem is that:
>>>>
>>>> Administrator is a member of "domain admins".
>>>> When I create a share, I remove everybody from "share
>>>> permission", I give full access to "domain admin" but
>>>> "administrator" is the only account of domain admin who can't
>>>> access the security tab.
>>>> Giving full access to administrator didn't resolve the problem.
>>>>
>>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> Rowland Penny
>>>> Sent: Friday 7 August 2015 15:31
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Problems with administrator account
>>>>
>>>> On 07/08/15 14:07, Aurélien Blachet wrote:
>>>>
>>>>> I guess you want getent group, so I give you both. But
>>>>> administrator is the only user of the "domain admin" group with problems.
>>>>
>>>> OOPS, yes 'getent group Domain\ Admins'
>>>>
>>>>> [root at fileserver ~]# getent passwd Domain\ Admins
>>>>> [root at fileserver ~]#
>>>>>
>>>>> getent group Domain\ Admins
>>>>> domain admins:x:512:
>>>>>
>>>>> [root at fileserver ~]# ls -la /partages/share
>>>>> total 181260
>>>>> drwxrwxrwx+ 2 root root 4096 26 mars 2013 .
>>>>> drwxr-xr-x 13 root root 4096 5 août 13:14 ..
>>>>> -rwxrwxrw-+ 1 37313 domain users 185597486 26 mars 2013 fichier.rar
>>>>
>>>>> The user with uid 37313 has been deleted.
>>>>>
>>>>> [root at fileserver ~]# getfacl /partages/share
>>>>> getfacl : suppression du premier « / » des noms de chemins absolus
>>>>> # file: partages/share
>>>>> # owner: root
>>>>> # group: root
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> group::rwx
>>>>> group:root:rwx
>>>>> group:domain\040admins:rwx
>>>>> group:domain\040users:rwx
>>>>> mask::rwx
>>>>> other::rwx
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:group::rwx
>>>>> default:group:root:r-x
>>>>> default:group:domain\040admins:rwx
>>>>> default:group:domain\040users:rwx
>>>>> default:mask::rwx
>>>>> default:other::rwx
>>>>>
>>>> Hmm, there doesn't seem to be anything wrong there, Domain
>>>> Admins is known to Unix and there is an ACL set to allow
>>>> control, this is strange.
>>>>
>>>> Lets see if I understand what you are trying to do:
>>>> You have a share that has permissions to allow Administrator
>>>> (via root) to control permissions from windows.
>>>> The share can also be controlled from windows with members of
>>>> Domain Admins.
>>>> But if you remove Administrator from controlling the share in
>>>> windows, you would expect Administrator to still be able to
>>>> control via Domain Admins but it cannot.
>>>>
>>>> All I can think of is, does Administrator have a uidNumber?
>>>>
>>>> from the smb.conf you posted earlier, you do not seem to have
>>>> a usermap mapping Administrator to root.
>>>>
>>>> If Administrator is not known to Unix, either via a uidNumber
>>>> or by being mapped to root, it may be ignored and its group
>>>> membership not searched for.
>>>>
>>>> I map Administrator to root and if I run 'id Administrator' on
>>>> a member server, I get nothing returned, the same command on a
>>>> DC returns:
>>>> root at dc03:~# id Administrator
>>>> uid=0(root) gid=10000(domain users) groups=0(root),10000(domain users),3000009(group policy creator owners),3000010(enterprise admins),10002(domain admins),3000011(schema admins),3000012(denied rodc password replication group),3000001(BUILTIN\users),3000000(BUILTIN\administrators)
>>>>
>>>> Rowland
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>>> Rowland Penny
>>>>> Sent: Friday 7 August 2015 14:52
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Problems with administrator account
>>>>>
>>>>> On 07/08/15 13:25, Aurélien Blachet wrote:
>>>>>
>>>>>> Sorry for my mistake.
>>>>>>
>>>>>> It resolves the groupmap problem:
>>>>>> [root at fileserver ~]# net groupmap list
>>>>>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
>>>>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>>>>
>>>>>> But I still have the administrator problem. I have followed
>>>>>> the wiki.samba doc and I have set the SeDiskOperatorPrivilege:
>>>>>>
>>>>>> net rpc rights list accounts -U'DOMAIN\administrator'
>>>>>> DOMAIN\Domain Admins
>>>>>> SeDiskOperatorPrivilege
>>>>>>
>>>>>> but administrator is still the only user of the group
>>>>>> 'domain admins' who can't manage the security tab of my shares
>>>>>> on windows when I remove "everyone" from the "share permissions" tab.
>>>>>> Even if I add the administrator "account" directly in this tab.
>>>>>> ________________________________________
>>>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland
>>>>>> Penny <rowlandpenny241155 at gmail.com>
>>>>>> Sent: Friday 7 August 2015 11:53
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Problems with administrator account
>>>>>>
>>>>>> On 07/08/15 09:37, Aurélien Blachet wrote:
>>>>>>
>>>>>>> Oh thank you
>>>>>>>
>>>>>>> Just to be sure to understand :
>>>>>>> -getent passwd | grep administrator and id administrator didn't work
>>>>>>> on Fileserver because administrator account didn't have uidNumber
>>>>>>>
>>>>>> If Administrator doesn't have a uidNumber, it will not be known to
>>>>>> the Unix host, this is why you either have to give Administrator a
>>>>>> uidNumber OR, as you are doing, map Administrator to root.
>>>>>> You should be able to change the settings using Administrator (as a
>>>>>> member of Domain Admins) from windows, providing you have set the
>>>>>> required disk operating privileges.
>>>>>> See here for more info:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>
>>>>>>> -it's also why the administrator account can't manage the fileserver with
>>>>>>> windows permissions
>>>>>>>
>>>>>>> Just one more thing please :
>>>>>>>
>>>>>>> Why is my administrators group mapped on unix users?
>>>>>>> [root#fileserver ~]# net groupmap list
>>>>>>> Administrators (S-1-5-32-544) -> users
>>>>>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>>>>>
>>>>>> Er, it shouldn't be:
>>>>>> rowland at ThinkPad ~ $ sudo net groupmap list
>>>>>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
>>>>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>>>>
>>>>>> I would change this, try:
>>>>>>
>>>>>> net groupmap modify ntgroup="Administrators"
>>>>>> unixgroup="BUILTIN\administrators"
>>>>>>
>>>>>> One other thing I noticed was your use of 'sanitizing', you use
>>>>>> 'XXX', 'LAN' and 'DOMAIN'. As long as these are all replacements for
>>>>>> your workgroup, this shouldn't be a problem.
>>>>>>
>>>>>> Lastly, this is my usermap, replace 'EXAMPLE' with your uppercase
>>>>>> workgroup name, this works for me.
>>>>>>
>>>>>> !root = EXAMPLE\Administrator Administrator administrator
>>>>>>
>>>>>> Note: I also have this line in smb.conf: winbind normalize names = Yes
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>> [root at massy01 ~]# net groupmap list verbose
>>>>>>> Administrators
>>>>>>> SID : S-1-5-32-544
>>>>>>> Unix gid : 100
>>>>>>> Unix group: users
>>>>>>> Group type: Local Group
>>>>>>> Comment :
>>>>>>> Users
>>>>>>> SID : S-1-5-32-545
>>>>>>> Unix gid : 101
>>>>>>> Unix group: BUILTIN\users
>>>>>>> Group type: Local Group
>>>>>>> Comment :
>>>>>>>
>>>>>>>
>>>>>>> ________________________________________
>>>>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland
>>>>>>> Penny <rowlandpenny241155 at gmail.com>
>>>>>>> Sent: Thursday 6 August 2015 17:51
>>>>>>> To: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] Problems with administrator account
>>>>>>>
>>>>>>> On 06/08/15 15:32, Aurélien Blachet wrote:
>>>>>>>
>>>>>>>> I still have the same problem with :
>>>>>>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>>>>>>> !root = DOMAIN\Administrator DOMAIN\\Administrator DOMAIN\administrator Administrator administrator
>>>>>>>>
>>>>>>>> ________________________________________
>>>>>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland
>>>>>>>> Penny <rowlandpenny241155 at gmail.com>
>>>>>>>> Sent: Thursday 6 August 2015 16:06
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] Problems with administrator account
>>>>>>>>
>>>>>>>> On 06/08/15 12:57, Aurélien Blachet wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I just went to migrate my fileserver from samba3 to samba4 but I
>>>>>>>>> have a problem with the administrator account.
>>>>>>>>>
>>>>>>>>> The group "domain admins" has the permission to manage all my
>>>>>>>>> shares
>>>>>>>>>
>>>>>>>>> Administrator is a member of the group "domain admins" but he
>>>>>>>>> can't manage the security tab of all my shares when I remove
>>>>>>>>> "full control" from the share permissions tab.
>>>>>>>>>
>>>>>>>>> While all the members of "Domain admins", except administrator,
>>>>>>>>> didn't have this problem.
>>>>>>>>>
>>>>>>>>> I think the problem appears when we map "administrator" to "root"
>>>>>>>>> in the smb.conf.
>>>>>>>>>
>>>>>>>>> Moreover the "administrator" account didn't appear with a getent
>>>>>>>>> passwd
>>>>>>>>>
>>>>>>>>> [root at fileserver ~]# getent passwd |grep dministrator
>>>>>>>>>
>>>>>>>>> [root at fileserver ~]# wbinfo -u |grep dministrator
>>>>>>>>> administrator
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> my smb.conf :
>>>>>>>>> [global]
>>>>>>>>>
>>>>>>>>> netbios name = XXX
>>>>>>>>> workgroup = XXX
>>>>>>>>> security = ADS
>>>>>>>>> realm = XXX.XXX
>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>> username map = /usr/local/samba/etc/samba_usermapping
>>>>>>>>>
>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>> idmap config *:range = 300000-400000
>>>>>>>>> idmap config XXX:backend = ad
>>>>>>>>> idmap config XXX:schema_mode = rfc2307
>>>>>>>>> idmap config XXX:range = 500-200000
>>>>>>>>>
>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>> winbind trusted domains only = no
>>>>>>>>> winbind use default domain = yes
>>>>>>>>> winbind enum users = yes
>>>>>>>>> winbind enum groups = yes
>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>> map acl inherit = Yes
>>>>>>>>> store dos attributes = Yes
>>>>>>>>> template homedir = /home/%U
>>>>>>>>> ...
>>>>>>>>>
>>>>>>>>> [shareA]
>>>>>>>>> path =/xxx/shareA
>>>>>>>>> comment
>>>>>>>>> hosts allow = X.X.X.
>>>>>>>>> writable = Yes
>>>>>>>>> read only = No
>>>>>>>>>
>>>>>>>>> Local permissions
>>>>>>>>> [root at fileserver]# getfacl /xxx/shareA
>>>>>>>>> # file: alp-exp
>>>>>>>>> # owner: root
>>>>>>>>> # group: root
>>>>>>>>> user::rwx
>>>>>>>>> user:root:rwx
>>>>>>>>> group::rwx
>>>>>>>>> group:root:rwx
>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>> group:domain\040users:rwx
>>>>>>>>> mask::rwx
>>>>>>>>> other::rwx
>>>>>>>>> default:user::rwx
>>>>>>>>> default:user:root:rwx
>>>>>>>>> default:group::r-x
>>>>>>>>> default:group:root:r-x
>>>>>>>>> default:group:domain\040users:rwx
>>>>>>>>> default:mask::rwx
>>>>>>>>> default:other::r-x
>>>>>>>>> And the mapping between root and administrator
>>>>>>>>> [root at fileserver ~]# more /usr/local/samba/etc/samba_usermapping
>>>>>>>>> !root = LAN\Administrator LAN\\Administrator LAN\administrator
>>>>>>>>>
>>>>>>>> Try adding 'Administrator administrator' to the line in
>>>>>>>> 'samba_usermapping'
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>
>>>>>>>> Ah, I think you are mixing up Unix permissions and windows
>>>>>>>> permissions.
>>>>>>>>
>>>>>>>> You will only get 'Administrator' to show up with getent if you give the
>>>>>>>> Administrator user a uidNumber and use the 'ad' backend. As you are
>>>>>>>> mapping 'Administrator' to root it will get the UID of '0' which is also
>>>>>>>> the UID of 'root'. From windows you will set the permissions of
>>>>>>>> 'Administrator', but on the unix side using getfacl it will show as 'root'
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>> OK, I think you may be having a similar problem to another user on here,
>>>>> Domain Admins is unknown to the underlying Unix OS, what does 'getent
>>>>> passwd Domain\ Admins' produce when run on the Unix machine?
>>>>>
>>>>> can you also post the outcome of these two commands:
>>>>>
>>>>> ls -la /path/to/shared/directory
>>>>>
>>>>> getfacl /path/to/shared/directory
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>
>
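The thread's diagnosis hinges on reading getfacl output by hand: whether "Domain Admins" actually has an entry, whether the `\040` escape hides the space in the name, and whether the mask entry silently trims a group's rwx down. The following checker is an added example, not code from the thread or from Samba; the function names, the `SAMPLE_GETFACL` text (constructed after the dumps quoted above, with an `r-x` mask to show the trimming) and the `user:backup` entry are all assumptions made for illustration.

```python
"""Check a getfacl(1) dump for a named entry's effective rights.

Added example, not code from the thread or from Samba. getfacl escapes
spaces in names as octal (\\040), so the group "domain admins" appears as
group:domain\\040admins:rwx, and the mask entry caps the rights of every
named user, named group and owning-group entry.
"""
import re

# Constructed sample modelled on the getfacl output quoted in the thread;
# the mask is deliberately r-x to show how it trims a named group's rwx.
SAMPLE_GETFACL = """\
# file: share
# owner: root
# group: root
user::rwx
user:backup:r--
group::rwx
group:domain\\040admins:rwx
mask::r-x
other::---
default:group:domain\\040admins:rwx
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(name):
    """Decode getfacl's \\NNN octal escapes (\\040 becomes a space)."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (header dict, list of (tag, qualifier, perms, is_default))."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        parts = line.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        if len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other"):
            raise ValueError("unparsable ACL entry: %r" % line)
        tag, qualifier, perms = parts
        entries.append((tag, unescape(qualifier), perms, is_default))
    return header, entries


def _apply_mask(perms, mask):
    """Keep only the bits of perms that the mask also grants."""
    return "".join(p if p != "-" and p in mask else "-" for p in perms)


def effective_perms(text, tag, qualifier, default=False):
    """Rights an entry actually grants after the mask, or None if absent.

    The mask applies to named users, named groups and the owning group,
    not to the owner (user::) or other:: entries. Name matching is
    case-insensitive because Samba/winbind lower-cases AD group names.
    """
    _, entries = parse_getfacl(text)
    mask = next((p for t, _, p, d in entries if t == "mask" and d == default), "rwx")
    for t, q, p, d in entries:
        if d == default and t == tag and q.lower() == qualifier.lower():
            masked = (tag == "user" and q != "") or tag == "group"
            return _apply_mask(p, mask) if masked else p
    return None


def group_can_write(text, group):
    """True when the named group ends up with rwx after the mask."""
    return effective_perms(text, "group", group) == "rwx"


if __name__ == "__main__":
    # Run against real output with: getfacl share | python3 thisfile.py
    for grp in ("Domain Admins", "domain users"):
        print(grp, "->", effective_perms(SAMPLE_GETFACL, "group", grp))
```

The check to run after `setfacl -R -m g:Domain\ Admins:rwx share` is `group_can_write(output, "domain admins")`: it returns False both when the entry is missing (the symptom reported after editing from the Windows side) and when a restrictive mask caps it, which a glance at the `group:` line alone would miss.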