While attempting to check 'profiles' user permissions on my member server I discovered that (for some reason) I did not have a krb5.conf file (on member.) Resolved that issue. Then I find that the keytab file is missing. Fixed that.

I wanted to check profile user permissions and have discovered that the administrator does not have permission to "view or edit this object's permission settings." WHAT?? Is there a linux way to correct this issue?

Further digging and I find that the administrator (the DOMAIN\administrator) does have rights to see permissions of anything on the member server.

I am puzzled . . . how could missing krb5.conf and keytab files allow access when missing? Clearly replacing the missing files and kerberos is blocking something.

So, the question is, is there a way to correct this on the linux side?

I am at a loss as to how to proceed.

Bob Wooden
On Mon, 20 Nov 2017 12:18:14 -0600
Robert Wooden via samba <samba at lists.samba.org> wrote:

> While attempting to check 'profiles' user permissions on my member
> server I discovered that (for some reason) I did not have a krb5.conf
> file (on member.) Resolved that issue. Then find that the keytab file
> is missing. Fixed that.

You usually get a krb5.conf created when you install the kerberos client packages; it is usually more than what you need though.

You only get the /etc/krb5.keytab created at join if you have these two lines in smb.conf:

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

> I wanted to check profile user permissions and have discovered that
> the administrator does not have permission to "view or edit this
> object's permission settings." WHAT?? Is there a linux way to correct
> this issue?

Have you mapped Administrator to the Unix user 'root' in a user.map ?

> Further digging and I find that the administrator (the
> DOMAIN\administrator) does have rights to see permissions of anything
> on the member server.
>
> I am puzzled . . . how could missing krb5.conf and keytab files allow
> access when missing. Clearly replacing the missing files and kerberos
> is blocking something.

Ah, but Samba uses a keytab in memory and whilst I have always created the krb5.conf myself, it is possible that Samba can use the Realm found in smb.conf if there is no /etc/krb5.conf.

> So, the question is is there a way to correct this on the linux side?
>
> I am at a loose as how to proceed?

Please check if you have a user.map and report back.

Rowland
On Mon, 20 Nov 2017 13:14:57 -0600
Robert Wooden <bob at donelsontrophy.com> wrote:

> yes, I have user.map, it contains only "!root = DTDOM\Administrator
> DTDOM\administrator".
>
> (That's what my notes show I made it as when setting up.)
>
> Suggestions?

If you haven't done something strange, such as giving Administrator a uidNumber, then my next step would be to make the Unix domain member leave the domain, add the two lines to smb.conf (if you need /etc/krb5.keytab), ensure /etc/krb5.conf exists and is correct, then re-join the domain.

Rowland
On Mon, 20 Nov 2017 15:38:28 -0600
Robert Wooden <bob at donelsontrophy.com> wrote:

> I have been reading and rereading the wiki and I did "your
> suggestions" yesterday when I discovered the missing krb5.conf.
>
> Have begun looking into acl permissions.
>
> But, for the life of me, I cannot figure out why the administrator
> would not have "builtin" permissions to always be able to look at,
> change, or adjust file permissions. How can the administrator
> permissions ability just disappear . . . well, I had an issue with
> krb5 not working correctly before I made these adjustments and now
> kerberos IS working correctly.

Administrator does have these 'builtin' permissions, but only on Windows ;-)

On Unix the 'root' user has the same sort of authority; this is why you map 'Administrator' to 'root' in the user.map. This means when you set ACLs from Windows on a Unix share as Administrator, it is actually root that sets them.

Try running 'getent passwd Administrator' on the Unix domain member; if you get an output, then you need to find out why, because you shouldn't.

You can check Administrator's privileges with:

net rpc rights list -UAdministrator

If you run the above on the Unix domain member, you should get something like this:

SeMachineAccountPrivilege  Add machines to domain
SeTakeOwnershipPrivilege   Take ownership of files or other objects
SeBackupPrivilege          Back up files and directories
SeRestorePrivilege         Restore files and directories
SeRemoteShutdownPrivilege  Force shutdown from a remote system
SePrintOperatorPrivilege   Manage printers
SeAddUsersPrivilege        Add users and groups to the domain
SeDiskOperatorPrivilege    Manage disk shares
SeSecurityPrivilege        System security

Rowland
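The checks Rowland spells out across these replies (an /etc/krb5.conf present, the two keytab lines in smb.conf, and Administrator mapped to root through 'username map'), collected into an added shell example that is not from the thread or from the Samba project. It reads constructed sample files rather than a live member server; the file paths, the sample smb.conf and user.map contents, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: offline checks for the three
# points raised above. An /etc/krb5.conf must exist, smb.conf needs the two
# keytab lines for /etc/krb5.keytab to be created at join, and the user.map
# named by 'username map' must map Administrator to the Unix user root.
# Paths are parameters so the checks can run against constructed sample files.

# Print the value of one smb.conf parameter (first match, whitespace trimmed).
smb_param() {  # $1 = smb.conf path, $2 = parameter name
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Report each finding; the return value is the number of failed checks.
check_member() {  # $1 = smb.conf, $2 = user.map, $3 = krb5.conf
    fails=0
    if [ -f "$3" ]; then echo "ok: $3 exists"
    else echo "fail: $3 is missing"; fails=$((fails + 1)); fi

    kt=$(smb_param "$1" "dedicated keytab file")
    km=$(smb_param "$1" "kerberos method")
    if [ "$kt" = "/etc/krb5.keytab" ] && [ "$km" = "secrets and keytab" ]; then
        echo "ok: /etc/krb5.keytab will be created at join"
    else echo "fail: smb.conf lacks the two keytab lines"; fails=$((fails + 1)); fi

    um=$(smb_param "$1" "username map")
    # A leading '!' tells Samba to stop at the first mapping that matches.
    if [ -n "$um" ] && grep -iq '^[[:space:]]*!*[[:space:]]*root[[:space:]]*=.*Administrator' "$2"; then
        echo "ok: username map = $um and Administrator is mapped to root"
    else echo "fail: Administrator is not mapped to root"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample files standing in for the real ones on a member server.
tmp=$(mktemp -d)
cat > "$tmp/smb.conf" <<'EOF'
[global]
   username map = /etc/samba/user.map
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
EOF
printf '!root = DTDOM\\Administrator DTDOM\\administrator\n' > "$tmp/user.map"
touch "$tmp/krb5.conf"
check_member "$tmp/smb.conf" "$tmp/user.map" "$tmp/krb5.conf"
rm -r "$tmp"
```

On a real member you would pass /etc/samba/smb.conf, the file its 'username map' names, and /etc/krb5.conf; the getent and net rpc checks still have to be run against the live domain.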
In the Windows world side when an "administrator" cannot 'take ownership' of a file share, the docs discuss the "System" account being used as it (System account) has greater permissions than that of the administrator.

I remembered reading this page https://wiki.samba.org/index.php/The_SYSTEM_Account and have now re-read said page *carefully*.

There I find this message box "For compatibility with Windows, add the SYSTEM account to file system ACLs."

How do I add the SYSTEM account to my ACLs on a Samba member server?

On Tue, Nov 21, 2017 at 9:01 AM, Robert Wooden <bob at donelsontrophy.com> wrote:

> In searching for a similar situation, I found this that most closely
> represents the issue I am dealing with. link:
> https://community.spiceworks.com/topic/1749382-domain-admin-has-no-permission-to-folder-despite-administrators-group-present
> Many of the images are the "complaints" I am seeing.
>
> Down within the comments, the discussion is generally about the
> administrator "taking ownership" of the directory and re-assigning rights.
> Of course this is "on the Windows server side" of things. So, how do I
> "take ownership" in our Samba/linux world?
>
> Anyone . . . . thoughts?
>
> On Mon, Nov 20, 2017 at 4:41 PM, Robert Wooden <bob at donelsontrophy.com> wrote:
>
>> getent passwd Administrator returns no password . . . good.
>>
>> net rpc rights list -UAdministrator returns the same your example showed
>> (last email.)
>>
>> I still think kerberos was not working properly and allowing me access
>> and now "fixed" kerberos is denying access.
>>
>> More soon (tomorrow) . . . .
>>
>> On Mon, Nov 20, 2017 at 4:01 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>>
>>> [Rowland's reply of Mon, 20 Nov 2017 15:38:28 -0600, quoted in full; see above]

--

Thank you.

Bob Wooden
615.885.2846 www.donelsontrophy.com
"Everyone deserves an award!!"
On Fri, 24 Nov 2017 14:18:40 -0600
Robert Wooden via samba <samba at lists.samba.org> wrote:

> In the Windows world side when an "administrator" cannot 'take
> ownership' of a file share, the docs discuss the "System" account
> being used as it (System account) has greater permissions than that
> of the administrator.
>
> I remembered reading this page
> https://wiki.samba.org/index.php/The_SYSTEM_Account and have now
> re-read said page *carefully*.
>
> There I find this message box "For compatibility with Windows, add
> the SYSTEM account to file system ACLs."
>
> How do I add the SYSTEM account to my ACLs on a Samba member server?

From windows ;-)

See here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_ACLs_on_a_Folder

In the 'Permissions for Folder' box add 'SYSTEM' to the 'Group or user names:' box, with 'Full control'.

Rowland