Ken McDonald
2018-Feb-21 03:39 UTC
[Samba] Cannot get DOMAIN\administrator mapped to root on domain member
On a domain member, I cannot get DOMAIN\administrator to log in mapped to root. On my Samba AD DC, this does work and when I log in there, I get a # prompt.

Here is my smb.conf on the domain member:

[global]
security = ADS
workgroup = SUBDOMAIN
realm = SUBDOMAIN.DOMAIN.COM

log file = /usr/local/samba/var/%m.log
log level = 3

bind interfaces only = yes
interfaces = lo ens3

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config SUBDOMAIN:backend = ad
idmap config SUBDOMAIN:schema_mode = rfc2307
idmap config SUBDOMAIN:range = 10000-999999

idmap config SUBDOMAIN : unix_nss_info = no

template shell = /bin/bash
template homedir = /home/%U

username map = /usr/local/samba/etc/user.map

And the user.map file:

!root = SUBDOMAIN\Administrator SUBDOMAIN\administrator Administrator administrator

My /usr/share/pam-configs/winbind file is:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so use_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so cached_login
Account-Type: Primary
Account:
	[success=end user_unknown=ignore default=bad]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional	pam_winbind.so

And I've got the PAM & winbind links to libraries.

On my Windows desktop ADUC, I have tried blanking <not set> the uidNumber & gidNumber in the "Attribute Editor" tab. I've also tried with just the gidNumber defined and uidNumber blank. Nothing works. I am testing on the console of a Linux Mint desktop. I get a quick flash of an "authentication denied" (I think) and back to the login prompt.

If I do have uidNumber & gidNumber defined, I can get Administrator to log in, but it just uses those numbers and I don't get a # prompt.

I'm lost on where to go next. Help?
Rowland Penny
2018-Feb-21 08:51 UTC
[Samba] Cannot get DOMAIN\administrator mapped to root on domain member
On Tue, 20 Feb 2018 22:39:50 -0500
Ken McDonald via samba <samba at lists.samba.org> wrote:

> On a domain member, I cannot get DOMAIN\administrator to log in mapped
> to root. On my Samba AD DC, this does work and when I log in there, I
> get a # prompt.
>
> Here is my smb.conf on the domain member:
>
> [global]
> security = ADS
> workgroup = SUBDOMAIN
> realm = SUBDOMAIN.DOMAIN.COM
>
> log file = /usr/local/samba/var/%m.log
> log level = 3
>
> bind interfaces only = yes
> interfaces = lo ens3
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config SUBDOMAIN:backend = ad
> idmap config SUBDOMAIN:schema_mode = rfc2307
> idmap config SUBDOMAIN:range = 10000-999999
>
> idmap config SUBDOMAIN : unix_nss_info = no
>
> template shell = /bin/bash
> template homedir = /home/%U
>
> username map = /usr/local/samba/etc/user.map
>
> And the user.map file:
>
> !root = SUBDOMAIN\Administrator SUBDOMAIN\administrator Administrator
> administrator
>
> My /usr/share/pam-configs/winbind file is:
>
> Name: Winbind NT/Active Directory authentication
> Default: yes
> Priority: 192
> Auth-Type: Primary
> Auth:
> 	[success=end default=ignore]	pam_winbind.so use_first_pass
> Auth-Initial:
> 	[success=end default=ignore]	pam_winbind.so cached_login
> Account-Type: Primary
> Account:
> 	[success=end user_unknown=ignore default=bad]	pam_winbind.so
> Password-Type: Primary
> Password:
> 	[success=end default=ignore]	pam_winbind.so use_authtok
> Password-Initial:
> 	[success=end default=ignore]	pam_winbind.so
> Session-Type: Additional
> Session:
> 	optional	pam_winbind.so
>
> And I've got the PAM & winbind links to libraries.
>
> On my Windows desktop ADUC, I have tried blanking <not set> the
> uidNumber & gidNumber in the "Attribute Editor" tab. I've also tried
> with just the gidNumber defined and uidNumber blank. Nothing works. I
> am testing on the console of a Linux Mint desktop. I get a quick
> flash of an "authentication denied" (I think) and back to the login prompt.
>
> If I do have uidNumber & gidNumber defined, I can get Administrator
> to log in, but it just uses those numbers and I don't get a # prompt.
>
> I'm lost on where to go next. Help?
>

You are misunderstanding how mapping Administrator to root works ;-)

If you map Administrator to root, then when you connect from Windows, as Administrator, you can manage share permissions etc. as root. As you have found out, if you do give Administrator a uidNumber, it just becomes a normal user and you can log into a Unix machine.

If you 'map' Administrator, you cannot log in, but the fix for this is a bit obvious: log in as root ;-)

Rowland
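As an added illustration of what the username map in this thread does and does not cover, here is a small Python model of how smbd evaluates a user.map file. It is written for this page and is not Samba's own code; it assumes the matching rules described in the smb.conf manual (case-insensitive name comparison, `*` as a wildcard, `@group` for Unix group membership, a leading `!` ending processing after a match, and later lines matching against the already-mapped name), and it takes group membership from a dict rather than a real getgrnam lookup. The sample map below is constructed from the thread's `!root = ...` line plus two extra lines to exercise chaining.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: the user.map line from the thread plus a comment and
# two un-terminated lines (no leading '!') to show how mappings chain.
USER_MAP_TEXT = r"""
; Samba username map (constructed sample for this example)
!root = SUBDOMAIN\Administrator SUBDOMAIN\administrator Administrator administrator
guest = pcguest
nobody = guest
"""

MapEntry = Tuple[str, List[str], bool]   # (unix name, smb names, stop after match)


def parse_user_map(text: str) -> List[MapEntry]:
    """Parse lines of the form 'unixname = smbname1 smbname2 ...'.

    Lines starting with '#' or ';' are comments.  A leading '!' marks a line
    whose match ends processing of the map (assumption: modelled on the
    smb.conf manual's description of the username map format).
    """
    entries: List[MapEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip() or not rhs.split():
            raise ValueError(f"malformed username map line: {raw!r}")
        entries.append((unix_name.strip(), rhs.split(), stop))
    return entries


def map_username(smb_user: str, entries: Iterable[MapEntry],
                 group_members: Optional[Dict[str, List[str]]] = None) -> str:
    """Return the Unix name smbd would use for an SMB session opened as smb_user.

    Simplified model: names compare case-insensitively, '*' matches any name,
    '@group' matches members of that Unix group (supplied here as a dict), and
    the mapped name becomes the name later lines are matched against unless
    the matching line carried a leading '!'.
    """
    groups = {g: {m.lower() for m in members}
              for g, members in (group_members or {}).items()}
    current = smb_user
    for unix_name, smb_names, stop in entries:
        matched = False
        for token in smb_names:
            if token == "*":
                matched = True
            elif token.startswith("@"):
                matched = current.lower() in groups.get(token[1:], set())
            else:
                matched = token.lower() == current.lower()
            if matched:
                break
        if matched:
            current = unix_name
            if stop:
                break
    return current


if __name__ == "__main__":
    entries = parse_user_map(USER_MAP_TEXT)
    for name in (r"SUBDOMAIN\administrator", r"SUBDOMAIN\ken", "pcguest"):
        print(f"{name:28} -> {map_username(name, entries)}")
```

Running this shows `SUBDOMAIN\administrator` (in any letter case) becoming `root` and an unlisted domain user passing through unchanged. The map is applied by smbd to the name of an SMB session after authentication, which is the behaviour Rowland describes: a Windows client connecting as Administrator acts as root on shares. A console login through pam_winbind and NSS never consults this file, so it needs a real uidNumber and then lands as that uid, not as root.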