adam_xu at adagene.com.cn
2018-Apr-20 07:48 UTC
[Samba] administrator's unix attributes is missing
Hello, everyone.

I have set up a new Samba AD DC in my experimental environment, version 4.7.7 of SerNet Samba. Everything is OK, and I set some users' Unix attributes in a Windows client via RSAT. Every user can be got in a Linux domain member via "getent passwd", but the user administrator, who has been set Unix attributes, cannot be got in that Linux domain member. Here is the smb.conf file of the domain member. The domain member's Samba version is 4.6.2 on CentOS 7.4.

    [global]
        security = ADS
        workgroup = NTBAOBEI
        realm = NTBAOBEI.com
        log file = /var/log/samba/%m.log
        log level = 3 passdb:5 auth:5 winbind:5
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config NTBAOBEI:backend = ad
        idmap config NTBAOBEI:schema_mode = rfc2307
        idmap config NTBAOBEI:range = 10000-999999
        idmap config NTBAOBEI : unix_nss_info = yes
        winbind use default domain = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind offline logon = yes
        winbind refresh tickets = yes
        access based share enum = yes
        hide unreadable = yes
        load printers = no
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

    [users]
        path = /srv/samba/users/
        read only = no

    [profiles]
        path = /srv/samba/profiles/
        read only = no

Has anyone got the same problem like this?

Yours,
Adam
On Fri, 20 Apr 2018 15:48:43 +0800 adam_xu--- via samba <samba at lists.samba.org> wrote:

> Hello, everyone. I have set up a new samba AD DC in my experimental
> environment. Version 4.7.7 of sernet samba. Everything is Ok. and I
> set some user's unix attributes in a windows client via RSAT. every
> user can be got in a linux domain member via "getent passwd", but the
> user administrator who has been set unix attributes can not be got in
> that linux domain member. here is the smb.conf file of the domain
> member. domain member's samba version is 4.6.2 in centos7.4.
>
> [global]
> security = ADS
> workgroup = NTBAOBEI
> realm = NTBAOBEI.com
>

What did you set in Administrator's Unix attributes?

Never mind, whatever you added, remove them, then add this to smb.conf:

    username map = /etc/samba/user.map

Now create '/etc/samba/user.map', with this line:

    !root = NTBAOBEI\Administrator NTBAOBEI\administrator Administrator administrator

Restart Samba, Administrator will now get mapped to 'root'.

You will be able to login to the Unix domain member as 'Administrator', but from Windows you will be able to manage the shares.

Rowland
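
An added example, not part of the thread and not Samba's own code: a simplified Python model of the `username map` file from the reply above, useful for auditing which client names end up as 'root' and for seeing what the leading '!' does. The function names are hypothetical, and the `guest = *` catch-all line is constructed for illustration.

```python
import re

# Constructed sample: the map line from the thread, followed by a catch-all
# line added here to show why the leading '!' matters.
SAMPLE_MAP = r"""
# /etc/samba/user.map
!root = NTBAOBEI\Administrator NTBAOBEI\administrator Administrator administrator
guest = *
"""

def parse_user_map(text):
    """Return [(unix_name, [client_names], stop_on_match)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment lines
            continue
        stop = line.startswith("!")          # '!' = stop after a match here
        unix_name, sep, right = line.lstrip("!").partition("=")
        if not sep:
            continue                         # not a mapping line
        names = [n.strip('"') for n in re.findall(r'"[^"]*"|\S+', right)]
        rules.append((unix_name.strip(), names, stop))
    return rules

def resolve(rules, client_name):
    """Unix name a client name ends up with, or None if no line matches.
    Simplified model: names compare case-insensitively, '*' matches anyone,
    '@group' entries are skipped because they need a live group lookup."""
    result = None
    for unix_name, names, stop in rules:
        hit = any(n == "*" or (not n.startswith("@") and
                  n.lower() == client_name.lower()) for n in names)
        if hit:
            result = unix_name
            if stop:
                break
    return result

def root_mappings(rules):
    """Every map entry that grants the Unix name 'root' (audit view)."""
    return [n for unix, names, _ in rules if unix == "root" for n in names]

if __name__ == "__main__":
    rules = parse_user_map(SAMPLE_MAP)
    for who in (r"NTBAOBEI\Administrator", "administrator", r"NTBAOBEI\adam"):
        print(f"{who!r:28} -> {resolve(rules, who)}")
    print("mapped to root:", root_mappings(rules))
```

Running the same check on a map file with the '!' removed shows the Administrator entry being overridden by the later catch-all line.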
adam_xu at adagene.com.cn
2018-Apr-20 09:18 UTC
[Samba] administrator's unix attributes is missing
Hello, Rowland.

What I set in RSAT is:

    nis domain "ntbaobei"
    uid "10000"
    login shell "/sbin/nologin"
    home dir "/home/Administrator"
    primary group "domain admins"

I never used a user map because everything worked OK before. I knew the "root" user can grant the SeDiskOperatorPrivilege privilege. Is there any changelog in Samba 4.7.7 that disallows setting the administrator's Unix attributes? Just curious; everything works OK in my production env.

Yours,
Adam

From: Rowland Penny via samba
Date: 2018-04-20 17:03
To: samba
Subject: Re: [Samba] administrator's unix attributes is missing

On Fri, 20 Apr 2018 15:48:43 +0800 adam_xu--- via samba <samba at lists.samba.org> wrote:

> Hello, everyone. I have set up a new samba AD DC in my experimental
> environment. Version 4.7.7 of sernet samba. Everything is Ok. and I
> set some user's unix attributes in a windows client via RSAT. every
> user can be got in a linux domain member via "getent passwd", but the
> user administrator who has been set unix attributes can not be got in
> that linux domain member. here is the smb.conf file of the domain
> member. domain member's samba version is 4.6.2 in centos7.4.
>
> [global]
> security = ADS
> workgroup = NTBAOBEI
> realm = NTBAOBEI.com
>

What did you set in Administrator's Unix attributes?

Never mind, whatever you added, remove them, then add this to smb.conf:

    username map = /etc/samba/user.map

Now create '/etc/samba/user.map', with this line:

    !root = NTBAOBEI\Administrator NTBAOBEI\administrator Administrator administrator

Restart Samba, Administrator will now get mapped to 'root'.

You will be able to login to the Unix domain member as 'Administrator', but from Windows you will be able to manage the shares.

Rowland