adam_xu at adagene.com.cn
2018-Apr-20 09:18 UTC
[Samba] administrator's unix attributes is missing
Hello, Rowland.

What I set in RSAT is:

nis domain "ntbaobei"
uid "10000"
login shell "/sbin/nologin"
home dir "/home/Administrator"
primary group "domain admins"

I never used user map because everything worked ok before. I knew the "root" user can grant the SeDiskOperatorPrivilege privilege. Is there any changelog in samba 4.7.7 that disallows setting the administrator's unix attributes?

Just curious, everything works ok in my production env.

yours
Adam

From: Rowland Penny via samba
Date: 2018-04-20 17:03
To: samba
Subject: Re: [Samba] administrator's unix attributes is missing

On Fri, 20 Apr 2018 15:48:43 +0800 adam_xu--- via samba <samba at lists.samba.org> wrote:

> Hello, everyone. I have set up a new samba AD DC in my experimental
> environment. Version 4.7.7 of sernet samba. Everything is Ok. and I
> set some user's unix attributes in a windows client via RSAT. every
> user can be got in a linux domain member via "getent passwd", but the
> user administrator who has been set unix attributes can not be got in
> that linux domain member. here is the smb.conf file of the domain
> member. domain member's samba version is 4.6.2 in centos7.4.
> [global]
> security = ADS
> workgroup = NTBAOBEI
> realm = NTBAOBEI.com
>

What did you set in Administrators Unix attributes ?

Never mind, whatever you added, remove them, then add this to smb.conf:

username map = /etc/samba/user.map

Now create '/etc/samba/user.map', with this line:

!root = NTBAOBEI\Administrator NTBAOBEI\administrator Administrator administrator

Restart Samba, Administrator will now get mapped to 'root'

You will be able to login to the Unix domain member as 'Administrator', but from windows you will be able to manage the shares.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Fri, 20 Apr 2018 17:18:52 +0800 "adam_xu at adagene.com.cn" <adam_xu at adagene.com.cn> wrote:

> Hello, Rowland. what I set in RSAT is:
> nis domain "ntbaobei"
> uid "10000"
> login shell "/sbin/nologin"
> home dir "/home/Administrator"
> primary group "domain admins"
>

Congratulations, you just turned 'Administrator' into a normal user as far as Unix is concerned. Also you have changed Administrators primary group from Domain Users

> I never used user map because everything worked ok before. I knew the
> "root" user can granting the SeDiskOperatorPrivilege Privilege. Is
> there any changelog in samba 4.7.7 that disallow setting the
> administrator's unix attributes ?

There are no changes that I know of

>
> just curious, everything works ok in my production env.

If it works for, it is just that I wouldn't do it. ;-)

Rowland
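
The '/etc/samba/user.map' line suggested earlier in this thread can be checked offline before Samba is restarted. The script below is an added example, not code from the thread or from the Samba project. It resolves a connecting name against a map file the way smb.conf(5) describes "username map" processing. The "guest = *" line and the user NTBAOBEI\adam are constructed for illustration, names are compared exactly, and @group entries are ignored (both simplifications).

```python
import re

# Constructed sample: the map line from Rowland's reply, plus a catch-all
# line added here only to show what the leading '!' changes.
USER_MAP = r"""
# /etc/samba/user.map
!root = NTBAOBEI\Administrator NTBAOBEI\administrator Administrator administrator
guest = *
"""

TOKEN = re.compile(r'"[^"]*"|\S+')  # bare names or "quoted names with spaces"


def parse_map(text):
    """Return a list of (unix_name, client_names, stop_on_match) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")
        unix_name, sep, clients = line.lstrip("!").partition("=")
        if not sep:
            continue                          # not a mapping line
        names = [t.strip('"') for t in TOKEN.findall(clients)]
        entries.append((unix_name.strip(), names, stop))
    return entries


def resolve(text, client_name):
    """Map a connecting name to a Unix name; unmapped names pass through."""
    result = client_name
    for unix_name, names, stop in parse_map(text):
        # Exact comparison and '*' only: a simplification, @group is ignored.
        if "*" in names or client_name in names:
            result = unix_name
            if stop:                          # '!' ends processing on a match
                break
    return result


if __name__ == "__main__":
    for who in (r"NTBAOBEI\Administrator", "administrator", r"NTBAOBEI\adam"):
        print(f"{who!r} -> {resolve(USER_MAP, who)!r}")
```

Without the leading '!', processing continues past the matching line, so a later catch-all line would override the mapping to 'root'.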
adam_xu at adagene.com.cn
2018-Apr-20 12:34 UTC
[Samba] administrator's unix attributes is missing
Hi, Rowland.

I have done the testing again in another test env. This time I got the "administrator" in the linux domain member using "getent passwd". Maybe I made some mistake in the previous test. And after that I executed the command:

net rpc rights grant "NTBAOBEI\Domain Admins" SeDiskOperatorPrivilege -U "NTBAOBEI\administrator"

it showed:

Enter NTBAOBEI\administrator's password:
Successfully granted rights.

I didn't set the unix primary group in smb.conf, so whatever I set the primary group in RSAT doesn't affect anything, right? I can manage the shares using administrator account in my windows client. Everything works OK.

I think when we meet "SeDiskOperatorPrivilege can't be set", maybe no need to create a user map like the wiki below?

https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

This is only my personal opinion.

yours
Adam

From: Rowland Penny via samba
Date: 2018-04-20 17:48
To: samba at lists.samba.org
Subject: Re: [Samba] administrator's unix attributes is missing

On Fri, 20 Apr 2018 17:18:52 +0800 "adam_xu at adagene.com.cn" <adam_xu at adagene.com.cn> wrote:

> Hello, Rowland. what I set in RSAT is:
> nis domain "ntbaobei"
> uid "10000"
> login shell "/sbin/nologin"
> home dir "/home/Administrator"
> primary group "domain admins"
>

Congratulations, you just turned 'Administrator' into a normal user as far as Unix is concerned. Also you have changed Administrators primary group from Domain Users

> I never used user map because everything worked ok before. I knew the
> "root" user can granting the SeDiskOperatorPrivilege Privilege. Is
> there any changelog in samba 4.7.7 that disallow setting the
> administrator's unix attributes ?

There are no changes that I know of

>
> just curious, everything works ok in my production env.

If it works for, it is just that I wouldn't do it. ;-)

Rowland