adam_xu at adagene.com.cn
2019-Jun-03 09:09 UTC
[Samba] How to fix mapping Administrator to root
Hi sambalist,

I have been using Samba AD DC for about 2 years. I have 2 DCs and one file server. I didn't map the Administrator to root because the wiki said:

"Mapping the domain administrator to the local root account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using root permissions. You should be aware that mapping Administrator to the root account will not allow you to log onto Unix domain members as Administrator."

So I gave the Administrator user a uidNumber and it seems like a Unix user. I can get the user info via "getent passwd administrator".

It seems that everything has worked fine these years, but I saw some suggestions on the mailing list that said we "should not give Administrator a uidNumber".

So is there any disadvantage if I give a uidNumber to Administrator? And how could I fix that if I already did that? I tried to set the uidNumber to none, but it didn't make sense. I still got user info like

    getent passwd administrator
    administrator:*:10000:10001:....

Best, yours
Adam
On 03/06/2019 10:09, adam_xu--- via samba wrote:
> Hi sambalist,
>
> I have been using Samba AD DC for about 2 years. I have 2 DCs and one file server. I didn't map the Administrator to root because the wiki said:
>
> "Mapping the domain administrator to the local root account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using root permissions. You should be aware that mapping Administrator to the root account will not allow you to log onto Unix domain members as Administrator."
>
> So I gave the Administrator user a uidNumber and it seems like a Unix user. I can get the user info via "getent passwd administrator".

But you have mapped Administrator, just not to root. On a DC, Administrator is automatically mapped to root in idmap.ldb; on a Unix domain member, to do the same, you add a user.map.

When you gave Administrator a uidNumber, you turned it into a normal Unix user with the lack of authority this entails.

> It seems that everything has worked fine these years, but I saw some suggestions on the mailing list that said we "should not give Administrator a uidNumber".
> So is there any disadvantage if I give a uidNumber to Administrator? And how could I fix that if I already did that? I tried to set the uidNumber to none, but it didn't make sense. I still got user info like
> getent passwd administrator
> administrator:*:10000:10001:....

If you had tried to do something as Administrator on a Unix domain member, you would have found the disadvantages, but as it seems you haven't, then I would leave things alone, except for removing the uidNumber from Administrator and running 'net cache flush' on every Unix domain member.

I will rewrite that wikipage.

Rowland
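As an added illustration of the reply above (not code from the thread or from Samba): a small Python check of the two things Rowland describes for a Unix domain member, namely whether Administrator still resolves as an ordinary Unix user and whether user.map maps it to root. The domain name SAMDOM, the function names and the user.map sample are assumptions; the getent line is the one quoted in the thread, and name matching is simplified.

```python
import shlex

# Constructed sample inputs; SAMDOM is a placeholder domain name (assumption).
GETENT_BEFORE = "administrator:*:10000:10001:...."   # line quoted in the thread
GETENT_AFTER = ""                                    # no passwd entry any more
USER_MAP = "# constructed user.map sample\n!root = SAMDOM\\Administrator\n"

def parse_user_map(text):
    """Parse 'username map' lines of the form: unix_name = client_name ..."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                       # blank line or comment
        stop = line.startswith("!")        # '!': stop processing if this line matched
        unix_name, sep, clients = line.lstrip("!").partition("=")
        if not sep:
            continue                       # not a mapping line
        # posix=False keeps the backslash in DOMAIN\user and honours "quoted names"
        names = [c.strip('"') for c in shlex.split(clients, posix=False)]
        entries.append((unix_name.strip(), names, stop))
    return entries

def mapped_unix_user(entries, client_name):
    """Unix name the client name maps to, or None (simplified: exact names only,
    compared case-insensitively; '*' and '@group' entries are not handled)."""
    result = None
    for unix_name, names, stop in entries:
        if any(n.lower() == client_name.lower() for n in names):
            result = unix_name
            if stop:
                break
    return result

def audit_administrator(getent_line, user_map_text, domain="SAMDOM"):
    """Return findings for Administrator on a Unix domain member."""
    findings = []
    fields = getent_line.strip().split(":")
    if len(fields) >= 3 and fields[2].isdigit() and fields[2] != "0":
        findings.append("Administrator resolves as a normal Unix user (uid %s): "
                        "remove its uidNumber, then run 'net cache flush'" % fields[2])
    target = mapped_unix_user(parse_user_map(user_map_text), domain + "\\Administrator")
    if target != "root":
        findings.append("user.map does not map %s\\Administrator to root" % domain)
    return findings

if __name__ == "__main__":
    print(audit_administrator(GETENT_BEFORE, USER_MAP))
    print(audit_administrator(GETENT_AFTER, USER_MAP))
```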
adam_xu at adagene.com.cn
2019-Jun-03 11:38 UTC
[Samba] How to fix mapping Administrator to root
Thanks, Rowland, 'net cache flush' solved my problem, but I found that I can't access any share in \\myshare.

Some related configurations in my smb.conf:

    ....
    access based share enum = yes
    hide unreadable = yes
    username map = /etc/samba/user.map

I can't see any share folder of my fileserver in fsmgmt.msc, and I ran "smbstatus -b":

    PID     Username     Group        Machine                                      Protocol Version  Encryption  Signing
    ---------------------------------------------------------------------------------------------------------------------
    5936    root         root         192.168.42.144 (ipv4:192.168.42.144:61733)   SMB2_10           -           -

It seems that the Administrator is not in the "Domain Admins" group. Since I have granted "Domain Admins" the "SeDiskOperatorPrivilege" privilege, I can't access any share folder using the Administrator account.

So what should I do? Could you give me a suggestion? Thanks.

Best, yours
Adam

From: Rowland penny via samba
Date: 2019-06-03 17:33
To: samba
Subject: Re: [Samba] How to fix mapping Administrator to root

On 03/06/2019 10:09, adam_xu--- via samba wrote:
> Hi sambalist,
>
> I have been using Samba AD DC for about 2 years. I have 2 DCs and one file server. I didn't map the Administrator to root because the wiki said:
>
> "Mapping the domain administrator to the local root account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using root permissions. You should be aware that mapping Administrator to the root account will not allow you to log onto Unix domain members as Administrator."
>
> So I gave the Administrator user a uidNumber and it seems like a Unix user. I can get the user info via "getent passwd administrator".

But you have mapped Administrator, just not to root. On a DC, Administrator is automatically mapped to root in idmap.ldb; on a Unix domain member, to do the same, you add a user.map.

When you gave Administrator a uidNumber, you turned it into a normal Unix user with the lack of authority this entails.

> It seems that everything has worked fine these years, but I saw some suggestions on the mailing list that said we "should not give Administrator a uidNumber".
> So is there any disadvantage if I give a uidNumber to Administrator? And how could I fix that if I already did that? I tried to set the uidNumber to none, but it didn't make sense. I still got user info like
> getent passwd administrator
> administrator:*:10000:10001:....

If you had tried to do something as Administrator on a Unix domain member, you would have found the disadvantages, but as it seems you haven't, then I would leave things alone, except for removing the uidNumber from Administrator and running 'net cache flush' on every Unix domain member.

I will rewrite that wikipage.

Rowland