adam_xu at adagene.com.cn
2019-Jun-03 11:38 UTC
[Samba] How to fix mapping Administrator to root
Thanks, Rowland, 'net cache flush' solved my problem. But I found that I can't access any share in \\myshare.
Some related configurations in my smb.conf:
....
access based share enum = yes
hide unreadable = yes
username map = /etc/samba/user.map

I can't see any share folder of my fileserver in fsmgmt.msc. And I run "smbstatus -b":

PID     Username   Group   Machine                                      Protocol Version   Encryption   Signing
----------------------------------------------------------------------------------------------------------------------------------------
5936    root       root    192.168.42.144 (ipv4:192.168.42.144:61733)   SMB2_10            -            -

Seems that the administrator is not in the "Domain Admins" group, since I have granted "Domain Admins" the "SeDiskOperatorPrivilege" privilege. So I can't access any share folder using the Administrator account. So what should I do, could you give me a suggestion? Thanks.

Best,
yours Adam

From: Rowland penny via samba
Date: 2019-06-03 17:33
To: samba
Subject: Re: [Samba] How to fix mapping Administrator to root

On 03/06/2019 10:09, adam_xu--- via samba wrote:
> Hi sambalist,
>
> I'm using samba ad dc for about 2 years. I have 2 DCs and one file server. I didn't map the Administrator to root because the wiki said:
>
> "Mapping the domain administrator to the local root account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using root permissions. You should be aware that mapping Administrator to the root account will not allow you to log onto Unix domain members as Administrator."
>
> So I gave the Administrator user a uidNumber and it seems like a unix user. I can get the user info via "getent passwd administrator"

But you have mapped Administrator, just not to root. On a DC, Administrator is automatically mapped to root in idmap.ldb; on a Unix domain member, to do the same, you add a user.map.
When you gave Administrator a uidNumber, you turned it into a normal Unix user with the lack of authority this entails.

> It seems that everything works fine these years. But I saw some suggestions in the maillist said we "should not give Administrator a uidNumber".
> So is there any disadvantage if I give a uidNumber to Administrator? And how could I fix that if I already did that? I tried to set the uidNumber to none, but it didn't make sense. I still got user info like
> getent passwd administrator
> administrator:*:10000:10001:....

If you had tried to do something as Administrator on a Unix domain member, you would have found the disadvantages, but as it seems you haven't, then I would leave things alone, except for removing the uidNumber from Administrator and running 'net cache flush' on every Unix domain member.

I will rewrite that wikipage.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 03/06/2019 12:38, adam_xu at adagene.com.cn wrote:
> Thanks, Rowland, 'net cache flush' solved my problem. But I found
> that I can't access any share in \\myshare.
> Some related configurations in my smb.conf
> ....
> access based share enum = yes

Having the above means your shares will only be accessible to users that have read or write permissions on the shares.

> hide unreadable = yes

The above requires the user has read permissions on the shares.

> username map = /etc/samba/user.map
>
> I can't see any share folder of my fileserver in fsmgmt.msc. And I
> run "smbstatus -b"
> PID     Username   Group   Machine                                      Protocol Version   Encryption   Signing
> ----------------------------------------------------------------------------------------------------------------------------------------
> 5936    root       root    192.168.42.144 (ipv4:192.168.42.144:61733)   SMB2_10            -            -
> Seems that the administrator is not in the "Domain Admins" group, since I
> have granted "Domain Admins" the "SeDiskOperatorPrivilege" privilege.
> So I can't access any share folder using the Administrator account.
> So what should I do, could you give me a suggestion?

Try checking in idmap.ldb on a DC, you should find something like this:

dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

This is what maps 'Administrator' to UID '0' (root). If it isn't there, try restarting the DC.

By default, 'Administrator' is a member of 'Domain Admins'.

Rowland
On 03/06/2019 15:06, adam_xu at adagene.com.cn wrote:
> Hi Rowland,
>
> Here's what's in my idmap.ldb
> # record 39
> dn: CN=S-1-5-21-214324388-144513417-3129160214-500
> cn: S-1-5-21-214324388-144513417-3129160214-500
> objectClass: sidMap
> objectSid: S-1-5-21-214324388-144513417-3129160214-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-214324388-144513417-3129160214-500
>
> It seems my administrator's group is root. That's the reason I can't
> see any share, since I only give the share permission to "Domain
> Admins" with full control and "Domain users" with RW.
> I don't know why my 'Administrator' is not a member of 'Domain
> Admins'. Any more suggestion, Rowland?

Double check that Administrator isn't a member of 'Domain Admins' (it should be) and if it isn't, add Administrator to 'Domain Admins'.

You should set the base permissions as shown on the wikipage: '0770' & root:<whatever group>, this should enable Administrator to see and/or connect to the share.

Rowland
adam_xu at adagene.com.cn
2019-Jun-03 14:29 UTC
[Samba] How to fix mapping Administrator to root
Hi Rowland,

I have checked that Administrator is a member of "Domain Admins" in ADUC.
The base permission of the share folder is 0770, the owner is root and the group is "domain admins" in Linux. Since "smbstatus -b" shows that administrator's group is root, is this related to my previous configuration? I once gave a uidNumber to administrator.

Here's the full content of my smb.conf:

[global]
security = ADS
workgroup = NTBAOBEI
realm = NTBAOBEI.COM
log file = /var/log/samba/%m.log
log level = 3 passdb:5 auth:5 winbind:5
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NTBAOBEI:backend = ad
idmap config NTBAOBEI:schema_mode = rfc2307
idmap config NTBAOBEI:range = 10000-999999
idmap config NTBAOBEI:unix_nss_info = yes
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind offline logon = yes
winbind refresh tickets = yes
access based share enum = yes
hide unreadable = yes
username map = /etc/samba/user.map
load printers = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

[IT]
path = /srv/samba/IT/
read only = no

cat /etc/samba/user.map
!root = NTBAOBEI\Administrator

Best,
徐星亚
Adagene (Suzhou) Co., Ltd.
4th floor, Building C14, BioBay, 218 Xinghu Street, Suzhou Industrial Park
Postal code: 215123
Tel: 86-512-8777-3585

From: Rowland penny via samba
Date: 2019-06-03 22:14
To: sambalist
Subject: Re: [Samba] How to fix mapping Administrator to root

On 03/06/2019 15:06, adam_xu at adagene.com.cn wrote:
> Hi Rowland,
>
> Here's what's in my idmap.ldb
> # record 39
> dn: CN=S-1-5-21-214324388-144513417-3129160214-500
> cn: S-1-5-21-214324388-144513417-3129160214-500
> objectClass: sidMap
> objectSid: S-1-5-21-214324388-144513417-3129160214-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-214324388-144513417-3129160214-500
>
> It seems my administrator's group is root. That's the reason I can't
> see any share, since I only give the share permission to "Domain
> Admins" with full control and "Domain users" with RW.
> I don't know why my 'Administrator' is not a member of 'Domain
> Admins'. Any more suggestion, Rowland?

Double check that Administrator isn't a member of 'Domain Admins' (it should be) and if it isn't, add Administrator to 'Domain Admins'.

You should set the base permissions as shown on the wikipage: '0770' & root:<whatever group>, this should enable Administrator to see and/or connect to the share.

Rowland
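A small diagnostic, added here as an example and not part of the thread or of Samba itself, that checks the three pieces of configuration the thread turns on: that the RID-500 sidMap record in an idmap.ldb dump maps Administrator to UID 0, what a `username map` file such as the posted user.map actually maps, and that the two `idmap config ... range` values in the posted smb.conf do not overlap. The sample inputs are constructed from the values quoted above; the function names are my own.

```python
# Constructed samples, copied from the values quoted in this thread.
IDMAP_LDIF = """\
# record 39
dn: CN=S-1-5-21-214324388-144513417-3129160214-500
cn: S-1-5-21-214324388-144513417-3129160214-500
objectClass: sidMap
objectSid: S-1-5-21-214324388-144513417-3129160214-500
type: ID_TYPE_UID
xidNumber: 0
"""
USER_MAP = "!root = NTBAOBEI\\Administrator\n"
IDMAP_RANGES = {"*": (3000, 7999), "NTBAOBEI": (10000, 999999)}  # from the posted smb.conf

def ldif_records(text):
    """Split a dump into dicts of attribute -> value; a blank line separates records."""
    records = []
    for chunk in text.split("\n\n"):
        attrs = {}
        for line in chunk.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, val = line.split(":", 1)
            attrs[key.strip()] = val.strip()
        if attrs:
            records.append(attrs)
    return records

def administrator_maps_to_root(ldif_text):
    """True when the RID-500 sidMap record is a UID mapping with xidNumber 0 (root)."""
    for rec in ldif_records(ldif_text):
        if rec.get("objectClass") == "sidMap" and rec.get("objectSid", "").endswith("-500"):
            return rec.get("type") == "ID_TYPE_UID" and rec.get("xidNumber") == "0"
    return False

def parse_user_map(text):
    """Parse 'username map' lines ('unix = win1 win2'); a leading '!' means stop at first match."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        unix, wins = (s.strip() for s in line.split("=", 1))
        for win in wins.split():
            mapping[win.lower()] = (unix.lstrip("!"), unix.startswith("!"))
    return mapping

def idmap_ranges_overlap(ranges):
    """True if two idmap ranges share an ID (allocation would then be ambiguous)."""
    spans = sorted(ranges.values())
    return any(lo2 <= hi1 for (_, hi1), (lo2, _) in zip(spans, spans[1:]))
```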