adam_xu at adagene.com.cn
2019-Jun-03 14:29 UTC
[Samba] How to fix mapping Administrator to root
Hi Rowland,
I have checked that Administrator is a member of "Domain Admins" in
ADUC.
The base permission of the share folder is 0770, the owner is root and the group is
"domain admins" in Linux.
Since "smbstatus -b" shows that administrator's group is root, is
this related to my previous configuration? I once gave a uidNumber to
administrator.
Here's the full content of my smb.conf:
[global]
security = ADS
workgroup = NTBAOBEI
realm = NTBAOBEI.COM
log file = /var/log/samba/%m.log
log level = 3 passdb:5 auth:5 winbind:5
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NTBAOBEI:backend = ad
idmap config NTBAOBEI:schema_mode = rfc2307
idmap config NTBAOBEI:range = 10000-999999
idmap config NTBAOBEI:unix_nss_info = yes
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind offline logon = yes
winbind refresh tickets = yes
access based share enum = yes
hide unreadable = yes
username map = /etc/samba/user.map
load printers = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[IT]
path = /srv/samba/IT/
read only = no
cat /etc/samba/user.map
!root = NTBAOBEI\Administrator
Best,
徐星亚
天演药业(苏州)有限公司
4th Floor, Building C14, Bio-Nano Park, 218 Xinghu Street, Suzhou Industrial Park
Postal code: 215123
Tel: 86-512-8777-3585
From: Rowland penny via samba
Date: 2019-06-03 22:14
To: sambalist
Subject: Re: [Samba] How to fix mapping Administrator to root
On 03/06/2019 15:06, adam_xu at adagene.com.cn wrote:
> Hi Rowland,
>
> here's what in my idmap.ldb
> # record 39
> dn: CN=S-1-5-21-214324388-144513417-3129160214-500
> cn: S-1-5-21-214324388-144513417-3129160214-500
> objectClass: sidMap
> objectSid: S-1-5-21-214324388-144513417-3129160214-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-214324388-144513417-3129160214-500
>
> It seems my administrator's group is root. that's the reason I can't
> see any share since I only give the share permission to "Domain
> Admins" with full control and "Domain users" with RW.
> I don't know why my 'Administrator' is not a member of 'Domain
> Admins' . any more suggestion, Rowland ?
>
Double check that Administrator isn't a member of 'Domain Admins' (it
should be) and if it isn't, add Administrator to 'Domain Admins'
You should set the base permissions as shown on the wikipage: '0770' &
root:<whatever group>, this should enable Administrator to see and/or
connect to the share.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
On 03/06/2019 15:29, adam_xu at adagene.com.cn wrote:
> Hi Rowland,
>
> I have checked that Administrator is a member of "Domain Admins" in ADUC.
> Base Permission of the share folder is 0770 and own is root and the
> groups is "domain admins" in linux.
> since "smbstatus -b" show that administrator's group is root. Is this
> related to my previous configuration? I once give a uidNumber to
> administrator.
I wouldn't think so, whilst Administrator is mapped to the user 'root' in idmap.ldb and in your user.map on the Unix domain member, its primary group (like every other AD user) is Domain Users
>
> here's full content in my smb.conf
> [global]
> security = ADS
> workgroup = NTBAOBEI
> realm = NTBAOBEI.COM
>
> log file = /var/log/samba/%m.log
> log level = 3 passdb:5 auth:5 winbind:5
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config NTBAOBEI:backend = ad
> idmap config NTBAOBEI:schema_mode = rfc2307
> idmap config NTBAOBEI:range = 10000-999999
> idmap config NTBAOBEI:unix_nss_info = yes
>
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind offline logon = yes
> winbind refresh tickets = yes
> access based share enum = yes
> hide unreadable = yes
>
> username map = /etc/samba/user.map
>
> load printers = no
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> [IT]
> path = /srv/samba/IT/
> read only = no
>
>
> cat /etc/samba/user.map
> !root = NTBAOBEI\Administrator
>
There doesn't seem to be anything wrong there, are you sure that you have followed this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Does 'Domain Admins' have a gidNumber ?
Rowland
adam_xu at adagene.com.cn
2019-Jun-03 15:09 UTC
[Samba] How to fix mapping Administrator to root
Hi Rowland,
Yes. All users' primary group is "domain users". My "domain admins" has a gidNumber.
Best,
yours Adam
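The two checks raised in this thread, as an added example that is not part of the original messages and is not Samba's own code: it reads the idmap ranges from the posted smb.conf lines, tests whether a gidNumber falls inside the range of the 'ad' backend (that backend ignores IDs stored in AD that lie outside its range), and resolves a Windows name through the posted user.map. The function names and the gidNumber values in the demo are made up for illustration, and the map parser handles plain names only, not @group entries.

```python
import configparser
import shlex

# Constructed input: idmap lines and user.map as quoted in the thread.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NTBAOBEI:backend = ad
idmap config NTBAOBEI:range = 10000-999999
username map = /etc/samba/user.map
"""
USER_MAP = "!root = NTBAOBEI\\Administrator\n"

def idmap_settings(conf_text):
    """Return {DOMAIN: {option: value}} from 'idmap config DOM : opt' lines."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    out = {}
    for key, value in cp["global"].items():
        if key.startswith("idmap config "):
            domain, _, option = key[len("idmap config "):].partition(":")
            out.setdefault(domain.strip().upper(), {})[option.strip()] = value.strip()
    return out

def id_in_range(settings, domain, xid):
    """True if a uidNumber/gidNumber lies inside the domain's idmap range."""
    low, high = (int(x) for x in settings[domain.upper()]["range"].split("-"))
    return low <= xid <= high

def map_username(map_text, win_name):
    """Apply 'unixname = winname ...' lines; a leading '!' stops at the first match."""
    result = win_name
    for line in map_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, _, names = line.partition("=")
        stop = unix.startswith("!")
        wanted = [n.strip('"').lower() for n in shlex.split(names, posix=False)]
        if "*" in wanted or result.lower() in wanted:
            result = unix.lstrip("!").strip()
            if stop:
                break
    return result

if __name__ == "__main__":
    s = idmap_settings(SMB_CONF)
    print(id_in_range(s, "NTBAOBEI", 10512))   # constructed gidNumber, in range
    print(map_username(USER_MAP, "NTBAOBEI\\Administrator"))
```

On the domain member itself, the values to feed into these checks come from "getent group" for the group's GID and from the gidNumber attribute shown in ADUC.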