adam_xu at adagene.com.cn
2019-Jun-04 00:27 UTC
[Samba] How to fix mapping Administrator to root
Hi Rowland , I have followed the wiki's step, the DNS works OK and I have use the fileserver for 2 years. here's a share folder "IT"'s acl getfacl IT/ # file: IT/ # owner: root # group: domain\040admins user::rwx user:root:rwx group::rwx group:domain\040admins:rwx group:it:rwx mask::rwx other::--- default:user::rwx default:user:root:rwx default:group::--- default:group:domain\040admins:rwx default:group:it:rwx default:mask::rwx default:other::--- and another user in "domain admins" group work fine. only the administrator maped to root can not access any share folder. Best, 徐星亚 天演药业(苏州)有限公司 苏州工业园区星湖街218号生物纳米园C14幢4楼 邮编: 215123 电话: 86-512-8777-3585 From: Rowland penny via samba Date: 2019-06-03 23:42 To: sambalist Subject: Re: [Samba] How to fix mapping Administrator to root On 03/06/2019 16:09, adam_xu at adagene.com.cn wrote:> Hi Rowland, > > Yes. all users primary group is "domain users". > > my "domain admins" has a gidNumber. >Have you followed this: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs Is DNS setup correctly ? and is it working ? Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
adam_xu at adagene.com.cn
2019-Jun-05 02:22 UTC
[Samba] How to fix mapping Administrator to root
Hi sambalist, I set up a new test environment to test the problem. still the same result. It seems that if I didn't give administrator a uidNumber in unix attributes and only map this user to root. it can manage the share folder in fsmgmt.msc, but after I remove everyone's share permission and add share permissions to domain admins full control domain users RW then, the administrator could not access the share except $IPC. I excute "smbstatus -b" in the file server. it shows that PID Username Group Machine Protocol Version Encryption Signing ---------------------------------------------------------------------------------------------------------------------------------------- 7796 root root 192.168.42.144 (ipv4:192.168.42.144:54579) SMB2_10 - - seems after administrator mapped to root, it's primary group is root. so it lose the share folder since I have "hide unreadable = yes" in smb.conf. Does any one knows why the administrator's primary group is not "domain admins" ? is this a bug or i missing something import config? Best, yours Adam From: adam_xu at adagene.com.cn Date: 2019-06-04 08:27 To: Rowland penny; sambalist Subject: Re: Re: [Samba] How to fix mapping Administrator to root Hi Rowland , I have followed the wiki's step, the DNS works OK and I have use the fileserver for 2 years. here's a share folder "IT"'s acl getfacl IT/ # file: IT/ # owner: root # group: domain\040admins user::rwx user:root:rwx group::rwx group:domain\040admins:rwx group:it:rwx mask::rwx other::--- default:user::rwx default:user:root:rwx default:group::--- default:group:domain\040admins:rwx default:group:it:rwx default:mask::rwx default:other::--- and another user in "domain admins" group work fine. only the administrator maped to root can not access any share folder. Best, 徐星亚 天演药业(苏州)有限公司 苏州工业园区星湖街218号生物纳米园C14幢4楼 邮编: 215123 电话: 86-512-8777-3585 From: Rowland penny via samba Date: 2019-06-03 23:42 To: sambalist Subject: Re: [Samba] How to fix mapping Administrator to root On 03/06/2019 16:09, adam_xu at adagene.com.cn wrote:> Hi Rowland, > > Yes. all users primary group is "domain users". > > my "domain admins" has a gidNumber. >Have you followed this: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs Is DNS setup correctly ? and is it working ? Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 05/06/2019 03:22, adam_xu--- via samba wrote:> Hi sambalist, > > I set up a new test environment to test the problem. still the same result. It seems that if I didn't give administrator a uidNumber in unix attributes and only map this user to root. it can manage the share folder in fsmgmt.msc, but after I remove everyone's share permission and add share permissions to > domain admins full control > domain users RW > > then, the administrator could not access the share except $IPC. > > I excute "smbstatus -b" in the file server. it shows that > PID Username Group Machine Protocol Version Encryption Signing > ---------------------------------------------------------------------------------------------------------------------------------------- > 7796 root root 192.168.42.144 (ipv4:192.168.42.144:54579) SMB2_10 - - > > seems after administrator mapped to root, it's primary group is root. so it lose the share folder since I have "hide unreadable = yes" in smb.conf. > Does any one knows why the administrator's primary group is not "domain admins" ? is this a bug or i missing something import config? >I suggest you take this up with Microsoft, it is they that set Administrator's primary group to '513', which is the RID for 'Domain Users' I now fully understand your problem, the cause is a defect between your seat and the keyboard ;-) You NEVER use Administrator on a Unix client as a normal user. If you need to log onto a Unix client, use 'root' or sudo. Administrator is the Windows admin, root is the Unix admin user and just as you wouldn't try to directly use root on Windows, you do not try to directly use Administrator on Unix. Rowland