On 05/06/2019 03:22, adam_xu--- via samba wrote:
> Hi sambalist,
>
> I set up a new test environment to test the problem. Still the same result. It seems that if I didn't give administrator a uidNumber in unix attributes and only map this user to root, it can manage the share folder in fsmgmt.msc, but after I remove everyone's share permission and add share permissions to
> domain admins full control
> domain users RW
>
> then, the administrator could not access the share except $IPC.
>
> I execute "smbstatus -b" in the file server. It shows that
> PID Username Group Machine Protocol Version Encryption Signing
> ----------------------------------------------------------------------------------------------------------------------------------------
> 7796 root root 192.168.42.144 (ipv4:192.168.42.144:54579) SMB2_10 - -
>
> Seems after administrator mapped to root, its primary group is root, so it loses the share folder since I have "hide unreadable = yes" in smb.conf.
> Does anyone know why the administrator's primary group is not "domain admins"? Is this a bug or am I missing some important config?
>

I suggest you take this up with Microsoft, it is they that set Administrator's primary group to '513', which is the RID for 'Domain Users'.

I now fully understand your problem, the cause is a defect between your seat and the keyboard ;-)

You NEVER use Administrator on a Unix client as a normal user. If you need to log onto a Unix client, use 'root' or sudo. Administrator is the Windows admin, root is the Unix admin user and just as you wouldn't try to directly use root on Windows, you do not try to directly use Administrator on Unix.

Rowland
adam_xu at adagene.com.cn
2019-Jun-05 07:37 UTC
[Samba] How to fix mapping Administrator to root
Hi Rowland,

I used to manage file or folder permissions using administrator account in Windows Client. So how could I do this task if the administrator can't do this after I mapped it to root in fileserver and remove its uidNumber in ADUC? Should I create another user in "Domain Admins"?

Best, yours
Adam
On 05/06/2019 08:37, adam_xu at adagene.com.cn wrote:
> Hi Rowland,
>
> I used to manage file or folder permissions using administrator
> account in Windows Client. So how could I do this task if the
> administrator can't do this after I mapped it to root in fileserver
> and remove its uidNumber in ADUC? Should I create another user in
> "Domain Admins"?
>

You can log into a Windows computer as 'DOMAIN\Administrator' and then set the permissions on a Samba share, but you must create the share correctly, you cannot have any of the old parameters such as 'valid users' etc. See here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

This should work. If it doesn't, you probably have something set up incorrectly, so double check everything.

Rowland
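
One way to check a share definition for the kind of leftover parameter mentioned in the reply above, as an added example that is not part of the original thread: a small smb.conf linter. Only 'valid users' comes from the thread; the rest of the parameter list, the SAMDOM domain name and the sample paths are assumptions made for illustration.

```python
import re

# 'valid users' is the parameter named in the reply above. The other entries
# are an ASSUMPTION about what "etc" covers: real smb.conf parameters that
# restrict access or force ownership/modes outside the Windows ACLs.
CONFLICTING = {
    "valid users", "invalid users", "read list", "write list",
    "force user", "force group", "create mask", "directory mask",
}

def norm(name):
    # smb.conf ignores case and all whitespace in section/parameter names.
    return re.sub(r"\s+", "", name).lower()

def lint_smb_conf(text, conflicting=CONFLICTING):
    """Return [(section, parameter, value)] for each conflicting setting."""
    wanted = {norm(p): p for p in conflicting}
    findings, section, pending = [], None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")  # only the first '=' counts
        if sep and section is not None and norm(name) in wanted:
            findings.append((section, wanted[norm(name)], value.strip()))
    return findings

# Constructed sample for this example, not the poster's real smb.conf.
SAMPLE = """
[global]
    username map = /etc/samba/user.map
[data]
    path = /srv/samba/data
    hide unreadable = yes
    Valid Users = @"SAMDOM\\Domain Admins"
[scratch]
    # valid users = nobody
    forcegroup = users
"""

if __name__ == "__main__":
    for section, param, value in lint_smb_conf(SAMPLE):
        print(f"[{section}] {param} = {value}")
```

Settings in [global] are reported too, because they act as defaults for every share.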