Rob Tho
2020-Apr-20 21:50 UTC
[Samba] Expected behaviour of domain\administrator on Linux AD domain member
Dear all,

I have set up a small test domain in VirtualBox.

1. Samba AD DC on Debian bullseye testing 4.11.6
2. Samba domain member Debian Stretch 4.10.14
3. Windows 10 Enterprise evaluation version 1909

Roaming profiles with folder redirection set up. PAM working.

The above was set up basically using guides on wiki.samba.org, with nearly the only thing changed being SAMDOM to SAMBA. "Unix Admins" group added as per the guide.

Everything works the way I expect apart from:

The SAMBA\Administrator account cannot access or modify the shares on the Samba domain member from the Windows 10 machine. If I add share access "Everyone, Full control" *, then the administrator account can change the share and security properties.

* From the Computer Management console connected to the domain member on the Windows 10 machine, logged in as SAMBA\Administrator.

If I add my test domain user to the "Domain Admins" group, that user can modify the shares on the domain member (as expected).

Domain member smb.conf:

[global]
        workgroup = SAMBA
        security = ADS
        realm = SAMBA.RTNET
        netbios name = LAU-FILES

        winbind refresh tickets = Yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        winbind use default domain = yes

        winbind enum users = yes
        winbind enum groups = yes

        log file = /var/log/samba/%m.log
        log level = 3

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # - You must set a DOMAIN backend configuration
        # idmap config for the SAMDOM domain
        idmap config SAMBA:backend = ad
        idmap config SAMBA:schema_mode = rfc2307
        idmap config SAMBA:range = 10000-999999
        idmap config SAMBA:unix_nss_info = yes
        idmap config SAMBA: unix_primary_group = yes

        username map = /etc/samba/user.map

[Profiles]
        path = /samba/profiles
        read only = no

Windows ACL:

Share Permissions
        Domain Admins (SAMBA\Domain Admins) -- Full Control
        Domain Admins (SAMBA\Domain Users) -- Change

Security
        Creator Owner
        System
        Domain Admins
        Domain Users
(as per the Samba wiki)

Filesystem:

drwxrwx---+ 3 root unix admins 4096 Apr 18 23:38 profiles

# getfattr profiles
# file: profiles
user.SAMBA_PAI

# getfacl profiles
# file: profiles
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::---
group:NT\040Authority\134system:rwx
group:domain\040users:rwx
group:unix\040admins:---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:NT\040Authority\134system:rwx
default:group:unix\040admins:---
default:mask::rwx
default:other::---

With the usermap

!root = SAMBA\Administrator SAMBA\administrator

the administrator account can list the shares on the domain member, but can't access them. Log level 3 shows this:

Mapped user SAMBA\administrator to root
check_user_share_access: user root connection to Profiles denied due to share security descriptor.

With no usermap, the administrator account can't access the domain member at all. Logs show this:

Kerberos ticket principal name is [Administrator at SAMBA.RTNET]
[2020/04/20 22:35:34.532127, 3] ../../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username SAMBA\Administrator is invalid on this system
[2020/04/20 22:35:34.532154, 3] ../../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

Is this the expected behaviour of the domain\administrator account? I would preferably want to do all domain admin from the domain\administrator account logged into a Windows 10 machine, if that is possible.

Many thanks for your help,

RT
L.P.H. van Belle
2020-Apr-21 08:02 UTC
[Samba] Expected behaviour of domain\administrator on Linux AD domain member
Hai,

Few things.

The Share Permissions: add SYSTEM Full control.

Which rights did you set on /samba? (Show getfacl of that one.)

And try changing "default:group:unix\040admins:---" to BUILTIN\Administrators.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rob Tho via samba
> Sent: Monday 20 April 2020 23:51
> To: samba at lists.samba.org
> Subject: [Samba] Expected behaviour of domain\administrator on Linux AD domain member
>
> Dear all,
>
> I have set a small test domain in virtualbox.
>
> 1. Samba AD DC on Debian bullseye testing 4.11.6
> 2. Samba domain member Debian Stretch 4.10.14
> 3. Windows 10 Enterprise evaluation version 1909
>
> Roaming profiles with folder redirection setup.
> PAM working.
>
> The above was setup basically using guides in wiki.samba.org, with nearly
> the only thing changed was SAMDOM to SAMBA. "Unix Admins" group added as
> per guide.
>
> Everything works the way I expect apart from:
>
> SAMBA\Administrator account cannot access or modify the shares on the Samba
> domain member from the windows 10 machine. If I add share access to
> "Everyone, Full control" *, then the administrator account can change the
> share and security properties.
>
> * From Computer Management console connected to the domain member in the
> windows 10 machine, logged as SAMBA\Administrator
>
> If I add my test domain user to the "Domain Admins" group, that user can
> modify the shares on the domain member (as expected).
>
> Domain member smb.conf
> [global]
>         workgroup = SAMBA
>         security = ADS
>         realm = SAMBA.RTNET
>         netbios name = LAU-FILES
>
>         winbind refresh tickets = Yes
>         vfs objects = acl_xattr
>         map acl inherit = Yes
>         store dos attributes = Yes
>
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>
>         winbind use default domain = yes
>
>         winbind enum users = yes
>         winbind enum groups = yes
>
>         log file = /var/log/samba/%m.log
>         log level = 3
>
>         # Default ID mapping configuration for local BUILTIN accounts
>         # and groups on a domain member. The default (*) domain:
>         # - must not overlap with any domain ID mapping configuration!
>         # - must use a read-write-enabled back end, such as tdb.
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         # - You must set a DOMAIN backend configuration
>         # idmap config for the SAMDOM domain
>         idmap config SAMBA:backend = ad
>         idmap config SAMBA:schema_mode = rfc2307
>         idmap config SAMBA:range = 10000-999999
>         idmap config SAMBA:unix_nss_info = yes
>         idmap config SAMBA: unix_primary_group = yes
>
>         username map = /etc/samba/user.map
>
> [Profiles]
>         path=/samba/profiles
>         read only = no
>
> Window ACL:
> Share Permissions
> Domain Admins (SAMBA\Domain Admins) -- Full Control
> Domain Admins (SAMBA\Domain Users) -- Change
>
> Security
> Creator Owner
> System
> Domain Admins
> Domain Users
> as per samba wiki
>
> filesystem:
>
> drwxrwx---+ 3 root unix admins 4096 Apr 18 23:38 profiles
> getfattr profiles
> # file: profiles
> user.SAMBA_PAI
>
> # getfacl profiles
> # file: profiles
> # owner: root
> # group: unix\040admins
> user::rwx
> user:root:rwx
> group::---
> group:NT\040Authority\134system:rwx
> group:domain\040users:rwx
> group:unix\040admins:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:NT\040Authority\134system:rwx
> default:group:unix\040admins:---
> default:mask::rwx
> default:other::---
>
> With usermap !root = SAMBA\Administrator SAMBA\administrator, the
> administrator account can list the shares on the domain member, but can't
> access them.
> Log level 3 shows this:
>
> Mapped user SAMBA\administrator to root
>
> check_user_share_access: user root connection to Profiles denied due to
> share security descriptor.
>
> With no usermap, the administrator account can't access the domain member
> at all.
> Logs show this:
> Kerberos ticket principal name is [Administrator at SAMBA.RTNET]
> [2020/04/20 22:35:34.532127, 3]
> ../../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>   get_user_from_kerberos_info: Username SAMBA\Administrator is invalid on
> this system
> [2020/04/20 22:35:34.532154, 3]
> ../../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
>   auth3_generate_session_info_pac: Failed to map kerberos principal to
> system user (NT_STATUS_LOGON_FAILURE)
>
> Is this the expected behaviour of the domain\administrator account?
> I would preferably want to do all domain admin from the
> domain\administrator account logged into a windows 10 machine
> if that is possible.

That's what I do also, yes.

Greetz,

Louis
Rowland penny
2020-Apr-21 08:35 UTC
[Samba] Expected behaviour of domain\administrator on Linux AD domain member
On 20/04/2020 22:50, Rob Tho via samba wrote:
> Dear all,
>
> I have set a small test domain in virtualbox.
>
> 1. Samba AD DC on Debian bullseye testing 4.11.6
> 2. Samba domain member Debian Stretch 4.10.14
> 3. Windows 10 Enterprise evaluation version 1909
>
> Window ACL:
> Share Permissions
> Domain Admins (SAMBA\Domain Admins) -- Full Control
> Domain Admins (SAMBA\Domain Users) -- Change

No, that is wrong, put it back to 'Everyone', Allow 'Full Control, Change, Read'.

> Security

Does it help if I tell you that a better name for the 'Security' tab would be 'NTFS permissions'?

> Is this the expected behaviour of the domain\administrator account?

No, it works for myself.

> I would preferably want to do all domain admin from the
> domain\administrator account logged into a windows 10 machine if that is
> possible.

Yes it is, just as long as you follow the wiki. I have now updated the wiki page:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland

> Many thanks for your help,
>
> RT
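The two-stage check behind Rowland's advice (share permissions are evaluated first and act as a ceiling; the 'Security' tab, i.e. the NTFS-style filesystem ACL, decides what the user can actually do), as an added model in Python that is not part of this thread or of Samba's code. The ACL tables and session tokens are constructed from the original post; the rights assigned to the Security-tab entries and the assumption that the mapped 'root' session carries no domain groups are mine, and deny entries and SID resolution are left out.

```python
# Added model (not Samba's code): the share permission ACL is checked first
# against the session token; only if it grants something does the
# filesystem ACL (Windows 'Security' tab) decide, so effective access is
# the lesser of the two grants.

READ, CHANGE, FULL = "Read", "Change", "Full Control"
RANK = {READ: 1, CHANGE: 2, FULL: 3}

def grant(acl, token):
    """Highest permission the ACL gives a token (set of user/group names).
    'Everyone' matches any authenticated token; None means no matching ACE."""
    best = None
    for trustee, perm in acl:
        if trustee == "Everyone" or trustee in token:
            if best is None or RANK[perm] > RANK[best]:
                best = perm
    return best

def effective_access(share_acl, fs_acl, token):
    """Share ACL acts as a ceiling; the filesystem ACL decides within it."""
    share = grant(share_acl, token)
    if share is None:
        return None, "denied due to share security descriptor"
    fs = grant(fs_acl, token)
    if fs is None:
        return None, "denied by filesystem ACL"
    return min(share, fs, key=RANK.get), "allowed"

# Filesystem ACL built from the post's 'Security' tab and getfacl output
# (user:root:rwx); the rights per entry are assumed, the post lists none.
FS_ACL = [("Domain Admins", FULL), ("SYSTEM", FULL),
          ("Domain Users", CHANGE), ("root", FULL)]

# The poster's restrictive share ACL versus the wiki's recommended one.
RESTRICTED_SHARE = [("Domain Admins", FULL), ("Domain Users", CHANGE)]
EVERYONE_SHARE = [("Everyone", FULL)]

# Constructed tokens. The mapped 'root' session is assumed to carry no
# domain groups, which reproduces the log line from the original post.
TOKENS = {
    "root (mapped from SAMBA\\Administrator)": {"root"},
    "SAMBA\\testuser": {"testuser", "Domain Users"},
    "SAMBA\\testadmin": {"testadmin", "Domain Users", "Domain Admins"},
    "SAMBA\\nobody-in-acl": {"someone"},
}

if __name__ == "__main__":
    for label, share_acl in (("restricted", RESTRICTED_SHARE), ("Everyone", EVERYONE_SHARE)):
        for who, token in TOKENS.items():
            print(f"{label:10} {who:40} {effective_access(share_acl, FS_ACL, token)}")
```

The last token shows why 'Everyone, Full Control' on the share is not a hole: a user with no filesystem ACE is still refused, just at the second stage instead of the first.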
Rob Tho
2020-Apr-23 20:41 UTC
[Samba] Expected behaviour of domain\administrator on Linux AD domain member
On Tue, 21 Apr 2020 at 09:36, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> > Window ACL:
> > Share Permissions
> > Domain Admins (SAMBA\Domain Admins) -- Full Control
> > Domain Admins (SAMBA\Domain Users) -- Change
> No, that is wrong, put it back to 'Everyone', Allow 'Full Control,
> Change, Read'
>
> > Security
> Does it help if I tell you that a better name for the 'Security' tab
> would be 'NTFS permissions'
> > Is this the expected behaviour of the domain\administrator account?
> No, it works for myself
> > I would preferably want to do all domain admin from the
> > domain\administrator account logged into a windows 10 machine if that is
> > possible.
>
> Yes it is, just as long as you follow the wiki, I have now updated the
> wikipage:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland

Should https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles be updated as well?

Many thanks for your help guys! It works as expected with "everyone" added to the share properties.

RT