Rowland Penny
2022-Nov-28 15:52 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 28/11/2022 15:40, Juan Ignacio wrote:
> I'm on a windows client, logged in with the OURDOMAIN\administrator account.
>
> The content of /etc/samba/user.map
>
> !root = OURDOMAIN\Administrator
>
> The smb.conf.
>
> [global]
>         log file = /var/log/samba/%m.log
>         log level = 1
>         realm = OURDOMAIN.ORG <http://OURDOMAIN.ORG>
>         security = ADS
>         server role = member server
>         username map = /etc/samba/user.map
>         workgroup = OURDOMAIN
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config kennedy : backend = rid
>         idmap config kennedy : range = 10000-9999999
>
> On unix.
>
> I checked the shares with smbclient and I got Invalid Token
>
> root@memberdc:/etc/samba# smbclient -L \\\\10.20.1.55 -U administrator
> Password for [OURDOMAIN\administrator]:
> session setup failed: NT_STATUS_INVALID_TOKEN
>
> If I do the same with another domain user I get the shares correctly.
>
> smbclient -L \\\\10.20.1.55 -U pepito
> Password for [OURDOMAIN\pepito]:
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         sharetest       Disk
>         test            Disk
>         IPC$            IPC       IPC Service (Samba 4.17.3-Debian)
> SMB1 disabled -- no workgroup available

NEVER use Administrator on a Unix machine. Administrator is the Windows administrator with the RID '500', so with your DOMAIN low range it will have the Unix ID 10500, it is just a normal Unix user.

However that isn't your real problem, try adding this line:

        min domain uid = 0

Restart Samba and try again, but only for test purposes, after that never use Administrator directly on Unix.

Rowland
Juan Ignacio
2022-Nov-28 16:11 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
I didn't log into unix directly, I logged on a windows machine.

The problem is I needed the administrator account to manage some GPOs and move the files from one member server to another and rewrite the permissions, timestamp and file ownership on windows.

If I write a file on the member it shows as root, which seems correct to me because I don't want anyone accessing that share right now. At least until I finish migrating the files.

> Administrator is the Windows
> administrator with the RID '500', so with your DOMAIN low range it will
> have the Unix ID 10500, it is just a normal Unix user.

How can I know that? We are not mapping administrator to root? OURDOMAIN\administrator is not equal to root and the uid=0?

Sorry, I'm trying to understand better.
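Editor's added example (not written by either poster and not Samba's own code): a simplified Python model of the three settings discussed in this thread, showing that the rid backend gives RID 500 the Unix ID 10500, that the username map instead sends the account to root, and that uid 0 falls below the `min domain uid` default of 1000, which is why the session is refused. The function names are hypothetical; the sample inputs are constructed from the settings quoted above, including the idmap domain name exactly as it was posted.

```python
import re

# Constructed inputs, copied from the settings quoted in the thread.
SMB_CONF = r"""
[global]
    username map = /etc/samba/user.map
    workgroup = OURDOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config kennedy : backend = rid
    idmap config kennedy : range = 10000-9999999
"""
USER_MAP = r"!root = OURDOMAIN\Administrator"
DEFAULT_MIN_DOMAIN_UID = 1000  # smb.conf default when the parameter is unset


def parse_global(text):
    """Return smb.conf parameters as a dict with normalised lowercase keys."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("#", ";", "[")):
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def rid_to_unix_id(params, domain, rid, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID (None if out of range)."""
    low, high = map(int, params[f"idmap config {domain} : range"].split("-"))
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def mapped_unix_name(user_map, account):
    """Return the Unix name a username map line assigns to account, else None."""
    for line in user_map.splitlines():
        unix, _, win = line.partition("=")
        if account.lower() in (w.lower() for w in win.split()):
            return unix.strip().lstrip("!")  # '!' only stops further map lines
    return None


def session_allowed(params, uid):
    """Simplified model of the min domain uid check applied to the mapped uid."""
    return uid >= int(params.get("min domain uid", DEFAULT_MIN_DOMAIN_UID))
```

With the quoted configuration, the model accepts pepito's rid-mapped ID but rejects the root-mapped Administrator until `min domain uid = 0` is set.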