Greg Dickie
2023-Oct-27 20:14 UTC
[Samba] Permissions issue on domain member server (samba as an appliance)
Hey Rowland,

Hmmm. I may have misunderstood. I don't believe it explicitly said to do that but I took it as that. Should I create a local Administrator account instead?

Thanks,
Greg

On Fri, Oct 27, 2023 at 3:30 PM Rowland Penny <rpenny at samba.org> wrote:

> On Fri, 27 Oct 2023 15:07:56 -0400
> Greg Dickie via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > We have a rat's nest of windows servers all sharing little bits of
> > storage which I'm trying to consolidate on one biggish linux server.
> > I've installed a fresh Ubuntu 22.04 and samba 4.15 that comes standard.
> > I've also joined the domain using autorid as the backend and users
> > are getting UID and GIDs correctly as evidenced by wbinfo -i USER and
> > id USER. I've also mapped a domain admin user to root using username
> > map and the connection shows up as root in smbstatus.
>
> Could you please point out where it says to map a domain admin to root
> instead of mapping Administrator to root?
>
> Rowland
>
> > Created a
> > share, changed the group of the directory to "Domain Admins" and did
> > a g+rwx on the share root dir. Everything looks good.
> >
> > But. When I connect to the share as that admin user and try a mkdir
> > tt I get access denied. robocopy from one of the windows servers gives
> > me "A required privilege is not held by the client".
> >
> > Level 10 logs are pretty verbose but I did not see a cause.
> >
> > What am I missing? Where should I look next?
> >
> > Thanks,
> > Greg

--
Greg Dickie
just a guy
514-983-5400
Rowland Penny
2023-Oct-28 07:09 UTC
[Samba] Permissions issue on domain member server (samba as an appliance)
On Fri, 27 Oct 2023 16:14:52 -0400
Greg Dickie <greg at justaguy.ca> wrote:

> Hey Rowland,
>
> Hmmm. I may have misunderstood. I don't believe it explicitly said to
> do that but I took it as that. Should I create a local Administrator
> account instead?
>

The whole idea behind the user map on a Unix domain member is to map the Domain Administrator account (RID 500) to the Unix user 'root'. What you do on Windows as 'Administrator' is done on Unix as 'root'.

I would never use 'Administrator' directly on Unix and here is why:

I use the 'rid' idmap backend and if I run 'getent passwd administrator', I get:

administrator:*:10500:10513::/home/administrator:/bin/bash

As you can see, 'Administrator' has the ID '10500', which makes it a normal Unix user with no special powers. However, from Windows via Samba, the 'Administrator' ID is set to '0' by the user map and I hope you realise what other Unix user has the ID '0'.

If you haven't realised yet, no, do not create a local Administrator; for one thing, you already have one :-)

Rowland
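
An added example, not part of either message and not Samba's own code: a small Python audit of a `username map` file, following the line format described in the smb.conf man page, that lists every client name mapped to root and marks anything other than the Administrator account for review. The SAMDOM domain, the account names and the sample file are constructed, and treating only Administrator as expected is an assumption drawn from the explanation above.

```python
import re

# Constructed sample username map; SAMDOM and the account names are placeholders.
SAMPLE_MAP = r'''
# /etc/samba/user.map (constructed example)
!root = SAMDOM\Administrator
root = SAMDOM\gdadmin "SAMDOM\Backup Operator"
; disabled = SAMDOM\ignored
guest = *
'''

# A client name is either a double-quoted string (may contain spaces) or a bare word.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_user_map(text):
    """Return (unix_user, [client names], stop_flag) for each mapping line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!' stops processing once this line matches
        unix_user, sep, rhs = line.lstrip("!").partition("=")
        if not sep:                          # no '=': not a mapping line
            continue
        names = [quoted or bare for quoted, bare in TOKEN.findall(rhs)]
        entries.append((unix_user.strip(), names, stop))
    return entries


def root_mappings(text, expected="administrator"):
    """List every client name mapped to root as (name, needs_review)."""
    findings = []
    for unix_user, names, _stop in parse_user_map(text):
        if unix_user != "root":
            continue
        for name in names:
            # Compare the account part only, ignoring the domain prefix and case.
            account = name.rsplit("\\", 1)[-1].lower()
            findings.append((name, account != expected))
    return findings


if __name__ == "__main__":
    for name, review in root_mappings(SAMPLE_MAP):
        print(f"{'REVIEW' if review else 'ok':6}  root <- {name}")
```

A wildcard (`*`) or `@group` entry on a root line is also reported for review, since it would give every matching client UID 0 on the member server.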