Luis Peromarta
2023-Oct-29 20:53 UTC
[Samba] Permissions issue on domain member server (samba as an appliance)
Administrator is a built in account in the AD. When you provisioned the domain with a password, that was Administrator's password.

LP

On 29 Oct 2023 at 21:36 +0100, Greg Dickie via samba <samba at lists.samba.org>, wrote:
> Hey Rowland,
>
> Sorry, I'm thick. I understand why you would not want to create a linux
> user called Administrator but then where will the credentials come from? In
> my AD, I do not have a user called Administrator. I guess I must have a
> user with RID 500 though, I'll look for that.
>
> Thanks for your help,
> Greg
>
> On Sat, Oct 28, 2023 at 3:09 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
> > On Fri, 27 Oct 2023 16:14:52 -0400
> > Greg Dickie <greg at justaguy.ca> wrote:
> >
> > > Hey Rowland,
> > >
> > > Hmmm. I may have misunderstood. I don't believe it explicitly said to
> > > do that but I took it as that. Should I create a local Administrator
> > > account instead?
> > >
> >
> > The whole idea behind the user map on a Unix domain member is to map
> > the Domain Administrator account (RID 500) to the Unix user 'root'.
> > When you do something on Windows as 'Administrator', it is done on Unix as
> > 'root'.
> >
> > I would never use 'Administrator' directly on Unix and here is why:
> >
> > I use the 'rid' idmap backend and if I run 'getent passwd
> > administrator', I get:
> >
> > administrator:*:10500:10513::/home/administrator:/bin/bash
> >
> > As you can see 'Administrator' has the ID '10500', which makes it a
> > normal Unix user with no special powers. However, from Windows via
> > Samba, the 'Administrator' ID is set to '0' by the user map and I hope
> > you realise what other Unix user has the ID '0'.
> >
> > If you haven't realised yet, no, do not create a local Administrator,
> > for one thing, you already have one :-)
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> --
> Greg Dickie
> just a guy
> 514-983-5400
Greg Dickie
2023-Oct-29 21:08 UTC
[Samba] Permissions issue on domain member server (samba as an appliance)
OK I found an account with RID 500 but it has another username. I inherited this AD from 15+ years ago. Everything looks fine, all the computer management stuff works and I can manipulate permissions and security BUT running robocopy still gives "Error 1314 Copying NTFS Security to destination Directory ********* A required privilege is not held by the client". I just noticed it does say the user but the client. Hmmmm.

Thanks,
Greg

--
Greg Dickie
just a guy
514-983-5400
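
Added example, not part of any message in this thread: Samba's username map matches on the account name the client presents (DOMAIN\user on a domain member), not on the RID, so a map line written for 'Administrator' does not cover a RID 500 account that has been renamed. The sketch below inverts the idmap 'rid' formula for the getent line quoted above and resolves a name through a map file. The domain SAMDOM, the account name "oldadmin" and the range start 10000 are constructed values, and wildcard and @group map entries are not handled.

```shell
#!/bin/sh
# Added example. SAMDOM, "oldadmin" and the range start 10000 are constructed.

# idmap_rid computes ID = RID - BASE_RID + LOW_RANGE_ID; invert it.
rid_from_passwd() {  # $1 = passwd line, $2 = range low, $3 = base_rid (default 0)
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    echo $(( uid - $2 + ${3:-0} ))
}

# Resolve a client name through a username map file. Handles comments, the
# "!" stop marker, quoted names and case; not wildcards or @group entries.
map_lookup() {       # $1 = map file, $2 = name as Samba sees it (DOMAIN\user)
    WANT="$2" awk '
        BEGIN { result = ENVIRON["WANT"] }   # ENVIRON keeps the backslash intact
        /^[ \t]*([#;]|$)/ { next }           # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            unix = substr($0, 1, eq - 1)
            rest = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", unix)
            stop = sub(/^!/, "", unix)
            while (match(rest, /"[^"]*"|[^ \t"]+/)) {
                name = substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
                gsub(/"/, "", name)
                if (tolower(name) == tolower(result)) {
                    result = unix
                    if (stop) exit           # "!" ends processing on a match
                    break
                }
            }
        }
        END { print result }
    ' "$1"
}

# Demo on constructed data: the RID 500 account was renamed to "oldadmin".
map=$(mktemp)
printf '%s\n' '# constructed user.map' '!root = SAMDOM\Administrator' > "$map"
rid_from_passwd 'administrator:*:10500:10513::/home/administrator:/bin/bash' 10000
map_lookup "$map" 'SAMDOM\oldadmin'    # unchanged: the name is not in the map
printf '%s\n' '!root = SAMDOM\oldadmin' > "$map"
map_lookup "$map" 'SAMDOM\oldadmin'    # now resolves to root
rm -f "$map"
```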