Luis Peromarta
2023-Oct-29 20:53 UTC
[Samba] Permissions issue on domain member server (samba as an appliance)
Administrator is a built in account in the AD. When you provisioned the domain with a password , that was Administrators password. LP On 29 Oct 2023 at 21:36 +0100, Greg Dickie via samba <samba at lists.samba.org>, wrote:> Hey Rowland, > > Sorry, I'm thick. I understand why you would not want to create a linux > user called Administrator but then where will the credentials come from? In > my AD, I do not have a user called Administrator. I guess I must have a > user with RID 500 though, I'll look for that. > > Thanks for your help, > Greg > > On Sat, Oct 28, 2023 at 3:09?AM Rowland Penny via samba < > samba at lists.samba.org> wrote: > > > On Fri, 27 Oct 2023 16:14:52 -0400 > > Greg Dickie <greg at justaguy.ca> wrote: > > > > > Hey Rowland, > > > > > > Hmmm. I may have misunderstood. I don't believe it explicitly said to > > > do that but I took it as that. Should I create a local Administrator > > > account instead? > > > > > > > The whole idea behind the user map on a Unix domain member is to map > > the Domain Administrator account (RID 500) to the Unix user 'root'. > > When you do something on Windows as 'Administrator' is done on Unix as > > 'root'. > > > > I would never use 'Administrator' directly on Unix and here is why: > > > > I use the 'rid' idmap backend and if I run 'getent passwd > > administrator', I get: > > > > administrator:*:10500:10513::/home/administrator:/bin/bash > > > > As you can see 'Administrator' has the ID '10500', which makes it a > > normal Unix user with no special powers. However, from Windows via > > Samba, the 'Administrator' ID is set to '0' by the user map and I hope > > you realise what other Unix user has the ID '0'. > > > > If you haven't realised yet, no, do not create a local Administrator, > > for one thing, you already have one :-) > > > > Rowland > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > -- > > > Greg Dickie > just a guy > 514-983-5400 > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Greg Dickie
2023-Oct-29 21:08 UTC
[Samba] Permissions issue on domain member server (samba as an appliance)
OK I found an account with RID 500 but it has another username. I inherited this AD from 15+ years ago. Everything looks fine, all the computer management stuff works and I can manipulate permissions and security BUT running robocopy still gives "Error 1314 Copying N TFS Security to destination Directory ********* A required privilege is not held by the client". I just noticed it does say the user but the client. Hmmmm. Thanks, Greg On Sun, Oct 29, 2023 at 4:53?PM Luis Peromarta via samba < samba at lists.samba.org> wrote:> Administrator is a built in account in the AD. When you provisioned the > domain with a password , that was Administrators password. > > LP > On 29 Oct 2023 at 21:36 +0100, Greg Dickie via samba < > samba at lists.samba.org>, wrote: > > Hey Rowland, > > > > Sorry, I'm thick. I understand why you would not want to create a linux > > user called Administrator but then where will the credentials come from? > In > > my AD, I do not have a user called Administrator. I guess I must have a > > user with RID 500 though, I'll look for that. > > > > Thanks for your help, > > Greg > > > > On Sat, Oct 28, 2023 at 3:09?AM Rowland Penny via samba < > > samba at lists.samba.org> wrote: > > > > > On Fri, 27 Oct 2023 16:14:52 -0400 > > > Greg Dickie <greg at justaguy.ca> wrote: > > > > > > > Hey Rowland, > > > > > > > > Hmmm. I may have misunderstood. I don't believe it explicitly said to > > > > do that but I took it as that. Should I create a local Administrator > > > > account instead? > > > > > > > > > > The whole idea behind the user map on a Unix domain member is to map > > > the Domain Administrator account (RID 500) to the Unix user 'root'. > > > When you do something on Windows as 'Administrator' is done on Unix as > > > 'root'. > > > > > > I would never use 'Administrator' directly on Unix and here is why: > > > > > > I use the 'rid' idmap backend and if I run 'getent passwd > > > administrator', I get: > > > > > > administrator:*:10500:10513::/home/administrator:/bin/bash > > > > > > As you can see 'Administrator' has the ID '10500', which makes it a > > > normal Unix user with no special powers. However, from Windows via > > > Samba, the 'Administrator' ID is set to '0' by the user map and I hope > > > you realise what other Unix user has the ID '0'. > > > > > > If you haven't realised yet, no, do not create a local Administrator, > > > for one thing, you already have one :-) > > > > > > Rowland > > > > > > > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > -- > > > > > > Greg Dickie > > just a guy > > 514-983-5400 > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- Greg Dickie just a guy 514-983-5400
Apparently Analagous Threads
- Permissions issue on domain member server (samba as an appliance)
- Permissions issue on domain member server (samba as an appliance)
- Permissions issue on domain member server (samba as an appliance)
- Permissions issue on domain member server (samba as an appliance)
- Permissions issue on domain member server (samba as an appliance)