samba - Nov 2023 - Mapping the Domain Administrator Account to the Local root User

Hello,

recently I've "updated" an AD member file server to an up-to-date
Debian
12, following the wiki page Setting_up_Samba_as_a_Domain_Member. Some
years ago I did the same with a Debian 10 VM, of which I used the data
disks in the new fileserver. It uses the "rid" backend, acl and is
configured via RSAT tools.

Either I didn't follow the wiki page in the "Mapping the Domain
Administrator Account to the Local root User" part or it was not yet
existent years ago when I've configured the Debian 10 Samba.

Anyways, in the actual configuration I used the username map as it's
part of the wiki. But then, I wasn't able to access the Samba member
fileserver with the computer management to check/change the permissions of my
shares, as the computer management didn't get access to the fileserver.
And, ironically, the Administrator user was also not able to access
their home files ("normal" users on the contrary were able to do
this).
While the login process itself worked and the "gpresult /r"
signalised,
that the process worked for users and administrators.

After commenting out the "username map" parameter I've gained
access to the
fileserver via "computer management" again and the administrator can
access their (redirected) folders and files again.

While it's nice that it's working again, I wonder why and in which cases
the mapping is necessary?

All the best
Sinni

Looks like your root mapping isn?t working.

Did you add "min domain uid = 0? to smb.conf ?

See 'Mapping the AD Administrator user to ?root?' :

http://samba.bigbird.es/doku.php?id=samba:file-server

On Nov 27, 2023 at 18:58 +0100, mail--- via samba <samba at
lists.samba.org>, wrote:
> Hello,
>
> recently I've "updated" an AD member file server to an
up-to-date Debian
> 12, following the wiki page Setting_up_Samba_as_a_Domain_Member. Some
> years ago I did the same with a Debian 10 VM, of which I used the data
> disks in the new fileserver. It uses the "rid" backend, acl and
is
> configured via RSAT tools.
>
> Either I didn't follow the wiki page in the "Mapping the Domain
> Administrator Account to the Local root User" part or it was not yet
> existent years ago when I've configured the Debian 10 Samba.
>
> Anyways, in the actual configuration I used the username map as it's
> part of the wiki. But then, I wasn't able to access the Samba member
> fileserver with the computer management to check/change the permissions of
my
> shares, as the computer management didn't get access to the fileserver.
> And, ironically, the Administrator user was also not able to access
> their home files ("normal" users on the contrary were able to do
this).
> While the login process itself worked and the "gpresult /r"
signalised,
> that the process worked for users and administrators.
>
> After commenting out the "username map" parameter I've gained
access to the
> fileserver via "computer management" again and the administrator
can
> access their (redirected) folders and files again.
>
> While it's nice that it's working again, I wonder why and in which
cases
> the mapping is necessary?
>
> All the best
> Sinni
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba