samba - Nov 2023 - Mapping the Domain Administrator Account to the Local root User

Looks like your root mapping isn?t working.

Did you add "min domain uid = 0? to smb.conf ?

See 'Mapping the AD Administrator user to ?root?' :

http://samba.bigbird.es/doku.php?id=samba:file-server

On Nov 27, 2023 at 18:58 +0100, mail--- via samba <samba at
lists.samba.org>, wrote:
> Hello,
>
> recently I've "updated" an AD member file server to an
up-to-date Debian
> 12, following the wiki page Setting_up_Samba_as_a_Domain_Member. Some
> years ago I did the same with a Debian 10 VM, of which I used the data
> disks in the new fileserver. It uses the "rid" backend, acl and
is
> configured via RSAT tools.
>
> Either I didn't follow the wiki page in the "Mapping the Domain
> Administrator Account to the Local root User" part or it was not yet
> existent years ago when I've configured the Debian 10 Samba.
>
> Anyways, in the actual configuration I used the username map as it's
> part of the wiki. But then, I wasn't able to access the Samba member
> fileserver with the computer management to check/change the permissions of
my
> shares, as the computer management didn't get access to the fileserver.
> And, ironically, the Administrator user was also not able to access
> their home files ("normal" users on the contrary were able to do
this).
> While the login process itself worked and the "gpresult /r"
signalised,
> that the process worked for users and administrators.
>
> After commenting out the "username map" parameter I've gained
access to the
> fileserver via "computer management" again and the administrator
can
> access their (redirected) folders and files again.
>
> While it's nice that it's working again, I wonder why and in which
cases
> the mapping is necessary?
>
> All the best
> Sinni
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Also, did you grant users rights to manage services in Member Servers ?

http://samba.bigbird.es/doku.php?id=samba:server-privileges

LP
On Nov 27, 2023 at 19:02 +0100, Luis Peromarta via samba <samba at
lists.samba.org>, wrote:
> Looks like your root mapping isn?t working.
>
> Did you add "min domain uid = 0? to smb.conf ?
>
> See 'Mapping the AD Administrator user to ?root?' :
>
> http://samba.bigbird.es/doku.php?id=samba:file-server
>
> On Nov 27, 2023 at 18:58 +0100, mail--- via samba <samba at
lists.samba.org>, wrote:
> > Hello,
> >
> > recently I've "updated" an AD member file server to an
up-to-date Debian
> > 12, following the wiki page Setting_up_Samba_as_a_Domain_Member. Some
> > years ago I did the same with a Debian 10 VM, of which I used the data
> > disks in the new fileserver. It uses the "rid" backend, acl
and is
> > configured via RSAT tools.
> >
> > Either I didn't follow the wiki page in the "Mapping the
Domain
> > Administrator Account to the Local root User" part or it was not
yet
> > existent years ago when I've configured the Debian 10 Samba.
> >
> > Anyways, in the actual configuration I used the username map as
it's
> > part of the wiki. But then, I wasn't able to access the Samba
member
> > fileserver with the computer management to check/change the
permissions of my
> > shares, as the computer management didn't get access to the
fileserver.
> > And, ironically, the Administrator user was also not able to access
> > their home files ("normal" users on the contrary were able
to do this).
> > While the login process itself worked and the "gpresult /r"
signalised,
> > that the process worked for users and administrators.
> >
> > After commenting out the "username map" parameter I've
gained access to the
> > fileserver via "computer management" again and the
administrator can
> > access their (redirected) folders and files again.
> >
> > While it's nice that it's working again, I wonder why and in
which cases
> > the mapping is necessary?
> >
> > All the best
> > Sinni
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba