samba - Nov 2023 - Mapping the Domain Administrator Account to the Local root User

Also, did you grant users rights to manage services in Member Servers ?

http://samba.bigbird.es/doku.php?id=samba:server-privileges

LP
On Nov 27, 2023 at 19:02 +0100, Luis Peromarta via samba <samba at
lists.samba.org>, wrote:
> Looks like your root mapping isn?t working.
>
> Did you add "min domain uid = 0? to smb.conf ?
>
> See 'Mapping the AD Administrator user to ?root?' :
>
> http://samba.bigbird.es/doku.php?id=samba:file-server
>
> On Nov 27, 2023 at 18:58 +0100, mail--- via samba <samba at
lists.samba.org>, wrote:
> > Hello,
> >
> > recently I've "updated" an AD member file server to an
up-to-date Debian
> > 12, following the wiki page Setting_up_Samba_as_a_Domain_Member. Some
> > years ago I did the same with a Debian 10 VM, of which I used the data
> > disks in the new fileserver. It uses the "rid" backend, acl
and is
> > configured via RSAT tools.
> >
> > Either I didn't follow the wiki page in the "Mapping the
Domain
> > Administrator Account to the Local root User" part or it was not
yet
> > existent years ago when I've configured the Debian 10 Samba.
> >
> > Anyways, in the actual configuration I used the username map as
it's
> > part of the wiki. But then, I wasn't able to access the Samba
member
> > fileserver with the computer management to check/change the
permissions of my
> > shares, as the computer management didn't get access to the
fileserver.
> > And, ironically, the Administrator user was also not able to access
> > their home files ("normal" users on the contrary were able
to do this).
> > While the login process itself worked and the "gpresult /r"
signalised,
> > that the process worked for users and administrators.
> >
> > After commenting out the "username map" parameter I've
gained access to the
> > fileserver via "computer management" again and the
administrator can
> > access their (redirected) folders and files again.
> >
> > While it's nice that it's working again, I wonder why and in
which cases
> > the mapping is necessary?
> >
> > All the best
> > Sinni
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

The user rights I've granted, but this "min domain uid = 0? parameter
seems to be important and is not documented in the Samba wiki. After
adding it I can access the files and administrate the fileserver as wanted.

Sinni


On 27.11.2023 19:05:29, Luis Peromarta via samba wrote:
> Also, did you grant users rights to manage services in Member Servers ?
> 
> http://samba.bigbird.es/doku.php?id=samba:server-privileges
> 
> LP
> On Nov 27, 2023 at 19:02 +0100, Luis Peromarta via samba <samba at
lists.samba.org>, wrote:
> > Looks like your root mapping isn?t working.
> >
> > Did you add "min domain uid = 0? to smb.conf ?
> >
> > See 'Mapping the AD Administrator user to ?root?' :
> >
> > http://samba.bigbird.es/doku.php?id=samba:file-server
> >
> > On Nov 27, 2023 at 18:58 +0100, mail--- via samba <samba at
lists.samba.org>, wrote:
> > > Hello,
> > >
> > > recently I've "updated" an AD member file server to
an up-to-date Debian
> > > 12, following the wiki page Setting_up_Samba_as_a_Domain_Member.
Some
> > > years ago I did the same with a Debian 10 VM, of which I used the
data
> > > disks in the new fileserver. It uses the "rid" backend,
acl and is
> > > configured via RSAT tools.
> > >
> > > Either I didn't follow the wiki page in the "Mapping the
Domain
> > > Administrator Account to the Local root User" part or it was
not yet
> > > existent years ago when I've configured the Debian 10 Samba.
> > >
> > > Anyways, in the actual configuration I used the username map as
it's
> > > part of the wiki. But then, I wasn't able to access the Samba
member
> > > fileserver with the computer management to check/change the
permissions of my
> > > shares, as the computer management didn't get access to the
fileserver.
> > > And, ironically, the Administrator user was also not able to
access
> > > their home files ("normal" users on the contrary were
able to do this).
> > > While the login process itself worked and the "gpresult
/r" signalised,
> > > that the process worked for users and administrators.
> > >
> > > After commenting out the "username map" parameter
I've gained access to the
> > > fileserver via "computer management" again and the
administrator can
> > > access their (redirected) folders and files again.
> > >
> > > While it's nice that it's working again, I wonder why and
in which cases
> > > the mapping is necessary?
> > >
> > > All the best
> > > Sinni
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions: https://lists.samba.org/mailman/options/samba
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba