Re: [Samba] Samba 4.6.0 - Domain admin can't list nor access shares on file server
- Date: Wed, 10 May 2017 18:04:16 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba 4.6.0 - Domain admin can't list nor access shares on file server
On Wed, 10 May 2017 18:44:33 +0200
Olaf Frączyk via samba <samba@xxxxxxxxxxxxxxx> wrote:
> On 5/10/2017 6:06 PM, Rowland Penny via samba wrote:
> > On Wed, 10 May 2017 17:47:37 +0200
> > Olaf Frączyk via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >> Hello,
> >> I have domain NAVIDOM.
> >> There is also a fileserver that has joined the domain (both file
> >> server and DC are samba 4.6.0).
> >> If I try to connect as NAVIDOM\Administrator, I cannot access the
> >> file server (from Linux and Windows):
> >> [root@dc var]# smbclient -U Administrator -L fileserv
> >> Enter NAVIDOM\Administrator's password:
> >> session setup failed: NT_STATUS_ACCESS_DENIED
> >> I can do it as a regular user:
> >> [root@fileserv samba]# smbclient -U olaf -L fileserv
> >> Enter NAVIDOM\olaf's password:
> >> Sharename Type Comment
> >> --------- ---- -------
> >> .......
> >> Is this normal or do I have a problem with my setup?
> > Possibly normal, but it depends on your smb.conf on the Unix domain
> > member, so can you post the smb.conf from the Unix domain member
> > (the thing you call a fileserver)
> > Rowland
> security = ADS
> workgroup = NAVIDOM
> realm = NAVIDOM.OFFICE.NAVI.PL
> log file = /var/log/samba/%m.log
> log level = 1
> idmap config * : backend = tdb
> idmap config * : range = 20000-20999
> idmap config NAVIDOM:backend = ad
> idmap config NAVIDOM:schema_mode = rfc2307
> idmap config NAVIDOM:range = 1000-9999
> idmap config NAVIDOM:unix_nss_info = yes
> idmap config NAVIDOM:unix_primary_group = yes
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> template shell = /bin/bash
> template homedir = /home/%U
> create mask = 0666
> directory mask= 0777
> store dos attributes = yes
> Is this because of NAVIDOM:range = 1000-9999, so it doesn't include
> uid 0?
No, it is because your Unix OS has no idea who the Windows user
'Administrator' is ;-)
You need to map it to the 'root' user by adding this line to smb.conf:
username map = /etc/samba/user.map
and then create the user.map containing this:
!root = NAVIDOM\Administrator NAVIDOM\administrator Administrator
Restart Samba, you will then be able to connect from a Windows machine to
your Unix machine and do maintenance.
You will still find that the OS still doesn't know who 'Administrator'
is, but this doesn't really matter.
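
Added example, not part of the original post and not Samba's own code: a short Python audit that parses a username map in the format shown above and lists every client name that ends up mapped to root, so the file can be reviewed after the change. The function names, the `nobody` entry and the comment line in the sample are constructed for illustration.

```python
import re

# Constructed sample: the map line from the reply above, plus one
# hypothetical unprivileged entry and a comment line.
SAMPLE_MAP = r"""
# '#' and ';' start comment lines
!root = NAVIDOM\Administrator NAVIDOM\administrator Administrator
nobody = guest pcguest
"""

def parse_username_map(text):
    """Return (unix_name, client_names, stops_processing) per map line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stops = line.startswith("!")  # '!' ends processing once this line matches
        unix_name, sep, rhs = line.lstrip("!").partition("=")
        if not sep:
            continue  # not a "unix = client ..." line
        # Client names are whitespace separated; names with spaces are quoted.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        entries.append((unix_name.strip(), names, stops))
    return entries

def audit_privileged_mappings(text, privileged=("root",)):
    """List (client_name, kind) for every name mapped to a privileged user."""
    findings = []
    for unix_name, names, _stops in parse_username_map(text):
        if unix_name not in privileged:
            continue
        for name in names:
            if name == "*":
                kind = "wildcard"
            elif name.startswith("@"):
                kind = "group"
            elif "\\" in name:
                kind = "domain account"
            else:
                kind = "unqualified name"
            findings.append((name, kind))
    return findings

if __name__ == "__main__":
    for name, kind in audit_privileged_mappings(SAMPLE_MAP):
        print(f"root <- {name} ({kind})")
```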