
Re: [Samba] Samba 4.6.0 - Domain admin can't list nor access shares on file server




On Wed, 10 May 2017 18:44:33 +0200
Olaf Frączyk via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> 
> On 5/10/2017 6:06 PM, Rowland Penny via samba wrote:
> > On Wed, 10 May 2017 17:47:37 +0200
> > Olaf Frączyk via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> >> Hello,
> >>
> >> I have domain NAVIDOM.
> >>
> >> There is also a fileserver that has joined the domain (both file
> >> server and DC are samba 4.6.0).
> >>
> >> If I try to connect as NAVIDOM\Administrator, I cannot access the
> >> file server (from Linux and Windows):
> >>
> >> [root@dc var]# smbclient -U Administrator -L fileserv
> >> Enter NAVIDOM\Administrator's password:
> >> session setup failed: NT_STATUS_ACCESS_DENIED
> >>
> >> I can do it as a regular user:
> >>
> >> [root@fileserv samba]# smbclient -U olaf -L fileserv
> >> Enter NAVIDOM\olaf's password:
> >>
> >>       Sharename       Type      Comment
> >>       ---------       ----      -------
> >>
> >> .......
> >>
> >> Is this normal or do I have a problem with my setup?
> >>
> > Possibly normal, but it depends on your smb.conf on the Unix domain
> > member, so can you post the smb.conf from the Unix domain member
> > (the thing you call a fileserver)
> >
> > Rowland
> >
> >
> [global]
>      security = ADS
>      workgroup = NAVIDOM
>      realm = NAVIDOM.OFFICE.NAVI.PL
>      log file = /var/log/samba/%m.log
>      log level = 1
>      idmap config * : backend = tdb
>      idmap config * : range = 20000-20999
>      idmap config NAVIDOM:backend = ad
>      idmap config NAVIDOM:schema_mode = rfc2307
>      idmap config NAVIDOM:range = 1000-9999
>      idmap config NAVIDOM:unix_nss_info = yes
>      idmap config NAVIDOM:unix_primary_group = yes
>      winbind use default domain = yes
>      winbind nss info = rfc2307
>      winbind refresh tickets = yes
>      template shell = /bin/bash
>      template homedir = /home/%U
>      create mask = 0666
>      directory mask= 0777
>      store dos attributes = yes
> 
> Is this because of NAVIDOM:range = 1000-9999, so it doesn't include
> uid 0?
> 
> 

No, it is because your Unix OS has no idea who the Windows user
'Administrator' is ;-)

You need to map it to the 'root' user by adding this line to smb.conf:

username map = /etc/samba/user.map

and then create the user.map containing this:

!root = NAVIDOM\Administrator NAVIDOM\administrator Administrator administrator

Restart Samba, you will then be able to connect from a Windows machine to
your Unix machine and do maintenance.

You will still find that the OS still doesn't know who 'Administrator'
is, but this doesn't really matter.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
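
An added example, not part of the reply above or of Samba's own code: a small Python model of the username map format that reports which client names resolve to the Unix root account, for reviewing a user.map before restarting Samba. The `backup` and `guest` sample lines are hypothetical, case-insensitive matching is an assumption, and `@group` entries are not expanded.

```python
import re

# Constructed sample: the map line from the reply above (joined onto one line)
# plus two hypothetical lines added to show ordering effects.
SAMPLE_MAP = r'''
# /etc/samba/user.map
!root = NAVIDOM\Administrator NAVIDOM\administrator Administrator administrator
backup = "NAVIDOM\Backup Operator"
guest = *
'''

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted names may contain spaces


def parse_user_map(text):
    """Return [(unix_name, [client_names], stop_flag)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        stop = line.startswith("!")          # '!' = stop after this line matches
        unix_name, sep, rhs = line.lstrip("!").partition("=")
        names = [q or w for q, w in _TOKEN.findall(rhs) if q or w]
        if sep and unix_name.strip() and names:
            rules.append((unix_name.strip(), names, stop))
    return rules


def resolve(rules, client_name):
    """Unix name a client name ends up as; a later matching line overrides
    an earlier one unless the earlier line began with '!'.
    Assumption: names compare case-insensitively; @group is not expanded."""
    mapped = client_name
    for unix_name, names, stop in rules:
        if any(n == "*" or n.lower() == client_name.lower() for n in names):
            mapped = unix_name
            if stop:
                break
    return mapped


def audit_root(rules):
    """(listed client names that resolve to root, whether an unlisted name does)."""
    listed = {n for _, names, _ in rules for n in names if n != "*"}
    aliases = sorted(n for n in listed if resolve(rules, n) == "root")
    return aliases, resolve(rules, "unlisted-user") == "root"


if __name__ == "__main__":
    print(audit_root(parse_user_map(SAMPLE_MAP)))
```

With only the single line from the reply in the file, the audit returns the four listed Administrator spellings and no wildcard path to root.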