Re: [Samba] administrator does not have permission
- Date: Mon, 20 Nov 2017 19:07:03 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
On Mon, 20 Nov 2017 12:18:14 -0600
Robert Wooden via samba <samba@xxxxxxxxxxxxxxx> wrote:
> While attempting to check 'profiles' user permissions on my member
> server I discovered that (for some reason) I did not have a krb5.conf
> file (on member.) Resolved that issue. Then find that the keytab file
> is missing. Fixed that.
You usually get a krb5.conf created when you install the kerberos
client packages, it is usually more than what you need though.
You only get the /etc/krb5.keytab created at join if you have these two
lines in smb.conf:
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
> I wanted to check profile user permissions and have discovered that
> the administrator does not have permission to "view or edit this
> object's permission settings." WHAT?? Is there a linux way to correct
> this issue?
Have you mapped Administrator to the Unix user 'root' in a user.map ?
> Further digging and I find that the administrator (the
> DOMAIN\administrator) does have rights to see permissions of anything
> on the member server.
> I am puzzled . . . how could missing krb5.conf and keytab files allow
> access when missing. Clearly replacing the missing files and kerberos
> is blocking something.
Ah, but Samba uses a keytab in memory and whilst I have always created
the krb5.conf myself, it is possible that Samba can use the Realm found
in smb.conf if there is no /etc/krb5.conf.
> So, the question is, is there a way to correct this on the linux side?
> I am at a loss as to how to proceed?
Please check if you have a user.map and report back.
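
Added example (not part of the original thread, and not Samba project code): a shell audit of the member-server settings the reply asks about, namely the two keytab lines and a user.map entry mapping Administrator to root. It assumes the map is referenced from smb.conf with the `username map` parameter; the function names, the SAMDOM domain and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a member server's smb.conf for the settings in this thread.

# Print a [global] parameter's value. smb.conf parameter names are
# case-insensitive and ignore embedded whitespace.
smb_param() {  # $1 = smb.conf path, $2 = parameter name
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { glob = (norm($0) == "[global]"); next }
        glob && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(key) == norm(want)) found = val
        }
        END { if (found != "") print found }' "$1"
}

# True if the map file maps the domain Administrator to Unix root,
# e.g. "!root = SAMDOM\Administrator" (SAMDOM is a placeholder domain).
map_has_root_admin() {  # $1 = username map path
    [ -r "$1" ] && grep -Eiq \
        '^[[:space:]]*!?root[[:space:]]*=(.*[[:space:]\\])?administrator([[:space:]]|$)' "$1"
}

# Print each finding; the return status is the number of problems.
audit_member() {  # $1 = smb.conf path
    n=0
    keytab=$(smb_param "$1" "dedicated keytab file")
    method=$(smb_param "$1" "kerberos method" | tr 'A-Z' 'a-z')
    map=$(smb_param "$1" "username map")
    [ -n "$keytab" ] || { echo "dedicated keytab file: not set"; n=$((n+1)); }
    [ "$method" = "secrets and keytab" ] ||
        { echo "kerberos method: '${method:-unset}', no keytab written at join"; n=$((n+1)); }
    if [ -z "$map" ]; then echo "username map: not set"; n=$((n+1))
    elif ! map_has_root_admin "$map"; then
        echo "username map: $map does not map Administrator to root"; n=$((n+1))
    fi
    return "$n"
}

# Constructed sample files (not taken from the thread's server).
demo=$(mktemp -d)
printf '!root = SAMDOM\\Administrator\n' > "$demo/user.map"
printf '[global]\n  Dedicated Keytab File = /etc/krb5.keytab\n  kerberos method = secrets and keytab\n  username map = %s\n' "$demo/user.map" > "$demo/good.conf"
printf '[global]\n  realm = SAMDOM.EXAMPLE.COM\n' > "$demo/bad.conf"
audit_member "$demo/good.conf" && echo "good.conf: OK"
audit_member "$demo/bad.conf" || echo "bad.conf: $? problem(s)"
```

On a real member server, point `audit_member` at the smb.conf path that `smbd -b` reports as CONFIGFILE.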