Web lists-archives.com

Re: [Samba] administrator does not have permission




On Mon, 20 Nov 2017 12:18:14 -0600
Robert Wooden via samba <samba@xxxxxxxxxxxxxxx> wrote:

> While attempting to check 'profiles' user permissions on my member
> server I discovered that (for some reason) I did not have a krb5.conf
> file (on member.) Resolved that issue. Then find that the keytab file
> is missing. Fixed that.

You usually get a krb5.conf created when you install the kerberos
client packages, it is usually more that what you need though.
You only get the /etc/krb5.keytab created at join if you have these two
lines in smb.conf:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

> 
> I wanted to check profile user permissions and have discovered that
> the administrator does not have permission to "view or edit this
> object's permission settings." WHAT?? Is there a linux way to correct
> this issue?

Have you mapped Administrator to the Unix user 'root' in a user.map ?

> 
> Further digging and I find that the administrator (the
> DOMAIN\administrator) does have rights to see permissions of anything
> on the member server.
> 
> I am puzzled . . . how could missing krb5.conf and keytab files allow
> access when missing. Clearly replacing the missing files and kerberos
> is blocking something.

Ah, but Samba uses a keytab in memory and whilst I have always created
the krb5.conf myself, it is possible that Samba can use the Realm found
in smb.conf if there is no /etc/krb5.conf.

> 
> So, the question is is there a way to correct this on the linux side?
> 
> I am at a loose as how to proceed?

Please check if you have a user.map and report back.

Rowland
 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba