Web lists-archives.com

[Samba] Cannot get DOMAIN\administrator mapped to root on domain member

On a domain member, I cannot get DOMAIN\administrator to login mapped to root. On my Samba AD DC, this does work and when I login there, I get a # prompt.

Here is my smb.conf on the domain member

       security = ADS
       workgroup = SUBDOMAIN

       log file = /usr/local/samba/var/%m.log
       log level = 3

       bind interfaces only = yes
       interfaces = lo ens3

       idmap config * : backend = tdb
       idmap config * : range = 3000-7999

       idmap config SUBDOMAIN:backend = ad
       idmap config SUBDOMAIN:schema_mode = rfc2307
       idmap config SUBDOMAIN:range = 10000-999999

       idmap config SUBDOMAIN : unix_nss_info = no

       template shell = /bin/bash
       template homedir = /home/%U

       username map = /usr/local/samba/etc/user.map

And the user.map file

!root = SUBDOMAIN\Administrator SUBDOMAIN\administrator Administrator administrator

My /usr/share/pam-configs/winbind file is

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
        [success=end default=ignore]    pam_winbind.so use_first_pass
        [success=end default=ignore]    pam_winbind.so cached_login
Account-Type: Primary
        [success=end user_unknown=ignore default=bad] pam_winbind.so
Password-Type: Primary
        [success=end default=ignore]    pam_winbind.so use_authtok
        [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
        optional                        pam_winbind.so

And I've got the PAM & winbind links to libraries

On my Windows desktop ADUC, I have tried blanking <not set> the uidNumber & guidNumber in the "Attribute Editor" tab. I've also tried with just the gidNumber defined and uidNumber blank. Nothing works. I am testing on the console of a Linux Mint desktop. I get a quick flash of an "authentication denied" (I think) and back to login prompt

If I do have uidNumber & gidNumber defined, I can get Administrator to login but it just uses those numbers and I don't get a # prompt.

I'm lost on where to go next. Help?

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba