Web lists-archives.com

[Samba] smb.conf username map entry does not work




Hi folks,

I have got the following setup:

OS: CentOS 7.5 1804 in a HP DL120 server

Samba AD member server with standard Samba 4.7.1 from the CentOS 7.5 distribution.

I have got a problem that the "username map" entry in smb.conf does not seem to have any effect at all. In the mapping file there is a mapping from Administrator to root. But when I run id Administrator I do not get the mapping to root. The result of the id command looks like:

uid=10500(administrator) gid=10513(domain_users) groups=10513(domain_users), 10500(administrator), 10512(domain_admins), 10572(denied_rodc_password_replication_group), 10518(schema_admins),10519(enterprise_admins), 10520(group_policy_creator_owners), 3001(BUILTIN\users),3000(BUILTIN\administrators)

and getent passwd Administrator gives:

administrator:*:10500:10513::/dev/null:/sbin/nologin

This in turn give problems when setting up a share with the RSAT tools. It is not possible to use the administrator account, as it seems to behave like any user account, and not an Administrator account. Also, for example setting permissions on a file, and using Administrator, sets permission to the user Administrator, and not root.

I wiped all files under /var/lib/samba and /run/samba, and rejoined the server, but it did not change things at all. I also tried to set the uidNumber=0 in the ADUC tool, but that did not help either.

I would be very grateful for any ideas.

Best regards,

Peter


smb.conf
======

[global]
   workgroup = SAMDOM
   realm = SAMDOM.LOCAL
   security = ads
   netbios name = KONSRV
   server string = Samdom server %h

   username map = /etc/samba/user.map

   template homedir = /dev/null
   template shell = /sbin/nologin
   winbind use default domain = true
   winbind offline logon = true
   winbind normalize names = Yes

   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:range = 10000-99999

   local master = no
   domain master = no
   preferred master = no
   os level = 20
   map to guest = bad user
   host msdfs = no

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes
   client signing = mandatory

   winbind enum users = yes
   winbind enum groups = yes
   winbind expand groups = 4

   printing = bsd
   printcap name = /dev/null
   load printers = no
   disable spoolss = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   inherit acls = yes
   acl group control = yes

   hide unreadable = yes
   veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/


user.map
======

!root = administrator Administrator SAMDOM\Administrator SAMDOM\\Administrator SAMDOM\administrator SAMDOM\\administrator


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba