Web lists-archives.com

[Samba] Domain Administrator and shares problems




Hi folks,

Hardware/OS
===========

- Samba AD DC ver. 4.9.1 (compiled using standard CentOS tools and libraries) functions only as AD server (authentication, AD services), migrated from old Samba NT PDC through classicupgrade, OS CentOS 7.5, kernel 4.9.40 (elrepo-lt), VM under Xen 4.9.0

- Samba AD member server ver. 4.7.1 (from distribution) with different shares for different user groups,  OS CentOS 7.5, kernel 3.10.0 (latest CentOS 7 kernel), winbind works, authentication to the AD DC works, SeDiskOperatorPrivilege is set for the Domain Admins group, a username map entry exists in smb.conf, and pointing to the correct map file, testparm does not complain about anything, the member server is successfully joined to the domain.

- Windows PCs of different origin with Windows 10 Professional (1803), connect to the shares on the Samba member server above. One of the PCs has got the RSAT tool installed for management of the domain AD. The Computer Management snap-in is also used for managing the shares on the Samba member server above.

The smb.conf for the AD DC and the member server are last in this post.


Problem
=======
Setting up and managing the shares on the Samba member server differs significantly from the Samba Wiki documentation. It seems that the domain Administrator account, and the Domain Admins group haven't got any elevated privileges whatsoever. On the contrary, it seems the privileges are even lower than for the Anyone group. This resulted in a very quirky and non standard way of share setup and management.

The different steps I have gone through are described below.

I follow the step-by-step description in the Wiki (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)

- The folder for the share is created
- The Linux ownership and permissions of the folder are set (root:"Domain Admins" and 0770)
- The share is defined in smb.conf on the member server
- Restarting the daemons (nmbd winbindd smbd)
- Logging in as domain Administrator on a Windows PC
- Opening up Computer Management in Windows
- Connecting to the samba member server
- Clicking on Shared folders, a long error message about DCOM is displayed, but the shares on the member server is displayed anyway. - Selecting the share, right click and selecting Properties, and Share Permissions tab - Setting Domain Users having Read & Change permissions, and Domain Admins Full Control, removing Everyone from the list - Switching to the Security tab, which is blank, which effectively means that anything that deals with security is not available to the accounts Domain Users and Domain Admins. Which in turn implies that none of those groups can do anything with the share (i.e. lacking administrative permissions).
- It could stop here. But...

- Going back to the Share Permissions tab and adding Everyone with full share permissions - Once again going to the Security tab, which now displays all the default permissions. One of the users in the list is for example Unix root - Now it is possible to add different security objects and set permissions. But adding the domain Administrator to the security objects list is almost a guarantee to get into trouble, no matter what permissions the Administrator is given.

I succeeded to setup working shares on the Samba member server this way, but it feels wrong, and it's definitely not the standard way to do things.

Besides, on the Samba member server also, the domain Administrator account behaves like a normal user account, not like the root account, like this on the folder grulf:

(using root)  drwxrwx---   2 root domain admins 4096 Oct  8 18:19 grulf

(using adminstrator) drwxrwx---   2 administrator domain admins 4096 Oct  8 18:19 grulf

AFAIK, the Administrator account, or Domain Admins group do not seem to have any special privileges on the Samba member server:
#getent group "Domain Admins"
domain admins:x:10512:administrator,miles
#getent passwd Administrator
administrator:*:10500:10513::/home/administrator:/sbin/nologin

which at least shows that assigning homeDirectory in the ADUC tool works...

the implication here is, that neither the "Domain Admins" group, nor the Administrator user have got any special privileges in the Samba box. And that's the case under Windows also.


Solutions?
========
I have tried different ideas ad nauseam and is quite stuck at present. It does work, sort of, but I am not really happy about it, as the steps differ significantly from standard behavior. I would be really grateful for any ideas what is wrong here, and what steps are possible to correct it.

Best regards,

Peter


smb.conf AD DC
=============
[global]
        netbios name = KONADC
        realm = SAMDOM.LOCAL
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        username map = /etc/samba/user.map
        dns forwarder = 192.168.0.221

[netlogon]
        path = /var/lib/samba/sysvol/samdom.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


smb.conf member server (with example share)
====================
[global]
   workgroup = SAMDOM
   realm = SAMDOM.LOCAL
   security = ads
   netbios name = KONSRV
   server string = Samdom member server %h

   username map = /etc/samba/user.map

#   template homedir = /dev/null
   template homedir = /home/%U
   template shell = /sbin/nologin
#   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
#   winbind normalize names = Yes

   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:range = 10000-99999

   local master = no
   domain master = no
   preferred master = no
   os level = 20
   map to guest = bad user
   host msdfs = no


   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes
   client signing = mandatory

   winbind enum users = yes
   winbind enum groups = yes
   winbind expand groups = 4

   printing = bsd
   printcap name = /dev/null
   load printers = no
   disable spoolss = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   inherit acls = yes
   acl group control = yes

   hide unreadable = yes
   veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
   unix extensions = yes
   reset on zero vc = yes

[Profiles$]
        readonly = no
        path = /data/samba/profiles

[Users$]
        readonly = no
        path = /home

[Docs]
        readonly = no
        path = /data/samba/common_docs


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba