Discussion:
[Samba] Samba4: Setting up share/security permissions for shares on member server
?icro MEGAS
2014-10-21 17:50:04 UTC
Hello,

I am running Samba 4.1.12/Sernet on Debian Wheezy 64bit and I am about to set up my member server. The DC was provisioned with rfc2307 and extended attributes. I have assigned to the domain group called "Domain Users" the GID=10000. My member server was prepared with ACL+user_xattr and winbind support. My /etc/nsswitch.conf is using "winbind" for passwd+group, and "getent passwd" on the member server is returning the AD user accounts, which I assigned a UID to with the ADUC tool at tab UNIX Attribute. I was told *NEVER EVER* to assign a UID through the "UNIX Attribute" tab in ADUC tool for the "Administrator" user. Here begins the problem:

When the user "Administrator" doesn't have a UID assigned as UNIX Attribute, he will never be listed in "getent passwd" on my member server and thus will never be usable as a user on the member server. Here I am stuck: I wanted to configure the [home] and [profiles] share on my member server according to the wiki (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). The wiki says I should grant "SeDiskOperatorPrivilege" to the "Domain Admins" group. I did execute that on the DC and also ensured on the DC with the command "net rpc rights list accounts -Uadministrator" that it was applied successfully. On the member server I created with "mkdir -p /srv/samba4_data/home" the path for the [home] share.

Then I log in to a Windows XP machine that is joined to my Samba4/AD domain with a user that is a member of the domain group "Domain Admins". I do it exactly as described in (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). Through "Computer Management" I connect to my member server and I see the [home] share. I can change and apply the settings as described on the Wiki. But as soon as I click the tab, everything is greyed out, I cannot change anything there. In my understanding that is what I would expect, because there are no rights for "MYDOM\johndoe" on the path "membersrv1:/srv/samba4_data/home".

[***@membersrv1:/srv/samba4_data$ ls -ld home
drwxr-xr-x 2 root root 4096 Oct 21 19:11 home

[***@membersrv1:/srv/samba4_data$ getfacl home
# file: home
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

How should I be able to edit the security settings as explained on the wiki? What did I miss here? Any help appreciated.

Mirco
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2014-10-21 18:00:03 UTC
Post by ?icro MEGAS
Hello,
When the user "Administrator" doesn't have a UID assigned as UNIX Attribute, he will never be listed in "getent passwd" on my member server and thus will never be usable as a user on the member server. Here I am stuck: I wanted to configure the [home] and [profiles] share on my member server according to the wiki (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). The wiki says I should grant "SeDiskOperatorPrivilege" to the "Domain Admins" group. I did execute that on the DC and also ensured on the DC with the command "net rpc rights list accounts -Uadministrator" that it was applied successfully. On the member server I created with "mkdir -p /srv/samba4_data/home" the path for the [home] share.
Then I log in to a Windows XP machine that is joined to my Samba4/AD domain with a user that is a member of the domain group "Domain Admins". I do it exactly as described in (https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Setup_share_permissions). Through "Computer Management" I connect to my member server and I see the [home] share. I can change and apply the settings as described on the Wiki. But as soon as I click the tab, everything is greyed out, I cannot change anything there. In my understanding that is what I would expect, because there are no rights for "MYDOM\johndoe" on the path "membersrv1:/srv/samba4_data/home".
drwxr-xr-x 2 root root 4096 Oct 21 19:11 home
# file: home
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
How should I be able to edit the security settings as explained on the wiki? What did I miss here? Any help appreciated.
Mirco
OK, edit smb.conf on the member server, add this line:

username map = /etc/samba/smbmap

Now create the smbmap file:

nano /etc/samba/smbmap

!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator


Change 'EXAMPLE' for your workgroup name

This will map the windows Administrator to the Unix root user (which is
what you want/need)

Restart samba daemons and you should now find that everything will work
better ;-)

Rowland
?icro MEGAS
2014-10-21 18:10:01 UTC
Post by Rowland Penny
username map = /etc/samba/smbmap
nano /etc/samba/smbmap
!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator
Change 'EXAMPLE' for your workgroup name
This will map the windows Administrator to the Unix root user (which is
what you want/need)
Restart samba daemons and you should now find that everything will work
better ;-)
Rowland
Hi Rowland and thanks for your feedback. That works now only if I am logged in at the Windows machine with MYDOM\Administrator account. Thanks so far. Is there any way, so that is possible for "MYDOM\Domain Admins", too? Because I don't think we (=the domain admins) want to log out of our windows machines and relogin using the default MYDOM\Administrator account when we need to modify/apply security settings on shares.

And why isn't that documented on the wiki? *confused_looking*

Mirco
Rowland Penny
2014-10-21 18:30:02 UTC
Post by ?icro MEGAS
Post by Rowland Penny
username map = /etc/samba/smbmap
nano /etc/samba/smbmap
!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator
Change 'EXAMPLE' for your workgroup name
This will map the windows Administrator to the Unix root user (which is
what you want/need)
Restart samba daemons and you should now find that everything will work
better ;-)
Rowland
Hi Rowland and thanks for your feedback. That works now only if I am logged in at the Windows machine with MYDOM\Administrator account. Thanks so far. Is there any way, so that is possible for "MYDOM\Domain Admins", too? Because I don't think we (=the domain admins) want to log out of our windows machines and relogin using the default MYDOM\Administrator account when we need to modify/apply security settings on shares.
And why isn't that documented on the wiki? *confused_looking*
Mirco
have a look here:

https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

and here:

https://wiki.samba.org/index.php/Delegating_Administration_Permissions

Rowland
?icro MEGAS
2014-10-21 18:50:01 UTC
have a look here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
and here: https://wiki.samba.org/index.php/Delegating_Administration_Permissions
Rowland
The first link is known to me, there is no information about "username map" as you explained to me. The second link describes how to assign some "special privileges" to non-DomainAdmin groups, that's nice. But unfortunately I didn't understand how to achieve my goal with that. I don't want to create an extra group "supporters" or similar, I just want to allow all members of 'MYDOM\Domain Admins' to change security settings. The example you gave me before works for one user. I did read the "man smb.conf" for that directive "username map" and I tried various variations for the "smbmap" file:

(1)
!root = '@MYDOM\Domain Admins' '@MYDOM\domain admins' '@Domain Admins' '@domain admins' '@domain admins'

(2)
!root = @'MYDOM\Domain Admins' @'MYDOM\domain admins' @'Domain Admins' @'domain admins' @'domain admins'

(3)
!root = @MYDOM\Domain\040Admins @MYDOM\domain\040admins @Domain\040Admins @domain\040admins @domain\040admins

Unfortunately it didn't work. But following works of course:
(4)
!root = MYDOM\Administrator MYDOM\johndoe MYDOM\foobar MYDOM\admin3 MYDOM\admin4 administrator

Example (4) is doing fine as I realized, but let's say we have 50 admins, it's not comfortable to put each name in here. So I would prefer the more elegant way and define a group name which should be the group "MYDOM\Domain Admins".

Here's the output of...
[***@membersrv1:~$ getent group 'domain admins'
domain admins:x:11000:johndoe,foobar,admin3,admin4,admin5,admin6,...,admin50

Mirco
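To make the "username map" discussion above concrete (Rowland's smbmap file and the four variants Mirco tried), here is an added example that models the map file format as man smb.conf describes it: "unixname = name name ..." lines, "#" and ";" comments, a leading "!" that stops processing once that line has mapped the name, a "*" wildcard, and "@group" tokens that match members of a Unix group. This is illustrative code written for this page, not Samba's own parser. MYDOM, the group name domadm and the membership table are constructed placeholders, and the group lookup is a stand-in for what winbind/NSS would answer. One assumption is flagged in the code: the right-hand side is split on whitespace, so a group name containing a space cannot be written as a single token. That is consistent with attempts (1) to (3) not matching, but the thread does not settle how Samba itself tokenizes such a name.

```python
"""Model of a Samba 'username map' file, following the man smb.conf description.

Added example for this thread; not Samba's code. Whitespace tokenizing of the
right-hand side is this model's assumption, not something the thread confirms.
"""
from dataclasses import dataclass
from typing import Callable, List, Set


@dataclass
class MapRule:
    unix_name: str          # name left of '='
    dos_names: List[str]    # tokens right of '=': plain names, '@group' or '*'
    stop_if_matched: bool   # line started with '!'


# Constructed sample map modelled on the one posted above.
# MYDOM and the group domadm are placeholders, not names from the thread.
SAMPLE_MAP = r"""
# lines starting with '#' or ';' are ignored, as are blank lines
; first rule: the Administrator -> root mapping from the thread
!root = MYDOM\Administrator MYDOM\administrator Administrator administrator
!root = @MYDOM\domadm
nobody = guest pcguest smbguest
"""

# Constructed stand-in for 'getent group' answered by winbind/NSS.
SAMPLE_GROUPS = {
    r"MYDOM\domadm": {r"MYDOM\johndoe", r"MYDOM\foobar"},
}


def sample_group_lookup(group: str) -> Set[str]:
    """Members of a Unix group; empty set when the group does not resolve."""
    return SAMPLE_GROUPS.get(group, set())


def parse_username_map(text: str) -> List[MapRule]:
    """Parse map file text into rules, in file order."""
    rules: List[MapRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        unix_name = unix_name.strip()
        # Assumption: tokens are whitespace separated, so "Domain Admins"
        # becomes two tokens here rather than one group name.
        dos_names = rhs.split()
        if not sep or not unix_name or not dos_names:
            raise ValueError(f"line {lineno}: expected 'unixname = name [name ...]'")
        rules.append(MapRule(unix_name, dos_names, stop))
    return rules


def _token_matches(token: str, name: str,
                   group_lookup: Callable[[str], Set[str]]) -> bool:
    if token == "*":
        return True
    if token.startswith("@"):
        members = {m.lower() for m in group_lookup(token[1:])}
        return name.lower() in members
    return token.lower() == name.lower()   # name comparison is case-insensitive


def map_username(rules: List[MapRule], dos_name: str,
                 group_lookup: Callable[[str], Set[str]]) -> str:
    """Apply the rules to an incoming (Windows) name; unmatched names pass through."""
    name = dos_name
    for rule in rules:
        if any(_token_matches(t, name, group_lookup) for t in rule.dos_names):
            name = rule.unix_name      # later lines see the already-mapped name
            if rule.stop_if_matched:
                break
    return name


if __name__ == "__main__":
    rules = parse_username_map(SAMPLE_MAP)
    for who in (r"MYDOM\Administrator", r"MYDOM\johndoe", "pcguest", r"MYDOM\alice"):
        print(f"{who} -> {map_username(rules, who, sample_group_lookup)}")
```

Run stand-alone it prints the mapping for four constructed names: the Administrator spellings and the domadm members land on root, pcguest lands on nobody, and an unmatched name is passed through unchanged. Feeding it a line such as "!root = @MYDOM\Domain Admins" shows the tokenizing edge case: the group token ends at the space.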
steve
2014-10-21 19:20:02 UTC
Post by ?icro MEGAS
Post by ?icro MEGAS
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
https://wiki.samba.org/index.php/Delegating_Administration_Permissions
Rowland
The first link is known to me, there is no information about "username
map" as you explained to me. The second link describes how to assign
some "special privileges" to non-DomainAdmin groups, thats nice. But
unfortunately I didn't understand how to achieve my goal with that. I
don't want to create an extra group "supporters" or similar, I just
want to allow all members of 'MYDOM\Domain Admins' to change security
settings. The example you gave me before works for one user. I did
read the "man smb.conf" for that directive "username map" and I tried
(1)
(2)
@'domain admins'
(3)
@Domain\040Admins @domain\040admins
@domain\040admins
(4)
!root = MYDOM\Administrator MYDOM\johndoe MYDOM\foobar MYDOM\admin3 MYDOM\admin4 administrator
Example (4) is doing fine as I realized, but let's say we have 50
admins, it's not comfortable to put each name in here. So I would
prefer the more elegant way and define a group name which should be
the group "MYDOM\Domain Admins".
Here's the output of...
domain admins:x:11000:johndoe,foobar,admin3,admin4,admin5,admin6,...,admin50
Mirco
net rpc rights grant EXAMPLE\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
Rowland
He's still then faced with how to map the group members to root. As just
shown, it's a username map, not a groupname map.

On a different note: Having 50 people who could destroy the domain with
the click of a mouse? Dunno, have only one and delegate?
Rowland Penny
2014-10-21 19:20:03 UTC
Post by ?icro MEGAS
have a look here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
and here: https://wiki.samba.org/index.php/Delegating_Administration_Permissions
Rowland
(1)
(2)
@'domain admins'
(3)
@domain\040admins
(4)
!root = MYDOM\Administrator MYDOM\johndoe MYDOM\foobar MYDOM\admin3 MYDOM\admin4 administrator
Example (4) is doing fine as I realized, but let's say we have 50 admins, it's not comfortable to put each name in here. So I would prefer the more elegant way and define a group name which should be the group "MYDOM\Domain Admins".
Here's the output of...
domain admins:x:11000:johndoe,foobar,admin3,admin4,admin5,admin6,...,admin50
Mirco
OK, run this on the Samba4 DC:

net rpc rights grant EXAMPLE\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

Rowland
?icro MEGAS
2014-10-21 19:30:02 UTC
net rpc rights grant EXAMPLE\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
Hi Rowland,

read my initial posting. I already did that on my DC and checked that it was applied. I don't think that's the problem. As Steve said, that would still need to allow the desired group "MYDOM\Domain Admins" for achieving my goal.

@Steve: but when you read "man smb.conf" for that directive "username map" it should be possible to map group names on the right side of the = sign

Any further help appreciated. Thanks,
Mirco.
steve
2014-10-21 19:40:02 UTC
Post by ?icro MEGAS
@Steve: but when you read "man smb.conf" for that directive "username map" it should be possible to map group names
But as you've found, it doesn't. It only works for users. That last
statement should get a bit of attention and so solve your issue;)
Cheers,
Steve
?icro MEGAS
2014-10-21 19:50:03 UTC
He's still then faced with how to map the group members to root. As just shown, it's a username map, not a groupname map.
Well, as a samba-dev suggested to me *NOT* to use the "username map" directive in smb.conf (as this is something like a dirty hack) I decided to solve it like this:

1.) In ADUC tool, I opened the security group called "Domain Admins" and in tab [UNIX Attribute] I applied the gid=11000 to it. This results in allowing winbind of my member server to have that group displayed correctly.

2.) I then do a "chmod 0775 /srv/samba4_data/myshare" and "chgrp 'Domain Admins' /srv/samba4_data/myshare" which as result will give full access to the members of the group "MYDOM\Domain Admins".

Cheers,
Mirco
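The two steps Mirco ends up with (give the AD group a gidNumber so winbind resolves it, then hand the share root to that group with chgrp/chmod) are the kind of thing worth scripting with a check in front and a verification behind. The script below is an added example written for this page, not code from the thread or from the Samba project. It first confirms the group resolves through getent (the symptom when it does not is exactly what the thread started with: a group without a gidNumber is invisible to the member server), then sets group ownership and mode. It deliberately departs from the post's 0775: mode 2770 gives "other" nothing and sets the setgid bit so files created under the share inherit the group, which is a choice made here, not something the thread states. The directory path and group name are arguments; the stat -c format assumes GNU coreutils.

```shell
#!/bin/sh
# Added example for this thread (not Samba project code): give one Unix group,
# resolved via winbind/NSS, control of a share root and verify the result.
# Assumes GNU stat (-c). The group must already resolve with 'getent group'.

# A group with no gidNumber in its UNIX Attributes never shows up here, and
# chgrp would then fail with an unhelpful error; check it explicitly first.
share_group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# Root keeps ownership; the group gets rwx; "other" gets nothing.
# 2770 rather than the post's 0775: no world access, plus setgid so new
# files and subdirectories inherit the share group (this script's choice).
apply_share_group() {
    dir=$1
    group=$2
    if ! share_group_resolves "$group"; then
        echo "group '$group' does not resolve via getent; check its gidNumber" >&2
        return 1
    fi
    chgrp -- "$group" "$dir" || return 1
    chmod 2770 -- "$dir" || return 1
}

# "<group> <octal mode>" for a directory, so the state can be checked.
share_group_state() {
    stat -c '%G %a' -- "$1"
}

# True when the directory is owned by the expected group with mode 2770.
verify_share_group() {
    [ "$(share_group_state "$1")" = "$2 2770" ]
}

# Usage: sh share_group.sh /srv/samba4_data/myshare 'domain admins'
if [ "$#" -eq 2 ]; then
    apply_share_group "$1" "$2" && verify_share_group "$1" "$2" \
        && echo "ok: $1 -> $(share_group_state "$1")"
fi
```

Running it as root on the member server against the share root is the equivalent of the chgrp/chmod pair in the post, with the resolve check and the final verification added; after that, getfacl on the directory should show the group entry as rwx and other as ---.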
steve
2014-10-21 20:00:04 UTC
Post by ?icro MEGAS
a samba-dev suggested me *NOT* to use "username map"
rofl. Then you must *NOT* use it.
Rowland Penny
2014-10-21 20:40:02 UTC
Post by steve
Post by ?icro MEGAS
a samba-dev suggested me *NOT* to use "username map"
rofl. Then you must *NOT* use it.
I would love to know who that dev was, 'username map' is a valid entry,
you can even map every member of Domain Users to the root user!

Rowland
steve
2014-10-22 06:20:01 UTC
Post by Rowland Penny
Post by steve
Post by ?icro MEGAS
a samba-dev suggested me *NOT* to use "username map"
rofl. Then you must *NOT* use it.
I would love to know who that dev was, 'username map' is a valid entry,
you can even map every member of Domain Users to the root user!
Rowland
Rowland please. GOD has spoken. Repeat: You must *NOT* use "username
map". Have you got that now?!
Thanks for cheering up our day,
Steve
L.P.H. van Belle
2014-10-22 07:30:01 UTC
LOL.

Volker wrote... so why not use username map?
So 2 samba devs are saying different things.. :-/
There is also the "username map" parameter, using which you
can for example say
username map = /etc/samba/usermap
and then open a file named /etc/samba/username with a single
line containing
root = *
That looks like just the ticket. But I still need to know
which of the
1) I can rely on Unix authentication and not even bother
with SMB passwords,
if I don't mind telling the clients the local root password.
2) I can use smbpasswd to assign a different client
password, so I can keep
the local root password secret from the clients.
3) I must use smbpasswd and assign the same password as the
local root
password.
2) is correct.
-----Original message-----
On behalf of steve
Sent: Wednesday 22 October 2014 8:13
Subject: Re: [Samba] Samba4: Setting up share/security permissions
Post by ?icro MEGAS
a samba-dev suggested me *NOT* to use "username map"
rofl. Then you must *NOT* use it.
I would love to know who that dev was, 'username map' is a
valid entry,
you can even map every member of Domain Users to the root user!
Rowland
Rowland please. GOD has spoken. Repeat: You must *NOT* use "username
map". Have you got that now?!
Thanks for cheering up our day,
Steve
?icro MEGAS
2014-10-22 08:00:02 UTC
Post by Peter Serbe
You might be better off administering the domain from a Win7 Box. IIRC there
is an issue with the XP version of ADUC. I can't administer my own domain from
XP, but it works from the Win7 box...
And (at least here) it only works when I log in Win7 as domain admin. Maybe You
give it a try.
Best regards
Peter
Hello Peter,

I really appreciate your feedback and the attempt to help me. But that definitely is not the problem ;) As I already explained, you will recognize that this is a "permission" thing, and I explained how I solved it. So there's no more intervention needed, I'm happy at the moment. But thanks for the feedback.

Cheers,
Mirco
Post by Peter Serbe
PS: You should stop using XP...
PS2: Don't start using Win7 32 bit. It eats up these max. 3 GB RAM like it was nothing. :-(
:-)
Peter Serbe
2014-10-21 23:20:02 UTC
Post by ?icro MEGAS
Then I log in to a Windows XP machine that is joined to my Samba4/AD domain with
a user that is a member of the domain group "Domain Admins". I do it exactly as
described in
You might be better off administering the domain from a Win7 Box. IIRC there
is an issue with the XP version of ADUC. I can't administer my own domain from
XP, but it works from the Win7 box...

And (at least here) it only works when I log in Win7 as domain admin. Maybe You
give it a try.

Best regards
Peter

PS: You should stop using XP...
PS2: Don't start using Win7 32 bit. It eats up these max. 3 GB RAM like it was nothing. :-(