MMC issue

MMC issue

Samba - General mailing list
Hi
I have a strange problem with Shared Folders in MMC. When I try to connect
to a Linux machine and list Open Files or Sessions, I get the message "You do
not have permission to view the list of sessions from Windows clients".
The problem exists only if I try to connect to Linux machines (Windows
Server is OK), and only for the Administrator account. From other accounts
with Administrator privileges there is no problem at all.

In the logs there is:
../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1274(_srvsvc_NetFileEnum)
  Enumerating files only allowed for administrators

Any advice?

Thanks
Mariusz



--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: MMC issue

Samba - General mailing list
On Tue, 5 Dec 2017 10:37:02 -0700 (MST)
Mariusz80 via samba <[hidden email]> wrote:

> Hi
> I have a strange problem with Shared Folders in MMC. When I try to
> connect to a Linux machine and list Open Files or Sessions, I get the
> message "You do not have permission to view the list of sessions from
> Windows clients". The problem exists only if I try to connect to
> Linux machines (Windows Server is OK), and only for the Administrator
> account. From other accounts with Administrator privileges there is
> no problem at all.
>
> In the logs there is:
> ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1274(_srvsvc_NetFileEnum)
>   Enumerating files only allowed for administrators
>
> Any advice?
>
> Thanks
> Mariusz

How is Samba set up on the Linux machine ?

Rowland


Re: MMC issue

Samba - General mailing list
Samba - General mailing list wrote
> How is Samba set up on the Linux machine ?
>
> Rowland

I did it according to:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
My smb.conf:
[global]
        security = ADS
        workgroup = some
        realm = some.domain.pl

        allow trusted domains = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes

        log file = /var/log/samba/%m.log
        log level = 1

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config some : backend = rid
        idmap config some: range = 10000-999999

        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U
        username map = /etc/samba/user.map

        winbind enum users = yes
        winbind enum groups = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

Mariusz

Re: MMC issue

Samba - General mailing list
On Tue, 5 Dec 2017 11:11:33 -0700 (MST)
Mariusz80 via samba <[hidden email]> wrote:

> I did it according to:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> My smb.conf:
> [global]
>        security = ADS
>        workgroup = some
>        realm = some.domain.pl
>
>        allow trusted domains = Yes
>        winbind use default domain = Yes
>        winbind nss info = rfc2307
>        winbind refresh tickets = Yes
>
>        log file = /var/log/samba/%m.log
>        log level = 1
>
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-7999
>
>        idmap config some : backend = rid
>        idmap config some: range = 10000-999999
>
>        winbind nss info = template
>        template shell = /bin/bash
>        template homedir = /home/%U
>        username map = /etc/samba/user.map
>
>        winbind enum users = yes
>        winbind enum groups = yes
>
>        vfs objects = acl_xattr
>        map acl inherit = yes
>        store dos attributes = yes
>

Does 'getent passwd Administrator' give any output ?

If it does, try adding this line to smb.conf:

username map = /etc/samba/user.map

Create the user.map:

nano /etc/samba/user.map

it should contain only:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

That is all on one line, replace 'SAMDOM' with your workgroup name and,
if required, change the '/etc/samba' path to the path to your smb.conf.

Rowland
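
The map file described above, checked mechanically, as an added example that is not part of the original post: the script audits a 'username map' file for the client names that resolve to root and flags any line without an '=', which is what the entry looks like when it is wrapped onto a second line. The file names and sample contents are constructed; matching is exact and quoted names containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Samba "username map" file.
# Simplifications of this example: names are matched exactly, and quoted
# names containing spaces are not handled.

# Print every client name mapped to the Unix account root, one per line.
root_aliases() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comment or blank line
        index($0, "=") == 0         { next }   # no "=": not a mapping entry
        {
            line = $0
            sub(/^[ \t]*!?[ \t]*/, "", line)   # drop the leading stop marker "!"
            eq = index(line, "=")
            unix = substr(line, 1, eq - 1)
            gsub(/[ \t]/, "", unix)
            if (unix != "root") next
            n = split(substr(line, eq + 1), names, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (names[i] != "") print names[i]
        }' "$1"
}

# Succeed if client name $2 is mapped to root in map file $1.
maps_to_root() {
    root_aliases "$1" | grep -Fxq -- "$2"
}

# Print "lineno: text" for non-comment lines that carry no "=".
# A wrapped entry leaves its tail on such a line, so those names map nowhere.
orphan_lines() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        index($0, "=") == 0 { print NR ": " $0 }' "$1"
}

# Print root aliases that match more than one account: "*" or "@group".
broad_root_aliases() {
    root_aliases "$1" | grep -E '^(\*|@)' || true
}

MAPDIR=$(mktemp -d)
trap 'rm -rf "$MAPDIR"' EXIT

# Constructed sample: the entry from the thread, all on one line.
cat > "$MAPDIR/good.map" <<'EOF'
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
EOF

# Constructed sample: the same entry wrapped onto two lines.
cat > "$MAPDIR/wrapped.map" <<'EOF'
!root = SAMDOM\Administrator SAMDOM\administrator Administrator
administrator
EOF

# Constructed sample: a wildcard that would map every client name to root.
cat > "$MAPDIR/broad.map" <<'EOF'
!root = SAMDOM\Administrator
root = *
EOF

# printf is used instead of echo so the backslash in DOMAIN\name stays literal.
for f in good wrapped broad; do
    printf '== %s.map\n' "$f"
    printf 'maps to root:      %s\n' "$(root_aliases "$MAPDIR/$f.map" | tr '\n' ' ')"
    printf 'lines without "=": %s\n' "$(orphan_lines "$MAPDIR/$f.map")"
    printf 'wildcard or group: %s\n' "$(broad_root_aliases "$MAPDIR/$f.map" | tr '\n' ' ')"
done
```

Every name this reports is an account that smbd will treat as root on the member server, so the list is worth reviewing whenever the map file changes.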


Re: MMC issue

Samba - General mailing list
Samba - General mailing list wrote
> Does 'getent passwd Administrator' give any output ?
>
> If it does, try adding this line to smb.conf:
>
> username map = /etc/samba/user.map
>
> Create the user.map:
>
> nano /etc/samba/user.map
>
> it should contain only:
>
> !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
>
> That is all on one line, replace 'SAMDOM' with your workgroup name and,
> if required, change the '/etc/samba' path to the path to your smb.conf.
>
> Rowland

getent passwd Administrator
administrator:*:10500:10513::/home/administrator:/bin/bash

smb.conf already contains user.map

Mariusz

Re: MMC issue

Samba - General mailing list
On Tue, 5 Dec 2017 12:00:55 -0700 (MST)
Mariusz80 via samba <[hidden email]> wrote:

> getent passwd Administrator
> administrator:*:10500:10513::/home/administrator:/bin/bash
>
> smb.conf already contains user.map
>

The fact that 'Administrator' has an ID that isn't '0' means that, to
Linux, Administrator is just another user and can only do what any
normal user can do.

You could try running 'net cache flush'

Rowland


Re: MMC issue

Samba - General mailing list
Samba - General mailing list wrote
> The fact that 'Administrator' has an ID that isn't '0' means that, to
> Linux, Administrator is just another user and can only do what any
> normal user can do.

In fact on my dc Administrator has an id=0 and mmc is working correctly.
How can I solve that ?


> You could try running 'net cache flush'

net cache flush doesn't give any output and nothing changes.



Mariusz

Re: MMC issue

Samba - General mailing list
On Tue, 5 Dec 2017 12:27:24 -0700 (MST)
Mariusz80 via samba <[hidden email]> wrote:

> In fact on my dc Administrator has an id=0 and mmc is working
> correctly. How can I solve that ?

This is because on a DC, the mapping is done in idmap.ldb, so you don't
need the user.map on a DC
>
>
> > You could try running 'net cache flush'
>
> net cache flush doesn't give any output and nothing changes.

If 'doesn't give any output' means that 'getent passwd Administrator'
doesn't show what it did before, then try again from windows, it should
now work.

If you are still getting output from 'getent passwd Administrator',
please post your smb.conf

Rowland


Re: MMC issue

Samba - General mailing list
Samba - General mailing list wrote
>> In fact on my dc Administrator has an id=0 and mmc is working
>> correctly. How can I solve that ?
>
> This is because on a DC, the mapping is done in idmap.ldb, so you don't
> need the user.map on a DC
>>
>>
>> > You could try running 'net cache flush'
>>
>> net cache flush doesn't give any output and nothing changes.
>
> If 'doesn't give any output' means that 'getent passwd Administrator'
> doesn't show what it did before, then try again from windows, it should
> now work.
>
> If you are still getting output from 'getent passwd Administrator',
> please post your smb.conf
>
> Rowland

getent passwd Administrator still shows:
administrator:*:10500:10513::/home/administrator:/bin/bash

smb.conf:
[global]
        security = ADS
        workgroup = some
        realm = some.domain.pl

        allow trusted domains = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes

        log file = /var/log/samba/%m.log
        log level = 1

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config some : backend = rid
        idmap config some: range = 10000-999999

        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U

        username map = /etc/samba/user.map

        winbind enum users = yes
        winbind enum groups = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes




Re: MMC issue

Samba - General mailing list
On Tue, 5 Dec 2017 13:15:53 -0700 (MST)
Mariusz80 via samba <[hidden email]> wrote:

> >>
> >> In fact on my dc Administrator has an id=0 and mmc is working
> >> correctly. How can I solve that ?
> >
> > This is because on a DC, the mapping is done in idmap.ldb, so you
> > don't need the user.map on a DC
> >>
> >>
> >> > You could try running 'net cache flush'
> >>
> >> net cache flush doesn't give any output and nothing changes.
> >
> > If 'doesn't give any output' means that 'getent passwd
> > Administrator' doesn't show what it did before, then try again from
> > windows, it should now work.
> >
> > If you are still getting output from 'getent passwd Administrator',
> > please post your smb.conf
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
> getent passwd Administrator still shows:
> administrator:*:10500:10513::/home/administrator:/bin/bash
>
> smb.conf:
> [global]
>        security = ADS
>        workgroup = some
>        realm = some.domain.pl
>  
> allow trusted domains = Yes
> winbind use default domain = Yes
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>
>        log file = /var/log/samba/%m.log
>        log level = 1
>
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-7999
>
> idmap config some : backend = rid
> idmap config some: range = 10000-999999
>
> winbind nss info = template
> template shell = /bin/bash
> template homedir = /home/%U
>
>
> username map = /etc/samba/user.map
>
> winbind enum users = yes
> winbind enum groups = yes
>
> vfs objects = acl_xattr
>        map acl inherit = yes
>        store dos attributes = yes

OK, I started a VM running a Unix domain member that uses the 'rid'
backend and it does work in the same way as yours, I get the same
result for 'getent passwd Administrator'.

I then started another VM running Windows 7, logged in as
Administrator, connected to a share on the Unix domain member and via
the security tab for the share, added permissions for another user.

So, whilst I didn't expect it to work, it did.

Rowland
 


Re: MMC issue

Samba - General mailing list
Samba - General mailing list wrote
> OK, I started a VM running a Unix domain member that uses the 'rid'
> backend and it does work in the same way as yours, I get the same
> result for 'getent passwd Administrator'.
>
> I then started another VM running Windows 7, logged in as
> Administrator, connected to a share on the Unix domain member and via
> the security tab for the share, added permissions for another user.
>
> So, whilst I didn't expect it to work, it did.
>
> Rowland

Well permissions are working fine but, if I create for example "new folder"
then the owner is root and what about the main problem with mmc.

Mariusz




Re: MMC issue

Samba - General mailing list
On Tue, 5 Dec 2017 15:39:25 -0700 (MST)
Mariusz80 via samba <[hidden email]> wrote:

> Well permissions are working fine but, if I create for example "new
> folder" then the owner is root and what about the main problem with
> mmc.
>

New files/directories will be created with 'root' as the owner because
'Administrator' is mapped to 'root'.

If I run mmc.dsc on the win7 PC and connect to the share, everything
works for me.

Rowland


Re: MMC issue

Samba - General mailing list
On 06.12.2017 at 10:14, Rowland Penny via samba wrote:

> On Tue, 5 Dec 2017 15:39:25 -0700 (MST)
> Mariusz80 via samba <[hidden email]> wrote:
>
>> Well permissions are working fine but, if I create for example "new
>> folder" then the owner is root and what about the main problem with
>> mmc.
>>
>
> New files/directories will be created with 'root' as the owner because
> 'Administrator' is mapped to 'root'.
>
> If I run mmc.dsc on the win7 PC and connect to the share, everything
> works for me.

I actually have the same problem. The Security tab works as expected.
Only "Sessions" and "Open Files" do not work on a DM, but they work on a DC.

This is with the idmap AD backend, not rid, and Administrator does not
have a uid assigned.

In the logs I see this:


Successful AuthZ: [srvsvc,ncacn_np] user [BRAIN-02]\[Administrator]
[S-1-22-1-0] at [Mi, 06 Dez 2017 10:00:22.032080 CET] Remote host
[ipv4:x.x.x.x:35170] local host [NULL]
Dec  6 10:00:22 lx-sv-03 smbd_audit: [2017/12/06 10:00:22.035679,  1]
../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1468(_srvsvc_NetSessEnum)
Dec  6 10:00:22 lx-sv-03 smbd_audit:  Enumerating sessions only allowed
for administrators


Samba Version is 4.7.3 on the DM

wbinfo --sid-to-name=S-1-22-1-0

Unix User\root 1

getent passwd Administrator

returns nothing

wbinfo --uid-to-sid=0
S-1-22-1-0

wbinfo -i Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user Administrator


On the DC Samba version is 4.6.11

wbinfo --sid-to-name=S-1-22-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-22-1-0

getent passwd Administrator

returns nothing

wbinfo --uid-to-sid=0

S-1-5-21-773202902-494389186-2375354597-500

wbinfo -i Administrator
BRAIN-02\administrator:*:0:10000::/home/BRAIN-02/administrator:/bin/false


Any ideas?

>
> Rowland
>

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Engineering

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail [hidden email], homepage www.brain-biotech.de
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech

Registered office: Zwingenberg/Bergstrasse
Registration court: AG Darmstadt, HRB 24758
Executive Board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the Supervisory Board: Dr. Ludger Mueller


Re: MMC issue

Samba - General mailing list
On Wed, 6 Dec 2017 10:40:14 +0100
Christian Naumer via samba <[hidden email]> wrote:

> On 06.12.2017 at 10:14, Rowland Penny via samba wrote:
> > On Tue, 5 Dec 2017 15:39:25 -0700 (MST)
> > Mariusz80 via samba <[hidden email]> wrote:
> >
> >> Well permissions are working fine but, if I create for example "new
> >> folder" then the owner is root and what about the main problem with
> >> mmc.
> >>
> >
> > New files/directories will be created with 'root' as the owner
> > because 'Administrator' is mapped to 'root'.
> >
> > If I run mmc.dsc on the win7 PC and connect to the share, everything
> > works for me.
> I actually have the same problem. The Security tab works as expected.
> Only "Sessions" and "Open Files" do not work on a DM, but they work on
> a DC.
>
> This is with the idmap AD backend, not rid, and Administrator does not
> have a uid assigned.
>
> In the logs I see this:
>
>
> Successful AuthZ: [srvsvc,ncacn_np] user [BRAIN-02]\[Administrator]
> [S-1-22-1-0] at [Mi, 06 Dez 2017 10:00:22.032080 CET] Remote host
> [ipv4:x.x.x.x:35170] local host [NULL]
> Dec  6 10:00:22 lx-sv-03 smbd_audit: [2017/12/06 10:00:22.035679,  1]
> ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1468(_srvsvc_NetSessEnum)
> Dec  6 10:00:22 lx-sv-03 smbd_audit:  Enumerating sessions only
> allowed for administrators
>
>
> Samba Version is 4.7.3 on the DM
>
> wbinfo --sid-to-name=S-1-22-1-0
>
> Unix User\root 1
>
> getent passwd Administrator
>
> returns nothing
>
> wbinfo --uid-to-sid=0
> S-1-22-1-0

I get:

failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert uid 0 to sid

>
> wbinfo -i Administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user Administrator
>
>
> On the DC Samba version is 4.6.11
>
> wbinfo --sid-to-name=S-1-22-1-0
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-22-1-0
>
> getent passwd Administrator
>
> returns nothing

I get:

SAMDOM\administrator:*:0:10000::/home/SAMDOM/administrator:/bin/bash

I have libnss_winbind set up on the DC, do you ?

My only thought at this time is, do you have a user in AD called
'root' ?

Rowland






Re: MMC issue

Samba - General mailing list
On Wed, 6 Dec 2017 11:59:44 +0100
Christian Naumer <[hidden email]> wrote:

> On 06.12.2017 at 11:22, Rowland Penny via samba wrote:
>
> > I have libnss_winbind set up on the DC, do you ?
> >
>
> not on the DCs only on the DMs
>
>
> > My only thought at this time is, do you have a user in AD called
> > 'root' ?
>
> no. definitely not.
>
>
> Is it normal that Administrator maps to different SIDs on DCs and DMs?
>

No, the SID-RID for 'Administrator' should be in the form:

   S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500

Where 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx' is the domain SID
and '500' is the RID. The SID should be the same on all domain
computers: DCs, windows PCs or Unix domain members, if you are getting
different SIDs on some machines then that machine doesn't seem to be a
member of the AD domain.

Rowland
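
Added example, not part of the original posts: the SID layout described above (domain SID plus RID) and the `S-1-22-1-<uid>` form from Christian's output, applied to the three `wbinfo --uid-to-sid=0` results quoted in this thread. Function names and host labels are made up for the example; `S-1-22-2` as the "Unix Group" prefix is Samba's convention and does not appear in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DOMAIN_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")  # domain SID + RID
UNIX_RE = re.compile(r"^S-1-22-([12])-(\d+)$")  # Samba "Unix User" / "Unix Group"
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


@dataclass(frozen=True)
class SidInfo:
    sid: str
    kind: str                  # "domain", "unix-user", "unix-group" or "other"
    domain_sid: Optional[str]  # only set for domain SIDs
    rid: Optional[int]         # RID for domain SIDs, uid/gid for Unix SIDs


def classify_sid(sid: str) -> SidInfo:
    m = DOMAIN_RE.match(sid)
    if m:
        return SidInfo(sid, "domain", m.group(1), int(m.group(2)))
    m = UNIX_RE.match(sid)
    if m:
        kind = "unix-user" if m.group(1) == "1" else "unix-group"
        return SidInfo(sid, kind, None, int(m.group(2)))
    return SidInfo(sid, "other", None, None)


def sid_from_wbinfo(output: str) -> Optional[str]:
    """Extract the SID from 'wbinfo --uid-to-sid' output; None if the lookup failed."""
    if "failed to call" in output:
        return None
    m = SID_RE.search(output)
    return m.group(0) if m else None


def compare_uid0(outputs: Dict[str, str]) -> List[str]:
    """Report, per host, what uid 0 resolves to, and whether the hosts agree."""
    findings, seen = [], set()
    for host, out in outputs.items():
        sid = sid_from_wbinfo(out)
        if sid is None:
            findings.append(f"{host}: lookup failed, uid 0 has no SID")
            continue
        info = classify_sid(sid)
        seen.add(sid)
        if info.kind == "domain":
            findings.append(f"{host}: domain account, RID {info.rid} in {info.domain_sid}")
        elif info.kind == "unix-user":
            findings.append(f"{host}: Unix User SID for uid {info.rid}, not a domain SID")
        else:
            findings.append(f"{host}: {info.kind} SID {sid}")
    if len(seen) > 1:
        findings.append("MISMATCH: uid 0 resolves to different SIDs: " + ", ".join(sorted(seen)))
    return findings


# Outputs of 'wbinfo --uid-to-sid=0' as posted in the thread; the keys are labels added here.
THREAD_OUTPUTS = {
    "DM (Samba 4.7.3)": "S-1-22-1-0\n",
    "DC (Samba 4.6.11)": "\nS-1-5-21-773202902-494389186-2375354597-500\n",
    "Rowland's test": "failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND\n"
                      "Could not convert uid 0 to sid\n",
}

if __name__ == "__main__":
    for line in compare_uid0(THREAD_OUTPUTS):
        print(line)
```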


Re: MMC issue

Samba - General mailing list
On 06.12.2017 at 12:17, Rowland Penny via samba wrote:

>
> Where 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx' is the domain SID
> and '500' is the RID. The SID should be the same on all domain
> computers: DCs, windows PCs or Unix domain members, if you are getting
> different SIDs on some machines then that machine doesn't seem to be a
> member of the AD domain.

One of those problems again... The DMs were "normally" joined to the
domain. And two of them serve about 100 clients without problems. As we
don't use the mmc for much I'll just leave it that way.

Regards


Christian


>
> Rowland
>
