administrator does not have permission


Samba - General mailing list
While attempting to check 'profiles' user permissions on my member server I
discovered that (for some reason) I did not have a krb5.conf file (on
member.) Resolved that issue. Then find that the keytab file is missing.
Fixed that.

I wanted to check profile user permissions and have discovered that the
administrator does not have permission to "view or edit this object's
permission settings." WHAT?? Is there a linux way to correct this issue?

Further digging and I find that the administrator (the
DOMAIN\administrator) does have rights to see permissions of anything on
the member server.

I am puzzled . . . how could missing krb5.conf and keytab files allow
access when missing. Clearly replacing the missing files and kerberos is
blocking something.

So, the question is: is there a way to correct this on the linux side?

I am at a loss as to how to proceed.


Bob Wooden
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: administrator does not have permission

Samba - General mailing list
On Mon, 20 Nov 2017 12:18:14 -0600
Robert Wooden via samba <[hidden email]> wrote:

> While attempting to check 'profiles' user permissions on my member
> server I discovered that (for some reason) I did not have a krb5.conf
> file (on member.) Resolved that issue. Then find that the keytab file
> is missing. Fixed that.

You usually get a krb5.conf created when you install the kerberos
client packages, it is usually more than what you need though.
You only get the /etc/krb5.keytab created at join if you have these two
lines in smb.conf:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

>
> I wanted to check profile user permissions and have discovered that
> the administrator does not have permission to "view or edit this
> object's permission settings." WHAT?? Is there a linux way to correct
> this issue?

Have you mapped Administrator to the Unix user 'root' in a user.map ?

>
> Further digging and I find that the administrator (the
> DOMAIN\administrator) does have rights to see permissions of anything
> on the member server.
>
> I am puzzled . . . how could missing krb5.conf and keytab files allow
> access when missing. Clearly replacing the missing files and kerberos
> is blocking something.

Ah, but Samba uses a keytab in memory and whilst I have always created
the krb5.conf myself, it is possible that Samba can use the Realm found
in smb.conf if there is no /etc/krb5.conf.

>
> So, the question is: is there a way to correct this on the linux side?
>
> I am at a loss as to how to proceed.

Please check if you have a user.map and report back.

Rowland
 



Re: administrator does not have permission

Samba - General mailing list
On Mon, 20 Nov 2017 13:14:57 -0600
Robert Wooden <[hidden email]> wrote:

> yes, I have user.map, it contains only "!root = DTDOM\Administrator
> DTDOM\administrator".
>
> (That's what my notes show I made it as when setting up.)
>
> Suggestions?

If you haven't done something strange, such as giving Administrator a
uidNumber, then my next step would be to make the Unix domain
member leave the domain, add the two lines to smb.conf (if you
need /etc/krb5.keytab), ensure /etc/krb5.conf exists and is correct,
then re-join the domain.

Rowland


Re: administrator does not have permission

Samba - General mailing list
On Mon, 20 Nov 2017 15:38:28 -0600
Robert Wooden <[hidden email]> wrote:

> I have been reading and rereading the wiki and I did "your
> suggestions" yesterday when I discovered the missing krb5.conf.
>
> Have begun looking into acl permissions.
>
> But, for the life of me, I cannot figure out why the administrator
> would not have "builtin" permissions to always be able to look at,
> change, or adjust file permissions. How can the administrator
> permissions ability just disappear . . . well, I had an issue with
> krb5 not working correctly before I made these adjustments and now
> kerberos IS working correctly.
>

Administrator does have these 'builtin' permissions, but only on
Windows ;-)
On Unix the 'root' user has the same sort of authority, this is why you
map 'Administrator' to 'root' in the user.map. This means when you set
ACLs from windows to a Unix share as Administrator, it is actually root
that sets them.

Try running 'getent passwd Administrator' on the Unix domain member, if
you get an output, then you need to find out why, because you shouldn't.

You can check Administrator's privileges with:

net rpc rights list -UAdministrator

If you run the above on the Unix domain member, you should get
something like this:

     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares
           SeSecurityPrivilege  System security

Rowland

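The checks Rowland asks for in this reply and the one before it (the two smb.conf lines needed for /etc/krb5.keytab, a user.map that maps Administrator to root, a present krb5.conf, and `getent passwd Administrator` returning nothing) can be scripted so they are run the same way every time a member server is set up. The script below is an added example, not code from the thread or from the Samba project; the file paths, the realm name DTDOM.EXAMPLE and the sample configuration it writes into a temporary directory are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): prerequisite checks for a Samba Unix
# domain member. Each check is a function returning 0 on success so it can be
# used on the real files (/etc/samba/smb.conf, /etc/samba/user.map,
# /etc/krb5.conf) or on the constructed sample below.

# user_map_maps_admin_to_root FILE
# Succeeds if FILE has a line of the form  !root = DOMAIN\Administrator
# (the leading '!' is optional; it makes Samba stop at the first match).
user_map_maps_admin_to_root() {
    grep -Eiq '^[[:space:]]*!?[[:space:]]*root[[:space:]]*=.*\\administrator' "$1"
}

# smb_conf_has_keytab_lines FILE
# Succeeds only if both lines that cause /etc/krb5.keytab to be written at
# join time are present.
smb_conf_has_keytab_lines() {
    grep -Eiq '^[[:space:]]*dedicated[[:space:]]+keytab[[:space:]]+file[[:space:]]*=' "$1" &&
    grep -Eiq '^[[:space:]]*kerberos[[:space:]]+method[[:space:]]*=[[:space:]]*secrets[[:space:]]+and[[:space:]]+keytab' "$1"
}

# krb5_conf_sets_realm FILE
# Succeeds if FILE exists, is non-empty and names a default_realm.
krb5_conf_sets_realm() {
    [ -s "$1" ] && grep -Eiq '^[[:space:]]*default_realm[[:space:]]*=' "$1"
}

# admin_has_no_unix_account NAME
# Succeeds if NAME does not resolve to a Unix user. Output from getent here
# would mean the account has a uidNumber and will not be mapped to root.
admin_has_no_unix_account() {
    ! getent passwd "$1" >/dev/null 2>&1
}

# make_demo_config DIR
# Writes a constructed sample configuration into DIR (assumed values only:
# domain DTDOM, realm DTDOM.EXAMPLE). smb-nokeytab.conf lacks the two keytab
# lines so the failing case is visible too.
make_demo_config() {
    printf '%s\n' '!root = DTDOM\Administrator DTDOM\administrator' > "$1/user.map"
    cat > "$1/smb.conf" <<'EOF'
[global]
    workgroup = DTDOM
    realm = DTDOM.EXAMPLE
    security = ADS
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    username map = /etc/samba/user.map
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = DTDOM.EXAMPLE
EOF
    printf '[global]\n    workgroup = DTDOM\n' > "$1/smb-nokeytab.conf"
}

# report LABEL CHECK ARGS... : print one PASS/FAIL line per check
report() {
    label=$1
    shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

demo_dir=$(mktemp -d)
make_demo_config "$demo_dir"
report "user.map maps Administrator to root" user_map_maps_admin_to_root "$demo_dir/user.map"
report "smb.conf has both keytab lines"      smb_conf_has_keytab_lines "$demo_dir/smb.conf"
report "smb.conf without keytab lines"       smb_conf_has_keytab_lines "$demo_dir/smb-nokeytab.conf"
report "krb5.conf sets default_realm"        krb5_conf_sets_realm "$demo_dir/krb5.conf"
report "Administrator has no Unix account"   admin_has_no_unix_account Administrator
rm -rf "$demo_dir"
```

To use it on a live member server, call the check functions with the real paths instead of the demo directory; the third report line is expected to print FAIL, since it deliberately points at the sample file without the keytab lines.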

Re: administrator does not have permission

Samba - General mailing list
In the Windows world side when an "administrator" cannot 'take ownership'
of a file share, the docs discuss the "System" account being used as it
(System account) has greater permissions than that of the administrator.

I remembered reading this page https://wiki.samba.org/index.php/The_SYSTEM_Account and have now re-read said page *carefully*.

There I find this message box  "For compatibility with Windows, add the
SYSTEM account to file system ACLs."

How do I add the SYSTEM account to my ACLs on a Samba member server?

On Tue, Nov 21, 2017 at 9:01 AM, Robert Wooden <[hidden email]>
wrote:

> In searching for a similar situation, I found this that most closely
> represents the issue I am dealing with. link:
> https://community.spiceworks.com/topic/1749382-domain-admin-has-no-permission-to-folder-despite-administrators-group-present
> Many of the images are the "complaints" I am seeing.
>
> Down within the comments, the discussion is generally about the
> administrator "taking ownership" of the directory and re-assigning rights.
> Of course this is "on the Windows server side" of things. So, how do I
> "take ownership" in our Samba/linux world?
>
> Anyone . . . . thoughts?
>
> On Mon, Nov 20, 2017 at 4:41 PM, Robert Wooden <[hidden email]>
> wrote:
>
>> getent passwd Administrator returns no password . . . good.
>>
>> net rpc rights list -UAdministrator returns the same your example showed
>> (last email.)
>>
>> I still think kerberos was not working properly and allowing me access
>> and now "fixed" kerberos is denying access.
>>
>> More soon (tomorrow) . . . .
>>


--

Thank you.

Bob Wooden
615.885.2846    www.donelsontrophy.com
"Everyone deserves an award!!"

Re: administrator does not have permission

Samba - General mailing list
On Fri, 24 Nov 2017 14:18:40 -0600
Robert Wooden via samba <[hidden email]> wrote:

> In the Windows world side when an "administrator" cannot 'take
> ownership' of a file share, the docs discuss the "System" account
> being used as it (System account) has greater permissions than that
> of the administrator.
>
> I remembered reading this page https://wiki.samba.org/index.php/The_SYSTEM_Account and have now re-read said page *carefully*.
>
> There I find this message box  "For compatibility with Windows, add
> the SYSTEM account to file system ACLs."
>
> How do I add the SYSTEM account to my ACLs on a Samba member server?

From windows ;-)

see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_ACLs_on_a_Folder

In the 'Permissions for Folder' box add 'SYSTEM' to the 'Group or user
names:' box, with 'Full control'

Rowland
