Mark asked:

Domain Administrator cannot mount volumes

For security purposes, I changed our Samba file server to be a member of the Active Directory domain. This way, domain users on Windows 7 workstations can map Samba shares with domain credential automatically. That bit works fine.

My problem is that I use the Domain Administrator account (Administrator) as the main login account for the SQL Server host (also Windows 7). I can still log into that host with the Administrator account, but I can no longer map Samba shares even though I enter the correct domain credentials. I now get "Access is denied". I can map the Samba shares using the credentials of other domain users (actual users).

I probably shouldn't have used that account in the first place, but I did. Is there a way around this or do I have create a new domain account for this purpose?
Tags: Samba, Windows OS, Active Directory, Security

Last comment: Mark, 8/22/2022 (Mon)
SOLUTION
Craig Beck

SOLUTION
ArneLovius

SOLUTION
arnold

Mark

ASKER
Sorry, I had massive issues at the beginning of the year and haven't been able to get back to this question. Please re-open. I'll post some responses to Expert comments.
Mark

ASKER
Sorry about the long delay. Year-End fires to put out.

Craig Beck:
Does it work as admin if you use the IP instead of the name to map the drive?
No.
ArneLovius:
What AD group did you use to assign permissions to the SAMBA share ?
Not sure I assigned an AD group for this. How would I check? In smb.conf I do have:
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099

force user = ohprso
force group = ohprs


ohprso and ohprs are not domain user/group. On the AD/DC getent gives:
HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash


showing a userid of zero. The GID of 10000 is the same for all domain users. getent on the Samba server returns nothing. Trying to log on the Samba server as Administrator generates an "Invalid user Administrator" in the log.

arnold:
Sounds like root/administrator is restricted from accessing the samba share.
Check smb.conf check samba log ....
Is there something I can set to permit this user? Here is my smb.conf. I'm doubtful if the Administrator user cannot even log in to that host.
[global]
netbios name = OHPRSSTORAGE
server string = HPRS NAS server

domain master = no
prefered master = no

realm = HPRS.LOCAL
workgroup = HPRS
usershare allow guests = Yes
usershare max shares = 10
security = ADS
template shell = /bin/bash

max log size = 10000

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099

winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes

[public]
comment = OHPRS main file and document repository
path = /mnt/RAID/public

hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/

veto oplock files = /OfficeCalendar.pst/

inherit acls = yes
valid users = @"domain users"


locking = yes
public = yes
writeable = yes
browseable = yes
printable = no
create mask = 0660
force user = ohprso
force group = ohprs
force create mode = 0660
directory mask = 2771

[Backups]
comment = HPRS domain current backup respository
path = /mnt/RAID/Backups
public = yes
guest ok = yes
guest only = yes
writeable = yes
browseable = yes
printable = no
force user = ohprso
force group = ohprs
create mask = 0660
directory mask = 2771

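Added example, not code from this thread or from the Samba project: a small Python checker that parses the idmap settings quoted above and tests a resolved account against them. The smb.conf fragment and the getent line inside it are constructed from the values posted in this thread so it runs offline; on a real member server you would feed it the live smb.conf and the output of `getent passwd DOMAIN\user` taken on the file server, and it assumes the uid/gid in that line are the IDs the member server is expected to map. The findings it raises (uid 0, an ID outside the domain's idmap range, overlapping ranges) are the checks worth running before deciding whether Administrator should be mapped on a member server at all.

```python
"""Sanity-check a Samba member-server idmap setup against a resolved account.

Added example for this thread, not Samba's own tooling. The config fragment
and the getent line below are constructed from the values quoted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed: the idmap/share settings quoted in the thread.
SMB_CONF = """\
[global]
   workgroup = HPRS
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config HPRS:backend = ad
   idmap config HPRS:schema_mode = rfc2307
   idmap config HPRS:range = 10000-10099
   winbind use default domain = Yes

[public]
   valid users = @"domain users"
   force user = ohprso
   force group = ohprs
"""

# Constructed copy of the getent line the asker saw on the DC (uid 0, gid 10000).
GETENT_LINE = "HPRS\\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash"

IDMAP_RE = re.compile(
    r"^idmap config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+)$")


def global_options(conf: str) -> Dict[str, str]:
    """Return every 'key = value' pair from [global], keys lower-cased."""
    section, opts = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip().lower()] = val.strip()
    return opts


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """{domain: {backend, range, schema_mode, ...}} for each 'idmap config' line."""
    idmap: Dict[str, Dict[str, str]] = {}
    for key, val in global_options(conf).items():
        m = IDMAP_RE.match(f"{key} = {val}")
        if m:
            idmap.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return idmap


def parse_range(text: str) -> Tuple[int, int]:
    """'10000-10099' -> (10000, 10099)."""
    lo, hi = (int(x) for x in text.split("-", 1))
    return lo, hi


def overlapping_ranges(idmap: Dict[str, Dict[str, str]]) -> List[str]:
    """Report pairs of idmap domains whose ID ranges overlap (a misconfiguration)."""
    ranges = {d: parse_range(c["range"]) for d, c in idmap.items() if "range" in c}
    doms, findings = sorted(ranges), []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings


def parse_getent(line: str, default_domain: str) -> Tuple[str, str, int, int]:
    """Split a passwd-style getent line into (domain, user, uid, gid)."""
    name, _pw, uid, gid, *_ = line.split(":")
    if "\\" in name:
        dom, user = name.split("\\", 1)
    else:  # 'winbind use default domain = Yes' strips the DOMAIN\ prefix
        dom, user = default_domain, name
    return dom.upper(), user, int(uid), int(gid)


def check_account(conf: str, getent_line: str) -> List[str]:
    """Explain why an account with this passwd entry may be refused by the share."""
    opts, idmap = global_options(conf), parse_idmap(conf)
    dom, user, uid, gid = parse_getent(getent_line, opts.get("workgroup", ""))
    findings = overlapping_ranges(idmap)
    if uid == 0:
        findings.append(f"{dom}\\{user} resolves to uid 0: file access through the "
                        "share would run as the local superuser")
    cfg = idmap.get(dom)
    if cfg is None or "range" not in cfg:
        findings.append(f"no 'idmap config {dom}:range' in smb.conf; winbind would "
                        "allocate IDs from the '*' range instead")
        return findings
    lo, hi = parse_range(cfg["range"])
    for kind, value in (("uid", uid), ("gid", gid)):
        if not lo <= value <= hi:
            findings.append(f"{kind} {value} of {dom}\\{user} lies outside the {dom} "
                            f"range {lo}-{hi}: idmap_ad only maps accounts whose "
                            "uidNumber/gidNumber fall inside the configured range")
    return findings


if __name__ == "__main__":
    for finding in check_account(SMB_CONF, GETENT_LINE) or ["no findings"]:
        print("-", finding)
```

Run against the thread's values it reports two findings for Administrator (uid 0, and uid 0 outside 10000-10099) and none for an ordinary domain user whose uid and gid sit inside the HPRS range, which is consistent with the asker's observation that other domain users can map the share.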

arnold

Clarification on what happens when you attempt to mount as admin?
Are you able to view/read but not change?
Designating a default user/group in smb.conf as you have means ownership of the files on the share ..

Does the samba log, security or audit log reflect events dealing with admin attempts to ..

In a command window, what do you get for
net use X: \\ohprsstorage\sharename
Do you get a system error?

Is it limited to a specific system, or on any you use?
Mark

ASKER
arnold:
Is it limited to a specific system, or on any you use?
Well, here's something very interesting ... prompted by your question. I first ran 'use x: \\ohprsstorage\public' on some other host and got:
C:\Users\Administrator>net use x: \\ohprsstorage\public
The password is invalid for \\ohprsstorage\public.

Enter the user name for 'ohprsstorage': Administrator
Enter the password for ohprsstorage:
System error 5 has occurred.

Access is denied.


I then ran the same 'net use' on the problem computer and got:
C:\Users\Administrator>net use x: \\ohprsstorage\public
The command completed successfully.


I wondered why. After a bit of research, I recalled that I had mapped that share using a real domain user's credentials. Sure enough, in Acronis, I am now able to specify the backup target \\ohprsstorage\Backups\Acronis\workstations\dbserver, which I wasn't before.

I am guessing that without the real domain user's credentials, or if those credentials change, I'll not be able to either map the Samba share or back up to the target folder. It is backing up at the moment, but when that completes, I'll experiment further with this last hypothesis.
arnold

You have the credential backend, or default the user, you seem to be trying to do both.

If memory serves, you had samba4 +dc+LDAP
Uniform user credentials over platforms.

When the Windows system accesses using credentials stored in tdb, the server only sees users based on /etc/passwd...
ASKER CERTIFIED SOLUTION
Mark

arnold

Administrator is commonly mapped to root.

Though with the data in your tdb file, if you do not prefix administrator with the ors\ the transmission will be machine\administrator from which you are connecting.
Mark

ASKER
Thanks for your input Arnold et al. I think I'm going to solve this long term by doing as I said in my post and create a non-person user which is a member of 'domain users' for "batch" tasks such as backups.