Domain Administrator cannot mount volumes

For security purposes, I changed our Samba file server to be a member of the Active Directory domain. This way, domain users on Windows 7 workstations can map Samba shares with domain credentials automatically. That bit works fine.

My problem is that I use the Domain Administrator account (Administrator) as the main login account for the SQL Server host (also Windows 7). I can still log into that host with the Administrator account, but I can no longer map Samba shares even though I enter the correct domain credentials. I now get "Access is denied". I can map the Samba shares using the credentials of other domain users (actual users).

I probably shouldn't have used that account in the first place, but I did. Is there a way around this or do I have to create a new domain account for this purpose?
jmarkfoleyAsked:

Craig BeckCommented:
Does it work as admin if you use the IP instead of the name to map the drive?
ArneLoviusCommented:
What AD group did you use to assign permissions to the SAMBA share ?
arnoldCommented:
Sounds like root/administrator is restricted from accessing the samba share.
Check smb.conf check samba log ....

jmarkfoleyAuthor Commented:
Sorry, I had massive issues at the beginning of the year and haven't been able to get back to this question. Please re-open. I'll post some responses to Expert comments.
jmarkfoleyAuthor Commented:
Sorry about the long delay. Year-End fires to put out.

Craig Beck:
Does it work as admin if you use the IP instead of the name to map the drive?
No.
ArneLovius:
What AD group did you use to assign permissions to the SAMBA share ?
Not sure I assigned an AD group for this. How would I check? In smb.conf I do have:
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099

force user = ohprso
force group = ohprs

ohprso and ohprs are not domain user/group. On the AD/DC getent gives:
HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash

showing a userid of zero. The GID of 10000 is the same for all domain users. getent on the Samba server returns nothing. Trying to log on the Samba server as Administrator generates an "Invalid user Administrator" in the log.

arnold:
Sounds like root/administrator is restricted from accessing the samba share.
Check smb.conf check samba log ....
Is there something I can set to permit this user? Here is my smb.conf. I'm doubtful if the Administrator user cannot even log in to that host.
[global]
netbios name = OHPRSSTORAGE
server string = HPRS NAS server

domain master = no
prefered master = no

realm = HPRS.LOCAL
workgroup = HPRS
usershare allow guests = Yes
usershare max shares = 10
security = ADS
template shell = /bin/bash

max log size = 10000

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099

winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes

[public]
comment = OHPRS main file and document repository
path = /mnt/RAID/public

hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/

veto oplock files = /OfficeCalendar.pst/

inherit acls = yes
valid users = @"domain users"


locking = yes
public = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force user = ohprso
force group = ohprs
force create mode = 0660
directory mask = 2771

[Backups]
comment = HPRS domain current backup respository
path = /mnt/RAID/Backups
public = yes
guest ok = yes
guest only = yes
writeable = yes
browseable= yes
printable = no
force user = ohprso
force group = ohprs
create mask = 0660
directory mask = 2771

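Added example, not from this thread: a small Python checker that pulls the idmap ranges out of an smb.conf like the one above and tests getent-style passwd lines against them. It assumes that winbind's idmap_ad backend ignores IDs outside the configured range, which would explain why an Administrator entry with uidNumber 0 fails on the member server while ordinary domain users map fine; the `backupsvc` line is a constructed, hypothetical service account.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap lines from the smb.conf quoted in this thread.
SMB_CONF = """[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099"""

# Constructed sample getent output: the Administrator line is the one quoted
# from the AD DC above; 'backupsvc' is a hypothetical service account.
GETENT_LINES = [
    r"HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash",
    r"HPRS\backupsvc:*:10042:10000:Backup Service:/home/HPRS/backupsvc:/bin/bash",
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config DOM:range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1).upper()] = (low, high)
    return ranges

def check_account(passwd_line: str, ranges: Dict[str, Tuple[int, int]]) -> List[str]:
    """Reasons a member server's idmap_ad backend would fail to map this account.
    Assumption: IDs outside the domain's configured range are ignored by winbind."""
    name, _, uid, gid = passwd_line.split(":")[:4]
    domain = name.split("\\")[0].upper() if "\\" in name else "*"
    if domain not in ranges:
        return [f"no idmap range configured for domain {domain}"]
    low, high = ranges[domain]
    problems = []
    for label, value in (("uidNumber", int(uid)), ("gidNumber", int(gid))):
        if not low <= value <= high:
            problems.append(f"{label} {value} is outside {domain} range {low}-{high}")
    if int(uid) == 0:
        problems.append("uidNumber 0 maps the account to root on the file server")
    return problems

if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for line in GETENT_LINES:
        print(line.split(":")[0], check_account(line, ranges) or ["OK"])
```

Run it against the real `getent passwd` output from the member server (not the DC) to see which accounts the file server can actually resolve.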
arnoldCommented:
Clarification on what happens when you attempt to mount as admin?
Are you able to view/read but not change.
Designating a default user/group in smb.conf you have means ownership of the files on the share ..


Does the samba log, security or audit log reflect events dealing with admin attempts to ..

In a command window, what do you get for
net use X: \\ohprsstorage\sharename
Do you get a system error?

Is it limited to a specific system, or on any you use?
jmarkfoleyAuthor Commented:
arnold:
Is it limited to a specific system, or on any you use?
Well, here's something very interesting ... prompted by your question. I first ran 'use x: \\ohprsstorage\public' on some other host and got:
C:\Users\Administrator>net use x: \\ohprsstorage\public
The password is invalid for \\ohprsstorage\public.

Enter the user name for 'ohprsstorage': Administrator
Enter the password for ohprsstorage:
System error 5 has occurred.

Access is denied.

I then ran the same 'net use' on the problem computer and got:
C:\Users\Administrator>net use x: \\ohprsstorage\public
The command completed successfully.

I wondered why. After a bit of research, I recalled that I had mapped that share using a real domain user's credentials. Sure enough, in Acronis, I am now able to specify the backup target \\ohprsstorage\Backups\Acronis\workstations\dbserver, which I wasn't before.

I am guessing that without the real domain user's credentials, or if those credentials change, I'll not be able to either map the Samba share or backup to the target folder. It is backing up at the moment, but when that completes, I'll experiment further with this last hypothesis.
arnoldCommented:
You have the credential backend, or default the user, you seem to be trying to do both.

If memory serves, you had samba4 +dc+LDAP
Uniform user credentials over platforms.

When the Windows system accesses using credentials stored in tdb, the server only sees users based on /etc/passwd...
jmarkfoleyAuthor Commented:
Yes, but the problem is that 'Administrator' is not in the 'Domain Users' group which, I believe, is why the Samba file server (which now authenticates with domain credentials) fails to authenticate user 'Administrator'. However, any user, domain member or not, can map a network drive using some domain user's credentials. So for example a guest user who is not a domain member can map the Samba share if he/she does know the credentials of some domain user. I've done that successfully. If such a user also selects "Remember my credentials" on the mapping dialog, those credentials are (probably) stored in the Credential Manager. I believe credentials so stored will continue to work for the non-domain user until the specified domain user is deleted, or until the domain user's password is changed.

So, this mechanism will work in the short term whereby 'Administrator' maps and accesses network drives using some actual domain user's credentials, but rather than trying to get the Samba host to somehow allow the Administrator user access, the best solution is to create some administrative-only user (not an actual person/user) which is a member of the 'Domain Users' group having a never changing password and is used only for such non-interactive administrative functions ... like backups!

arnoldCommented:
Administrator is commonly mapped to root.

Though the data in your tdb file if you do not prefix administrator with the ors\ the transmission will be machine\administrator from which you are connecting.
jmarkfoleyAuthor Commented:
Thanks for your input Arnold et al. I think I'm going to solve this long term by doing as I said in my post and create a non-person user which is a member of 'domain users' for "batch" tasks such as backups.