Link to home
Create AccountLog in
Avatar of Mark
Mark

asked on

Domain Administrator cannot mount volumes

For security purposes, I changed our Samba file server to be a member of the Active Directory domain. This way, domain users on Windows 7 workstations can map Samba shares with domain credential automatically. That bit works fine.

My problem is that I use the Domain Administrator account (Administrator) as the main login account for the SQL Server host (also Windows 7). I can still log into that host with the Administrator account, but I can no longer map Samba shares even though I enter the correct domain credentials. I now get "Access is denied". I can map the Samba shares using the credentials of other domain users (actual users).

I probably shouldn't have used that account in the first place, but I did. Is there a way around this or do I have create a new domain account for this purpose?
SOLUTION
Avatar of Craig Beck
Craig Beck
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of Mark
Mark

ASKER

Sorry, I had massive issues at the beginning of the year and haven't been able to get back to this question. Please re-open. I'll post some responses to Expert comments.
Avatar of Mark

ASKER

Sorry about the long delay. Year-End fires to put out.

Craig Beck:
Does it work as admin if you use the IP instead of the name to map the drive?
No.
ArneLovius:
What AD group did you use to assign permissions to the SAMBA share ?
Not sure I assigned an AD group for this. How would I check? in smb.conf I do have:
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099

force user = ohprso
force group = ohprs

Open in new window

ohprso and ohprs are not domain user/group. On the AD/DC getent gives:
HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash

Open in new window

showing a userid of zero. The GID of 10000 is the same for all domain users. getent on the Samba server returns nothing. Trying to log on the Samba server as Administrator generates an "Invalid user Administrator" in the log.

arnold:
Sounds like root/administrator is restricted from accessing the samba share.
Check smb.conf check samba log ....
Is there something I can set to permit this user? Here is my smb.conf. I'm doubtful if the Administrator user cannot even log in to that host.
[global]
netbios name = OHPRSSTORAGE


   server string = HPRS NAS server

domain master = no
prefered master = no

realm = HPRS.LOCAL
workgroup = HPRS
usershare allow guests = Yes
usershare max shares = 10
security = ADS
template shell = /bin/bash

max log size = 10000

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
                
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099

winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes

[public]
comment = OHPRS main file and document repository
path = /mnt/RAID/public

hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/

veto oplock files = /OfficeCalendar.pst/

inherit acls = yes
valid users = @"domain users"


locking = yes
public = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force user = ohprso
force group = ohprs
force create mode = 0660
directory mask = 2771

[Backups]
comment = HPRS domain current backup respository
path = /mnt/RAID/Backups
public = yes
guest ok = yes
guest only = yes
writeable = yes
browseable= yes
printable = no
force user = ohprso
force group = ohprs
create mask = 0660
directory mask = 2771

Open in new window

Clarification on what happens when you attempt to mount as admin?
Are you able to view/read but not change.
Designating a default user/group in smb.cobf you have means ownership of the files on the share ..


Does the samba log, sevurity or audit log reflect events dealing with admin attempts to ..

In a command window, what do you get for
net use X: \\ohprsstorage\sharename
Do you get a system error?

Is it limited to a specific system, or on any you use?
Avatar of Mark

ASKER

arnold:
Is it limited to a specific system, or on any you use?
Well, here's something very interesting ... prompted by your question. I first ran 'use x: \\ohprsstorage\public' on some other host and got:
C:\Users\Administrator>net use x: \\ohprsstorage\public
The password is invalid for \\ohprsstorage\public.

Enter the user name for 'ohprsstorage': Administrator
Enter the password for ohprsstorage:
System error 5 has occurred.

Access is denied.

Open in new window

I then ran the same 'net use' on the problem computer and got:
C:\Users\Administrator>net use x: \\ohprsstorage\public
The command completed successfully.

Open in new window

I wondered why. After a bit of research, I recalled that I had mapped that share using a real domain user's credentials. Sure enough, in Acronis, I am now able to specify the backup target \\ohprsstorage\Backups\Acronis\workstations\dbserver, which I wasn't before.

I am guessing that without the real domain user's credentials, or if those credentials change, I'll not be able to either map the Samba share or backup to the target folder. It is backing up up at the moment, but when that completes, I'll experiment further with this last hypothesis.
You have the credential backend, or default the user, you seem to be trying to do both.

If memory serves, you had samba4 +dc+LDAP
Uniform user credentials over platforms.

When the Windows system access using credentials stored in tdb, the server only sees users based on /etc/passwd...

.
ASKER CERTIFIED SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Iadmonistrator is commonly is commonly mapped to root.

Though the data in you tdb file if you do not prefix administrator with the ors\ the transmission will be machine\administrator from which you are connecting.
Avatar of Mark

ASKER

Thanks for your input Arnold et al. I think I've going to solve this long term by doing as I said in my post and create a non-person user which is a member of 'domain users' for "batch" tasks such backups.