NS Samba AD - RSAT Windows 7

So, how can I fully administer Samba AD through Windows 7 RSAT?

Everywhere, it’s written only this: “Log on to a Windows machine, using an account that is a member of the “Domain Admins” group”.

Which is this account? Isn’t it administrator@abt.ro, for example?

Sorry to bother you (all), but at this moment I don’t understand anything. :angry::blush:

Another thing.
I found this: https://wiki.samba.org/index.php/Idmap_config_ad
I cannot check right now smb.cfg to see.
Could be the answer?
When I have used RSAT, in “UNIX Attributes” tab, all fields were disabled (grey).

It seemed to be working with Samba 4.5.1 on CentOS 7.1511 using Win7 RSAT.

The changes to the sharing and security on a Shared Folder were added, no error messages, and it did what it was supposed to do using my Win7 users.

First I added the SeDiskOperatorPrivilege properties to the Domain Admin on CentOS, even though

    getent group "Domain Admins"

came back empty instead of

    domain admins:x:10001:

All of the other instructions in https://wiki.samba.org/index.php/Shares_with_Windows_ACLs went without an error.

Full Control for Domain Users in sharing:

Domain Admins has Full Control in Security:

Domain Users has Read Control in Security:

1 Like

Your test and what Davide said above about the administrator account strengthen my belief that the RSAT is not the problem, but a problem of implementation of Samba AD in NS.

In the meantime I read about the implementations of Samba AD and I saw that there are three things that have been implemented by others and have been mentioned here:

  • administrator account as root
  • NIS extensions
  • RFC2307

Are those three things implemented in NS AD?

1 Like

“Administrator as root” sounds good. I’d find the right configuration to obtain it, but it smells like a “user-mapping” option. The main advantage of configuring such a feature would be being sure administrator is always capable of setting filesystem ACLs and managing files, no matter who is their owner.

NIS extensions and RFC2307 are not clear to me. IIUC latest Microsoft AD implementations added some deprecations against Unix extensions. On the other hand I think our Samba implementation supports Unix extensions, and sssd does not require them though.

Let me try it, too!

1 Like

Thank you for your answer(s)!

I read about this, here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

2 Likes

I confirm that does not fix the problem. However, I tried the username map option and it seems good. My (temporary) tweaks follow.

  1. Create a file /etc/samba/user.map with the following contents (substitute “NETH” with your NetBIOS domain name):

    root = NETH\administrator
    
  2. Edit /etc/samba/smb.conf by adding the following line in the [global] section

    username map = /etc/samba/user.map
    
  3. systemctl restart smb

Now I can change Share permissions from Computer Management in a Win10Pro client.

Please @GG_jr, @JeffBales test it on your environments and tell me if it breaks something. Be aware of this bug, too: And then shared folders stopped working...?.

The changes above are temporary and are overwritten the next time smb.conf is expanded.

2 Likes

Thank you!
I will try tomorrow.

2 Likes

Will do.

2 Likes

Does it matter if I do it on RC2 or RC1?

Hi Jeff,

I don’t think it matters.
I will do it on RC2.
It is closer to the final version.
It is a fresh installation on dedicated hardware.
Only Samba AD and file server modules.

1 Like

You can upgrade rc1 as explained here

http://docs.nethserver.org/en/v7rc/release_notes.html

1 Like

Hi @davidep,
It works for me!

I have attached two screenshots with “Shares” before and after modifications because “Shares” has been modified. Maybe it is relevant.

BR,
Gabriel

2 Likes

As a side effect, it seems Administrator lost her home directory share :smile:

Now she sees /root! :dizzy_face:

Is it acceptable though?

Edit: not for me!

2 Likes

Neither for me! :grinning:

Sorry @davidep!

I made a mistake!:pensive:
I substituted “NETH” with “ABT” (domain name) not with “PDC-AD”, which is NetBIOS name!

In the correct case, as you said, the “Shares” are the same as before modifications, but in this case, it doesn’t work!

Sorry again!

1 Like

To block access to “/root” directory we can add this line under the [homes] section:

    invalid users = root

You did it right! My bad! It wasn’t “NetBIOS name” but “NetBIOS domain name”!

Ok, let me go back to “my mistake” and insert “invalid users = root”.
Please, give me a couple of minutes.

1 Like

OK, “root” is still there and no administrator@abt.ro home directory.
Also, I can modify the share permissions for “root”.

Can you actually access the /root/ directory contents? Can you write to it?
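
Added example, not written by any participant in this thread: a small Python audit of the configuration discussed above. It reports which accounts a username map file maps to root, and whether a [homes] share lists root in `invalid users`. The function names and sample input are constructed for illustration, and the check reads configuration text only; it does not test actual access to /root.

```python
import re

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {option: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def root_aliases(user_map_text):
    """Client names that a username map file ('unix = client ...') maps to root."""
    names = []
    for raw in user_map_text.splitlines():
        line = raw.strip().lstrip("!")
        if not line or line[0] in "#;":
            continue
        unix_name, _, clients = line.partition("=")
        if unix_name.strip() == "root":
            names += re.findall(r'"[^"]+"|\S+', clients)
    return names

def audit(smb_conf_text, user_map_text):
    """Flag a root mapping and a [homes] share that does not exclude root."""
    conf = parse_smb_conf(smb_conf_text)
    glob = conf.get("global", {})
    aliases = root_aliases(user_map_text) if "username map" in glob else []
    findings = [f"mapped to root: {name}" for name in aliases]
    if aliases and "homes" in conf:
        # A share-level value overrides the [global] default for that share.
        invalid = conf["homes"].get("invalid users", glob.get("invalid users", ""))
        if "root" not in re.split(r"[,\s]+", invalid.strip()):
            findings.append("[homes] does not list root in 'invalid users'")
    return findings

# Constructed sample input, using the thread's placeholder domain NETH.
SAMPLE_MAP = "root = NETH\\administrator\n"
SAMPLE_CONF = "[global]\nusername map = /etc/samba/user.map\n[homes]\nbrowseable = no\n"
print(audit(SAMPLE_CONF, SAMPLE_MAP))
```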