[Samba] Permission Issues with GPO
mourik jan c heupink
heupink at merit.unu.edu
Wed Nov 18 13:11:15 UTC 2015
On 18-11-2015 12:24, Rowland Penny wrote:
> OK, I think I understand this, Mourik is setting this on the share:
>
> valid users = @"Domain Admins", @"Domain Computers"
>
> This means that only members of the 'Domain Admins' or 'Domain
> Computers' groups can connect to the share, whilst Louis has this
> showing in his ACLs from getfacl:
>
> Creator owner special. Only folders and files on underlying folders.
> Creator group special. Only folders and files on underlying folders.
> Verified users read+exec This folder underlying folders and files
> Domain Admins Full This folder underlying folders and files
> Domain users read+exec This folder underlying folders and files
> Domain computers read+exec This folder underlying folders and files
>
> Which gives (amongst others) 'Domain Admins' full control and 'Domain
> Computer' read+exec permissions.
>
> With Mourik's way of doing things, 'Domain Computers' must be known to
> Unix, hence the required gidNumber
>
> Louis's way will probably rely on winbind mapping 'Domain Computers'
>
> Rowland
>
Nice analysis, yes. :-)
More information about the samba
mailing list