[Samba] Changing ACLs as administrator

Rob Helmer robert at namodn.com
Fri Jul 26 10:59:08 GMT 2002


Hello Buchan


Thank you very much for your reply.

The "domain admin" setting in Samba doesn't seem to allow one to
change ACLs or take ownership, but I experimented with the info
in the email you sent and mapped the root user to @"DOMAIN+Domain Admins"
and now all Domain Admins are able to take ownership and/or change ACLs
from their Windows boxes.



Thanks,
Rob


On Fri, Jul 26, 2002 at 05:28:35PM +0200, Buchan Milne wrote:
> 
> | Message: 3
> | Date: Thu, 25 Jul 2002 11:35:49 -0700
> | From: Rob Helmer <robert at namodn.com>
> | To: samba at lists.samba.org
> | Organization: Namodn Artists - http://www.namodn.com
> | Subject: [Samba] Changing ACLs as administrator
> |
> | Hello,
> |
> |
> | While the interesting discussion on POSIX ACLs vs. NT ACLs has
> | been going on, I've been trying (unsuccessfully) from a Windows
> | box logged in as DOMAIN\Administrator to change ACLs on a file
> | owned by a user.
> |
> | I just get "Access denied" every time I attempt it.
> |
> | I have tried setting in the smb.conf :
> |
> | --
> | domain admin group = DOMAIN+Domain Admins
> 
> Well, firstly you probably need something like this
> 
> domain admin group = @"DOMAIN+Domain Admins"
> 
> But, you should read the man page on this option, since this actually
> affects which users are seen by the windows members of a samba
> controlled domain to have admin rights, only on the windows machines.
> 
> | --
> |
> | and
> |
> | --
> | domain admin group = DOMAIN+Administrator
> | --
> |
> | but I still don't seem to have this access.
> |
> | Is there something I am missing?
> |
> | Any pointers would be great :) I want to let designated domain admins
> | change ACLs, since NT ACL's "Take Ownership" doesn't seem to be possible
> | with the current POSIX ACL/Samba combination.
> 
> You're probably looking for something more like:
> 
> admin users = @"DOMAIN+Domain Admins"
> 
> this should be applied carefully, and on a share-by-share basis, and I
> am not sure if it will do what you want (allow you to change ownership),
> but it will let you delete anything!
> 
> no need for messy hidden shares (which is a security nightmare, unless it
> is protected somehow).
> 
> Buchan
> 
> - --
> |----------------Registered Linux User #182071-----------------|
> Buchan Milne                Mechanical Engineer, Network Manager
> Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
> Stellenbosch Automotive Engineering         http://www.cae.co.za
> GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
> 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
> 
> 
> 
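An added example, not part of the original thread and not Samba's own code: a small audit that reads an smb.conf and reports every section where "admin users" takes effect, showing whether it was set on that share or inherited from [global], which is the difference behind the reply's advice to apply it share by share. The sample configuration, the share names and the user alice are constructed; the parser assumes no backslash line continuations and does not follow include files.

```python
# Added example: report where smb.conf grants "admin users" (root file access).
SAMPLE_SMB_CONF = '''
[global]
   workgroup = DOMAIN
   ; constructed sample: a [global] value is the default for every share
   Admin Users = @"DOMAIN+Domain Admins"
[projects]
   path = /srv/projects
[finance]
   adminusers = alice
'''

def norm(name):
    # smb.conf ignores case and all whitespace in section and parameter names
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit_admin_users(text):
    """List (section, effective admin users, origin) where the list is non-empty."""
    sections = parse_smb_conf(text)
    default = sections.get("global", {}).get("adminusers", "")
    report = []
    for name, params in sections.items():
        value = params.get("adminusers", default)
        if not value:
            continue
        if name == "global":
            how = "global default: applies to every share"
        elif "adminusers" in params:
            how = "set on this share"
        else:
            how = "inherited from [global]"
        report.append((name, value, how))
    return report

if __name__ == "__main__":
    print(*audit_admin_users(SAMPLE_SMB_CONF), sep="\n")
```

A share reported as "inherited from [global]" is one whose administrators were never chosen for that share specifically, so it is the first place to check when reviewing who can act as root on the server's files.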
