[Samba] Changing ACLs as administrator

Rob Helmer robert at namodn.com
Fri Jul 26 13:59:02 GMT 2002


Hello,


I hope you don't mind that I am CC:'ing the list.

I used the "username map" directive to point to a username map file in
smb.conf :

--
username map = /usr/local/samba/private/username.map
--

My /usr/local/samba/private/username.map looks like this :

--
root = @"DOMAIN+Domain Admins"
--

Seems to work for my purposes :)

My smbd/nmbd are currently on 2.2.2 ( winbind is 2.2.3a, because
of the memory leak issue in previous versions ).



Thanks,
Rob



On Fri, Jul 26, 2002 at 02:19:34PM -0400, sspitzner at planalytics.com wrote:
> 
> 
> Could you please tell me how to map the root user? According to the
> documentation I have
> seen, the domain admin group directive is no longer valid in 2.2.5. Obviously, I
> have missed
> something.
> 
> TIA
> Sam
> 
> 
> 
> 
> Rob Helmer <robert at namodn.com> on 07/26/2002 02:09:06 PM
> 
> 
> 
> 
> To:   samba at lists.samba.org
> cc:    (bcc: Samuel K Spitzner/Planalytics)
> 
> Subject:  Re: [Samba] Changing ACLs as administrator
> 
> 
> 
> 
> Hello Buchan
> 
> 
> Thank you very much for your reply.
> 
> The "domain admin" setting in Samba doesn't seem to allow one to
> change ACLs or take ownership, but I experimented with the info
> in the email you sent and mapped the root user to @"DOMAIN+Domain Admins"
> and now all Domain Admins are able to take ownership and/or change ACLs
> from their Windows boxes.
> 
> 
> 
> Thanks,
> Rob
> 
> 
> On Fri, Jul 26, 2002 at 05:28:35PM +0200, Buchan Milne wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > | Message: 3
> > | Date: Thu, 25 Jul 2002 11:35:49 -0700
> > | From: Rob Helmer <robert at namodn.com>
> > | To: samba at lists.samba.org
> > | Organization: Namodn Artists - http://www.namodn.com
> > | Subject: [Samba] Changing ACLs as administrator
> > |
> > | Hello,
> > |
> > |
> > | While the interesting discussion on POSIX ACLs vs. NT ACLs has
> > | been going on, I've been trying ( unsuccessfully ) from a Windows
> > | box logged in as DOMAIN\Administrator change ACLs on a file
> > | owned by a user.
> > |
> > | I just get "Access denied" every time I attempt it.
> > |
> > | I have tried setting in the smb.conf :
> > |
> > | --
> > | domain admin group = DOMAIN+Domain Admins
> >
> > Well, firstly you probably need something like this
> >
> > domain admin group = @"DOMAIN+Domain Admins"
> >
> > But, you should read the man page on this option, since this actually
> > affects which users are seen by the windows members of a samba
> > controlled domain to have admin rights, only on the windows machines.
> >
> > | --
> > |
> > | and
> > |
> > | --
> > | domain admin group = DOMAIN+Administrator
> > | --
> > |
> > | but I still don't seem to have this access.
> > |
> > | Is there something I am missing?
> > |
> > | Any pointers would be great :) I want to let designated domain admins
> > | change ACLs, since NT ACL's "Take Ownership" doesn't seem to be possible
> > | with the current POSIX ACL/Samba combination.
> >
> > You're probably looking for something more like:
> >
> > admin users = @"DOMAIN+Domain Admins"
> >
> > this should be applied carefully, and on a share-by-share basis, and I
> > am not sure if it will do what you want (allow you to change ownership),
> > but it will let you delete anything!
> >
> > no need for messy hidden shares (which is a secutiy nightmare, unless it
> > protected somehow).
> >
> > Buchan
> >
> > - --
> > |----------------Registered Linux User #182071-----------------|
> > Buchan Milne                Mechanical Engineer, Network Manager
> > Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
> > Stellenbosch Automotive Engineering         http://www.cae.co.za
> > GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
> > 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.7 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQE9QWqjrJK6UGDSBKcRApzpAJ9IR+jcRNhBuLZBIb62bpni3SCW2wCcDKPf
> > lNJl6ucrV6Nw7R/i4/k1V/Y=
> > =Kclx
> > -----END PGP SIGNATURE-----
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
> 
> 
> 




More information about the samba mailing list