[Samba] Changing ACLs as administrator

David Brodbeck DavidB at mail.interclean.com
Mon Jul 29 13:14:03 GMT 2002


Right, if you do it that way any file created by a Domain Admin will be
owned by root.  I didn't like that, so I went with the "create a hidden
administrative share" solution.  For most people it'd probably work fine,
though.

> -----Original Message-----
> From: Konkol, Josh [mailto:JKonkol at guidemail.com]
> Sent: Monday, July 29, 2002 8:57 AM
> To: 'Rob Helmer'; sspitzner at planalytics.com; samba at lists.samba.org
> Subject: RE: [Samba] Changing ACLs as administrator
> 
> 
> But that means everything you do will be as root.  All new files will belong
> to root and not those users.
> 
> Right ??
> 
> Josh
> 
> > -----Original Message-----
> > From: Rob Helmer [mailto:robert at namodn.com]
> > Sent: Friday, July 26, 2002 4:10 PM
> > To: sspitzner at planalytics.com; samba at lists.samba.org
> > Subject: Re: [Samba] Changing ACLs as administrator
> > 
> > 
> > Hello,
> > 
> > 
> > I hope you don't mind that I am CC:'ing the list.
> > 
> > I used the "username map" directive to point to a username map file in
> > smb.conf :
> > 
> > --
> > username map = /usr/local/samba/private/username.map
> > --
> > 
> > My /usr/local/samba/private/username.map looks like this :
> > 
> > --
> > root = @"DOMAIN+Domain Admins"
> > --
> > 
> > Seems to work for my purposes :)
> > 
> > My smbd/nmbd are currently on 2.2.2 ( winbind is 2.2.3a, because
> > of the memory leak issue in previous versions ).
> > 
> > 
> > 
> > Thanks,
> > Rob
> > 
> > 
> > 
> > On Fri, Jul 26, 2002 at 02:19:34PM -0400, sspitzner at planalytics.com wrote:
> > > 
> > > 
> > > Could you please tell me how to map the root user? According to the
> > > documentation I have seen, the domain admin group directive is no longer
> > > valid in 2.2.5. Obviously, I have missed something.
> > > 
> > > TIA
> > > Sam
> > > 
> > > 
> > > 
> > > 
> > > Rob Helmer <robert at namodn.com> on 07/26/2002 02:09:06 PM
> > > 
> > > 
> > > 
> > > 
> > > To:   samba at lists.samba.org
> > > cc:    (bcc: Samuel K Spitzner/Planalytics)
> > > 
> > > Subject:  Re: [Samba] Changing ACLs as administrator
> > > 
> > > 
> > > 
> > > 
> > > Hello Buchan
> > > 
> > > 
> > > Thank you very much for your reply.
> > > 
> > > The "domain admin" setting in Samba doesn't seem to allow one to
> > > change ACLs or take ownership, but I experimented with the info
> > > in the email you sent and mapped the root user to @"DOMAIN+Domain Admins"
> > > and now all Domain Admins are able to take ownership and/or change ACLs
> > > from their Windows boxes.
> > > 
> > > 
> > > 
> > > Thanks,
> > > Rob
> > > 
> > > 
> > > On Fri, Jul 26, 2002 at 05:28:35PM +0200, Buchan Milne wrote:
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > | Message: 3
> > > > | Date: Thu, 25 Jul 2002 11:35:49 -0700
> > > > | From: Rob Helmer <robert at namodn.com>
> > > > | To: samba at lists.samba.org
> > > > | Organization: Namodn Artists - http://www.namodn.com
> > > > | Subject: [Samba] Changing ACLs as administrator
> > > > |
> > > > | Hello,
> > > > |
> > > > |
> > > > | While the interesting discussion on POSIX ACLs vs. NT ACLs has
> > > > | been going on, I've been trying ( unsuccessfully ) from a Windows
> > > > | box logged in as DOMAIN\Administrator to change ACLs on a file
> > > > | owned by a user.
> > > > |
> > > > | I just get "Access denied" every time I attempt it.
> > > > |
> > > > | I have tried setting in the smb.conf :
> > > > |
> > > > | --
> > > > | domain admin group = DOMAIN+Domain Admins
> > > >
> > > > Well, firstly you probably need something like this
> > > >
> > > > domain admin group = @"DOMAIN+Domain Admins"
> > > >
> > > > But, you should read the man page on this option, since this actually
> > > > affects which users are seen by the windows members of a samba
> > > > controlled domain to have admin rights, only on the windows machines.
> > > >
> > > > | --
> > > > |
> > > > | and
> > > > |
> > > > | --
> > > > | domain admin group = DOMAIN+Administrator
> > > > | --
> > > > |
> > > > | but I still don't seem to have this access.
> > > > |
> > > > | Is there something I am missing?
> > > > |
> > > > | Any pointers would be great :) I want to let designated domain admins
> > > > | change ACLs, since NT ACL's "Take Ownership" doesn't seem to be possible
> > > > | with the current POSIX ACL/Samba combination.
> > > >
> > > > You're probably looking for something more like:
> > > >
> > > > admin users = @"DOMAIN+Domain Admins"
> > > >
> > > > this should be applied carefully, and on a share-by-share basis, and I
> > > > am not sure if it will do what you want (allow you to change ownership),
> > > > but it will let you delete anything!
> > > >
> > > > no need for messy hidden shares (which is a security nightmare, unless it
> > > > is protected somehow).
> > > >
> > > > Buchan
> > > >
> > > > - --
> > > > |----------------Registered Linux User #182071-----------------|
> > > > Buchan Milne                Mechanical Engineer, Network Manager
> > > > Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
> > > > Stellenbosch Automotive Engineering         http://www.cae.co.za
> > > > GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
> > > > 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: GnuPG v1.0.7 (GNU/Linux)
> > > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > > >
> > > > iD8DBQE9QWqjrJK6UGDSBKcRApzpAJ9IR+jcRNhBuLZBIb62bpni3SCW2wCcDKPf
> > > > lNJl6ucrV6Nw7R/i4/k1V/Y=
> > > > =Kclx
> > > > -----END PGP SIGNATURE-----
> > > >
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > >
> > > 
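
Added example (not part of the original thread, and not Samba project code): a small Python check for the two root-equivalent grants debated above, a "username map" line that maps a group to root and an "admin users" setting that is global or sits on a share with no "valid users" restriction. The sample configuration and share names are constructed, and treating "valid users" as the required protection for a share is an assumption of this example.

```python
import re

# Constructed sample inputs, not from the thread; share names are hypothetical.
SMB_CONF = """\
[global]
   username map = /usr/local/samba/private/username.map

[projects]
   admin users = @"DOMAIN+Domain Admins"

[admin$]
   browseable = no
   valid users = @"DOMAIN+Domain Admins"
   admin users = @"DOMAIN+Domain Admins"
"""
USERNAME_MAP = '# constructed sample\nroot = @"DOMAIN+Domain Admins"\n'


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def audit(conf_text, map_text):
    """Flag the root-equivalent grants discussed in the thread."""
    findings = []
    for line in map_text.splitlines():
        unix, _, clients = line.lstrip("!").partition("=")
        if unix.strip() == "root" and "@" in clients:
            findings.append(("username map", "group mapped to root"))
    for name, params in parse_smb_conf(conf_text).items():
        if "admin users" not in params:
            continue
        if name == "global":
            findings.append((name, "admin users applies to every share"))
        elif "valid users" not in params:  # assumed policy, see lead-in
            findings.append((name, "admin users without valid users"))
    return findings
```

Call audit() with the text of the real smb.conf and username map file; each finding is a (location, reason) pair.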



