[Samba] root ownership on all new files for admin users
Vladimir Shved
vladimirshved at gmail.com
Fri Mar 20 14:28:57 GMT 2009
Looks like removing `admin users = @"BUILTIN\administrators"` helped,
so it's solved. The only reason I've added that line is so non-domain
admins can manage groups on that machine, but it seems simply adding
them to BUILTIN\administrators is sufficient. Thank you for helping me
with this.
--Vlad
On Thu, Mar 19, 2009 at 3:56 PM, Mark Casey <markc at unifiedgroup.com> wrote:
> Hi,
>
> I'm dealing with the same issue so I thought I'd share a few ideas I've
> found so far.
>
> "write users=" should just be letting those users write as themselves. It's
> the "admin users=" line that is intervening and mapping them to root.
>
> If it's just the need for admin rights, I know that there is a privileges
> system built into Samba. Most of the things you would want for an admin user
> to be able to do can actually be enabled for that user instead of mapping
> them to root. I've read that while no account has any privileges by default,
> the Domain Admins group is automatically given the right to hand out new
> privileges. Just search for "samba privileges" online, I think this is the
> preferred way to accomplish what you want, removing the need for the admin
> users parameter.
>
> Another thing you may consider is just make a new user in AD, and then
> change the "admin users" line so that it only lists that account. I don't
> even imagine that account would have to be an admin as far as Windows is
> concerned, but it could be made one if the situation arises to warrant it.
> Then your write list can write as themselves, and the new user can be mapped
> to root and not used to edit users' files. They could share the password if
> more than one person needs access, which is no worse than having them all
> mapped to root anyway (possibly better).
>
> I don't quite have it figured yet so double check me if you go with one of
> those, but I HTH.
>
> -Mark
>
>
>
>
> Vladimir Shved wrote:
>>
>> Hello,
>> I have a Samba server on a Windows domain, in ADS mode, but have a problem
>> tracking files that belong to admin users: any time a new file is created,
>> the default owner is root. For non-admin users it's normal, newly
>> created files have correct ownership permissions. It's possible for a
>> user to go and take ownership manually from a Windows machine but it's
>> just inconvenient. Is there any way to change the default behavior to
>> create files with correct ownership of the original user rather than
>> mapping to root for admin users?
>>
>> Thank you,
>> Vladimir Shved
>>
>> My setup:
>> Ubuntu 8.04 Hardy
>> Samba 3.0.28a
>> ext3 fs w/ ACLs
>>
>> censored smb.conf:
>> [global]
>> workgroup = MYDOMAIN
>> realm = MYDOMAIN.LOCAL
>> server string = File Server
>> security = ADS
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> log level = 1 ads:10 auth:10 sam:10 rpc:10
>> max log size = 1000
>> local master = No
>> dns proxy = No
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> wins server = 192.168.1.2
>> winbind enum users = no
>> winbind enum groups = no
>> winbind use default domain = yes
>> winbind nested groups = yes
>> passdb backend = tdbsam
>>
>> ldap ssl = on
>>
>> idmap domains = MYDOMAIN
>> idmap config MYDOMAIN:backend = ldap
>> idmap config MYDOMAIN:readonly = yes
>> idmap config MYDOMAIN:default = yes
>> idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=mydomain,dc=local
>> idmap config MYDOMAIN:ldap_url = ldaps://ldapmachine
>> idmap config MYDOMAIN:ldap_anon = yes
>>
>> idmap alloc backend = tdb
>> idmap alloc config:range = 30000-49999
>>
>> template shell = /bin/bash
>>
>> admin users = @"BUILTIN\administrators"
>> write list = @"BUILTIN\administrators"
>> client use spnego = yes
>> domain master = no
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> show add printer wizard = no
>> disable spoolss = yes
>>
>> guest account = nobody
>> map to guest = bad user
>> invalid users = root
>> map to guest = bad password
>>
>> [share]
>> path = /share
>> guest ok = Yes
>> create mask = 0664
>> directory mode = 0775
>>
>
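An added example, not part of the original thread: a small audit that lists every principal an smb.conf maps to root through `admin users`, the setting that caused the root-owned files discussed above. The sample configuration is constructed for illustration, and the `svc-admin` and `Domain Admins` entries are hypothetical; entries starting with `@`, `+` or `&` are treated as groups, following smb.conf user-list syntax.

```python
import re

# Constructed sample modelled on the smb.conf quoted in this thread.
SAMPLE = r'''
[global]
   security = ADS
   ; every member of this group operates as root on all shares
   Admin  Users = @"BUILTIN\administrators"
   write list = @"BUILTIN\administrators"
   invalid users = root
[share]
   path = /share
   admin users = svc-admin, @"Domain Admins"
'''

def parse(text):
    """Yield (section, normalised_name, value) for each smb.conf parameter."""
    section, pending = "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            yield section, re.sub(r"\s+", "", name).lower(), value.strip()

def admin_user_findings(text):
    """Return (section, entry, kind) for each principal 'admin users' maps to root."""
    findings = []
    for section, name, value in parse(text):
        if name != "adminusers":
            continue
        # Entries are separated by whitespace or commas; quotes protect spaces.
        for token in re.findall(r'(?:[^\s,"]|"[^"]*")+', value):
            entry = token.replace('"', "")
            if entry:
                kind = "group" if entry[0] in "@+&" else "user"
                findings.append((section, entry, kind))
    return findings

if __name__ == "__main__":
    for section, entry, kind in admin_user_findings(SAMPLE):
        print(f"[{section}] admin users maps {kind} {entry!r} to root")
```

A group entry in the `[global]` section is the widest case, since it applies to every share and to every current and future member of that group.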