[Samba] root ownership on all new files for admin users

Vladimir Shved vladimirshved at gmail.com
Fri Mar 20 14:28:57 GMT 2009


Looks like removing `admin users = @"BUILTIN\administrators"` helped,
so it's solved. The only reason I added that line was so non-domain
admins can manage groups on that machine, but it seems simply adding
them to BUILTIN\administrators is sufficient. Thank you for helping me
with this.

--Vlad

On Thu, Mar 19, 2009 at 3:56 PM, Mark Casey <markc at unifiedgroup.com> wrote:
> Hi,
>
> I'm dealing with the same issue so I thought I'd share a few ideas I've
> found so far.
>
> "write users=" should just be letting those users write as themselves. It's
> the "admin users=" line that is intervening and mapping them to root.
>
> If it's just the need for admin rights, I know that there is a privileges
> system built into samba. Most of the things you would want for an admin user
> to be able to do can actually be enabled for that user instead of mapping
> them to root. I've read that while no account has any privileges by default,
> the Domain Admins group is automatically given the right to hand out new
> privileges. Just search for "samba privileges" online, I think this is the
> preferred way to accomplish what you want, removing the need for the admin
> users parameter.
>
> Another thing you may consider is just make a new user in AD, and then
> change the "admin users" line so that it only lists that account. I don't
> even imagine that account would have to be an admin as far as Windows is
> concerned, but it could be made one if the situation arises to warrant it.
> Then your write list can write as themselves, and the new user can be mapped
> to root and not used to edit users' files. They could share the password if
> more than one person needs access, which is no worse than having them all
> mapped to root anyway (possibly better).
>
> I don't quite have it figured yet so double check me if you go with one of
> those, but I HTH.
>
> -Mark
>
>
>
>
> Vladimir Shved wrote:
>>
>> Hello,
>> I have a Samba server on a Windows domain, in ADS mode, but have a problem
>> tracking files that belong to admin users: any time a new file is created
>> the default owner is root. For non-admin users it's normal, newly
>> created files have correct ownership permissions. It's possible for a
>> user to go and take ownership manually from a Windows machine but it's
>> just inconvenient. Is there any way to change the default behavior to
>> create files with the correct ownership of the original user rather than
>> mapping to root for admin users?
>>
>> Thank you,
>> Vladimir Shved
>>
>> My setup:
>> Ubuntu 8.04 Hardy
>> Samba 3.0.28a
>> ext3 fs w/ ACLs
>>
>> censored smb.conf:
>> [global]
>>        workgroup = MYDOMAIN
>>        realm = MYDOMAIN.LOCAL
>>        server string = File Server
>>        security = ADS
>>        syslog = 0
>>        log file = /var/log/samba/log.%m
>>        log level = 1 ads:10 auth:10 sam:10 rpc:10
>>        max log size = 1000
>>        local master = No
>>        dns proxy = No
>>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>        wins server = 192.168.1.2
>>        winbind enum users = no
>>        winbind enum groups = no
>>        winbind use default domain = yes
>>        winbind nested groups = yes
>>        passdb backend = tdbsam
>>
>>        ldap ssl = on
>>
>>        idmap domains = MYDOMAIN
>>        idmap config MYDOMAIN:backend = ldap
>>        idmap config MYDOMAIN:readonly = yes
>>        idmap config MYDOMAIN:default = yes
>>        idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=mydomain,dc=local
>>        idmap config MYDOMAIN:ldap_url = ldaps://ldapmachine
>>        idmap config MYDOMAIN:ldap_anon = yes
>>
>>        idmap alloc backend = tdb
>>        idmap alloc config:range = 30000-49999
>>
>>        template shell = /bin/bash
>>
>>        admin users = @"BUILTIN\administrators"
>>        write list = @"BUILTIN\administrators"
>>        client use spnego = yes
>>        domain master = no
>>        load printers = no
>>        printing = bsd
>>        printcap name = /dev/null
>>        show add printer wizard = no
>>        disable spoolss = yes
>>
>>        guest account = nobody
>>        map to guest = bad user
>>        invalid users = root
>>        map to guest = bad password
>>
>> [share]
>>        path = /share
>>        guest ok = Yes
>>        create mask = 0664
>>        directory mode = 0775
>>

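The cause identified in this thread, as an added example that is not part of the original messages: a small Python check that reports which shares have an `admin users` value in effect, and so will create files owned by root for the listed accounts. The sample configuration is constructed from the posted smb.conf, the `[projects]` share and the function names are hypothetical, and the parser assumes a single file without `include` lines or backslash continuations.

```python
import re

# Constructed sample: a trimmed form of the smb.conf posted in the thread,
# plus a hypothetical [projects] share that clears the inherited setting.
SAMPLE_CONF = r'''
[global]
       security = ADS
       admin users = @"BUILTIN\administrators"
       write list = @"BUILTIN\administrators"
[share]
       path = /share
       guest ok = Yes
[projects]
       path = /projects
       admin users =
'''

def parse_smb_conf(text):
    """Return {section: {param: value}}. Section and parameter names are
    lower-cased and parameter names lose their spaces, since smb.conf
    treats 'admin users' and 'AdminUsers' as the same parameter."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def root_mapped_shares(text):
    """Map each share to the 'admin users' value in effect for it.
    A value in [global] is the default for every share; a share-level
    value, including an empty one, overrides it."""
    conf = parse_smb_conf(text)
    inherited = conf.get("global", {}).get("adminusers", "")
    findings = {}
    for name, params in conf.items():
        effective = params.get("adminusers", inherited)
        if name != "global" and effective:
            findings[name] = effective
    return findings

if __name__ == "__main__":
    for share, who in root_mapped_shares(SAMPLE_CONF).items():
        print(f"[{share}] files created by {who} will be owned by root")
```

On the sample, only `[share]` is reported: it inherits the `[global]` line, while `[projects]` overrides it with an empty list.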
