[Samba] 'rights' usage of 'Domain Admins' - User can't take possession of file on server...should it work?

L. A. Walsh samba at tlinx.org
Sun Jun 20 23:52:50 MDT 2010

I'm a little fuzzy about this, but I can't think of why samba would
provide rights if it wasn't for this case.

As mentioned in the HOWTO, domain admins, on a samba host, 
have no special rights other than what are assigned using
"net rpc rights".  So I assigned the "TakeOwnerShip" right
to that group.  I placed myself in that group.

Then on a workstation, I log in as "domain\me" (as opposed
to local login).  
Then I use explorer to browse a directory owned by
user/group 'dummy/dummy' on a share on the domain server.
Trying to create a subdirectory there, fails, as expected.  
However, when I try taking ownership of that directory --
that also fails with a permission denied.

Why?  FWIW, I am in the local-workstation's admin
group, so I can take possession of local files in such
a situation.

Also, FWIW, I am in the domain server's "Administrators" 
group which is a unix group that is mapped to the built-in
"Administrators" group.

I'm running winbind, and my /etc/nsswitch.conf file has:

    passwd: files winbind
    group: files winbind

I am NOT running nscd -- as the HOWTO says it can cause 
a conflict (though trying it with nscd seems to make no difference).

Is this supposed to work?

Should rights assigned to domain groups also propagate to domain machines?

I.e. should 'Domain Admins' having the "Take ownership" right
allow a user to take file ownership on a workstation if it was
their only rights-enabling SID?

If domain rights DON'T work this way -- then what are they for?


