[Samba] Samba4: Setting u­p share/­security permiss­ions for ­shares on memb

[Rowland Penny]

On 21/10/14 19:46, ?icro MEGAS wrote:
>> have a look here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>> and here: https://wiki.samba.org/index.php/Delegating_Administration_Permissions
>>
>> Rowland
> The first link is known to me, there is no information about "username map" as you explained to me. The second link describes how to assign some "special privileges" to non-DomainAdmin groups, thats nice. But unfortunately I didn't understand how to achieve my goal with that. I don't want to create an extra group "supporters" or similar, I just want to allow all members of 'MYDOM\Domain Admins' to change security settings. The example you gave me before works for one user. I did read the "man smb.conf" for that directive "username map" and I tried various variations for the "smbmap" file:
>
> (1)
> !root = '@MYDOM\Domain Admins' '@MYDOM\domain admins' '@Domain Admins' '@domain admins'
> '@domain admins'
>
> (2)
> !root = @'MYDOM\Domain Admins' @'MYDOM\domain admins' @'Domain Admins' @'domain admins'
> @'domain admins'
>
> (3)
> !root = @MYDOM\Domain\040Admins @MYDOM\domain\040admins @Domain\040Admins @domain\040admins
> @domain\040admins
>
> Unfortunately it didn't work. But following works of course:
> (4)
> !root = MYDOM\Administrator MYDOM\johndoe MYDOM\foobar MYDOM\admin3 MYDOM\admin4
> administrator
>
> Example (4) is doing fine as I realized, but let's say we have 50 admins, it's not comfortable to put each name in here. So I would prefer the more elegant way and define a group name which should be the group "MYDOM\Domain Admins".
>
> Here's the output of...
> [root at membersrv1:~$ getent group 'domain admins'
> domain admins:x:11000:johndoe,foobar,admin3,admin4,admin5,admin6,...,admin50
>
> Mirco
OK, run this on the Samba4 DC:

  net rpc rights grant EXAMPLE\\"Domain Admins" SeDiskOperatorPrivilege 
-UAdministrator

Rowland