[Samba] Samba4: Setting up share/security permissions for shares on memb
rowlandpenny at googlemail.com
Tue Oct 21 13:09:41 MDT 2014
On 21/10/14 19:46, ?icro MEGAS wrote:
>> have a look here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>> and here: https://wiki.samba.org/index.php/Delegating_Administration_Permissions
> The first link is known to me, there is no information about "username map" as you explained to me. The second link describes how to assign some "special privileges" to non-DomainAdmin groups, thats nice. But unfortunately I didn't understand how to achieve my goal with that. I don't want to create an extra group "supporters" or similar, I just want to allow all members of 'MYDOM\Domain Admins' to change security settings. The example you gave me before works for one user. I did read the "man smb.conf" for that directive "username map" and I tried various variations for the "smbmap" file:
> !root = '@MYDOM\Domain Admins' '@MYDOM\domain admins' '@Domain Admins' '@domain admins'
> '@domain admins'
> !root = @'MYDOM\Domain Admins' @'MYDOM\domain admins' @'Domain Admins' @'domain admins'
> @'domain admins'
> !root = @MYDOM\Domain\040Admins @MYDOM\domain\040admins @Domain\040Admins @domain\040admins
> Unfortunately it didn't work. But following works of course:
> !root = MYDOM\Administrator MYDOM\johndoe MYDOM\foobar MYDOM\admin3 MYDOM\admin4
> Example (4) is doing fine as I realized, but let's say we have 50 admins, it's not comfortable to put each name in here. So I would prefer the more elegant way and define a group name which should be the group "MYDOM\Domain Admins".
> Here's the output of...
> [root at membersrv1:~$ getent group 'domain admins'
> domain admins:x:11000:johndoe,foobar,admin3,admin4,admin5,admin6,...,admin50
OK, run this on the Samba4 DC:
net rpc rights grant EXAMPLE\\"Domain Admins" SeDiskOperatorPrivilege
More information about the samba