[Samba] Samba4: Setting up share/security permissions for shares on memb

steve steve at steve-ss.com
Tue Oct 21 13:17:42 MDT 2014

On 21/10/14 21:09, Rowland Penny wrote:
> On 21/10/14 19:46, Mirco MEGAS wrote:
>>> have a look here:
>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>> and here:
>>> https://wiki.samba.org/index.php/Delegating_Administration_Permissions
>>> Rowland
>> The first link is known to me, there is no information about "username
>> map" as you explained to me. The second link describes how to assign
>> some "special privileges" to non-DomainAdmin groups, that's nice. But
>> unfortunately I didn't understand how to achieve my goal with that. I
>> don't want to create an extra group "supporters" or similar, I just
>> want to allow all members of 'MYDOM\Domain Admins' to change security
>> settings. The example you gave me before works for one user. I did
>> read the "man smb.conf" for that directive "username map" and I tried
>> various variations for the "smbmap" file:
>> (1)
>> !root = '@MYDOM\Domain Admins' '@MYDOM\domain admins' '@Domain Admins'
>> '@domain admins'
>> '@domain admins'
>> (2)
>> !root = @'MYDOM\Domain Admins' @'MYDOM\domain admins' @'Domain Admins'
>> @'domain admins'
>> @'domain admins'
>> (3)
>> !root = @MYDOM\Domain\040Admins @MYDOM\domain\040admins
>> @Domain\040Admins @domain\040admins
>> @domain\040admins
>> Unfortunately it didn't work. But following works of course:
>> (4)
>> !root = MYDOM\Administrator MYDOM\johndoe MYDOM\foobar MYDOM\admin3
>> MYDOM\admin4
>> administrator
>> Example (4) is doing fine as I realized, but let's say we have 50
>> admins, it's not comfortable to put each name in here. So I would
>> prefer the more elegant way and define a group name which should be
>> the group "MYDOM\Domain Admins".
>> Here's the output of...
>> [root@membersrv1:~$ getent group 'domain admins'
>> domain admins:x:11000:johndoe,foobar,admin3,admin4,admin5,admin6,...,admin50
>> Mirco
> OK, run this on the Samba4 DC:
>   net rpc rights grant EXAMPLE\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
> Rowland
He's still then faced with how to map the group members to root. As just 
shown, it's a username map, not a groupname map.

On a different note: Having 50 people who could destroy the domain with 
the click of a mouse? Dunno, have only one and delegate?
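
Added example, not part of the original thread: a shell function that turns a `getent group` record like the one quoted above into an explicit-name `username map` line of the form shown in (4). It assumes members are listed without a domain prefix, as in the quoted output; the function name and the output path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: build a "username map" line from one `getent group` record.
# Assumption: members appear without a domain prefix (as in the thread's output).

# group_to_map_line DOMAIN GETENT_RECORD
#   prints:  !root = DOMAIN\user1 DOMAIN\user2 ...
#   returns: 0 on success, 1 if the group has no members,
#            2 if the record is malformed or a name has unexpected characters
group_to_map_line() {
    domain=$1
    record=$2

    # A group record is name:passwd:gid:members. The group name may contain
    # spaces, so take the member list as everything after the last colon.
    case $record in
        *:*:*:*) ;;
        *) return 2 ;;
    esac
    members=${record##*:}
    [ -n "$members" ] || return 1

    # Refuse anything outside a conservative character set before splitting,
    # so no glob or quoting character can reach the generated map file.
    case $members in
        *[!A-Za-z0-9._,\ -]*) return 2 ;;
    esac

    line='!root ='
    old_ifs=$IFS
    IFS=,
    for m in $members; do
        case $m in
            # smb.conf(5): names containing spaces go in double quotes
            *' '*) line="$line \"$domain\\$m\"" ;;
            *)     line="$line $domain\\$m" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$line"
}

# Usage (hypothetical output path; review the result before installing it):
#   group_to_map_line MYDOM "$(getent group 'domain admins')" > /etc/samba/smbmap.new
```

The generated file is a snapshot of the group at the time it was built, so it has to be regenerated whenever membership changes.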
