[Samba] Cannot change directory permissions

Aurélien Blachet Aurelien.Blachet at aduneo.com
Fri Aug 7 12:02:57 UTC 2015


It resolves the groupmap problem:
[root at fileserver ~]# net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

But I still have the administrator problem. I have followed the wiki.samba doc and I have set the SeDiskOperatorPrivilege:
net rpc rights list accounts -U'DOMAIN\administrator'
DOMAIN\Domain Admins
SeDiskOperatorPrivilege

but administrator is still the only user of the group 'domain admins' who can't manage the security tab of my shares on Windows when I remove "everyone" from the "share permissions" tab.
Even if I add the administrator "account" directly in this tab.
________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
Sent: Friday 7 August 2015 13:47
To: sambalist
Subject: Re: [Samba] Cannot change directory permissions

On 07/08/15 12:25, Felix Matouschek wrote:
> Hi Rowland,
>
>
> Regarding my permissions problem:
>
> Newly created files, no permission changes yet:
>
> ls -la:
>          drwxrwx---   3 fmatouschek vipco-users 4096 Aug  7 13:12 .
>          drwxr-xr-x  55 root        vipco-users 4096 Aug  4 10:12 ..
>          drwxrwx---   2 fmatouschek vipco-users 4096 Aug  7 13:11 Directory
>          -rw-rw----   1 fmatouschek vipco-users    0 Aug  7 13:12 File.txt
>
> getfacl:
>          # file: .
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          group::rwx
>          other::---
>
> Ticking "write protected" on properties (both file and directory):
>
> ls -la:
>          drwxrwx---   3 fmatouschek vipco-users 4096 Aug  7 13:17 .
>          drwxr-xr-x  55 root        vipco-users 4096 Aug  4 10:12 ..
>          drwxrwx---   2 fmatouschek vipco-users 4096 Aug  7 13:11 Directory
>          -r--r-----   1 fmatouschek vipco-users    0 Aug  7 13:12 File.txt
>
> getfacl:
>          # file: .
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          group::rwx
>          other::---
>
> Using the security tab:
>
> ls -la:
>          drwxrwx---   3 fmatouschek vipco-users 4096 Aug  7 13:20 .
>          drwxr-xr-x  55 root        vipco-users 4096 Aug  4 10:12 ..
>          drwxrwx---+  2 fmatouschek vipco-users 4096 Aug  7 13:20 Directory
>          -r--rwx---+  1 fmatouschek vipco-users    0 Aug  7 13:20 File.txt
>
> getfacl:
>          # file: .
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          group::rwx
>          other::---
>
>          # file: Directory/
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          user:fmatouschek:rwx
>          group::rwx
>          group:vipco-users:rwx
>          mask::rwx
>          other::---
>          default:user::rwx
>          default:user:fmatouschek:r--
>          default:group::---
>          default:group:vipco-users:r--
>          default:mask::rwx
>          default:other::---
>
>          # file: File.txt
>          # owner: fmatouschek
>          # group: vipco-users
>          user::r--
>          user:fmatouschek:r--
>          group::r--
>          group:vipco-users:r--
>          mask::rwx
>          other::---
>
> According to this output, only ticking write-protected on the properties of a file does exactly what I want.
>
> Any ideas?
>
> Greetings,
> Felix
>
>

Taking this back on list where it belongs.

OK, you seem to understand Unix permissions, but anyway, for those who don't:

Unix permissions are based on user:group:other, AKA ugo. These are
expressed as the letters r, w, x: r means read, w means write, x means
execute if a file and enter if it is a directory. These can be set with
chmod and you can use the letters or numbers 1-7; to allow all
permissions you could use chmod 777 /path/to/dir

Now we have that out of the way, I can tell you that no member of Domain
Admins will be able to set anything on the directory from Windows
because they don't have the permission to do so, either via Unix
permissions or Windows ACLs. You need to use 'setfacl' to add the
required permissions for Domain Admins; see 'man setfacl' for how to do
this.

Rowland
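Rowland's advice is to give Domain Admins the required rights with setfacl. The POSIX shell script below is an added example, not code from the thread: it builds the setfacl spec (an access entry plus a default entry so new files inherit it), can apply it, and audits a single file's getfacl listing for the pitfall visible in Felix's Directory/ output, where the default entry for vipco-users is only r-- so newly created files would not be writable by the group. The share path and the Unix group name "domain admins" are assumed placeholders.

```shell
# Added example: grant a Windows group rwx on a share via POSIX ACLs and
# audit one file's getfacl listing. Share path and the Unix group name
# ("domain admins", as winbind might present it) are assumed placeholders.

# setfacl spec: access entry plus a default entry so new files and
# directories under the directory inherit the same permission.
acl_spec_for_group() {
    printf 'g:%s:%s,d:g:%s:%s' "$1" "$2" "$1" "$2"
}

# Apply it recursively: grant_group_acl <share-path> <group>.
# Needs setfacl and an ACL-enabled filesystem.
grant_group_acl() {
    setfacl -R -m "$(acl_spec_for_group "$2" rwx)" "$1"
}

# Read one file's getfacl listing on stdin and report for group $1:
# no-entry, access-too-weak, masked, no-default, default-too-weak or ok.
check_group_acl() {
    awk -v g="$1" -F: '
        $1 == "group"   && $2 == g                  { acc  = $3 }
        $1 == "mask"    && $2 == ""                 { mask = $3 }
        $1 == "default" && $2 == "group" && $3 == g { def  = $4 }
        END {
            if (acc == "")                   { print "no-entry";         exit }
            if (acc != "rwx")                { print "access-too-weak";  exit }
            if (mask != "" && mask != "rwx") { print "masked";           exit }
            if (def == "")                   { print "no-default";       exit }
            if (def != "rwx")                { print "default-too-weak"; exit }
            print "ok"
        }'
}

# Constructed sample mirroring the Directory/ listing in the thread: the
# access entry is rwx but the default entry is only r--.
SAMPLE_GETFACL='# file: Directory/
# owner: fmatouschek
# group: vipco-users
user::rwx
user:fmatouschek:rwx
group::rwx
group:vipco-users:rwx
mask::rwx
other::---
default:user::rwx
default:user:fmatouschek:r--
default:group::---
default:group:vipco-users:r--
default:mask::rwx
default:other::---'
printf '%s\n' "$SAMPLE_GETFACL" | check_group_acl vipco-users   # -> default-too-weak
```

Run `getfacl /path/to/share/dir | check_group_acl 'domain admins'` against a real share to see which of the conditions applies before and after `grant_group_acl`.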
