[Samba] using the DC as a file Server in AD

joseph-andre Guaragna jaguaragna at rdmo.com
Thu Jun 11 06:18:06 MDT 2015


Hi,

We faced your problem when we first migrated to a Samba4 AD domain. We
decided, as you did, to work only with the RSAT tools.

If it is a directory with a lot of subdirectories with different ACLs, what
we did is set every group who did need access as read-only at the root
directory and then applied the allow/disallow on every subdirectory
directly via the RSAT tools.

Using these rules, we never face problems anymore.

Meilleures salutations / Best regards,

Joseph-André GUARAGNA
ingénieur Système et Réseau / Network and System engineer



RD MACHINES-OUTILS

77, allée de l'Industrie  F-74130 CONTAMINE SUR ARVE
Tel : +33 (0) 4 50 03 90 77    -   Fax :+33 (0) 4 50 03 66 79
www.rdmo.com / www.rdmo-spare-parts.com


2015-06-11 14:10 GMT+02:00 Mike <1100100 at gmail.com>:
> On Thu, Jun 11, 2015 at 5:01 AM, Klaus Hartnegg <hartnegg at uni-freiburg.de>
> wrote:
>
>> On 10.06.2015 at 03:25, Mike wrote:
>>
>>> I'm learning to be very deliberate with changing POSIX and Windows ACLs
>>> so I don't disturb users' access to files and folders.
>>> I check ACLs on a specific file/folder on the server with getfacl.
>>> Then make one small ACL modification to one file in a sub-directory of a
>>> share.
>>> Then record the difference reported by getfacl again.
>>> Then will access the same file from Windows RSAT console as the Domain
>>> Admin and note the permissions indicated on the Security tab.
>>>
>>
>> If you use acl_xattr (default in AD mode) and change permissions in Linux,
>> this will reset all permissions that were previously set from Windows. Use
>> either setfacl or the security tab, but do not mix them.
>>
>>
> Hi Klaus,
>
> Your point is well received.  I had a problem trying to effect permission
> changes using Windows ACLs.  The only way I found towards a solution was to
> go back and forth between Windows "Domain Users" and "User" accounts, and
> Linux getfacl/setfacl changes to the same file... seeing the effect of
> the changes between the two.  It's how I figured out that ACLs for Windows
> "Domain Users" consistently translate to Linux ACLs "group:users", etc.
>
> You have to play with both to understand all the parts, but carefully.

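The snapshot-and-compare routine Mike describes in the quoted message, as an added example that is not part of the thread: a Python parser that diffs two getfacl captures of the same file. The file path, the `staff` group and both captures are constructed sample data.

```python
# Constructed getfacl output for one file, before and after a single change.
BEFORE = """\
# file: srv/share/projects/plan.ods
# owner: root
# group: users
user::rwx
user:root:rwx
group::r-x
group:users:r-x
mask::rwx
other::---
"""
AFTER = """\
# file: srv/share/projects/plan.ods
# owner: root
# group: users
user::rwx
group::r-x         #effective:r--
group:users:rw-
group:staff:r-x    #effective:r--
mask::rw-
other::---
"""


def parse_getfacl(text):
    """Parse one file's getfacl block into (header dict, {(tag, name): perms})."""
    header, entries = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        elif line:
            line = line.split("#", 1)[0].strip()  # drop "#effective:" notes
            tag, name, perms = line.rsplit(":", 2)  # a "default:" prefix stays in tag
            entries[(tag, name)] = perms
    return header, entries


def diff_acl(before, after):
    """List (entry, old_perms, new_perms) for every entry that differs."""
    old, new = parse_getfacl(before)[1], parse_getfacl(after)[1]
    return [(key, old.get(key), new.get(key))
            for key in sorted(old.keys() | new.keys())
            if old.get(key) != new.get(key)]


if __name__ == "__main__":
    for (tag, name), was, now in diff_acl(BEFORE, AFTER):
        print(f"{tag}:{name}  {was or 'absent'} -> {now or 'absent'}")
```

It compares only what getfacl reports; the permissions shown on the Security tab are still checked from Windows, as in the quoted procedure.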
