[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

Davor Vusir davortvusir at gmail.com
Wed Mar 4 13:52:12 MST 2015


2015-03-04 21:35 GMT+01:00 Shane Robinson <srobinson at simpeq.ca>:
> Hi Davor,
>
> If the mapping of administrator to root is not ideal, I do like the idea of
> having a specific FileShareAdmin group.
>
> But, why chown and not simply chgrp?
>

If you consider 'root' as a BUILTIN\Administrator equivalent it
might work changing both Share and DACL "the Windows way". I'm not
sure it's going to work as 'root' (on the local file/Samba server)
cannot be resolved. There is no 'SERVER\root' account in the AD
database. I suggest you change the owner to a domain user account
(or if possible a domain group). See also
https://lists.samba.org/archive/samba/2014-October/186286.html.

Regards
Davor

> Thanks!
>
> Shane Robinson
> Chief Administrative Officer
> SimpeQ Care Inc.
> t. 604.988.3103 ext. 104
> c. 604.506.3311
> f. 604.988.3105
> Please consider the environment before printing this email.
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Rowland Penny
> Sent: Wednesday, March 04, 2015 12:13 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain Member Server (wheezy) - Unable to edit
> permissions of share without usermapping - shall I add to Wiki?
>
> On 04/03/15 19:25, Davor Vusir wrote:
>> If I remember correctly it doesn't matter what combinations you
>> 'chmod' to. It changes to 755 as soon as you change ACLs from Windows.
>> I suggest you add uid- and gidnumber to all users and groups and chown
>> to a user:group (or perhaps group:group if possible). For example
>> chown FileShareAdmin:FileShareAdminGroup and let the user account
>> which operates the file share be a member of group
>> FileShareAdminGroup. With this approach you get some degree of
>> security if you also allow users to logon to the server with ssh for
>> example. And of course home directories.
>>
>> Choice 3 and uid-/gidNumber assigned.
>>
>> Regards
>> Davor
>>
>
> You must be mis-remembering because I just tried it and the Unix ACLs do not
> change, mind you I never thought they would. The Windows ACLs now show with
> getfacl, so this may be what you are getting mixed up with.
>
> As for giving all users and groups an ID number, just how far do you suggest
> an admin goes? Do you suggest that all the 'well known SIDs' be given an ID?
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

