[Samba] FW: Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

Shane Robinson srobinson at simpeq.ca
Wed Mar 4 13:32:40 MST 2015


Forgot to add the list in the TO line!

Shane Robinson
Chief Administrative Officer
SimpeQ Care Inc.
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.


-----Original Message-----
From: Shane Robinson [mailto:srobinson at simpeq.ca] 
Sent: Wednesday, March 04, 2015 12:32 PM
To: 'Rowland Penny'
Subject: RE: [Samba] Domain Member Server (wheezy) - Unable to edit
permissions of share without usermapping - shall I add to Wiki?

Hi Rowland,

Thanks for getting back to me!

So, if you and others are mapping root to Administrator, shall I add that
to the wiki?

Upon reading your response, could my problem have always been that I
immediately gave the Administrator account a UIDnumber? Is the
Administrator's UIDnumber automagically set to '0'? (I'm going to feel
awfully silly if that's a yes)

I think I agree that ID_TYPE_BOTH may simply confuse matters, but it is
present currently, so, given that, why would chown administrator be
preferred over chgrp Domain Admins or vice versa? In my testing, both seem
to allow the changing of acls from windows.

Thanks!

Shane Robinson


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Rowland Penny
Sent: Wednesday, March 04, 2015 10:59 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Domain Member Server (wheezy) - Unable to edit
permissions of share without usermapping - shall I add to Wiki?

On 04/03/15 18:31, Shane Robinson wrote:
> Hello again Rowland, list!
>
> Sorry for the delayed response, and top posting.
>
> To recap:
> I'd like to complete the member server wiki so that ACLs can be set 
> from windows without taking undocumented steps.
>
> The three ways I've found to do this are:
>
> 1) map root to administrator. (LPH VanBelle's script uses this
> option.)

This is the way that I have been using for some time, it works, but is it the
best way?
You are making the windows Administrator have exactly the same powers that
'root' has, do you want/need to do this?

>
> 2) chmod 0775 then chgrp "<DOMAIN>\Domain Admins" /srv/share

This is a better way, you are only giving members of Domain Admins the
rights to the directory and remember that Administrator is a member of
Domain Admins.

>
> 3) chown -R "<DOMAIN>\Administrator" /srv/share

This would mean that you would have to give Administrator a different ID 
other than '0'.

I am now leaning towards a mixture of 2 & 3

>
> I'm leaning towards 2, but would like a better idea of pros and cons so I
> may complete the wiki.
>
> Rowland: From your last response, I was searching for how the ID_TYPE_BOTH
> relates to the above, and found a recent thread between yourself and Andrew
> (Samba4,idmap.ldb & ID_TYPE_BOTH), last posted to on Feb24. The differences
> you point out W.R.T. sysvol appear to relate more to that thread.

You are correct that the thread was all about sysvol, but you seem to be 
missing the point. If there wasn't 'ID_TYPE_BOTH' then getfacl would 
work better, a windows group would show up as only a group, not as it is 
now, showing as a group and a user!
The same goes for windows users.

Rowland

>   
>
> If those differences are important to my current issue, I apologize for
> being obtuse, but would you mind explaining?
>
> Otherwise, List, please let me know which of the above options you prefer
> and why. I will then document them to the best of my knowledge on the wiki.
>
> Thank you kindly,
>
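
Added example, not part of the original thread and not Samba's own code: a shell check that reports which of the ownership arrangements discussed above a share directory currently has, so the least-privileged setup (option 2) can be verified after the fact. It assumes GNU stat (as on Debian); the function name `classify_share` and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). classify_share and its labels are
# hypothetical names. Assumes GNU stat, as shipped on Debian.
#
# Usage: classify_share PATH ADMIN_GROUP
#   ADMIN_GROUP is the group name as the member server resolves it,
#   e.g. the "<DOMAIN>\Domain Admins" group from option 2.
classify_share() {
    path=$1
    admin_group=$2

    if [ ! -d "$path" ]; then
        echo "not-a-directory"
        return 2
    fi

    uid=$(stat -c '%u' "$path")     # numeric owner id
    grp=$(stat -c '%G' "$path")     # group name (may contain spaces)
    mode=$(stat -c '%a' "$path")    # octal mode, e.g. 775

    # Group permission bits are the middle octal digit of the mode.
    gbits=$(( (0$mode >> 3) & 7 ))

    if [ "$grp" = "$admin_group" ] && [ "$gbits" -eq 7 ]; then
        # Option 2: the admin group has rwx; no root-equivalent account needed.
        echo "admin-group-rwx"
    elif [ "$uid" -eq 0 ]; then
        # Owned by uid 0: a Windows account only acts as owner here if it is
        # mapped to root (option 1).
        echo "root-owned"
    else
        # Option 3: owned by an account with its own, non-zero ID.
        echo "non-root-owner"
    fi
}

# Report on a path when run as a script with two arguments.
if [ "$#" -eq 2 ]; then
    classify_share "$1" "$2"
fi
```
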