[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

Shane Robinson srobinson at simpeq.ca
Wed Mar 4 14:12:18 MST 2015


Hello Rowland,

Oh dear! I do feel rather silly. :/

Thanks so much for your patience!

I think I'll clarify the wiki (which does mention this, but only mentions
the local administrator).

When I read it, it mentions that there will be mapping for non-domain
accounts in TDB. I (quite wrongly) assumed that my domain administrator was
not included in this, and, therefore, would need a uidNumber to be able to
do anything. I will review idmap.ldb and try to list on the wiki which
commonly-used accounts/groups do not need uidNumbers/gidNumbers.

If I'm off-base (yet again) please let me know.

Thanks!

Shane Robinson
Chief Administrative Officer
SimpeQ Care Inc.
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.


-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com] 
Sent: Wednesday, March 04, 2015 12:53 PM
To: Shane Robinson
Subject: Re: [Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

On 04/03/15 20:32, Shane Robinson wrote:
> Hi Rowland,
>
> Thanks for getting back to me!
>
> So, if you, and others are mapping root to Administrator, shall I add 
> that to the wiki?
>
> Upon reading your response, could my problem have always been that I 
> immediately gave the Administrator account a UIDnumber? Is the 
> Administrator's UIDnumber automagically set to '0'? (I'm going to feel 
> awfully silly if that's a yes)

Er, start feeling silly :-)

If you examine idmap.ldb on the samba4 DC, you will find that Administrator
is indeed mapped to '0'.

> I think I agree that ID_TYPE_BOTH may simply confuse matters, but it 
> is present currently, so, given that, why would chown administrator be 
> preferred over chgrp Domain Admins or vice versa? In my testing, both 
> seem to allow the changing of ACLs from Windows.

At the moment, with 'ID_TYPE_BOTH' and if you do not give Domain Admins a
gidNumber, it doesn't make any difference. To change the ACLs from Windows
the user must be known to Unix and if you are changing the group, this must
be known as well (I am probably telling you what you already know). So the
user and group must be either mapped or they must have a uidNumber or
gidNumber, so it probably doesn't really matter which way you do it, just so
long as you can set the ACLs from Windows.

Rowland

> Thanks!
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org 
> [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Rowland Penny
> Sent: Wednesday, March 04, 2015 10:59 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain Member Server (wheezy) - Unable to edit 
> permissions of share without usermapping - shall I add to Wiki?
>
> On 04/03/15 18:31, Shane Robinson wrote:
>> Hello again Rowland, list!
>>
>> Sorry for the delayed response, and top posting.
>>
>> To recap:
>> I'd like to complete the member server wiki so that ACLs can be set 
>> from windows without taking undocumented steps.
>>
>> The three ways I've found to do this are:
>>
>> 1) map root to administrator. (LPH VanBelle's script uses this
>> option.)
> This is the way that I have been using for some time, it works, but is 
> it the best way?
> You are making the Windows Administrator have exactly the same powers 
> that 'root' has, do you want/need to do this?
>
>> 2) chmod 0775 then chgrp "<DOMAIN>\Domain Admins" /srv/share
> This is a better way, you are only giving members of Domain Admins the 
> rights to the directory and remember that Administrator is a member of 
> Domain Admins.
>
>> 3) chown -R "<DOMAIN>\Administrator" /srv/share
> This would mean that you would have to give Administrator a different 
> ID other than '0'.
>
> I am now leaning towards a mixture of 2 & 3
>
>> I'm leaning towards 2, but would like a better idea of pros and cons 
>> so I may complete the wiki.
>>
>> Rowland: From your last response, I was searching for how the 
>> ID_TYPE_BOTH relates to the above, and found a recent thread between 
>> yourself and Andrew (Samba4, idmap.ldb & ID_TYPE_BOTH), last posted to on 
>> Feb 24. The differences you point out W.R.T. sysvol appear to relate more 
>> to that thread.
> You are correct that the thread was all about sysvol, but you seem to 
> be missing the point. If there wasn't 'ID_TYPE_BOTH' then getfacl 
> would work better: a Windows group would show up as only a group, not 
> as it is now, showing as a group and a user!
> The same goes for Windows users.
>
> Rowland
>
>>
>> If those differences are important to my current issue, I apologize 
>> for being obtuse, but would you mind explaining?
>>
>> Otherwise, List, please let me know which of the above options you 
>> prefer and why. I will then document them to the best of my knowledge 
>> on the wiki.
>> Thank you kindly,
>>
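The following is an added example, not code from this thread, from Samba or from the wiki the posters discuss. It scripts option 2 from the thread (chmod 0775 plus chgrp to "DOMAIN\Domain Admins" on the share root) on a Samba AD member server, and adds the two checks Rowland's replies imply: that the group Windows will use actually resolves to a Unix gid before anything is changed, and whether ID_TYPE_BOTH is making a Windows group show up in getfacl output as both a named user and a named group. It assumes winbind and nss are already configured on the member server, that the NetBIOS domain name is SAMDOM, and that the winbind separator is the default backslash; the getfacl sample it parses is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): option 2 from the thread,
# chmod 0775 + chgrp "DOMAIN\Domain Admins", with the resolution check the
# thread's reasoning requires, and a getfacl check for the ID_TYPE_BOTH symptom.
# Assumptions: winbind/nss configured, NetBIOS domain SAMDOM, default '\' separator.

DOMAIN="${DOMAIN:-SAMDOM}"

# The rule from the thread: Windows can only change ACLs when the user, and any
# group you chgrp the share to, is known to Unix, either via idmap or because the
# account has an explicit uidNumber/gidNumber. getent goes through nss/winbind.
known_user()  { getent passwd "$1" >/dev/null 2>&1; }
known_group() { getent group  "$1" >/dev/null 2>&1; }

# Option 2: group-own the share root by Domain Admins, mode 0775.
# Refuses to continue if the group has no Unix gid, which is exactly the case
# where ACL edits from Windows fail.
prepare_share() {
    dir=$1
    grp=$2
    if ! known_group "$grp"; then
        echo "prepare_share: '$grp' does not resolve to a Unix gid" >&2
        return 1
    fi
    mkdir -p "$dir" && chgrp "$grp" "$dir" && chmod 0775 "$dir"
}

# Option 1, for comparison only (NOT applied by this script): in smb.conf set
#   username map = /etc/samba/user.map
# and put the line   !root = SAMDOM\Administrator   in that file. As Rowland
# notes, this gives the Windows Administrator exactly the powers root has.

# ID_TYPE_BOTH symptom: read getfacl output on stdin and print every name that
# appears as both a named-user entry and a named-group entry.
both_user_and_group() {
    awk -F: '
        $1 == "user"  && $2 != "" { u[$2] = 1 }
        $1 == "group" && $2 != "" { g[$2] = 1 }
        END { for (n in u) if (n in g) print n }
    ' | sort
}

# Constructed getfacl output (not captured from a real server). getfacl quotes
# the backslash and the space in "SAMDOM\domain admins" as \134 and \040.
SAMPLE_GETFACL='# file: srv/share
# owner: root
# group: SAMDOM\134domain\040admins
user::rwx
user:SAMDOM\134domain\040admins:rwx
group::rwx
group:SAMDOM\134domain\040admins:rwx
mask::rwx
other::r-x'

# Run with --demo on a member server to apply option 2 to /srv/share and show
# the ID_TYPE_BOTH check against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    prepare_share /srv/share "${DOMAIN}\\Domain Admins" && ls -ld /srv/share
    printf '%s\n' "$SAMPLE_GETFACL" | both_user_and_group
fi
```

On a real member server, replace the constructed sample with `getfacl /srv/share | both_user_and_group`; any name it prints is a Windows account that idmap is exposing as both a user and a group, which is the getfacl confusion Rowland describes and is harmless for setting ACLs from Windows as long as the account resolves at all.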