[Samba] Permission Issues with GPO
Rowland Penny
rowlandpenny241155 at gmail.com
Wed Nov 18 11:24:54 UTC 2015
On 18/11/15 10:24, mourik jan c heupink wrote:
>
>
> On 18-11-2015 10:59, Rowland Penny wrote:
>> OK, I am trying to understand this as well, I take it that the uidNumber
>> you add is a unique number that is inside the range you have set in
>> smb.conf, but what about the gidNumber? Do you set it to '515' and is
>> this also inside the range?
> Yep. gidNumber 515, both inside the range yes. (range starts at 500)
>
>> Who owns the share on the disk and what are the permissions, also what
>> is the share in smb.conf.
>
>> [ninite]
>> guest ok = no
>> comment = Ninite Software Updater
>> path = /srv/ninite
>> read only = No
>> writable = yes
>> valid users = @"Domain Admins", @"Domain Computers"
>> create mask = 0775
>> directory mask = 0775
>
> Permissions on disk:
>> drwxrwxr-x 5 root Domain Admins 4096 Jul 8 14:10 ninite
>
> MJ
>
OK, I think I understand this, Mourik is setting this on the share:

    valid users = @"Domain Admins", @"Domain Computers"

This means that only members of the 'Domain Admins' or 'Domain
Computers' groups can connect to the share, whilst Louis has this
showing in his ACLs from getfacl:

    Creator owner      special.    Only folders and files on underlying folders.
    Creator group      special.    Only folders and files on underlying folders.
    Verified users     read+exec   This folder underlying folders and files
    Domain Admins      Full        This folder underlying folders and files
    Domain users       read+exec   This folder underlying folders and files
    Domain computers   read+exec   This folder underlying folders and files

Which gives (amongst others) 'Domain Admins' full control and 'Domain
Computers' read+exec permissions.

With Mourik's way of doing things, 'Domain Computers' must be known to
Unix, hence the required gidNumber.

Louis's way will probably rely on winbind mapping 'Domain Computers'.
Rowland
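
Added example, not part of the original thread: a small check that combines the [ninite] share settings with the on-disk mode line quoted above and reports what each 'valid users' group can do once it is allowed to connect. It assumes plain POSIX mode bits (no ACLs, so it covers Mourik's setup, not Louis's) and that the connecting account is not the owner and belongs only to the group named; the function names are illustrative.

```python
import configparser

# Copied from the thread: Mourik's share definition and the `ls -l` line for its path.
SMB_CONF = """
[ninite]
guest ok = no
comment = Ninite Software Updater
path = /srv/ninite
read only = No
writable = yes
valid users = @"Domain Admins", @"Domain Computers"
create mask = 0775
directory mask = 0775
"""
LS_LINE = "drwxrwxr-x 5 root Domain Admins 4096 Jul 8 14:10 ninite"

def parse_ls(line):
    """Return (mode, owner, group); the group may contain spaces, as AD group names do."""
    f = line.split()
    size_idx = next(i for i in range(3, len(f)) if f[i].isdigit())
    return f[0], f[2], " ".join(f[3:size_idx])

def disk_bits(mode, group, principal_group):
    """Mode-bit triplet for a non-owner whose only group is principal_group (assumption)."""
    return mode[4:7] if principal_group.lower() == group.lower() else mode[7:10]

def audit(conf_text, share, ls_line):
    """Per 'valid users' group: what the filesystem grants once the share lets it connect."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    s = cp[share]
    read_only = s.get("read only", "yes").lower() in ("yes", "true", "1")
    if "writable" in s:  # inverted synonym of 'read only'; it is the later line in this share
        read_only = s["writable"].lower() not in ("yes", "true", "1")
    mode, _owner, group = parse_ls(ls_line)
    report = {}
    for entry in s["valid users"].split(","):
        name = entry.strip().lstrip("@").strip('"')
        bits = disk_bits(mode, group, name)
        report[name] = {"disk": bits, "can_write": (not read_only) and "w" in bits}
    return report

if __name__ == "__main__":
    for name, access in audit(SMB_CONF, "ninite", LS_LINE).items():
        print(f"{name:17} disk={access['disk']} can_write={access['can_write']}")
```

With the values from the thread, 'Domain Computers' passes the `valid users` check but falls under the "other" bits on disk, so the share being writable does not give machine accounts write access to /srv/ninite.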