[Samba] Permission Issues with GPO

Rowland Penny rowlandpenny241155 at gmail.com
Wed Nov 18 11:24:54 UTC 2015


On 18/11/15 10:24, mourik jan c heupink wrote:
>
>
> On 18-11-2015 10:59, Rowland Penny wrote:
>> OK, I am trying to understand this as well, I take it that the uidNumber
>> you add is a unique number that is inside the range you have set in
>> smb.conf, but what about the gidNumber? do you set it to '515' and is
>> this also inside the range?
> Yep. gidNumber 515, both inside the range yes. (range starts at 500)
>
>> Who owns the share on the disk and what are the permissions, also what
>> is the share in smb.conf.
>
>> [ninite]
>>         guest ok = no
>>         comment = Ninite Software Updater
>>         path = /srv/ninite
>>         read only = No
>>         writable = yes
>>         valid users = @"Domain Admins", @"Domain Computers"
>>         create mask = 0775
>>         directory mask = 0775
>
> Permissions on disk:
>> drwxrwxr-x   5 root Domain Admins 4096 Jul  8 14:10 ninite
>
> MJ
>

OK, I think I understand this, Mourik is setting this on the share:

valid users = @"Domain Admins", @"Domain Computers"

This means that only members of the 'Domain Admins' or 'Domain 
Computers' groups can connect to the share, whilst Louis has this 
showing in his ACLs from getfacl:

Creator owner    special.     Only folders and files on underlying folders.
Creator group    special.     Only folders and files on underlying folders.
Verified users    read+exec    This folder  underlying folders and files
Domain Admins     Full        This folder  underlying folders and files
Domain users     read+exec    This folder  underlying folders and files
Domain computers    read+exec    This folder  underlying folders and files

Which gives (amongst others) 'Domain Admins' full control and 'Domain 
Computers' read+exec permissions.

With Mourik's way of doing things, 'Domain Computers' must be known to 
Unix, hence the required gidNumber.

Louis's way will probably rely on winbind mapping 'Domain Computers'.

Rowland
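
Added example, not part of the message above and not Samba's own code: a Python check that reads the `valid users` line of a share and lists the group entries that do not resolve as Unix groups, the condition the gidNumber on 'Domain Computers' is there to satisfy. `SMB_CONF` is a constructed copy of the [ninite] share quoted in the thread, and all function names are hypothetical.

```python
import re

# Constructed sample: the [ninite] share as quoted in the thread.
SMB_CONF = '''
[ninite]
        guest ok = no
        path = /srv/ninite
        valid users = @"Domain Admins", @"Domain Computers"
'''

# One list entry: optional @ + & prefix, then a quoted or a bare name.
ENTRY = re.compile(r'([@+&]*)(?:"([^"]*)"|([^\s,"]+))')

def share_params(conf_text, share):
    """Return {parameter: value} for one share section of an smb.conf text."""
    params, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == share.lower() and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def group_entries(valid_users):
    """Names whose prefix makes Samba try a Unix group (@ or +; & alone is NIS only)."""
    return [quoted or bare for prefix, quoted, bare in ENTRY.findall(valid_users)
            if "@" in prefix or "+" in prefix]

def unix_group_exists(name):
    """Default resolver: getgrnam() goes through NSS (files, winbind, ...)."""
    import grp
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False

def unresolved_groups(conf_text, share, resolver=unix_group_exists):
    """Groups named in the share's 'valid users' that the resolver cannot find."""
    value = share_params(conf_text, share).get("valid users", "")
    return [g for g in group_entries(value) if not resolver(g)]

if __name__ == "__main__":
    for group in unresolved_groups(SMB_CONF, "ninite"):
        print(f"not resolvable as a Unix group: {group}")
```

Run on the file server itself, the default resolver answers the same question as `getent group "Domain Computers"`.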
