[Samba] Permission Issues with GPO
viktor at troja.ch
Wed Nov 18 12:55:30 UTC 2015
> On 18 Nov 2015, at 13:24, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>> On 18/11/15 10:24, mourik jan c heupink wrote:
>>> On 18-11-2015 10:59, Rowland Penny wrote:
>>> OK, I am trying to understand this as well, I take it that the uidNumber
>>> you add is a unique number that is inside the range you have set in
>>> smb.conf, but what about the gidNumber? Do you set it to '515' and is
>>> this also inside the range?
>> Yep. gidNumber 515, both inside the range yes. (range starts at 500)
>>> Who owns the share on the disk and what are the permissions, also what
>>> is the share in smb.conf.
>>> guest ok = no
>>> comment = Ninite Software Updater
>>> path = /srv/ninite
>>> read only = No
>>> writable = yes
>>> valid users = @"Domain Admins", @"Domain Computers"
>>> create mask = 0775
>>> directory mask = 0775
>> Permissions on disk:
>>> drwxrwxr-x 5 root Domain Admins 4096 Jul 8 14:10 ninite
> OK, I think I understand this, Mourik is setting this on the share:
> valid users = @"Domain Admins", @"Domain Computers"
> This means that only members of the 'Domain Admins' or 'Domain Computers' groups can connect to the share, whilst Louis has this showing in his ACLs from getfacl:
> Creator owner special. Only folders and files on underlying folders.
> Creator group special. Only folders and files on underlying folders.
> Verified users read+exec This folder underlying folders and files
> Domain Admins Full This folder underlying folders and files
> Domain users read+exec This folder underlying folders and files
> Domain computers read+exec This folder underlying folders and files
> Which gives (amongst others) 'Domain Admins' full control and 'Domain Computer' read+exec permissions.
> With Mourik's way of doing things, 'Domain Computers' must be known to Unix, hence the required gidNumber.
> Louis's way will probably rely on winbind mapping 'Domain Computers'.
A bit difficult to follow since I'm travelling. But, no, I do use Windows to manage the shares. Specifically, (I think) I am doing what is described in the wiki: I give the group full access to the shared folder, and then set the group to "domain admin" (which has a uid and is thus recognized on my nix system). Subsequently, I am managing rights to the files and folders within the shares using Windows ACL.
Isn't that the correct process? Just that I also should add the line Louis suggested to each shared folder definition?
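
The requirement discussed in the quoted text, that a group named in `valid users` must be known to Unix, can be checked on the server itself. The following is an added example, not part of the original message: it reads a share definition and reports the referenced groups that do not resolve through NSS (which covers both a gidNumber and a winbind mapping). The `[ninite]` section name and the function names are assumptions.

```python
import configparser
import grp
import re

# Constructed sample: share settings quoted in the thread, under an assumed section name.
SAMPLE_SMB_CONF = """
[ninite]
guest ok = no
comment = Ninite Software Updater
path = /srv/ninite
read only = No
valid users = @"Domain Admins", @"Domain Computers"
"""

def valid_user_groups(conf_text, share):
    """Return the group names referenced in a share's 'valid users' line."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    raw = parser.get(share, "valid users", fallback="")
    groups = []
    # Entries are separated by commas or whitespace; quoted names may contain spaces.
    for entry in re.findall(r'[@+&]*"[^"]*"|[^\s,]+', raw):
        prefix = re.match(r"[@+&]*", entry).group()
        if prefix:  # '@', '+' or '&' marks a group; no prefix is a plain user name
            groups.append(entry[len(prefix):].strip('"'))
    return groups

def unresolved_groups(groups, lookup=grp.getgrnam):
    """Return the groups that the Unix side (NSS, including winbind) cannot resolve."""
    missing = []
    for name in groups:
        try:
            lookup(name)  # raises KeyError when no such group exists
        except KeyError:
            missing.append(name)
    return missing

if __name__ == "__main__":
    groups = valid_user_groups(SAMPLE_SMB_CONF, "ninite")
    for name in unresolved_groups(groups):
        print(f"{name!r} is in 'valid users' but has no Unix group mapping on this host")
```
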