[Samba] Permission Issues with GPO

Viktor Trojanovic viktor at troja.ch
Wed Nov 18 12:55:30 UTC 2015



> On 18 Nov 2015, at 13:24, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> 
>> On 18/11/15 10:24, mourik jan c heupink wrote:
>> 
>> 
>>> On 18-11-2015 10:59, Rowland Penny wrote:
>>> OK, I am trying to understand this as well, I take it that the uidNumber
>>> you add is a unique number that is inside the range you have set in
>>> smb.conf, but what about the gidNumber? do you set it to '515' and is
>>> this also inside the range?
>> Yep. gidNumber 515, both inside the range yes. (range starts at 500)
>> 
>>> Who owns the share on the disk and what are the permissions, also what
>>> is the share in smb.conf.
>> 
>>> [ninite]
>>>        guest ok = no
>>>        comment = Ninite Software Updater
>>>        path = /srv/ninite
>>>        read only = No
>>>        writable = yes
>>>        valid users = @"Domain Admins", @"Domain Computers"
>>>        create mask = 0775
>>>        directory mask = 0775
>> 
>> Permissions on disk:
>>> drwxrwxr-x   5 root Domain Admins 4096 Jul  8 14:10 ninite
>> 
>> MJ
> 
> OK, I think I understand this, Mourik is setting this on the share:
> 
> valid users = @"Domain Admins", @"Domain Computers"
> 
> This means that only members of the 'Domain Admins' or 'Domain Computers' groups can connect to the share, whilst Louis has this showing in his ACLs from getfacl:
> 
> Creator owner      special     Only folders and files in underlying folders.
> Creator group      special     Only folders and files in underlying folders.
> Verified users     read+exec   This folder, underlying folders and files
> Domain Admins      Full        This folder, underlying folders and files
> Domain users       read+exec   This folder, underlying folders and files
> Domain computers   read+exec   This folder, underlying folders and files
> 
> Which gives (amongst others) 'Domain Admins' full control and 'Domain Computer' read+exec permissions.
> 
> With Mourik's way of doing things, 'Domain Computers' must be known to Unix, hence the required gidNumber.
> 
> Louis's way will probably rely on winbind mapping 'Domain Computers'.
> 
> Rowland
> 
Hi all,

A bit difficult to follow since I'm travelling. But, no, I do use Windows to manage the shares. Specifically, (I think) I am doing what is described in the wiki: I give the group full access to the shared folder, and then set the group to "domain admin" (which has a uid and is thus recognized on my nix system). Subsequently, I am managing rights to the files and folders within the shares using Windows ACL.

Isn't that the correct process? Just that I also should add the line Louis suggested to each shared folder definition?

Viktor
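Rowland's point above is that every `@group` named in `valid users` has to resolve to a Unix group (via a gidNumber or a winbind mapping). The script below is an added example, not from the thread or the Samba project: it pulls the groups out of a share stanza like the quoted [ninite] one and reports the ones the Unix side does not know. The smb.conf text and the group table are constructed; `resolve_group` is a stand-in for `getent group`.

```shell
#!/bin/sh
# Constructed share stanza, modelled on the [ninite] share quoted in the thread.
SMB_CONF='[ninite]
       path = /srv/ninite
       valid users = @"Domain Admins", @"Domain Computers"
       create mask = 0775'

# Constructed stand-in for the Unix group database (what `getent group` would
# return). "Domain Computers" is deliberately absent: it has no gidNumber here.
FAKE_GROUP_DB='Domain Admins:x:512:
Domain Users:x:513:'

# Return 0 if the named group is known to Unix. On a real DC/member server
# replace the body with:  getent group "$1" >/dev/null
resolve_group() {
    printf '%s\n' "$FAKE_GROUP_DB" | grep -q "^$1:"
}

# Print, one per line, the @groups from 'valid users' that do not resolve.
# Plain user names (no leading @) are not group entries and are skipped.
unresolved_valid_users() {
    printf '%s\n' "$SMB_CONF" \
      | sed -n 's/^[[:space:]]*valid users[[:space:]]*=[[:space:]]*//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep '^@' \
      | sed 's/^@//; s/^"//; s/"$//' \
      | while IFS= read -r grp; do
            resolve_group "$grp" || printf '%s\n' "$grp"
        done
}

unresolved_valid_users
```

With the real `getent` in place, an empty result means every group in `valid users` is mapped; any name printed is one that still needs a gidNumber or a working winbind mapping.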

