[Samba] Allow user without uidNumber to access to a Samba member file server

L.P.H. van Belle belle at bazuin.nl
Wed Mar 15 16:01:16 UTC 2017


Ok, these:
> For Administrator / Domain Admins / System / Creator Owner = Full
> Control on folder, subfolders and files 
are not available on the "Share security" but are on the "Security".

So the "Share security settings" need only:
Everyone FULL CONTROL ( or Verified users )

And I think you're done.

> For Administrator / Domain Admins / System / Creator Owner = Full Control on folder, subfolders and files

> For Authenticated Users / Domain Users = Read and Execute on this folder only

In your case I suggest,

Domain Admins 
SYSTEM 
CREATOR OWNER ( or better GROUP ) 
CREATOR GROUP
All full control.

Authenticated users OR Domain Users. Setting both isn't needed. With at least read.
I suggest you set ( in case of GPO things ) Authenticated users,
since that also includes the computers.

In other cases, use "domain users" and/or the other groups you need.


Greetz, 

Louis





> -----Original message-----
> From: Arnaud Cruzel [mailto:a.cruzel at ifporient.org]
> Sent: Wednesday 15 March 2017 16:40
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Allow user without uidNumber to access to a Samba
> member file server
> 
> On Wednesday 15 March 2017 at 15:16 +0100, L.P.H. van Belle via samba
> wrote:
> > > But if he tries to access the file server (from a Windows 10
> > > client),
> > > he gets an "Access refused".
> >
> > How did he access the share?
> > \\servername\share  or  \\servername.dnsdom.tld\share
> > (or by \\ip )
> by \\servername\share
> 
> 
> >
> > Can he access \\servername  without the share?
> no it can't
> >
> > And the Win10 eventid + description of the "Access refused" would be
> > nice.
> There is no event ID nor description. I don't find any entry in
> Windows event viewer.
> >
> > The "Share Security" settings are?
> for example, for the share 'Shares' :
> For Administrator / Domain Admins / System / Creator Owner = Full
> Control on folder, subfolders and files
> For Authenticated Users / Domain Users = Read and Execute on this
> folder only
> 
> 
> >
> > It should work with rfc2307, it works fine for me
> > ADDC 4.5.3 + members 4.5.3/4.6.0
> > All servers in rfc2307 mode.
> Yes I don't say it's not working. The problem is that to set a GPO to
> deploy applications, I have to deploy it by user GPO.
> If I want to do that by computer GPO I have to set uidNumber on all
> computers. I'm too lazy to do that :)
> And now with Windows 10, which doesn't allow setting rfc2307 easily with ADUC,
> it becomes very complicated to set uidNumber manually for each user.
> 
> >
> > But I did set extra things, so before I advise something I need the
> > above info first.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> >
> >




