[Samba] Adding Share Windows ACL
Rowland Penny
rpenny at samba.org
Fri Jan 26 09:35:07 UTC 2018
On Fri, 26 Jan 2018 10:10:24 +0100
Micha Ballmann via samba <samba at lists.samba.org> wrote:
> Hello,
>
> im trying to setup a share using windows acls. I followed the step
> ins
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> but hanging at "Adding a Share"
>
> # mkdir -p /srv/samba/Demo/
> # chown root:"Domain Admins" /srv/samba/Demo/
> *--> chown: ungültige Gruppe: »root:Domain Admins“*
>
> # net rpc rights list privileges SeDiskOperatorPrivilege -U
> "SAMDOM\administrator" SeDiskOperatorPrivilege:
> ROOTRUDI\Domain Admins
> BUILTIN\Administrators
>
> Do i need enable the UNIX Attribute for this group? I cant find any
> advice.
>
> Best regards
> Micha
>
There are two schools of thought here, yes AND no :-)
Yes, Domain Admins needs to be a Unix group.
No, because if Domain Admins is a Unix group, it cannot own GPOs in
sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a user.
You either need to use the 'rid' backend on Unix domain members and do
not give Domain Admins a gidNumber attribute, or create another group
(I use 'Unix Admins'), give this group a gidNumber attribute and make
the new group a member of the Domain Admins group, use this group
instead of Domain Admins.
Rowland
More information about the samba
mailing list