[Samba] Adding Share Windows ACL

L.P.H. van Belle belle at bazuin.nl
Fri Jan 26 09:50:48 UTC 2018


I don't agree..
> Yes, Domain Admins needs to be a Unix group. 
I agree on this one. 

> No, because if Domain Admins is a Unix group, it cannot own GPOs in
> sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
> Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a user.
Not totally.. IMO.

Just set ignore systemacls on sysvol and you don't have any trouble with 
setting a gid on "domain admins" or domain guest, domain users, domain computers.
This is why I have Sysvol, users, profiles and deploy shares, all set with ignore systemacl.
All just due to the better matching for Windows, and think mostly in GPO, deployments, things like that. 
It solves the problem of ID_TYPE_BOTH, which also solves the problem for "system".

But that's just my opinion, I suggest you try it, and is this a good "work around" for now? I think so.
When ID_TYPE_BOTH matches better by default, then we could remove the ignore setting, 
but for now I do advise to use it in some places, depending on the need. 

Only one BEWARE !! 
If you change to ignore systemacls, you MUST RE-APPLY ALL SHARE AND SECURITY SETTINGS AGAIN! 
And for sysvol, set it and forget it, don't run samba-tool sysvolreset ! 


Greetz, 

Louis

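An smb.conf fragment added here to illustrate the two modes discussed in this thread (the default acl_xattr behaviour that needs a Unix gid for the share owner, and the ignore-system-acls variant Louis describes); it is not config from the thread or the Samba wiki, and the domain name, realm and paths are placeholders.

```ini
[global]
    ; assumed: a provisioned Samba AD DC; workgroup, realm and paths are placeholders
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    ; acl_xattr stores the Windows ACL in the security.NTACL extended attribute
    vfs objects = dfs_samba4 acl_xattr
    map acl inherit = yes
    store dos attributes = yes

; Share from the original question, in the default acl_xattr mode.
; The NT ACL is stored in the xattr AND mapped onto the POSIX owner/group
; and POSIX ACL, so the owning group must resolve to a Unix gid. That is
; why `chown root:"Domain Admins"` fails when Domain Admins has no
; gidNumber (the chown error shown in the question).
[Demo]
    path = /srv/samba/Demo
    read only = no

; The variant Louis describes: skip the POSIX ACL mapping and rely only
; on the stored NT ACL. Domain Admins then need not be a Unix group for
; this share, and the ID_TYPE_BOTH question from the thread does not
; arise here. Caveat from the thread: after switching an existing share
; to this mode, every share and security permission must be set again.
[Deploy]
    path = /srv/samba/Deploy
    read only = no
    acl_xattr:ignore system acls = yes

; Louis's sysvol setup: same parametric option on the sysvol share.
; Per his advice, set it once and do not run `samba-tool ntacl sysvolreset`
; afterwards, since that rewrites the ACLs from the POSIX side again.
[sysvol]
    path = /var/lib/samba/sysvol   ; assumed; keep the path from your provisioned smb.conf
    read only = no
    acl_xattr:ignore system acls = yes
```

Run `testparm -s` after editing to confirm the parameters parse before restarting Samba.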




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Friday, 26 January 2018 10:35
> To: samba at lists.samba.org
> CC: Micha Ballmann
> Subject: Re: [Samba] Adding Share Windows ACL
> 
> On Fri, 26 Jan 2018 10:10:24 +0100
> Micha Ballmann via samba <samba at lists.samba.org> wrote:
> 
> > Hello,
> > 
> > I'm trying to set up a share using Windows ACLs. I followed the steps
> > in
> > 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > but hanging at "Adding a Share"
> > 
> > # mkdir -p /srv/samba/Demo/
> > # chown root:"Domain Admins" /srv/samba/Demo/
> > *--> chown: ungültige Gruppe: »root:Domain Admins?*
> > 
> > # net rpc rights list privileges SeDiskOperatorPrivilege -U
> > "SAMDOM\administrator" SeDiskOperatorPrivilege:
> >    ROOTRUDI\Domain Admins
> >    BUILTIN\Administrators
> > 
> > Do I need to enable the UNIX Attribute for this group? I can't find any
> > advice.
> > 
> > Best regards
> > Micha
> > 
> 
> There are two schools of thought here, yes AND no :-)
> 
> Yes, Domain Admins needs to be a Unix group.
> No, because if Domain Admins is a Unix group, it cannot own GPOs in
> sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
> Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a user.
> 
> You either need to use the 'rid' backend on Unix domain members and do
> not give Domain Admins a gidNumber attribute, or create another group
> (I use 'Unix Admins'), give this group a gidNumber attribute and make
> the new group a member of the Domain Admins group, use this group
> instead of Domain Admins.
> 
> Rowland
> 
