[Samba] Windows ACLs : problems
Stefan G. Weichinger
lists at xunil.at
Tue Feb 25 13:21:22 UTC 2020
On 25.02.20 at 14:16, Rowland penny via samba wrote:
> On 25/02/2020 13:04, Stefan G. Weichinger via samba wrote:
>> On 24.02.20 at 10:34, Rowland penny via samba wrote:
>>
>>> Change the owner to 'root' and never use Administrator on a Unix domain
>>> member.
>> wiki says:
>>
>> # chown root:"Unix Admins" /srv/samba/Demo/
>> # chmod 0770 /srv/samba/Demo/
>>
>> I don't have "Unix Admins" ...
>
> And it says immediately above that: .... For example:
>
> And further up the page, in a blue 'NOTE' box, it says this:
>
> If you use the winbind 'ad' backend on Unix domain members and you add a
> gidNumber attribute to the |Domain Admins| group in AD, you will break
> the mapping in |idmap.ldb|. |Domain Admins| is mapped as |ID_TYPE_BOTH|
> in |idmap.ldb|, this is to allow the group to own files in |Sysvol| on a
> Samba AD DC. It is suggested you create a new group (|Unix Admins| for
> instance), give this group a |gidNumber| attribute and add it to the
> |Administrators| group and then, on Unix, use the group wherever you
> would normally use |Domain Admins|.
I use the "rid" backend ...
> You do not need to use another group, but if you give Domain Admins a
> gidNumber, you will have problems in sysvol.
Can't remember having done that ...
>> and the chown to root makes my Windows-connections fail with
>> Administrator ...
>
> Do you have a user.map line in smb.conf ?
>
> Something like this:
>
> username map = /etc/samba/smb.conf
>
> Which contains something like this:
>
> !root = DOMAIN\Administrator
Yes.
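
An added example, not part of the original message and not Samba's own code: a small Python reader for the username map format discussed above, showing which client names end up as root and what the leading '!' changes. The sample map content is constructed, names are compared case-insensitively as an assumption, and '@group' entries are not expanded.

```python
import re

# Constructed sample map content (not taken from the thread's server).
SAMPLE_MAP = r'''
# comments start with '#' or ';'
!root = DOMAIN\Administrator "DOMAIN\Backup Admin"
guest = *
'''

# A client name is a double-quoted string (may contain spaces) or a bare word.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_map(text):
    """Return a list of (unix_name, client_names, stop) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")  # '!' = stop once this line has matched
        unix, sep, rhs = line.lstrip("!").partition("=")
        clients = [q or b for q, b in TOKEN.findall(rhs) if q or b]
        if sep and unix.strip() and clients:
            rules.append((unix.strip(), clients, stop))
    return rules


def resolve(rules, name):
    """Apply the rules top to bottom; a match replaces the name and processing
    continues with the next line unless the matching line began with '!'."""
    for unix, clients, stop in rules:
        # Assumption: names compare case-insensitively. '@group' entries are
        # not expanded here because that needs a live group lookup.
        if any(c == "*" or c.lower() == name.lower() for c in clients):
            name = unix
            if stop:
                break
    return name


def mapped_to(rules, target="root"):
    """List every client name written in the map that resolves to `target`."""
    return [c for _, clients, _ in rules for c in clients
            if resolve(rules, c) == target]


if __name__ == "__main__":
    rules = parse_map(SAMPLE_MAP)
    print(mapped_to(rules))                 # client names that become root
    print(resolve(rules, r"DOMAIN\alice"))  # falls through to the wildcard
```

Without the leading '!', the wildcard line in the sample would remap the administrator a second time, which is why the order of lines and the '!' marker both matter when reviewing who can act as root on a share.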