[Samba] Windows ACLs : problems

Stefan G. Weichinger lists at xunil.at
Tue Feb 25 14:29:05 UTC 2020


On 25/02/20 at 15:16, Rowland penny via samba wrote:
> On 25/02/2020 14:01, Stefan G. Weichinger via samba wrote:
>> On 25/02/20 at 14:54, Rowland penny via samba wrote:
>>> You do not need it, it is only required if using the winbind 'ad'
>>> backend and only then if you don't want possible problems with sysvol.
>> What? Now I *don't* need it?
> 
> Bad choice of words there, you do not need 'Unix Admins', you can use
> 'Domain Admins' instead. You only need to use 'Unix Admins' if you use
> the winbind 'ad' backend and do not care if you mess up sysvol.
> 
> If you add GPOs, then they can be owned by Domain Admins (something that
> normally cannot happen on Unix). This is because Domain Admins is mapped
> to 'ID_TYPE_BOTH' in idmap.ldb. If you give Domain Admins a gidNumber,
> it becomes just a group and cannot own anything in sysvol. On a Unix
> domain member using the 'rid' backend, the mapping is done locally and
> does not affect idmap.ldb.

Hm, I understand that partially, it seems.

Fact is that I can't edit the share from within Windows with the
DOM\Administrator user right now.

No read permissions ..

That is bad ...

That user is member of both DOM\IT and DOM\domänen-admins

And should have the needed privilege:

# net rpc rights list privileges SeDiskOperatorPrivilege -U "CUSTOMER\administrator"
Enter CUSTOMER\administrator's password:
SeDiskOperatorPrivilege:
  CUSTOMER\Administrator
  BUILTIN\Administrators
  CUSTOMER\IT
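One way to verify the mapping Rowland describes before touching gidNumber (an added example, not code from this thread or from the Samba project): the script parses the LDIF that `ldbsearch -H <private>/idmap.ldb '(objectClass=sidMap)'` prints on a DC and reports how the Domain Admins SID (RID 512) is mapped. The sample records and the domain SID are constructed.

```python
# Added example: inspect idmap.ldb records for the Domain Admins mapping.
# The LDIF below is a constructed imitation of ldbsearch output (made-up SID).
import re

DOMAIN_ADMINS_RID = 512  # well-known RID of Domain Admins

# Constructed sample: Domain Admins mapped ID_TYPE_BOTH (can own sysvol
# files), plus an ordinary group mapped as a plain GID.
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_GID
xidNumber: 3000001
"""

def parse_sidmap(ldif):
    """Return {objectSid: (type, xidNumber)} from blank-line-separated LDIF records."""
    mappings = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        if attrs.get("objectClass") == "sidMap" and "objectSid" in attrs:
            mappings[attrs["objectSid"]] = (attrs.get("type"), int(attrs["xidNumber"]))
    return mappings

def domain_admins_status(mappings):
    """Return the idmap type of the SID whose RID is 512, or None if it is absent."""
    for sid, (idtype, _xid) in mappings.items():
        if int(sid.rsplit("-", 1)[1]) == DOMAIN_ADMINS_RID:
            return idtype
    return None

def can_own_sysvol(mappings):
    """Domain Admins can own sysvol files only while mapped as ID_TYPE_BOTH."""
    return domain_admins_status(mappings) == "ID_TYPE_BOTH"

if __name__ == "__main__":
    m = parse_sidmap(SAMPLE_LDIF)
    print("Domain Admins:", domain_admins_status(m), "| can own sysvol:", can_own_sysvol(m))
```

On a real DC, feed the script the actual ldbsearch output; a result of ID_TYPE_GID for RID 512 is the "just a group" state described above.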