[Samba] Windows ACLs : problems
Stefan G. Weichinger
lists at xunil.at
Tue Feb 25 14:29:05 UTC 2020
On 25.02.20 at 15:16, Rowland penny via samba wrote:
> On 25/02/2020 14:01, Stefan G. Weichinger via samba wrote:
>> On 25.02.20 at 14:54, Rowland penny via samba wrote:
>>> You do not need it, it is only required if using the winbind 'ad'
>>> backend and only then if you don't want possible problems with sysvol.
>> What? Now I *don't* need it?
>
> Bad choice of words there, you do not need 'Unix Admins', you can use
> 'Domain Admins' instead. You only need to use 'Unix Admins' if you use
> the winbind 'ad' backend and do not care if you mess up sysvol.
>
> If you add GPOs, then they can be owned by Domain Admins (something that
> normally cannot happen on Unix). This is because Domain Admins is mapped
> to 'ID_TYPE_BOTH' in idmap.ldb. If you give Domain Admins a gidNumber,
> it becomes just a group and cannot own anything in sysvol. On a Unix
> domain member using the 'rid' backend, the mapping is done locally and
> does not affect idmap.ldb.
Hm, I understand that partially, it seems.
Fact is that I can't edit the share from within Windows with the
DOM\Administrator user right now.
No read permissions ..
That is bad ...
That user is member of both DOM\IT and DOM\domänen-admins
And should have the needed privilege:
# net rpc rights list privileges SeDiskOperatorPrivilege -U "CUSTOMER\administrator"
Enter CUSTOMER\administrator's password:
SeDiskOperatorPrivilege:
CUSTOMER\Administrator
BUILTIN\Administrators
CUSTOMER\IT
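As an added check (not part of the thread, and not Samba's own code): a small Python helper that parses the output of `net rpc rights list privileges` and reports whether a given account holds SeDiskOperatorPrivilege, either directly or through a group it belongs to. The output format is assumed from the listing above (a `SePrivilege:` header line followed by one principal per line, possibly indented); the sample output and the group memberships are constructed from the names in the post. Comparison is case-insensitive because Windows principal names are (the prompt says `administrator`, the listing says `Administrator`).

```python
"""Check who holds a Samba privilege from `net rpc rights list privileges` output.

The parser is an added illustration: it assumes the output shape seen in the
mailing-list post (header "SeXxxPrivilege:" then one principal per line).
"""
import re

# Constructed sample of what the listing in the post prints; principal names
# are the ones from the post, the format is an assumption.
SAMPLE_OUTPUT = """\
Enter CUSTOMER\\administrator's password:
SeDiskOperatorPrivilege:
 CUSTOMER\\Administrator
 BUILTIN\\Administrators
 CUSTOMER\\IT
"""

# Constructed group memberships for the account discussed in the post.
SAMPLE_MEMBERSHIPS = {
    "CUSTOMER\\administrator": ["CUSTOMER\\IT", "CUSTOMER\\Domain Admins"],
}

_HEADER = re.compile(r"^(Se\w+Privilege):$")


def parse_rights(text):
    """Return {privilege: [principal, ...]} from the listing text.

    Lines that are blank or the password prompt are skipped; any other line
    under a privilege header is taken as one principal.
    """
    rights = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Enter "):
            continue
        header = _HEADER.match(line)
        if header:
            current = header.group(1)
            rights.setdefault(current, [])
        elif current is not None:
            rights[current].append(line)
    return rights


def holders(text, privilege):
    """Principals listed for `privilege`, or [] if it is absent from the output."""
    return parse_rights(text).get(privilege, [])


def account_has_privilege(text, privilege, account, memberships=()):
    """True if `account` or one of `memberships` is listed for `privilege`.

    Names are compared case-insensitively, as Windows does.
    """
    listed = {name.lower() for name in holders(text, privilege)}
    if account.lower() in listed:
        return True
    return any(group.lower() in listed for group in memberships)


if __name__ == "__main__":
    acct = "CUSTOMER\\administrator"
    groups = SAMPLE_MEMBERSHIPS.get(acct, [])
    print(parse_rights(SAMPLE_OUTPUT))
    print(acct, "holds SeDiskOperatorPrivilege:",
          account_has_privilege(SAMPLE_OUTPUT, "SeDiskOperatorPrivilege", acct, groups))
```

If the account passes this check but still cannot read the share from Windows, the privilege is not the missing piece; the next things to look at are the share's filesystem ACL and the idmap setup for the groups involved (the `ID_TYPE_BOTH` point Rowland makes about Domain Admins).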