[Samba] Samba shares for roaming profiles and redirected folders

Rowland Penny rpenny at samba.org
Thu Jun 11 21:06:05 UTC 2020


On 11/06/2020 21:29, James B. Byrne via samba wrote:
> On our existing samba43 installation I see this:
>
> ll -d /var/samba4/BROCKLEY-2016/USERS/
> drwxrwx---+ 21 root  BROCKLEY-2016\domain admins  512 Feb 14 08:43
> /var/samba4/BROCKLEY-2016/USERS/
The Unix permissions show that there are ACLs set.
>
> ll -d /var/samba4/BROCKLEY/USERS/
> drwxr-xr-x  3 root  wheel  3 Jun 11 14:32 /var/samba4/BROCKLEY/USERS/
No ACLs set.
>
> I have read
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
> and to be frank, this leaves me more confused than anything else.
What has confused you? If you can tell us, I might be able to make it
clearer.
>
> I have done this:
>
> net rpc rights grant "BROCKLEY\administrator" SeDiskOperatorPrivilege -U
> "BROCKLEY\administrator"
> Enter BROCKLEY\administrator's password:
> Successfully granted rights.
>
> net rpc rights grant "BROCKLEY\domain admins" SeDiskOperatorPrivilege -U
> "BROCKLEY\administrator"
> Enter BROCKLEY\administrator's password:
> Successfully granted rights.
>
> net rpc rights list privileges SeDiskOperatorPrivilege -U "BROCKLEY\administrator"
> Enter BROCKLEY\administrator's password:
> SeDiskOperatorPrivilege:
> BROCKLEY\Administrator
> BROCKLEY\Domain Admins
>
>
> But, I suspect that this is at best unnecessary and at worst totally wrong.
Required, but possibly not a good idea when it comes to Domain Admins.
Is this on a DC?
>
> I have tried to set the USERS security setting from RSAT but the console simply
> closes whenever I try to open the security tab.
>
> I did this once for the existing domain and I do not recall having this much
> difficulty.
>
> On the existing domain there is no entry in /etc/group having to do with samba.
I am extremely glad to hear that, because there shouldn't be ;-)
> How do I set the group to BROCKLEY\domain admins for
> /var/samba4/BROCKLEY/USERS/ on the new location?

I would use the equivalent of the Linux chgrp command, but this would
entail 'getent group Domain\ Users' producing output.

Not sure how FreeBSD does this. Does it use /etc/nsswitch?

Do you have the equivalent of the libnss-winbind, libpam-winbind and
libpam-krb5 packages installed?

Rowland
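
The three checks raised in the reply above (a trailing `+` in the mode string means ACLs are set, Domain Admins holding SeDiskOperatorPrivilege deserves a second look, and `chgrp` only works once `getent group` resolves the domain group) written as a pre-flight script. This is an added example, not part of the original message; the function names are hypothetical and the sample input is constructed from the listings quoted in the thread.

```shell
# Added example, not from the thread; sample data is constructed from its listings.
# has_acl MODE: true when an ls -l mode string ends in "+" (ACLs are set).
has_acl() { case "$1" in *+) return 0 ;; *) return 1 ;; esac; }

# acl_report: read "ls -ld" lines on stdin, print "<path> acl|no-acl".
# Assumes the path is the last field and contains no spaces.
acl_report() {
    while read -r mode rest; do
        case "$mode" in [dl-]?????????*) ;; *) continue ;; esac
        if has_acl "$mode"; then printf '%s acl\n' "${rest##* }"
        else printf '%s no-acl\n' "${rest##* }"; fi
    done
}

# holders: read "net rpc rights list privileges ..." output on stdin and print
# one account per line; prompt and header lines (ending in ":") are dropped.
holders() { sed -n -e '/:$/d' -e 's/^[[:space:]]*//' -e '/./p'; }

# review_holders: mark Domain Admins for review, per the reply's caution.
review_holders() {
    holders | while IFS= read -r acct; do
        name=$(printf '%s\n' "$acct" | sed 's/^.*\\//' | tr '[:upper:]' '[:lower:]')
        case "$name" in
            "domain admins") printf 'review: %s\n' "$acct" ;;
            *)               printf 'ok: %s\n' "$acct" ;;
        esac
    done
}

# group_resolves NAME: true only when NSS resolves the group, which the reply
# gives as the precondition for chgrp.
group_resolves() { getent group "$1" >/dev/null 2>&1; }

# Constructed sample input (wrapped listing lines from the thread rejoined).
sample_ls() { cat <<'EOF'
drwxrwx---+ 21 root  BROCKLEY-2016\domain admins  512 Feb 14 08:43 /var/samba4/BROCKLEY-2016/USERS/
drwxr-xr-x  3 root  wheel  3 Jun 11 14:32 /var/samba4/BROCKLEY/USERS/
EOF
}
sample_rights() { cat <<'EOF'
SeDiskOperatorPrivilege:
  BROCKLEY\Administrator
  BROCKLEY\Domain Admins
EOF
}

sample_ls | acl_report
sample_rights | review_holders
group_resolves 'BROCKLEY\domain admins' || echo "group does not resolve: fix NSS/winbind before chgrp"
```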




