[Samba] Setting permissions on AD member file server

L.P.H. van Belle belle at bazuin.nl
Fri Mar 11 16:06:30 UTC 2022 

You can "deny" Administrator and/or root. 

Is suggest, you post the right structure of these folders as i asked.. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Gregory Sloop via samba
> Verzonden: vrijdag 11 maart 2022 17:03
> Aan: Rowland Penny via samba
> Onderwerp: Re: [Samba] Setting permissions on AD member file server
> 
> 
> 
> > On Fri, 2022-03-11 at 07:31 -0800, Gregory Sloop via samba wrote:
> 
> >> I'm feeling really stupid this AM - lets use small words 
> to make sure
> >> I understand this properly - I need to add the users that need to
> >> edit permissions to the BUILTIN/Administrators group, 
> because "Domain
> >> Admins" won't cut it. Right?
> 
> > Wrong , that is how it is supposed to work.\
>  
> Huh?!
> Wrong, meaning, that Domain Admins *should* be able to change 
> permissions, and now it's "wrong" and doesn't work that way?
> Or "Wrong" Domain admins shouldn't be able to change permissions?
>  
> (I'm pretty sure it's the first [especially with what you say 
> in the following para], but your reply is very ambiguous.)
>  
>  
>  
> 
> 
> >>  
> >> Is that normal? ...I.E. It's been a while and I don't have a native
> >> Windows setup to tinker on handy, but IIRC, each admin group is a
> >> super-set of the previous. So Domain Admins has all the 
> rights/privs
> >> of Admins, plus some. And Enterprise Admins is a superset of Domain
> >> Admins. So, this seems like odd Samba behavior.
> 
> > It isn't normal and to the best of my recollection, it used to work
> > like that, you logged into Windows as a member of Domain 
> Admins and you
> > could change the permissions on a share. I can only do this now if I
> > log in as Administrator, with a user.map set in smb.conf and 'min
> > domain uid = 0' also set. 
>  
> Is the actual administrator *user account* the only one you 
> can do this with, or does the BUILTIN\Administrators group 
> equivalence/membership also work?
>  
> 
> 
> > I think you could have found a bug :-/
> 
> > Rowland
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list