On Fri, 2022-03-11 at 07:31 -0800, Gregory Sloop via samba wrote:
> I'm feeling really stupid this AM - let's use small words to make sure
> I understand this properly - I need to add the users that need to
> edit permissions to the BUILTIN/Administrators group, because "Domain
> Admins" won't cut it. Right?

Wrong, that is how it is supposed to work.

> Is that normal? ...I.E. It's been a while and I don't have a native
> Windows setup to tinker on handy, but IIRC, each admin group is a
> super-set of the previous. So Domain Admins has all the rights/privs
> of Admins, plus some. And Enterprise Admins is a superset of Domain
> Admins. So, this seems like odd Samba behavior.

It isn't normal and to the best of my recollection, it used to work like that, you logged into Windows as a member of Domain Admins and you could change the permissions on a share. I can only do this now if I log in as Administrator, with a user.map set in smb.conf and 'min domain uid = 0' also set.

I think you could have found a bug :-/

Rowland
> On Fri, 2022-03-11 at 07:31 -0800, Gregory Sloop via samba wrote:
>> I'm feeling really stupid this AM - let's use small words to make sure
>> I understand this properly - I need to add the users that need to
>> edit permissions to the BUILTIN/Administrators group, because "Domain
>> Admins" won't cut it. Right?

> Wrong, that is how it is supposed to work.

Huh?!
Wrong, meaning, that Domain Admins *should* be able to change permissions, and now it's "wrong" and doesn't work that way?
Or "Wrong" Domain admins shouldn't be able to change permissions?

(I'm pretty sure it's the first [especially with what you say in the following para], but your reply is very ambiguous.)

>> Is that normal? ...I.E. It's been a while and I don't have a native
>> Windows setup to tinker on handy, but IIRC, each admin group is a
>> super-set of the previous. So Domain Admins has all the rights/privs
>> of Admins, plus some. And Enterprise Admins is a superset of Domain
>> Admins. So, this seems like odd Samba behavior.

> It isn't normal and to the best of my recollection, it used to work
> like that, you logged into Windows as a member of Domain Admins and you
> could change the permissions on a share. I can only do this now if I
> log in as Administrator, with a user.map set in smb.conf and 'min
> domain uid = 0' also set.

Is the actual administrator *user account* the only one you can do this with, or does the BUILTIN\Administrators group equivalence/membership also work?

> I think you could have found a bug :-/
> Rowland
L.P.H. van Belle
2022-Mar-11 16:06 UTC
[Samba] Setting permissions on AD member file server
You can "deny" Administrator and/or root.
I suggest you post the right structure of these folders as I asked.

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Gregory Sloop via samba
> Sent: Friday, 11 March 2022 17:03
> To: Rowland Penny via samba
> Subject: Re: [Samba] Setting permissions on AD member file server
>
> > On Fri, 2022-03-11 at 07:31 -0800, Gregory Sloop via samba wrote:
> >> I'm feeling really stupid this AM - let's use small words to make sure
> >> I understand this properly - I need to add the users that need to
> >> edit permissions to the BUILTIN/Administrators group, because "Domain
> >> Admins" won't cut it. Right?
>
> > Wrong, that is how it is supposed to work.
>
> Huh?!
> Wrong, meaning, that Domain Admins *should* be able to change
> permissions, and now it's "wrong" and doesn't work that way?
> Or "Wrong" Domain admins shouldn't be able to change permissions?
>
> (I'm pretty sure it's the first [especially with what you say
> in the following para], but your reply is very ambiguous.)
>
> >> Is that normal? ...I.E. It's been a while and I don't have a native
> >> Windows setup to tinker on handy, but IIRC, each admin group is a
> >> super-set of the previous. So Domain Admins has all the rights/privs
> >> of Admins, plus some. And Enterprise Admins is a superset of Domain
> >> Admins. So, this seems like odd Samba behavior.
>
> > It isn't normal and to the best of my recollection, it used to work
> > like that, you logged into Windows as a member of Domain Admins and you
> > could change the permissions on a share. I can only do this now if I
> > log in as Administrator, with a user.map set in smb.conf and 'min
> > domain uid = 0' also set.
>
> Is the actual administrator *user account* the only one you
> can do this with, or does the BUILTIN\Administrators group
> equivalence/membership also work?
>
> > I think you could have found a bug :-/
> > Rowland
On 11 March 2022 15:51 Rowland Penny wrote:
> On Fri, 2022-03-11 at 07:31 -0800, Gregory Sloop via samba wrote:
> It isn't normal and to the best of my recollection, it used to work like that, you logged
> into Windows as a member of Domain Admins and you could change the
> permissions on a share. I can only do this now if I log in as Administrator, with a
> user.map set in smb.conf and 'min domain uid = 0' also set.
>
> I think you could have found a bug :-/

Possibly. I have found that in order to use a 'Domain Admins' user to set permissions from Windows (rather than the Administrator account) I needed to give 'Domain Admins' (or BUILTIN/Administrators) write access to the folder. I follow Louis' very detailed explanation in an earlier thread to set permissions in Linux (see https://lists.samba.org/archive/samba/2021-November/238776.html ) before setting them from Windows using a Domain Admin user and it works fine as far as I can tell.

HTH

Roy
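
Added example, not part of the thread or of Samba: one way to check from the Linux side whether a group such as 'Domain Admins' really has write access to the share folder, as Roy describes. A named group entry in a POSIX ACL grants write only if the ACL mask also allows it, so the helper reads `getfacl -n` output and reports the effective result; the path and the gids 10512 and 10513 are constructed, and the real gid would come from `getent group`.

```shell
#!/bin/sh
# group_can_write GID
# Reads `getfacl -n` output on stdin and prints "yes" or "no": does the
# group's effective permission (ACL entry AND mask) include write?
group_can_write() {
    awk -F: -v gid="$1" '
        /^# group: /           { owner = $2; sub(/^ +/, "", owner) }
        /^mask::/              { mask = substr($3, 1, 3); have_mask = 1 }
        /^group::/             { owner_perms = substr($3, 1, 3) }
        /^group:/ && $2 == gid { perms = substr($3, 1, 3) }
        END {
            # Fall back to the owning-group entry when gid owns the folder.
            if (perms == "" && owner == gid) perms = owner_perms
            ok = index(perms, "w") && (!have_mask || index(mask, "w"))
            print (ok ? "yes" : "no")
        }'
}

# Constructed sample of `getfacl -n` output for a share folder. gid 10512
# stands in for the mapped "Domain Admins" group, 10513 for the owning group.
sample_acl() {   # $1 = mask to embed, e.g. r-x or rwx
    cat <<EOF
# file: srv/samba/share
# owner: 0
# group: 10513
user::rwx
group::r-x
group:10512:rwx
mask::$1
other::---
EOF
}

sample_acl r-x | group_can_write 10512   # entry says rwx, mask strips write
sample_acl rwx | group_can_write 10512   # entry and mask both allow write
```

On a real server the input would be `getfacl -n` run against the share path instead of `sample_acl`.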