Jaan Talvet
2007-Aug-20 16:07 UTC
[Samba] restricting the windows users security tab with samba acl
Hello, We're porting all our windows file servers over to linux. I just joined our samba server to Active Directory and it works great with ACL - I can add/remove Sales, Marketing, IT groups etc.., unfortunately, so can everyone else. Q) How can I restrict our regular windows XP users from manipulating the "Properties -> Security" tab in file explorer? I'd need to restrict that to only the "Domain Admins" group like in Windows. Right now, anyone can add/remove groups - that's bad. setting "nt acl support = no" removes ACL control completely, not just for regular users, but admins too. any ideas? Thanks, Jaan
Gerald (Jerry) Carter
2007-Aug-20 19:15 UTC
[Samba] restricting the windows users security tab with samba acl
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jaan Talvet wrote:> Hello, > > We're porting all our windows file servers over to linux. I just joined > our samba server to Active Directory and it works great with ACL - I can > add/remove Sales, Marketing, IT groups etc.., unfortunately, so can > everyone else. > > Q) How can I restrict our regular windows XP users from manipulating the > "Properties -> Security" tab in file explorer? I'd need to restrict > that to only the "Domain Admins" group like in Windows. Right now, > anyone can add/remove groups - that's bad.Change the ownership of the files directory to root and rely on group permissions. Assuming you have 'dos filemode = no' (the default), this should give you the semantics you want. cheers, jerry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGyeghIR7qMdg1EfYRAidKAJ4hhmEYtXHKJANeHpqvTlKSANA/CgCeJFeV Tz4WDUgCN9W2gIeGbhtXSQ4=9e7J -----END PGP SIGNATURE-----