Rowland Penny
2015-Feb-15 19:37 UTC
[Samba] What options do I have to create OUs and ACLs in Samba4?
On 15/02/15 18:27, Marc Muehlfeld wrote:
> Hello John,
>
> On 15.02.2015 at 18:56, John Lewis wrote:
>> I need to create a couple of OUs under Users to separate my internal
>> users from my external users that have LDAP-backed accounts, so I can put
>> ACLs over the external users and limit what they can see on the
>> tree. What options do I have to create the OUs and the ACLs in a Samba4
>> AD-DC domain?
>
> The comfortable, easy and recommended way: use ADUC.
> https://wiki.samba.org/index.php/Installing_RSAT_on_Windows_for_AD_Management
>
> The (very) unattractive way: OUs you can create LDAP-style via importing
> LDIFs. ACLs can be set via samba-tool. But as far as I know, we don't
> have any documentation yet about "samba-tool dsacl set". Here is an
> example that I found on the internet and the output it produces:
> https://cpaste.org/py3kczpjk/ra3wba/raw
> It seems to do something. But I have no idea what :-)
>
> Regards,
> Marc

FYI Marc, it is allowing 'Domain Computers' access to
"CN=demo01,CN=Users,DC=samdom,DC=example,DC=com", the container will
inherit ACEs and 'Domain Computers' can read the sddls, list children
and read control. :-)

See here:
https://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928%28v=vs.85%29.aspx

and here:
https://msdn.microsoft.com/en-gb/library/windows/desktop/aa379602%28v=vs.85%29.aspx
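As an added illustration (not code from this thread or from Samba), a small Python decoder for the SDDL ACE strings that "samba-tool dsacl set" accepts, so an ACL string found on the internet can be read and checked before it is applied to the directory. The decoding tables are transcribed from the MSDN ACE-string reference Rowland links and are my assumption; the example string (A;CI;RPLCRC;;;DC) is constructed to match Rowland's description and is not the string from the paste, which is not reproduced on this page.

```python
import re
# Decoding tables transcribed from the MSDN ACE-string reference linked above
# (assumed correct; only codes relevant to an AD DACL are included).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "OBJECT_ACCESS_ALLOWED",
             "OD": "OBJECT_ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "OU": "OBJECT_SYSTEM_AUDIT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
          "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT", "DT": "DELETE_TREE",
          "CR": "CONTROL_ACCESS", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "SD": "STANDARD_DELETE", "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE"}
TRUSTEES = {"DC": "Domain Computers", "DU": "Domain Users", "DA": "Domain Admins",
            "EA": "Enterprise Admins", "AU": "Authenticated Users", "WD": "Everyone",
            "BA": "Builtin Administrators", "SY": "Local System", "PS": "Principal Self"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def _split_codes(field, table, what):
    """Split a run of two-letter codes such as 'RPLCRC' and look each one up."""
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    bad = [c for c in codes if c not in table]
    if len(field) % 2 or bad:  # reject rather than silently misread a typo
        raise ValueError(f"bad {what} field {field!r}: unknown codes {bad}")
    return [table[c] for c in codes]

def decode_ace(ace):
    """Decode one ACE body: type;flags;rights;object_guid;inherit_object_guid;trustee."""
    parts = ace.split(";")
    if len(parts) != 6 or parts[0] not in ACE_TYPES:
        raise ValueError(f"malformed ACE (need 6 fields and a known type): {ace!r}")
    ace_type, flags, rights, obj_guid, inh_guid, trustee = parts
    return {"type": ACE_TYPES[ace_type],
            "flags": _split_codes(flags, ACE_FLAGS, "flag"),
            # rights may also be a hex access mask; that form is reported verbatim
            "rights": [rights] if rights.lower().startswith("0x")
                      else _split_codes(rights, RIGHTS, "right"),
            "object_type": obj_guid or None,
            "inherited_object_type": inh_guid or None,
            "trustee": TRUSTEES.get(trustee, trustee)}  # literal SIDs pass through

def decode_sddl_aces(sddl):
    """Decode every '(...)' ACE in an SDDL string such as a --sddl value for dsacl set."""
    aces = ACE_RE.findall(sddl)
    if not aces:
        raise ValueError(f"no ACEs found in {sddl!r}")
    return [decode_ace(a) for a in aces]

# Constructed example (not the string from the paste): container-inherited allow of
# read property, list children and read control to Domain Computers.
EXAMPLE_SDDL = "(A;CI;RPLCRC;;;DC)"
```

Running decode_sddl_aces(EXAMPLE_SDDL) yields one ACCESS_ALLOWED entry with flag CONTAINER_INHERIT, rights READ_PROPERTY, LIST_CHILDREN and READ_CONTROL, and trustee Domain Computers; a mistyped rights field raises instead of being partially applied.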
Marc Muehlfeld
2015-Feb-15 20:05 UTC
[Samba] What options do I have to create OUs and ACLs in Samba4?
Hello Rowland,

On 15.02.2015 at 20:37, Rowland Penny wrote:
> FYI Marc, it is allowing 'Domain Computers' access to
> "CN=demo01,CN=Users,DC=samdom,DC=example,DC=com", the container will
> inherit ACEs and 'Domain Computers' can read the sddls, list children
> and read control. :-)
>
> See here:
> https://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928%28v=vs.85%29.aspx
>
> and here:
> https://msdn.microsoft.com/en-gb/library/windows/desktop/aa379602%28v=vs.85%29.aspx

Thanks for those interesting links. Maybe I can write user
documentation for the Wiki out of that for the really tough guys using
samba-tool :-)

Regards,
Marc
John Lewis
2015-Feb-15 20:19 UTC
[Samba] What options do I have to create OUs and ACLs in Samba4?
On 02/15/2015 03:05 PM, Marc Muehlfeld wrote:
> Hello Rowland,
>
> On 15.02.2015 at 20:37, Rowland Penny wrote:
>> FYI Marc, it is allowing 'Domain Computers' access to
>> "CN=demo01,CN=Users,DC=samdom,DC=example,DC=com", the container will
>> inherit ACEs and 'Domain Computers' can read the sddls, list children
>> and read control. :-)
>>
>> See here:
>> https://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928%28v=vs.85%29.aspx
>>
>> and here:
>> https://msdn.microsoft.com/en-gb/library/windows/desktop/aa379602%28v=vs.85%29.aspx
>
> Thanks for those interesting links. Maybe I can write user
> documentation for the Wiki out of that for the really tough guys using
> samba-tool :-)
>
> Regards,
> Marc

I would greatly appreciate it, Marc. I am one of the tough guys. I can't
afford to sneak a Windows Server machine onto my 1GB memory Ramnode VPS.
I think I could get around that with some ssh reverse proxies, OpenVPN and
creative firewall rules, but being able to do it with samba-tool would be
simpler.