Davor Vusir
2015-Mar-04 19:25 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
2015-03-04 19:59 GMT+01:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 04/03/15 18:31, Shane Robinson wrote:
>>
>> Hello again Rowland, list!
>>
>> Sorry for the delayed response, and top posting.
>>
>> To recap:
>> I'd like to complete the member server wiki so that ACLs can be set from
>> windows without taking undocumented steps.
>>
>> The three ways I've found to do this are:
>>
>> 1) map root to administrator. (LPH VanBelle's script uses this option.)
>
> This is the way that I have been using for some time, it works, but is it the
> best way ?
> You are making the windows Administrator have exactly the same powers that
> 'root' has, do you want/need to do this ?
>
>> 2) chmod 0775 then chgrp "<DOMAIN>\Domain Admins" /srv/share
>
> This is a better way, you are only giving members of Domain Admins the
> rights to the directory and remember that Administrator is a member of
> Domain Admins.
>
>> 3) chown -R "<DOMAIN>\Administrator" /srv/share
>
> This would mean that you would have to give Administrator a different ID
> other than '0'.
>
> I am now leaning towards a mixture of 2 & 3
>

If I remember correctly it doesn't matter what combinations you 'chmod' to.
It changes to 755 as soon as you change ACLs from Windows. I suggest you add
uid- and gidNumber to all users and groups and chown to a user:group (or
perhaps group:group if possible). For example chown
FileShareAdmin:FileShareAdminGroup and let the user account which operates
the file share be a member of group FileShareAdminGroup. With this approach
you get some degree of security if you also allow users to log on to the
server with ssh, for example. And of course home directories.

Choice 3 and uid-/gidNumber assigned.

Regards
Davor

>> I'm leaning towards 2, but would like a better idea of pros and cons so I
>> may complete the wiki.
>>
>> Rowland: From your last response, I was searching for how the ID_TYPE_BOTH
>> relates to the above, and found a recent thread between yourself and Andrew
>> (Samba4, idmap.ldb & ID_TYPE_BOTH), last posted to on Feb 24. The differences
>> you point out W.R.T. sysvol appear to relate more to that thread.
>
> You are correct that the thread was all about sysvol, but you seem to be
> missing the point. If there wasn't 'ID_TYPE_BOTH' then getfacl would work
> better, a windows group would show up as only a group, not as it is now,
> showing as a group and a user!
> The same goes for windows users.
>
> Rowland
>
>> If those differences are important to my current issue, I apologize for
>> being obtuse, but would you mind explaining?
>>
>> Otherwise, List, please let me know which of the above options you prefer
>> and why. I will then document them to the best of my knowledge on the
>> wiki.
>>
>> Thank you kindly,
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
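The option-2 setup quoted above (chmod 0775, then chgrp to the domain group) as a small shell script. This is an added example, not code from the thread, the Samba wiki or LPH VanBelle's script. It assumes GNU coreutils (stat -c), a member server whose NSS resolves domain groups through winbind or sssd, and a placeholder domain name SAMDOM. It goes one step beyond the thread in two ways: it uses mode 2775 (setgid) rather than 0775 so files created in the share keep the share's group instead of the creator's primary group, and it refuses to run when the group does not resolve through NSS, which on a member server is the usual symptom of winbind being down or the idmap backend not having assigned the group a GID.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a share directory as in
# option 2 of the discussion and verify the result from the Unix side.
# Assumptions: GNU stat, winbind/sssd resolving domain groups via NSS,
# and a hypothetical domain group 'SAMDOM\Domain Admins'.

set -eu

# prepare_share DIR GROUP
# Creates DIR, gives group ownership to GROUP and sets mode 2775.
# The setgid bit (2xxx) on top of the thread's 0775 makes new files and
# subdirectories inherit GROUP rather than each creator's primary group.
prepare_share() {
    dir=$1
    group=$2
    # Check NSS first: if winbind is not running or the idmap backend gave
    # the group no GID, chgrp would fail with a far less helpful message.
    if ! getent group "$group" >/dev/null 2>&1; then
        echo "group '$group' does not resolve via NSS" >&2
        return 1
    fi
    mkdir -p "$dir"
    # Only the group changes; the owner (root when run as root) stays put,
    # so Administrator is not mapped to uid 0 and needs no special ID.
    chgrp "$group" "$dir"
    chmod 2775 "$dir"
}

# check_share DIR GROUP
# Returns 0 when DIR is owned by GROUP's GID with mode 2775, else 1.
# Compares GIDs, not names: winbind may report the name in lower case
# or with a different separator than the one you typed.
check_share() {
    dir=$1
    group=$2
    gid=$(getent group "$group" | cut -d: -f3)
    [ -n "$gid" ] || return 1
    [ "$(stat -c '%a %g' "$dir")" = "2775 $gid" ]
}

# Usage on a member server (domain name is an assumption):
#   prepare_share /srv/share 'SAMDOM\Domain Admins'
#   check_share   /srv/share 'SAMDOM\Domain Admins' && echo OK
# Single-quote the group or double the backslash; unquoted, the shell eats it.
```

Run it as root on the member server; as an unprivileged user chgrp only succeeds for groups you are a member of. After the Windows side has been used to edit the ACLs, re-run check_share: as Rowland notes in his reply, the Unix mode is not rewritten by that, only the extended ACL entries that getfacl shows change.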
Rowland Penny
2015-Mar-04 20:13 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
On 04/03/15 19:25, Davor Vusir wrote:
> If I remember correctly it doesn't matter what combinations you
> 'chmod' to. It changes to 755 as soon as you change ACLs from Windows.
> I suggest you add uid- and gidnumber to all users and groups and chown
> to a user:group (or perhaps group:group if possible). For example
> chown FileShareAdmin:FileShareAdminGroup and let the user account
> which operates the file share be a member of group
> FileShareAdminGroup. With this approach you get some degree of
> security if you also allow users to logon to the server with ssh for
> example. And of course home directories.
>
> Choice 3 and uid-/gidNumber assigned.
>
> Regards
> Davor
>

You must be mis-remembering because I just tried it and the Unix acls do not
change, mind you I never thought they would. The windows ACLs now show with
getfacl, so this may be what you are getting mixed up with.

As for giving all users and groups an ID number, just how far do you suggest
an admin goes? Do you suggest that all the 'well known sids' be given an ID?

Rowland
Shane Robinson
2015-Mar-04 20:35 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
Hi Davor,

If the mapping of administrator to root is not ideal, I do like the idea of
having a specific FileShareAdmin group. But, why chown and not simply chgrp?

Thanks!

Shane Robinson
Chief Administrative Officer
SimpeQ Care Inc.
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Wednesday, March 04, 2015 12:13 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

On 04/03/15 19:25, Davor Vusir wrote:
> If I remember correctly it doesn't matter what combinations you
> 'chmod' to. It changes to 755 as soon as you change ACLs from Windows.
> I suggest you add uid- and gidnumber to all users and groups and chown
> to a user:group (or perhaps group:group if possible). For example
> chown FileShareAdmin:FileShareAdminGroup and let the user account
> which operates the file share be a member of group
> FileShareAdminGroup. With this approach you get some degree of
> security if you also allow users to logon to the server with ssh for
> example. And of course home directories.
>
> Choice 3 and uid-/gidNumber assigned.
>
> Regards
> Davor
>

You must be mis-remembering because I just tried it and the Unix acls do not
change, mind you I never thought they would. The windows ACLs now show with
getfacl, so this may be what you are getting mixed up with.

As for giving all users and groups an ID number, just how far do you suggest
an admin goes? Do you suggest that all the 'well known sids' be given an ID?

Rowland
Davor Vusir
2015-Mar-04 20:37 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
2015-03-04 21:13 GMT+01:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 04/03/15 19:25, Davor Vusir wrote:
>>
>> If I remember correctly it doesn't matter what combinations you
>> 'chmod' to. It changes to 755 as soon as you change ACLs from Windows.
>> I suggest you add uid- and gidnumber to all users and groups and chown
>> to a user:group (or perhaps group:group if possible). For example
>> chown FileShareAdmin:FileShareAdminGroup and let the user account
>> which operates the file share be a member of group
>> FileShareAdminGroup. With this approach you get some degree of
>> security if you also allow users to logon to the server with ssh for
>> example. And of course home directories.
>>
>> Choice 3 and uid-/gidNumber assigned.
>>
>> Regards
>> Davor
>>
>
> You must be mis-remembering because I just tried it and the Unix acls do not
> change, mind you I never thought they would. The windows ACLs now show with
> getfacl, so this may be what you are getting mixed up with.
>
> As for giving all users and groups an ID number, just how far do you suggest
> an admin goes? do you suggest that all the 'well known sids' be given an ID
> ?
>

I do. I tried to explain my thoughts some time ago in this thread:
https://lists.samba.org/archive/samba/2014-October/186268.html. The thread
goes on...

Regards
Davor

> Rowland