Shane Robinson
2015-Mar-04 20:35 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
Hi Davor,

If the mapping of administrator to root is not ideal, I do like the idea of having a specific FileShareAdmin group.

But, why chown and not simply chgrp?

Thanks!

Shane Robinson
Chief Administrative Officer
SimpeQ Care Inc.
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Wednesday, March 04, 2015 12:13 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

On 04/03/15 19:25, Davor Vusir wrote:
> If I remember correctly it doesn't matter what combinations you
> 'chmod' to. It changes to 755 as soon as you change ACLs from Windows.
> I suggest you add uid- and gidnumber to all users and groups and chown
> to a user:group (or perhaps group:group if possible). For example
> chown FileShareAdmin:FileShareAdminGroup and let the user account
> which operates the file share be a member of group
> FileShareAdminGroup. With this approach you get some degree of
> security if you also allow users to logon to the server with ssh for
> example. And of course home directories.
>
> Choice 3 and uid-/gidNumber assigned.
>
> Regards
> Davor
>

You must be mis-remembering because I just tried it and the Unix acls do not change, mind you I never thought they would. The windows ACLs now show with getfacl, so this may be what you are getting mixed up with.

As for giving all users and groups an ID number, just how far do you suggest an admin goes? do you suggest that all the 'well known sids' be given an ID ?

Rowland
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Davor Vusir
2015-Mar-04 20:52 UTC
[Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
2015-03-04 21:35 GMT+01:00 Shane Robinson <srobinson at simpeq.ca>:
> Hi Davor,
>
> If the mapping of administrator to root is not ideal, I do like the idea of
> having a specific FileShareAdmin group.
>
> But, why chown and not simply chgrp?
>

If you consider 'root' as a BUILTIN\Administrator equivalent it might work changing both Share and DACL "the Windows way". I'm not sure it's going to work as 'root' (on the local file/Samba server) cannot be resolved. There is no 'SERVER\root' account in the AD database. I suggest to you to change owner to a domain user account (or if possible a domain group).

See also https://lists.samba.org/archive/samba/2014-October/186286.html.

Regards
Davor

> Thanks!
>
> Shane Robinson
> Chief Administrative Officer
> SimpeQ Care Inc.
> t. 604.988.3103 ext. 104
> c. 604.506.3311
> f. 604.988.3105
> Please consider the environment before printing this email.
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Rowland Penny
> Sent: Wednesday, March 04, 2015 12:13 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain Member Server (wheezy) - Unable to edit
> permissions of share without usermapping - shall I add to Wiki?
>
> On 04/03/15 19:25, Davor Vusir wrote:
>> If I remember correctly it doesn't matter what combinations you
>> 'chmod' to. It changes to 755 as soon as you change ACLs from Windows.
>> I suggest you add uid- and gidnumber to all users and groups and chown
>> to a user:group (or perhaps group:group if possible). For example
>> chown FileShareAdmin:FileShareAdminGroup and let the user account
>> which operates the file share be a member of group
>> FileShareAdminGroup. With this approach you get some degree of
>> security if you also allow users to logon to the server with ssh for
>> example. And of course home directories.
>>
>> Choice 3 and uid-/gidNumber assigned.
>>
>> Regards
>> Davor
>>
>
> You must be mis-remembering because I just tried it and the Unix acls do not
> change, mind you I never thought they would. The windows ACLs now show with
> getfacl, so this may be what you are getting mixed up with.
>
> As for giving all users and groups an ID number, just how far do you suggest
> an admin goes? do you suggest that all the 'well known sids' be given an ID
> ?
>
> Rowland
Shane Robinson
2015-Mar-04 21:14 UTC
[Samba] *****SPAM***** Re: Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
Hi Davor,

If you chmod 0775 then chgrp, you are able to change the permissions from windows while root remains the owner.

It seems, however, that the above may only apply to my silly setup where I jumped the gun and assigned a UIDnumber to Administrator, and a GIDnumber to Domain Admins.

I've read through your thread of October, and while I think your requirements differ from mine, it was enlightening with respect to the various mapping permutations.

Thanks,

Shane Robinson
Chief Administrative Officer
SimpeQ Care Inc.
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Davor Vusir
Sent: Wednesday, March 04, 2015 12:52 PM
To: samba at lists.samba.org
Subject: *****SPAM***** Re: [Samba] Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?

2015-03-04 21:35 GMT+01:00 Shane Robinson <srobinson at simpeq.ca>:
> Hi Davor,
>
> If the mapping of administrator to root is not ideal, I do like the
> idea of having a specific FileShareAdmin group.
>
> But, why chown and not simply chgrp?
>

If you consider 'root' as a BUILTIN\Administrator equivalent it might work changing both Share and DACL "the Windows way". I'm not sure it's going to work as 'root' (on the local file/Samba server) cannot be resolved. There is no 'SERVER\root' account in the AD database. I suggest to you to change owner to a domain user account (or if possible a domain group).

See also https://lists.samba.org/archive/samba/2014-October/186286.html.

Regards
Davor

> Thanks!
>
> Shane Robinson
> Chief Administrative Officer
> SimpeQ Care Inc.
> t. 604.988.3103 ext. 104
> c. 604.506.3311
> f. 604.988.3105
> Please consider the environment before printing this email.
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Rowland Penny
> Sent: Wednesday, March 04, 2015 12:13 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain Member Server (wheezy) - Unable to edit
> permissions of share without usermapping - shall I add to Wiki?
>
> On 04/03/15 19:25, Davor Vusir wrote:
>> If I remember correctly it doesn't matter what combinations you
>> 'chmod' to. It changes to 755 as soon as you change ACLs from Windows.
>> I suggest you add uid- and gidnumber to all users and groups and
>> chown to a user:group (or perhaps group:group if possible). For
>> example chown FileShareAdmin:FileShareAdminGroup and let the user
>> account which operates the file share be a member of group
>> FileShareAdminGroup. With this approach you get some degree of
>> security if you also allow users to logon to the server with ssh for
>> example. And of course home directories.
>>
>> Choice 3 and uid-/gidNumber assigned.
>>
>> Regards
>> Davor
>>
>
> You must be mis-remembering because I just tried it and the Unix acls
> do not change, mind you I never thought they would. The windows ACLs
> now show with getfacl, so this may be what you are getting mixed up with.
>
> As for giving all users and groups an ID number, just how far do you
> suggest an admin goes? do you suggest that all the 'well known sids'
> be given an ID ?
>
> Rowland
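The ownership arrangement discussed in this thread (owner left as it is, the share directory handed to an admin group, mode 0775), as an added shell example that is not from any of the posters, with a check that the result is group-writable but not world-writable. The function names, the path and the group name in the usage comment are assumptions; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not from the thread. Usage on a member server (path and
# group are assumed placeholders; run as root):
#   set_share_group /srv/samba/share 'EXAMPLE\Domain Admins'
#   audit_share     /srv/samba/share 'EXAMPLE\Domain Admins'

# set_share_group DIR GROUP
# Keep the current owner, give DIR to GROUP and set mode 0775 (the
# "chmod 0775 then chgrp" arrangement; the order does not matter here).
set_share_group() {
    chgrp "$2" "$1" && chmod 0775 "$1"
}

# audit_share DIR GROUP
# Returns 0 only if DIR is group-owned by GROUP, group-writable and not
# world-writable. Returns 1 on a finding, 2 if DIR cannot be inspected.
audit_share() {
    dir=$1; want=$2; rc=0
    grp=$(stat -c '%G' "$dir") || return 2
    mode=$(stat -c '%a' "$dir") || return 2   # e.g. 775 or 2775
    g=$(( (mode / 10) % 10 ))                 # group permission digit
    o=$(( mode % 10 ))                        # other permission digit

    [ "$grp" = "$want" ] || {
        echo "$dir: group is '$grp', expected '$want'" >&2; rc=1; }
    [ $(( g & 2 )) -ne 0 ] || {
        echo "$dir: group has no write bit (mode $mode)" >&2; rc=1; }
    [ $(( o & 2 )) -eq 0 ] || {
        echo "$dir: world-writable (mode $mode)" >&2; rc=1; }
    return $rc
}
```

The audit reads only the Unix mode bits and group owner; ACL entries stored by Samba are inspected separately with `getfacl`, as mentioned in the thread.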