samba - Jun 2015 - using the DC as a file Server in AD

Am 10.06.2015 um 03:25 schrieb Mike:
> I'm learning to be very deliberate with changing posix and windows
acl's so
> I don't disturb users' access to files and folders.
> I check acl's on a specific file/folder on the server with getfacl.
> Then make one small acl modification to one file in a sub-directory of a
> share.
> Then record the difference reported by getfacl again.
> Then will access the same file from Windows RSAT console as the Domain
> Admin and note the permissions indicated on the Security tab.
If you use acl_xattr (default in AD mode) and change permissions in 
Linux, this will reset all permissions that were previously set from 
Windows. Use either setfacl or the security tab, but do not mix them.

On Thu, Jun 11, 2015 at 5:01 AM, Klaus Hartnegg <hartnegg at
uni-freiburg.de>
wrote:
> Am 10.06.2015 um 03:25 schrieb Mike:
>
>> I'm learning to be very deliberate with changing posix and windows
acl's
>> so
>> I don't disturb users' access to files and folders.
>> I check acl's on a specific file/folder on the server with getfacl.
>> Then make one small acl modification to one file in a sub-directory of
a
>> share.
>> Then record the difference reported by getfacl again.
>> Then will access the same file from Windows RSAT console as the Domain
>> Admin and note the permissions indicated on the Security tab.
>>
>
> If you use acl_xattr (default in AD mode) and change permissions in Linux,
> this will reset all permissions that were previously set from Windows. Use
> either setfacl or the security tab, but do not mix them.
>
>
Hi Klaus,

Your point is well received.  I had a problem trying to effect permissions
changes using windows acls.  The only way I found towards a solution was to
go back and forth between windows "Domain Users" and "User"
accounts, and
linux getfacl/setfacl changes to the same file......seeing the effect of
the changes between the two.  It's how I figured out that acl's for
windows
"Domain Users" consistently translates to linux acl's
"group:users", etc.

You have to play with both to understand all the parts, but carefully.

HI,

We face your problem when we first migrate to samba4 AD domain. We
decice as you did to only work with the RSAT tools.

If it directory with lot of subdirectories with different acls. What
we did is every group who dld need acces as a read-only at the root
directory and then applied the allowe/disallow on every subdirectories
directly via the RSAT tools.

Using this rules we never face anymore problems.

Meilleures salutations / Best regards,

Joseph-Andr? GUARAGNA
ing?nieur Syst?me et R?seau / Network and System engineer



RD MACHINES-OUTILS

77, all?e de l'Industrie  F-74130 CONTAMINE SUR ARVE
Tel : +33 (0) 4 50 03 90 77    -   Fax :+33 (0) 4 50 03 66 79
www.rdmo.com / www.rdmo-spare-parts.com


2015-06-11 14:10 GMT+02:00 Mike <1100100 at
gmail.com>:
> On Thu, Jun 11, 2015 at 5:01 AM, Klaus Hartnegg <hartnegg at
uni-freiburg.de>
> wrote:
>
>> Am 10.06.2015 um 03:25 schrieb Mike:
>>
>>> I'm learning to be very deliberate with changing posix and
windows acl's
>>> so
>>> I don't disturb users' access to files and folders.
>>> I check acl's on a specific file/folder on the server with
getfacl.
>>> Then make one small acl modification to one file in a sub-directory
of a
>>> share.
>>> Then record the difference reported by getfacl again.
>>> Then will access the same file from Windows RSAT console as the
Domain
>>> Admin and note the permissions indicated on the Security tab.
>>>
>>
>> If you use acl_xattr (default in AD mode) and change permissions in
Linux,
>> this will reset all permissions that were previously set from Windows.
Use
>> either setfacl or the security tab, but do not mix them.
>>
>>
> Hi Klaus,
>
> Your point is well received.  I had a problem trying to effect permissions
> changes using windows acls.  The only way I found towards a solution was to
> go back and forth between windows "Domain Users" and
"User" accounts, and
> linux getfacl/setfacl changes to the same file......seeing the effect of
> the changes between the two.  It's how I figured out that acl's for
windows
> "Domain Users" consistently translates to linux acl's
"group:users", etc.
>
> You have to play with both to understand all the parts, but carefully.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba