Hi Rowland,

yes I do have two separate config files for smbd/nmbd and winbindd.

You can tell winbindd to load a separate config file via the "-s" command line switch.
Therefore I set "WINBINDD_EXTRA_OPTS" in "/etc/default/sernet-samba" to "-s /etc/samba/winbindd.conf".

The "cached_login" option for pam is also set and working.

The problem was the parameter "map untrusted to domain" in smb.conf.
We need this parameter for smbd so that users with non-domain computers are able to enter just their username instead of INTRANET\username.
However setting this parameter to yes prevents winbindd from correctly enabling the offline logons. (Maybe a bug?)

Hence I set "map untrusted to domain" in smb.conf to yes and in winbindd.conf to no.
All other settings that are used by both daemons are equal.

"getent passwd" and "getent group" work, I see all my domain users and groups.

It is just that users cannot modify the read/write permissions of directories via the Windows security tab.
How can I solve this problem?

Greetings,
Felix

> On 04.08.2015 at 17:38, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
>> On 04/08/15 15:29, Felix Matouschek wrote:
>> Hi Rowland,
>>
>> I had to split smbd and winbindd config to work around some bugs in credentials offline caching.
>> I have a separate winbindd.conf, it looks like this:
>>
>> [global]
>> ### Network ###
>> netbios name = Fileserver
>> server string = Fileserver (%h V:%v)
>>
>> ### ad member ###
>> workgroup = INTRANET
>> realm = INTRANET.MYCOMPANY.DE
>> security = ADS
>> kerberos method = secrets and keytab
>>
>> ### WINS ###
>> wins server = 192.168.0.197
>> name resolve order = wins host bcast
>>
>> ### winbind config ###
>> winbind offline logon = yes
>> winbind cache time = 600
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind expand groups = 1
>> winbind nested groups = yes
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>> winbind nss info = rfc2307
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000 - 1999999
>> idmap config INTRANET : backend = ad
>> idmap config INTRANET : schema_mode = rfc2307
>> idmap config INTRANET : range = 5000 - 40000
>>
>> ### offline mode is not working without those ###
>> winbind normalize names = no
>> map untrusted to domain = no
>>
>> ### performance ###
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>>
>> Greetings,
>> Felix
>>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Tuesday, 4 August 2015 15:17
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Cannot change directory permissions
>>
>>> On 04/08/15 14:11, Felix Matouschek wrote:
>>> Hi Rowland,
>>>
>>> my users are known to the OS
>> The smb.conf you posted earlier would seem to suggest that they aren't, what does 'getent passwd <username>' produce ?
>>
>> Rowland
>>
>>> , they also have the correct permissions to alter the settings.
>>> Doing so on the CLI does work when logged in via SSH.
>>>
>>> When opening the Security Tab the users and groups are displayed, only on directories there are no checkmarks under Read, Write etc.
>>> I also cannot set any checkmarks for Read, Write etc.
>>>
>>> When viewing the Security Tab of a file everything works and I can see and set the checkmarks.
>>>
>>> Do you know what could be wrong?
>>>
>>> Greetings,
>>> Felix
>>>
>>> -----Original Message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>> Sent: Tuesday, 4 August 2015 12:55
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Cannot change directory permissions
>>>
>>>> On 04/08/15 11:46, Felix Matouschek wrote:
>>>> Hi Rowland,
>>>>
>>>> when saying 'I' I theoretically meant any user that has write access to the share.
>>>>
>>>> It should be possible to right click the directory in windows, then go to the security tab and remove the write permissions on the directory.
>>>>
>>>> This behaviour already works with files, I'm trying to figure out how to make it also work for directories.
>>>>
>>>> Greetings,
>>>> Felix
>>>>
>>>> -----Original Message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>>> Sent: Tuesday, 4 August 2015 11:57
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Cannot change directory permissions
>>>>
>>>>> On 04/08/15 10:07, Felix Matouschek wrote:
>>>>> Hello,
>>>>> I occasionally need to remove the write permissions from directories inside a share to prevent users from accidentally deleting files inside that directory.
>>>>> My problem is that I can neither view nor change the permissions of directories on my shares.
>>>>> Curiously enough viewing and changing permissions of files in the same shares works without a problem.
>>>>> Is there anything I misconfigured?
>>>>> My smb.conf looks like this:
>>>>> [global]
>>>>> ### Network ###
>>>>> netbios name = Fileserver
>>>>> server string = Fileserver (%h V:%v)
>>>>> ### ad member ###
>>>>> workgroup = INTRANET
>>>>> realm = INTRANET.MYCOMPANY.DE
>>>>> security = ADS
>>>>> kerberos method = secrets and keytab
>>>>> ### WINS ###
>>>>> wins server = 192.168.0.197
>>>>> name resolve order = wins host bcast
>>>>> ### logins without prepending INTRANET\ ###
>>>>> map untrusted to domain = yes
>>>>> ### other settings ###
>>>>> unix extensions = no
>>>>> invalid users = root
>>>>> ### make exe files executable on windows without x bit ###
>>>>> acl allow execute always = yes
>>>>> ### performance ###
>>>>> deadtime = 10
>>>>> use sendfile = yes
>>>>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>>>>> ### prevent unwanted files ###
>>>>> veto files = /$RECYCLE.BIN/desktop.ini/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/._.apdisk/.TemporaryItems/._.TemporaryItems/.Trashes/._.Trashes
>>>>> delete veto files = yes
>>>>> ### SHARES ###
>>>>> [Exchange]
>>>>> path = /home/nobackup/exchange
>>>>> guest ok = yes
>>>>> read only = no
>>>>> create mask = 660
>>>>> directory mask = 770
>>>>> force group = exchange-users
>>>>> Greetings,
>>>>> Felix
>>>> Hi, when you say 'I occasionally need to remove the write permissions', who is the 'I', is this the Administrator ?
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>> I am fairly sure your problem is a misconfiguration of smb.conf, for a start have a look here:
>>>
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> To change directory settings, your users and groups need to be known to the underlying Unix OS and have the required permissions to alter the settings.
>>>
>>> Rowland
>
> I am now officially lost, are you telling me that you have a smb.conf and a winbindd.conf ?
>
> If you have a winbindd.conf, how are you telling winbindd to load it ?
>
> Also I don't use the winbind offline logon feature, but I thought you have to have 'cached_login = yes' in the file: /etc/security/pam_winbind.conf.
>
> Does 'getent passwd' display all your AD domains ?
>
> Rowland
On 07/08/15 10:52, Felix Matouschek wrote:
> Hi Rowland,
>
> yes I do have two separate config files for smbd/nmbd and winbindd.
>
> You can tell winbindd to load a separate config file via the "-s" command line switch.
> Therefore I set "WINBINDD_EXTRA_OPTS" in "/etc/default/sernet-samba" to "-s /etc/samba/winbindd.conf".
>
> The "cached_login" option for pam is also set and working.
>
> The problem was the parameter "map untrusted to domain" in smb.conf.
> We need this parameter for smbd so that users with non-domain computers are able to enter just their username instead of INTRANET\username.
> However setting this parameter to yes prevents winbindd from correctly enabling the offline logons. (Maybe a bug?)

Hmm, very enterprising, but I wonder if using 'winbind use default domain' instead would allow you to use just one smb.conf.

> Hence I set "map untrusted to domain" in smb.conf to yes and in winbindd.conf to no.
> All other settings that are used by both daemons are equal.
>
> "getent passwd" and "getent group" work, I see all my domain users and groups.
>
> It is just that users cannot modify the read/write permissions of directories via the Windows security tab.
> How can I solve this problem?

I think you are going to have to use 'setfacl' on the member server to set the permissions on the share directory, either that or set the Unix directory permissions to ??7 where '?' is whatever is there now for user and group.

Can you post the outcome of these two commands:

ls -la /path/to/shared/directory
getfacl /path/to/shared/directory

Rowland

> Greetings,
> Felix
On 07/08/15 12:25, Felix Matouschek wrote:
> Hi Rowland,
>
> Regarding my permissions problem:
>
> Newly created files, no permission changes yet:
>
> ls -la:
> drwxrwx--- 3 fmatouschek vipco-users 4096 Aug 7 13:12 .
> drwxr-xr-x 55 root vipco-users 4096 Aug 4 10:12 ..
> drwxrwx--- 2 fmatouschek vipco-users 4096 Aug 7 13:11 Directory
> -rw-rw---- 1 fmatouschek vipco-users 0 Aug 7 13:12 File.txt
>
> getfacl:
> # file: .
> # owner: fmatouschek
> # group: vipco-users
> user::rwx
> group::rwx
> other::---
>
> Ticking "write protected" on properties (both file and directory):
>
> ls -la:
> drwxrwx--- 3 fmatouschek vipco-users 4096 Aug 7 13:17 .
> drwxr-xr-x 55 root vipco-users 4096 Aug 4 10:12 ..
> drwxrwx--- 2 fmatouschek vipco-users 4096 Aug 7 13:11 Directory
> -r--r----- 1 fmatouschek vipco-users 0 Aug 7 13:12 File.txt
>
> getfacl:
> # file: .
> # owner: fmatouschek
> # group: vipco-users
> user::rwx
> group::rwx
> other::---
>
> Using the security tab:
>
> ls -la:
> drwxrwx--- 3 fmatouschek vipco-users 4096 Aug 7 13:20 .
> drwxr-xr-x 55 root vipco-users 4096 Aug 4 10:12 ..
> drwxrwx---+ 2 fmatouschek vipco-users 4096 Aug 7 13:20 Directory
> -r--rwx---+ 1 fmatouschek vipco-users 0 Aug 7 13:20 File.txt
>
> getfacl:
> # file: .
> # owner: fmatouschek
> # group: vipco-users
> user::rwx
> group::rwx
> other::---
>
> # file: Directory/
> # owner: fmatouschek
> # group: vipco-users
> user::rwx
> user:fmatouschek:rwx
> group::rwx
> group:vipco-users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:fmatouschek:r--
> default:group::---
> default:group:vipco-users:r--
> default:mask::rwx
> default:other::---
>
> # file: File.txt
> # owner: fmatouschek
> # group: vipco-users
> user::r--
> user:fmatouschek:r--
> group::r--
> group:vipco-users:r--
> mask::rwx
> other::---
>
> According to this output only ticking write-protected on properties of a file does exactly what I want.
>
> Any ideas?
>
> Greetings,
> Felix

Taking this back on list where it belongs.

OK, you seem to understand Unix permissions, but anyway for those who don't:

Unix permissions are based on user:group:other AKA ugo. These are expressed as the letters r w x, r means read, w means write, x means execute if a file and enter if it is a directory. These can be set with chmod and you can use the letters or numbers 1-7, to set to allow all permissions you could use chmod 777 /path/to/dir

Now we have that out of the way, I can tell you that no member of Domain Admins will be able to set anything on the directory from windows because they don't have the permission to do so, either via Unix permissions or windows ACLs.

You need to use 'setfacl' to add the required permissions for Domain Admins, see 'man setfacl' for how to do this.

Rowland
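An added example, not code from the thread or from Samba: a small Python check that parses a getfacl listing such as the 'Directory/' output Felix posted and applies the ACL mask, so you can see which principals actually hold Write now and which will inherit it through the default ACL. The sample listing is the one from the thread; 'group:domain admins' is an assumed principal name used only to show what a missing entry looks like.

```python
"""Effective POSIX ACL rights from a getfacl listing (added example, not
code from the thread).  The mask, not the raw entry, decides what a
Windows user really gets, and a principal with no entry gets nothing."""
from __future__ import annotations

# Constructed sample: the 'Directory/' getfacl output Felix posted.
SAMPLE_DIRECTORY = """\
# file: Directory/
# owner: fmatouschek
# group: vipco-users
user::rwx
user:fmatouschek:rwx
group::rwx
group:vipco-users:rwx
mask::rwx
other::---
default:user::rwx
default:user:fmatouschek:r--
default:group::---
default:group:vipco-users:r--
default:mask::rwx
default:other::---
"""


def parse_getfacl(text: str) -> dict[str, dict[str, str]]:
    """Split a listing into 'access' and 'default' ACLs keyed 'tag:qualifier'
    (e.g. 'group:vipco-users'; 'user:' is the owner).  Header comments and
    getfacl's '#effective:' annotations are dropped and recomputed below."""
    acls: dict[str, dict[str, str]] = {"access": {}, "default": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        acls[scope][f"{tag}:{qualifier}"] = perms
    return acls


def effective(entries: dict[str, str]) -> dict[str, str]:
    """AND named users, named groups and the owning group with the mask;
    owner and 'other' are never masked.  (When ls -l shows a '+', its group
    triplet is this mask, not the owning group's own entry.)"""
    mask = entries.get("mask:", "rwx")
    result: dict[str, str] = {}
    for key, perms in entries.items():
        if key in ("user:", "other:", "mask:"):
            result[key] = perms
        else:
            result[key] = "".join(p if p == m != "-" else "-"
                                  for p, m in zip(perms, mask))
    return result


def can_write(text: str, principal: str, scope: str = "access") -> bool | None:
    """True/False if `principal` holds an effective write bit in `scope`
    ('access' = now, 'default' = what new children inherit); None if it has
    no entry at all, the Domain Admins situation Rowland describes."""
    perms = effective(parse_getfacl(text)[scope]).get(principal)
    return None if perms is None else perms[1] == "w"


if __name__ == "__main__":
    for scope in ("access", "default"):
        print(scope, effective(parse_getfacl(SAMPLE_DIRECTORY)[scope]))
    # 'group:domain admins' is an assumed principal name, used only to show
    # what a missing entry looks like.
    print("domain admins:", can_write(SAMPLE_DIRECTORY, "group:domain admins"))
```

Run it against `getfacl /path/to/shared/directory` output on the member server; a `None` for the group you expect to manage the share is the missing setfacl entry.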
It resolves the groupmap problem:

[root at fileserver ~]# net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

But I still have the administrator problem.
I have followed the wiki.samba doc and I have set the SeDiskOperatorPrivilege:

net rpc rights list accounts -U'DOMAIN\administrator'
DOMAIN\Domain Admins
SeDiskOperatorPrivilege

but administrator is still the only user of the group 'domain admins' who can't manage the security tab of my shares on windows when I remove "everyone" from the "share permissions" tab. Even if I add the administrator "account" directly in this tab.

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny241155 at gmail.com>
Sent: Friday, 7 August 2015 13:47
To: sambalist
Subject: Re: [Samba] Cannot change directory permissions
Hi Rowland,

sorry, I hit the wrong reply button in the last answer.

So there is no other way than to use Windows ACLs?
I was told with our old systems (Samba 3 in non-domain mode) the behaviour I want to achieve was possible when only using ugo.

Greetings,
Felix

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
Sent: Friday, 7 August 2015 13:48
To: sambalist
Subject: Re: [Samba] Cannot change directory permissions