On 25/11/15 11:51, L.P.H. van Belle wrote:
> If this is about problems on a member server, read on.
> If it's on a ADDC, then I don't know, but good info below. ;-)
>
> ( Rowland, maybe a thing to put on the wiki also, read on.. )

The thing is, it was on the wiki and Marc decided it would be better to go down the 'Domain Admins' line. He doesn't seem to like the username map way of doing things. I think it needs to be put back. Hopefully Marc will pick up on this and comment.

>
> If you only use the share from windows machines, make your life easy.
> Add : acl_xattr:ignore system acls = yes to the share.
> And set the correct rights from within windows.
>
> If you do use the shares /folders also from within linux.
> Set UID/GID for all (needed) users/groups.
> Use the user_mapping in samba to map root to the domain administrator,
> And/or set user Administrator on the folder
> now set the correct rights from within windows.
>
> Above can be done on ADDC or member server but there is a big difference.
>
> Regarding.. ( more explained )
>> sudo ls -l /srv/samba/
>>> drwxrwxr-x 2 root domain admins 4096 Nov 15 11:51 Finance
>>> drwxrwxr-x+ 2 root domain admins 4096 Nov 25 08:08 home
>> When I try to set the ACLs in Windows I get "Permission Denied"
> Yes, totally correct, I assume you did read:
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
> which says,
> # chmod g=rwx /srv/samba/Demo/
> # chgrp "Domain Admins" /srv/samba/Demo/
>
> But this example is done on a addc server, and not on a member server.
> On a ADDC user Administrator is automatically mapped to root,
> id administrator on addc results in UID 0 and imo most important info,
> is missing on the wiki.
>
> I also assume you're doing this on a member server.
> Which is ok also, but in the 2 ls example above.
>
> drwxrwxr-x 2 root domain admins
> does not work on a member server without the user mapping or a bit different rights.
> So set Administrator:"domain admins" on this folder OR use the user mapping.

This would mean that you would have to give Administrator a uidNumber, breaking the link between 'root' and 'Administrator'. Not saying this is a bad idea, just that you should be aware of it.

Rowland

>
> And make sure that /srv/samba at least has 2775 rights.
> And maybe a chgrp "Domain Admins" /srv/samba
>
>
> Greetz,
>
> Louis
>

>> drwxrwxr-x 2 root domain admins
>> does not work on a member server without the user mapping or a bit
>> different rights.
>> So set Administrator:"domain admins" on this folder OR use the user
>> mapping.
>
> This would mean that you would have to give Administrator a uidNumber,
> breaking the link between 'root' and 'Administrator'. Not saying this
> is a bad idea, just that you should be aware of it.
>
> Rowland

Just reading this accidentally and finding out that "id Administrator" gives "id: Administrator: No such user" on all my machines, including DCs, and member servers where I explicitly mapped Administrator to root. Looking into ADUC, it turns out that Administrator has a uid: "0". Does that mean that I did this at some point (can't remember it)? Any bad consequences, if I take NIS settings back for Administrator?

Ole

On 07/12/15 16:51, Ole Traupe wrote:
>
>>> drwxrwxr-x 2 root domain admins
>>> does not work on a member server without the user mapping or a bit
>>> different rights.
>>> So set Administrator:"domain admins" on this folder OR use the user
>>> mapping.
>>
>> This would mean that you would have to give Administrator a
>> uidNumber, breaking the link between 'root' and 'Administrator'. Not
>> saying this is a bad idea, just that you should be aware of it.
>>
>> Rowland
>
> Just reading this accidentally and finding out that "id Administrator"
> gives "id: Administrator: No such user" on all my machines, including
> DCs, and member servers where I explicitly mapped Administrator to
> root. Looking into ADUC, it turns out that Administrator has a uid:
> "0". Does that mean that I did this at some point (can't remember it)?
> Any bad consequences, if I take NIS settings back for Administrator?
>
> Ole
>

There are two ways of mapping Administrator:

A) Use a 'username map' line in smb.conf on a domain member, this will point to a file similar to this:

    !root = SAMDOM\Administrator SAMDOM\administrator

This will map the windows 'Administrator' to the Unix user 'root' and you will be able to alter ACLs on Samba Unix shares from windows.

B) Give Administrator a uidNumber. This would then make Administrator a normal Unix user, so you would have to ensure that s/he had the required permissions to change ACLs on a Samba Unix share from windows.

You pays your money and make your own choice which to use.

You can, at any time, remove anything that you have done to Administrator and go back to Standard.

Rowland
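
Added example, not part of the thread and not Samba's own code: a small audit of a 'username map' file of the kind shown in option A, listing which Windows accounts end up as Unix 'root' and showing why the leading "!" matters when a wildcard line follows. The sample file contents, the `guest = *` line and the function names are constructed for illustration; the line-by-line semantics follow the username map description in smb.conf(5).

```python
import re

# Constructed sample map file; the "!root" line is the one quoted in the thread.
SAMPLE_MAP = r'''
# sample username map (constructed for this example)
!root = SAMDOM\Administrator SAMDOM\administrator
; later catch-all: without the "!" above it would also remap Administrator
guest = *
'''

def parse_map(text):
    """Return [(stop, unix_name, [windows_names])], one entry per mapping line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        stop = line.startswith("!")  # "!" = stop processing once this line maps
        unix, _, rhs = line.lstrip("!").partition("=")
        # Names containing spaces are double-quoted in the map file.
        names = [n.strip('"') for n in re.findall(r'"[^"]*"|\S+', rhs)]
        rules.append((stop, unix.strip(), names))
    return rules

def resolve(rules, windows_name):
    """Apply the rules top to bottom and return the resulting Unix name."""
    current = windows_name
    for stop, unix, names in rules:
        # "@group" entries need a group lookup and are not expanded here.
        # Assumption: later lines are matched against the already-mapped name.
        if any(n == "*" or n.lower() == current.lower()
               for n in names if not n.startswith("@")):
            current = unix
            if stop:
                break
    return current

def maps_to_root(rules):
    """Explicitly listed Windows names that end up as root (full ACL control)."""
    listed = {n for _, _, names in rules for n in names
              if n != "*" and not n.startswith("@")}
    return sorted(n for n in listed if resolve(rules, n) == "root")

if __name__ == "__main__":
    rules = parse_map(SAMPLE_MAP)
    print(maps_to_root(rules))
    print(resolve(rules, r"SAMDOM\ole"))
```

Running it against the real map file on each domain member gives a quick inventory of the accounts that inherit root's rights over share ACLs.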