samba - Oct 2016 - Roaming Profiles with Windows ACLs

On 10/12/2016 1:34 PM, Mark Nienberg via samba wrote:
> Well, the easy fix is to add this to the share definition:
>
>   admin users = "@STA\domain admins"
>
> The wiki implies that this should not be necessary, so I don't know if
the
> wiki is wrong or if I failed to follow it correctly. This was my first
> share using Windows ACLS and it was an interesting experience, but for me I
> think the POSIX ACLs are easier to understand and troubleshoot. That may
> just be because I am more of a Linux admin than a Windows admin.
>
> Mark
>
> On Sat, Oct 8, 2016 at 12:04 PM, Mark Nienberg <
> mnlists at tippingstructural.com> wrote:
>
>> On Fri, Oct 7, 2016 at 12:38 PM, Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>
>>> have you given Domain Admins the required rights ?
>>>
>>> net rpc rights grant DOMAIN\\"Domain Admins"
>>> SeDiskOperatorPrivilege -UAdministrator
>>>
>> Yes. I followed this wiki example:
>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>>
>> Here is some output:
>>
>> [nienberg at gecko ~]$ net rpc rights list accounts
-U'STA\myAdminAccount'
>>
>> STA\Domain Admins
>> SeDiskOperatorPrivilege
>>
Do your Domain Admins have 'Full control' as a permission and 'This 
folder, subfolders and files' on the root share under?

-- 
-James

Yes, it looks like this:

https://wiki.samba.org/index.php/Implementing_roaming_profiles#Profile_share_using_Windows_ACLs

but as I say, it works now that I have added the admin users, so I am
satisfied for now.

On Wed, Oct 12, 2016 at 11:31 AM, lingpanda101--- via samba <
samba at lists.samba.org> wrote:
> On 10/12/2016 1:34 PM, Mark Nienberg via samba wrote:
>
>> Well, the easy fix is to add this to the share definition:
>>
>>   admin users = "@STA\domain admins"
>>
>> The wiki implies that this should not be necessary, so I don't know
if the
>> wiki is wrong or if I failed to follow it correctly. This was my first
>> share using Windows ACLS and it was an interesting experience, but for
me
>> I
>> think the POSIX ACLs are easier to understand and troubleshoot. That
may
>> just be because I am more of a Linux admin than a Windows admin.
>>
>> Mark
>>
>> On Sat, Oct 8, 2016 at 12:04 PM, Mark Nienberg <
>> mnlists at tippingstructural.com> wrote:
>>
>> On Fri, Oct 7, 2016 at 12:38 PM, Rowland Penny via samba <
>>> samba at lists.samba.org> wrote:
>>>
>>> have you given Domain Admins the required rights ?
>>>>
>>>> net rpc rights grant DOMAIN\\"Domain Admins"
>>>> SeDiskOperatorPrivilege -UAdministrator
>>>>
>>>> Yes. I followed this wiki example:
>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>>>
>>> Here is some output:
>>>
>>> [nienberg at gecko ~]$ net rpc rights list accounts
-U'STA\myAdminAccount'
>>>
>>> STA\Domain Admins
>>> SeDiskOperatorPrivilege
>>>
>>>
> Do your Domain Admins have 'Full control' as a permission and
'This
> folder, subfolders and files' on the root share under?
>
> --
> -James
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 10/12/2016 7:32 PM, Mark Nienberg wrote:
> Yes, it looks like this:
>
>
https://wiki.samba.org/index.php/Implementing_roaming_profiles#Profile_share_using_Windows_ACLs
>
> but as I say, it works now that I have added the admin users, so I am 
> satisfied for now.
>
> On Wed, Oct 12, 2016 at 11:31 AM, lingpanda101--- via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>>
wrote:
>
>     On 10/12/2016 1:34 PM, Mark Nienberg via samba wrote:
>
>         Well, the easy fix is to add this to the share definition:
>
>           admin users = "@STA\domain admins"
>
>         The wiki implies that this should not be necessary, so I don't
>         know if the
>         wiki is wrong or if I failed to follow it correctly. This was
>         my first
>         share using Windows ACLS and it was an interesting experience,
>         but for me I
>         think the POSIX ACLs are easier to understand and
>         troubleshoot. That may
>         just be because I am more of a Linux admin than a Windows admin.
>
>         Mark
>
>         On Sat, Oct 8, 2016 at 12:04 PM, Mark Nienberg <
>         mnlists at tippingstructural.com
>         <mailto:mnlists at tippingstructural.com>> wrote:
>
>             On Fri, Oct 7, 2016 at 12:38 PM, Rowland Penny via samba <
>             samba at lists.samba.org <mailto:samba at
lists.samba.org>> wrote:
>
>                 have you given Domain Admins the required rights ?
>
>                 net rpc rights grant DOMAIN\\"Domain Admins"
>                 SeDiskOperatorPrivilege -UAdministrator
>
>             Yes. I followed this wiki example:
>             https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>            
<https://wiki.samba.org/index.php/Shares_with_Windows_ACLs>
>
>             Here is some output:
>
>             [nienberg at gecko ~]$ net rpc rights list accounts
>             -U'STA\myAdminAccount'
>
>             STA\Domain Admins
>             SeDiskOperatorPrivilege
>
>
>     Do your Domain Admins have 'Full control' as a permission and
>     'This folder, subfolders and files' on the root share under?
>
>     -- 
>     -James
>
>
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>     <https://lists.samba.org/mailman/options/samba>
>
>
The link doesn't show adding Domain Admins to the ACL permissions. I 
only see 'Administrator'. I assume you did based on your getfacl
command.

-- 
-James