Hi,

> Follow this wiki page:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_print_server#Setup_the_.5Bprinters.5D_share
> Then the page you referred and use windows ACLs not posix ACLs

done

> I also take it you have given your users & groups uidNumber or
> gidNumber attributes.

yes, this is a test-environment and I have given the unix-id to administrator, domain admins and domain users.

# wbinfo -i administrator
administrator:*:600:513::/home/administrator:/bin/bash
# wbinfo --group-info=Domain\ admins
domain admins:x:512:
# wbinfo --group-info=Domain\ users
domain users:x:513:

# getfacl /srv/samba/Printer_drivers
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/Printer_drivers
# owner: administrator
# group: domain\040admins
user::rwx
user:administrator:rwx
group::---
group:domain\040admins:---
group:300004:r-x
group:300005:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:group::rwx
default:group:domain\040admins:rwx
default:group:300004:r-x
default:group:300005:rwx
default:mask::rwx
default:other::---

getfacl /srv/samba/Printer_drivers/x64/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/Printer_drivers/x64/
# owner: administrator
# group: domain\040admins
user::rwx
user:administrator:rwx
group::rwx
group:domain\040admins:rwx
group:300004:r-x
group:300005:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:group::rwx
default:group:domain\040admins:rwx
default:group:300004:r-x
default:group:300005:rwx
default:mask::rwx
default:other::---

The problem still exists....

heinz

> Rowland

--
Heinz Hölzl
EDV-Abteilung | Ripartizione EDP
Südtiroler Gemeindenverband Genossenschaft
Consorzio dei Comuni della Provincia di Bolzano Societá Cooperativa
I – 39100 Bozen – Kanonikus-Michael-Gamper-Straße 10
I – 39100 Bolzano – via Canonico Michael Gamper 10

On Tue, 06 Dec 2016 17:42:56 +0100 Heinz Hölzl via samba <samba at lists.samba.org> wrote:

> Hi,
>
> > Follow this wiki page:
> >
> > https://wiki.samba.org/index.php/Setup_a_Samba_print_server#Setup_the_.5Bprinters.5D_share
> > Then the page you referred and use windows ACLs not posix ACLs
>
> done
>
> > I also take it you have given your users & groups uidNumber or
> > gidNumber attributes.
>
> yes, this is a test-environment and I have given the unix-id to
> administrator, domain admins and domain users.

Please remove the uidNumber from Administrator, you have just turned it into a normal Unix user without the permissions (i.e. 'root' users) it requires.

> # wbinfo -i administrator
> administrator:*:600:513::/home/administrator:/bin/bash
> # wbinfo --group-info=Domain\ admins
> domain admins:x:512:
> # wbinfo --group-info=Domain\ users
> domain users:x:513:

Please do not use the RID for the gidNumber, it will not leave space for local Unix users & groups.

> # getfacl /srv/samba/Printer_drivers
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/Printer_drivers
> # owner: administrator
> # group: domain\040admins
> user::rwx
> user:administrator:rwx
> group::---
> group:domain\040admins:---
> group:300004:r-x
> group:300005:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:administrator:rwx
> default:group::rwx
> default:group:domain\040admins:rwx
> default:group:300004:r-x
> default:group:300005:rwx
> default:mask::rwx
> default:other::---
>
> getfacl /srv/samba/Printer_drivers/x64/
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/Printer_drivers/x64/
> # owner: administrator
> # group: domain\040admins
> user::rwx
> user:administrator:rwx
> group::rwx
> group:domain\040admins:rwx
> group:300004:r-x
> group:300005:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:administrator:rwx
> default:group::rwx
> default:group:domain\040admins:rwx
> default:group:300004:r-x
> default:group:300005:rwx
> default:mask::rwx
> default:other::---
>
> The problem still exists....

Probably because Administrator is now a normal Unix user.

Rowland

On Wed, 07 Dec 2016 09:08:02 +0100 Heinz Hölzl <heinz.hoelzl at gvcc.net> wrote:

> > > Hi,
> > >
> > > > Follow this wiki page:
> > > >
> > > > https://wiki.samba.org/index.php/Setup_a_Samba_print_server#Setup_the_.5Bprinters.5D_share
> > > > Then the page you referred and use windows ACLs not posix ACLs
> > >
> > > done
> > >
> > > > I also take it you have given your users & groups uidNumber or
> > > > gidNumber attributes.
> > >
> > > yes, this is a test-environment and I have given the unix-id to
> > > administrator, domain admins and domain users.
> >
> > Please remove the uidNumber from Administrator, you have just
> > turned it into a normal Unix user without the permissions (i.e.
> > 'root' users) it requires.
>
> If I remove the uidNumber from Administrator, then I can not connect
> to the shares as administrator. In this case, I have to add the
> administrator to /etc/passwd?
>
> heinz

On a Samba AD DC Administrator is mapped to the 'root' user in idmap.ldb, you can do the same on a domain member by adding this line to smb.conf:

    username map = /usr/local/samba/etc/user.map

Then create the user.map containing this:

    !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

You will have to change the path to suit your setup and 'SAMDOM' to your domain name.

If you do this, you will be able to connect to anything on the shares and with root's permissions.

Rowland
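
How the user.map line above is evaluated, as an added example that is not part of the original thread: a small parser applying the smb.conf `username map` rules (`!` stops at the first match, otherwise the last matching line wins, `*` matches any name) and listing which client names end up as root. `@group` entries are not handled, names are compared case-insensitively as an assumption of this sketch, and every map line other than the `!root` one is constructed for the demonstration.

```python
import re

# Constructed sample: the !root line is the one from the message above;
# the other lines are added only to exercise comments, quoting and '*'.
SAMPLE_MAP = r'''
# comment lines start with '#' or ';'
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
guest = "SAMDOM\print operator"
nobody = *
'''

def parse_map(text):
    """Return a list of (unix_name, client_names, stop_on_match) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        stop = line.startswith("!")
        unix, _, rhs = line.lstrip("!").partition("=")
        # Client names are space separated; names with spaces are quoted.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        entries.append((unix.strip(), names, stop))
    return entries

def resolve(entries, client_name):
    """Map a client name to a Unix name; unmatched names pass through."""
    result = client_name
    wanted = client_name.lower()  # assumption: case-insensitive compare
    for unix, names, stop in entries:
        if "*" in names or wanted in (n.lower() for n in names):
            result = unix
            if stop:  # '!' line: no later line may remap this name
                break
    return result

def audit_root(entries):
    """Listed client names that resolve to root, and whether '*' does too."""
    listed = sorted({n for _, names, _ in entries for n in names
                     if n != "*" and resolve(entries, n) == "root"})
    wildcard_root = resolve(entries, "__unlisted_probe__") == "root"
    return listed, wildcard_root

if __name__ == "__main__":
    entries = parse_map(SAMPLE_MAP)
    print(audit_root(entries))
    print(resolve(entries, r"SAMDOM\print operator"))
```

Without the leading `!`, the later `nobody = *` line would also remap Administrator, which is why the root line carries it.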