Am 25.02.20 um 14:30 schrieb Rowland penny via samba:> OK, I give in, I will alter the wiki page, if you use the 'rid' or > 'autorid'? backend, you can use Domain Admins, just do not give Domain > Admins a gidNumber.While you're at it ;-) It also isn't clear to me where "Unix Admins" comes from. I have to add that group on the DC, add my admin-users ... right? Then grant the SeDiskOperatorPrivilege ... then chgrp the files in the share?
On 25/02/2020 13:49, Stefan G. Weichinger via samba wrote:> Am 25.02.20 um 14:30 schrieb Rowland penny via samba: > >> OK, I give in, I will alter the wiki page, if you use the 'rid' or >> 'autorid'? backend, you can use Domain Admins, just do not give Domain >> Admins a gidNumber. > While you're at it ;-) > > It also isn't clear to me where "Unix Admins" comes from.Out of my head ;-)> > I have to add that group on the DC, add my admin-users ... right? Then > grant the SeDiskOperatorPrivilege ... then chgrp the files in the share?You do not need it, it is only required if using the winbind 'ad' backend and only then if you don't want possible problems with sysvol. Rowland
Am 25.02.20 um 14:54 schrieb Rowland penny via samba:> On 25/02/2020 13:49, Stefan G. Weichinger via samba wrote: >> Am 25.02.20 um 14:30 schrieb Rowland penny via samba: >> >>> OK, I give in, I will alter the wiki page, if you use the 'rid' or >>> 'autorid'? backend, you can use Domain Admins, just do not give Domain >>> Admins a gidNumber. >> While you're at it ;-) >> >> It also isn't clear to me where "Unix Admins" comes from. > Out of my head ;-) >> >> I have to add that group on the DC, add my admin-users ... right? Then >> grant the SeDiskOperatorPrivilege ... then chgrp the files in the share? > > You do not need it, it is only required if using the winbind 'ad' > backend and only then if you don't want possible problems with sysvol.What? Now I *don't* need it? Sorry, can't follow here. So far I only was able to get that mostly working by doing "chown -R Administrator:10513" or so ... Right now I can't access the ACLs from windows at all (on that share, with DOM\Administrator) feels like a loop ....