James B. Byrne
2020-Jun-11 20:29 UTC
[Samba] Samba shares for roaming profiles and redirected folders
On our existing samba43 installation I see this:

ll -d /var/samba4/BROCKLEY-2016/USERS/
drwxrwx---+ 21 root BROCKLEY-2016\domain admins 512 Feb 14 08:43 /var/samba4/BROCKLEY-2016/USERS/

ll -d /var/samba4/BROCKLEY/USERS/
drwxr-xr-x 3 root wheel 3 Jun 11 14:32 /var/samba4/BROCKLEY/USERS/

I have read
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
and to be frank, this leaves me more confused than anything else.

I have done this:

net rpc rights grant "BROCKLEY\administrator" SeDiskOperatorPrivilege -U "BROCKLEY\administrator"
Enter BROCKLEY\administrator's password:
Successfully granted rights.

net rpc rights grant "BROCKLEY\domain admins" SeDiskOperatorPrivilege -U "BROCKLEY\administrator"
Enter BROCKLEY\administrator's password:
Successfully granted rights.

net rpc rights list privileges SeDiskOperatorPrivilege -U "BROCKLEY\administrator"
Enter BROCKLEY\administrator's password:
SeDiskOperatorPrivilege:
BROCKLEY\Administrator
BROCKLEY\Domain Admins

But, I suspect that this is at best unnecessary and at worst totally wrong.

I have tried to set the USERS security setting from RSAT but the console simply closes whenever I try to open the security tab.

I did this once for the existing domain and I do not recall having this much difficulty.

On the existing domain there is no entry in /etc/group having to do with samba.

How do I set the group to BROCKLEY\domain admins for /var/samba4/BROCKLEY/USERS/ on the new location?

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
Rowland Penny
2020-Jun-11 21:06 UTC
[Samba] Samba shares for roaming profiles and redirected folders
On 11/06/2020 21:29, James B. Byrne via samba wrote:
> On our existing samba43 installation I see this:
>
> ll -d /var/samba4/BROCKLEY-2016/USERS/
> drwxrwx---+ 21 root BROCKLEY-2016\domain admins 512 Feb 14 08:43
> /var/samba4/BROCKLEY-2016/USERS/

The Unix permissions show that there are ACLs set

>
> ll -d /var/samba4/BROCKLEY/USERS/
> drwxr-xr-x 3 root wheel 3 Jun 11 14:32 /var/samba4/BROCKLEY/USERS/

No ACLs set

>
> I have read
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
> and to be frank, this leaves me more confused than anything else.

What has confused you? If you can tell us, I might be able to make it clearer.

>
> I have done this:
>
> net rpc rights grant "BROCKLEY\administrator" SeDiskOperatorPrivilege -U
> "BROCKLEY\administrator"
> Enter BROCKLEY\administrator's password:
> Successfully granted rights.
>
> net rpc rights grant "BROCKLEY\domain admins" SeDiskOperatorPrivilege -U
> "BROCKLEY\administrator"
> Enter BROCKLEY\administrator's password:
> Successfully granted rights.
>
> net rpc rights list privileges SeDiskOperatorPrivilege -U "BROCKLEY\administrator"
> Enter BROCKLEY\administrator's password:
> SeDiskOperatorPrivilege:
> BROCKLEY\Administrator
> BROCKLEY\Domain Admins
>
>
> But, I suspect that this is at best unnecessary and at worst totally wrong.

Required, but possibly not a good idea when it comes to Domain Admins. Is this on a DC?

>
> I have tried to set the USERS security setting from RSAT but the console simply
> closes whenever I try to open the security tab.
>
> I did this once for the existing domain and I do not recall having this much
> difficulty.
>
> On the existing domain there is no entry in /etc/group having to do with samba.

I am extremely glad to hear that, because there shouldn't be ;-)

> How do I set the group to BROCKLEY\domain admins for
> /var/samba4/BROCKLEY/USERS/ on the new location?

I would use the equivalent of the Linux chgrp command, but this would entail 'getent group Domain\ Users' producing output. Not sure how FreeBSD does this, does it use /etc/nsswitch? Do you have the equivalent of the libnss-winbind, libpam-winbind and libpam-krb5 packages installed?

Rowland
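
The checks discussed in this thread, as an added example that is not part of either message: confirm winbind is listed for the `group` database and that `getent` resolves the domain group before running `chgrp`. The function names and the default path `/etc/nsswitch.conf` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-flight checks before changing the
# group of a share directory to a domain group. Function names are hypothetical.

# nss_has_winbind FILE DB: succeed if the DB entry (e.g. "group") in an
# nsswitch.conf-style FILE lists the "winbind" source. Comments are ignored.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                       # strip trailing comments
        {
            n = index($0, ":"); if (!n) next     # not a "db: sources" line
            name = substr($0, 1, n - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            m = split(substr($0, n + 1), src, /[ \t]+/)
            for (i = 1; i <= m; i++) if (src[i] == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# has_acl_marker MODE: succeed if an "ls -ld" mode string ends in "+",
# the marker that ACLs are set (compare the two listings in the thread).
has_acl_marker() {
    case "$1" in *+) return 0 ;; *) return 1 ;; esac
}

# set_share_group DIR GROUP [NSSFILE]: refuse to chgrp unless the group can
# actually be resolved through NSS. Returns 2 or 3 on a failed pre-check.
set_share_group() {
    dir=$1 group=$2 nss=${3:-/etc/nsswitch.conf}   # default path is an assumption
    if ! nss_has_winbind "$nss" group; then
        echo "winbind is not a source for 'group' in $nss" >&2
        return 2
    fi
    if ! getent group "$group" >/dev/null; then
        echo "getent cannot resolve group '$group'" >&2
        return 3
    fi
    chgrp "$group" "$dir"
}

# Usage, with the names from the thread:
#   set_share_group /var/samba4/BROCKLEY/USERS 'BROCKLEY\domain admins'
```
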