Hi,

After we switched from an old NT4 PDC to a new AD DC, I am in the process of changing the file/directory rights on our fileserver.

Some parts of the files/dirs on our fileserver are offered read-only to the public (intranet only) by a webserver running on the same host.

However, I can't find an option to add the "Principal" www-data in my Windows tools and I was told that using chmod/own/grp is evil on an AD controlled fileserver.

Is it safe to use:

setfacl -m u:www-data:r-x <object>

on the Linux CLI or does that imply any future nightmares with Windows ACLs, too?

Any other best practice to get the issue done?

Sorry, but still a little scared to break something ;).

--
Mit freundlichen Gruessen/Best regards

Maik Holtkamp
Kirchstr. 76
D-32278 Kirchlengern/Germany
Tel: +49 5223 879202
Mob.: +49 172 203 5491
e-mail: s-y-l at gmx.net

On 02/09/2020 17:03, Maik Holtkamp via samba wrote:
> Hi,
>
> After we switched from an old NT4 PDC to a new AD DC, I am in the
> process of changing the file/directory rights on our fileserver.
>
> Some parts of the files/dirs on our fileserver are offered read-only to
> the public (intranet only) by a webserver running on the same host.
>
> However, I can't find an option to add the "Principal" www-data in my
> windows tools and I was told that using chmod/own/grp is evil on a AD
> controlled fileserver.

I do not know who told you that, but it is wrong. If your users are connecting to a webpage, it will be www-data that displays the data on the webpage, so there is no reason why you cannot use chmod etc

>
> Is it safe to use:
>
> setfacl -m u:www-data:r-x <object>

You could do that if you wished, it will store the permissions in a different place from where changing the permissions on Windows does.

Rowland
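
Added example, not part of the thread and not Samba project code: a small audit helper for the `setfacl -m u:www-data:r-x <object>` entry discussed above. It reads `getfacl` output and reports what www-data can effectively do once the ACL mask is applied. The two `getfacl` listings are constructed samples, the second one modelling a later `chmod 740` on the same object, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: getfacl output right after "setfacl -m u:www-data:r-x" on a mode-770 dir.
ACL_AFTER_SETFACL='# file: srv/share/public
# owner: root
# group: root
user::rwx
user:www-data:r-x
group::rwx
mask::rwx
other::---'

# Constructed sample: same object after "chmod 740". With an ACL present,
# chmod rewrites the mask entry, which caps every named user and group entry.
ACL_AFTER_CHMOD='# file: srv/share/public
# owner: root
# group: root
user::rwx
user:www-data:r-x    #effective:r--
group::rwx           #effective:r--
mask::r--
other::---'

# effective_perms USER: read getfacl output on stdin, print the named user's
# entry ANDed with the mask, or "none" if there is no entry for USER.
effective_perms() {
    awk -F: -v who="$1" '
        { sub(/[ \t]*#.*/, "") }              # drop headers and "#effective:" hints
        $1 == "user" && $2 == who { entry = $3 }
        $1 == "mask"              { mask = $3 }
        END {
            if (entry == "") { print "none"; exit }
            if (mask == "") mask = "rwx"      # no mask entry means no cap
            out = ""
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1); m = substr(mask, i, 1)
                out = out ((e != "-" && e == m) ? e : "-")
            }
            print out
        }'
}

# grants_write USER: succeed if USER effectively has write access (stdin as above).
grants_write() {
    case "$(effective_perms "$1")" in *w*) return 0 ;; *) return 1 ;; esac
}
```

On a live system the input would come from `getfacl <object> | effective_perms www-data`; a result without `x` on a directory means the web server can no longer traverse it.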

On 02/09/2020 17:35, Rowland penny via samba wrote:
> On 02/09/2020 17:03, Maik Holtkamp via samba wrote:
>> Hi,
>>
>> After we switched from an old NT4 PDC to a new AD DC, I am in the
>> process of changing the file/directory rights on our fileserver.
>>
>> Some parts of the files/dirs on our fileserver are offered read-only to
>> the public (intranet only) by a webserver running on the same host.
>>
>> However, I can't find an option to add the "Principal" www-data in my
>> windows tools and I was told that using chmod/own/grp is evil on a AD
>> controlled fileserver.
> I do not know who told you that, but it is wrong. If your users are
> connecting to a webpage, it will be www-data that displays the data on
> the webpage, so there is no reason why you cannot use chmod etc
>>
>> Is it safe to use:
>>
>> setfacl -m u:www-data:r-x <object>
> You could do that if you wished, it will store the permissions in a
> different place from where changing the permissions on Windows does.
>
> Rowland
>

The enclosed may be of assistance. It's something I wrote about three or four years ago to explain things to sysops. Obviously, beware changing capabilities!

--
J Martin Rushton MBCS