Web lists-archives.com

Re: [Samba] administrator does not have permission




In the Windows world side when an "administrator" cannot 'take ownership'
of a file share, the docs discuss the "System" account being used as it
(System account) has greater permissions than that of the administrator.

I remembered reading this page https://wiki.samba.org/index.
php/The_SYSTEM_Account and have now re-read said page *carefully*.

There I find this message box  "For compatibility with Windows, add the
SYSTEM account to file system ACLs."

How do I add the SYSTEM account to my ACLs on a Samba member server?

On Tue, Nov 21, 2017 at 9:01 AM, Robert Wooden <bob@xxxxxxxxxxxxxxxxxx>
wrote:

> In searching for a similar situation, I found this that most closely
> represents the issue I am dealing with. link:
> https://community.spiceworks.com/topic/1749382-domain-admin-
> has-no-permission-to-folder-despite-administrators-group-present     Many
> of the images are the "complaints" I am seeing.
>
> Down within the comments, the discussion is generally about the
> administrator "taking ownership" of the directory and re-assigning rights.
> Of course this is "on the Windows server side" of things. So, how do I
> "take ownership" in our Samba/linux world?
>
> Anyone . . . . thoughts?
>
> On Mon, Nov 20, 2017 at 4:41 PM, Robert Wooden <bob@xxxxxxxxxxxxxxxxxx>
> wrote:
>
>> getent passwd Administrator returns no password . . . good.
>>
>> net rpc rights list -UAdministrator returns the same your example showed
>> (last email.)
>>
>> I still think kerberos was not working properly and allowing me access
>> and now "fixed" kerberos is denying access.
>>
>> More soon (tomorrow) . . . .
>>
>> On Mon, Nov 20, 2017 at 4:01 PM, Rowland Penny via samba <
>> samba@xxxxxxxxxxxxxxx> wrote:
>>
>>> On Mon, 20 Nov 2017 15:38:28 -0600
>>> Robert Wooden <bob@xxxxxxxxxxxxxxxxxx> wrote:
>>>
>>> > I have been reading and rereading the wiki and I did "your
>>> > suggestions" yesterday when I discovered the missing krb5.conf.
>>> >
>>> > Have begun looking into acl permissions.
>>> >
>>> > But, for the life of me, I cannot figure out why the administrator
>>> > would not have "builtin" permissions to always be able to look at,
>>> > change, or adjust file permissions. How can the administrator
>>> > permissions ability just disappear . . . well, I had an issue with
>>> > krb5 not working correctly before I made these adjustments and now
>>> > kerberos IS working correctly.
>>> >
>>>
>>> Administrator does have these 'builtin' permissions, but only on
>>> Windows ;-)
>>> On Unix the 'root' user has the same sort of authority, this is why you
>>> map 'Administrator' to 'root' in the user.map. This means when you set
>>> ACLs from windows to a Unix share as Administrator, it is actually root
>>> that sets them.
>>>
>>> Try running 'getent passwd Administrator' on the Unix domain member, if
>>> you get an output, then you need to find out why, because you shouldn't.
>>>
>>> You can check Administrators privileges with:
>>>
>>> net rpc rights list -UAdministrator
>>>
>>> If you run the above on the Unix domain member, you should get
>>> something like this:
>>>
>>>      SeMachineAccountPrivilege  Add machines to domain
>>>       SeTakeOwnershipPrivilege  Take ownership of files or other objects
>>>              SeBackupPrivilege  Back up files and directories
>>>             SeRestorePrivilege  Restore files and directories
>>>      SeRemoteShutdownPrivilege  Force shutdown from a remote system
>>>       SePrintOperatorPrivilege  Manage printers
>>>            SeAddUsersPrivilege  Add users and groups to the domain
>>>        SeDiskOperatorPrivilege  Manage disk shares
>>>            SeSecurityPrivilege  System security
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>>
>> --
>>
>> Thank you.
>>
>> Bob Wooden
>> 615.885.2846 <(615)%20885-2846>    www.donelsontrophy.com
>> "Everyone deserves an award!!"
>>
>>
>
>
> --
>
> Thank you.
>
> Bob Wooden
> 615.885.2846 <(615)%20885-2846>    www.donelsontrophy.com
> "Everyone deserves an award!!"
>
>


-- 

Thank you.

Bob Wooden
615.885.2846 <(615)%20885-2846>    www.donelsontrophy.com
"Everyone deserves an award!!"
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba