Re: [Samba] administrator does not have permission
- Date: Fri, 24 Nov 2017 14:18:40 -0600
- From: Robert Wooden via samba <samba@xxxxxxxxxxxxxxx>
On the Windows side, when an "administrator" cannot 'take ownership'
of a file share, the docs discuss the "System" account being used as it
(System account) has greater permissions than that of the administrator.
I remembered reading this page
https://wiki.samba.org/index.php/The_SYSTEM_Account
and have now re-read said page *carefully*.
There I find this message box "For compatibility with Windows, add the
SYSTEM account to file system ACLs."
How do I add the SYSTEM account to my ACLs on a Samba member server?
On Tue, Nov 21, 2017 at 9:01 AM, Robert Wooden <bob@xxxxxxxxxxxxxxxxxx> wrote:
> In searching for a similar situation, I found this that most closely
> represents the issue I am dealing with. link:
> has-no-permission-to-folder-despite-administrators-group-present Many
> of the images are the "complaints" I am seeing.
> Down within the comments, the discussion is generally about the
> administrator "taking ownership" of the directory and re-assigning rights.
> Of course this is "on the Windows server side" of things. So, how do I
> "take ownership" in our Samba/linux world?
> Anyone . . . . thoughts?
> On Mon, Nov 20, 2017 at 4:41 PM, Robert Wooden <bob@xxxxxxxxxxxxxxxxxx> wrote:
>> getent passwd Administrator returns no password . . . good.
>> net rpc rights list -UAdministrator returns the same as your example
>> showed (last email).
>> I still think kerberos was not working properly and allowing me access
>> and now "fixed" kerberos is denying access.
>> More soon (tomorrow) . . . .
>> On Mon, Nov 20, 2017 at 4:01 PM, Rowland Penny via samba <
>> samba@xxxxxxxxxxxxxxx> wrote:
>>> On Mon, 20 Nov 2017 15:38:28 -0600
>>> Robert Wooden <bob@xxxxxxxxxxxxxxxxxx> wrote:
>>> > I have been reading and rereading the wiki and I did "your
>>> > suggestions" yesterday when I discovered the missing krb5.conf.
>>> > Have begun looking into acl permissions.
>>> > But, for the life of me, I cannot figure out why the administrator
>>> > would not have "builtin" permissions to always be able to look at,
>>> > change, or adjust file permissions. How can the administrator
>>> > permissions ability just disappear . . . well, I had an issue with
>>> > krb5 not working correctly before I made these adjustments and now
>>> > kerberos IS working correctly.
>>> Administrator does have these 'builtin' permissions, but only on
>>> Windows ;-)
>>> On Unix the 'root' user has the same sort of authority, this is why you
>>> map 'Administrator' to 'root' in the user.map. This means when you set
>>> ACLs from windows to a Unix share as Administrator, it is actually root
>>> that sets them.
>>> Try running 'getent passwd Administrator' on the Unix domain member, if
>>> you get an output, then you need to find out why, because you shouldn't.
>>> You can check Administrator's privileges with:
>>> net rpc rights list -UAdministrator
>>> If you run the above on the Unix domain member, you should get
>>> something like this:
>>> SeMachineAccountPrivilege Add machines to domain
>>> SeTakeOwnershipPrivilege Take ownership of files or other objects
>>> SeBackupPrivilege Back up files and directories
>>> SeRestorePrivilege Restore files and directories
>>> SeRemoteShutdownPrivilege Force shutdown from a remote system
>>> SePrintOperatorPrivilege Manage printers
>>> SeAddUsersPrivilege Add users and groups to the domain
>>> SeDiskOperatorPrivilege Manage disk shares
>>> SeSecurityPrivilege System security
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>> Thank you.
>> Bob Wooden
>> 615.885.2846 www.donelsontrophy.com
>> "Everyone deserves an award!!"
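The two checks Rowland describes above (Administrator mapped to root in user.map, and no passwd entry for Administrator), as an added example that is not part of the original thread. The domain name SAMDOM, the `/etc/samba/user.map` path, the function names and the sample map contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a Samba username map for the Administrator -> root mapping.
# SAMDOM and the sample map below are constructed placeholders.

# Print the Unix name a Windows account maps to, or nothing if it is unmapped.
# Handles "unixname = winname [winname ...]", '#' and ';' comments, and a leading '!'.
# The account is passed through the environment because awk -v would mangle the backslash.
map_target_for() {
    WANT=$2 awk '
        /^[ \t]*[#;]/ || !/=/ { next }            # skip comments and non-mapping lines
        {
            eq = index($0, "=")
            unix = substr($0, 1, eq - 1)
            gsub(/^[ \t!]+|[ \t]+$/, "", unix)     # trim blanks and the "!" stop marker
            n = split(substr($0, eq + 1), names, /[ \t]+/)
            for (i = 1; i <= n; i++)               # compare without regard to case
                if (tolower(names[i]) == tolower(ENVIRON["WANT"])) { print unix; exit }
        }' "$1"
}

# Pass only if the account maps to root AND getent produced no output for it.
# $3 is the output of: getent passwd Administrator
audit_admin_mapping() {
    target=$(map_target_for "$1" "$2")
    if [ "$target" != "root" ]; then
        printf 'FAIL: %s maps to "%s", expected root\n' "$2" "$target"
        return 1
    fi
    if [ -n "$3" ]; then
        printf 'FAIL: getent returned a passwd entry: %s\n' "$3"
        return 1
    fi
    printf 'OK: %s -> root, no passwd entry\n' "$2"
}

# Constructed sample map so the example runs offline.
SAMPLE_MAP=$(mktemp)
cat > "$SAMPLE_MAP" <<'EOF'
# constructed sample user.map
!root = SAMDOM\Administrator
EOF
audit_admin_mapping "$SAMPLE_MAP" 'SAMDOM\Administrator' ""

# On a real domain member (path is an assumption; use the file named by "username map"):
# audit_admin_mapping /etc/samba/user.map 'SAMDOM\Administrator' "$(getent passwd Administrator)"
```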