Re: [Samba] Adding Share Windows ACL




On Fri, 26 Jan 2018 10:10:24 +0100
Micha Ballmann via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> 
> I'm trying to set up a share using Windows ACLs. I followed the steps
> in
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> but hanging at "Adding a Share"
> 
> # mkdir -p /srv/samba/Demo/
> # chown root:"Domain Admins" /srv/samba/Demo/
> *--> chown: ungültige Gruppe: »root:Domain Admins“*
> 
> # net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator"
> SeDiskOperatorPrivilege:
>    ROOTRUDI\Domain Admins
>    BUILTIN\Administrators
> 
> Do I need to enable the UNIX attribute for this group? I can't find any
> advice.
> 
> Best regards
> Micha
> 

There are two schools of thought here, yes AND no :-)

Yes, Domain Admins needs to be a Unix group.
No, because if Domain Admins is a Unix group, it cannot own GPOs in
sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a user.

You either need to use the 'rid' backend on Unix domain members and
not give Domain Admins a gidNumber attribute, or create another group
(I use 'Unix Admins'), give this group a gidNumber attribute, make
the new group a member of the Domain Admins group, and use this group
instead of Domain Admins.

Rowland
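
The two options from the reply above, sketched as the [global] section of a domain member's smb.conf. This is an added example, not part of the original thread: the realm, the ID ranges and the use of the 'ad' backend to read gidNumber are assumptions, and SAMDOM stands in for the real domain name.

```ini
# Constructed example: Unix domain member, [global] section only.
# Comments are on their own lines; smb.conf has no trailing comments.
[global]
    security = ADS
    workgroup = SAMDOM
    # Assumed realm, replace with the real one.
    realm = SAMDOM.EXAMPLE.COM

    # Default domain: BUILTIN and local accounts.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option A: 'rid' backend. Unix IDs are calculated from the RID,
    # so Domain Admins gets a GID on the member without carrying a
    # gidNumber attribute in AD and can still own GPOs on the DC.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    # The share directory can then be given to the group by its
    # domain-qualified name:
    #   chown root:"SAMDOM\Domain Admins" /srv/samba/Demo/

    # Option B: 'ad' backend. Unix IDs are read from AD attributes.
    # Leave Domain Admins without a gidNumber; create 'Unix Admins',
    # give it a gidNumber inside the range below, and make it a
    # member of Domain Admins. Use one option only, not both.
    ; idmap config SAMDOM : backend = ad
    ; idmap config SAMDOM : schema_mode = rfc2307
    ; idmap config SAMDOM : range = 10000-999999
    # The share directory is then owned by the new group instead:
    #   chown root:"SAMDOM\Unix Admins" /srv/samba/Demo/
```

Whichever option is used, the chown only succeeds once the group resolves on the member, which `getent group "SAMDOM\Domain Admins"` (or `"SAMDOM\Unix Admins"`) confirms.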
