Re: [Samba] using AD groups in "username map"
- Date: Wed, 21 Feb 2018 13:20:55 +0100
- From: Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] using AD groups in "username map"
Hello! Rowland Penny via samba
On that day it was said...
> I thought something similar as well, but I was logged into a win7
> machine as 'rowland', who is a member of 'Unix Admins' and couldn't
> add a user permissions to the share. Using getfacl to change
> 'group:unix\040admins:---' to 'group:unix\040admins:rwx' allowed me to
> add user permissions.
I've set up for that a brute-force bash script that, simply, ''sanitizes''
(POSIX) ACLs, particularly, sets group permission to 7, disables everyone
access (e.g. other=0), disables special unix permissions (sticky, ...).
In a script comment, I've made a note that it seems that the POSIX ACL mask gets
its default value from the group permission, but can be set differently.
So, you can loosen permission to POSIX group, or set explicitly the
'setfacl' manpage seems to explain better:
To help the user ensure these rules, setfacl creates entries from existing entries under the following conditions:
* If an ACL contains named user or named group entries, and no mask entry exists, a mask entry containing the same permissions as the group entry is created. Unless the -n option is given, the permissions of the mask entry are further adjusted to include the union of all permissions affected by the mask entry. (See the -n option description).
* If a Default ACL entry is created, and the Default ACL contains no owner, owning group, or others entry, a copy of the ACL owner, owning group, or others entry is added to the Default ACL.
* If a Default ACL contains named user entries or named group entries, and no mask entry exists, a mask entry containing the same permissions as the default Default ACL's group entry is added. Unless the -n option is given, the permissions of the mask entry are further adjusted to include the union of all permissions affected by the mask entry. (See the -n option description).
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
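The first rule quoted from the setfacl man page above, worked through as an added example that is not part of the original message and is not setfacl's own code. It is a small Python model of the "no mask entry exists" case, with and without -n; the sample ACL and all function names are constructed for illustration.

```python
# Added example: a model of the quoted man page rule, not setfacl itself.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse(acl_text):
    """Parse 'tag:qualifier:perms' lines (getfacl short form) into tuples."""
    entries = []
    for line in acl_text.strip().splitlines():
        tag, qualifier, perms = line.strip().split(":")
        bits = sum(PERM_BITS[c] for c in perms if c != "-")
        entries.append((tag, qualifier, bits))
    return entries

def in_group_class(tag, qualifier):
    # Entries affected by the mask: named users, owning group, named groups.
    return tag == "group" or (tag == "user" and qualifier != "")

def with_mask(entries, no_recalc=False):
    """Apply the rule for an ACL that has named entries but no mask entry."""
    if any(t == "mask" for t, _, _ in entries):
        return list(entries)  # the quoted rule only covers the no-mask case
    if not any(q for t, q, _ in entries if t in ("user", "group")):
        return list(entries)  # no named entries: no mask entry is created
    # Start from the owning group entry's permissions.
    mask = next(b for t, q, b in entries if t == "group" and q == "")
    if not no_recalc:  # without -n: widen to the union of affected entries
        for t, q, b in entries:
            if in_group_class(t, q):
                mask |= b
    return list(entries) + [("mask", "", mask)]

def effective(entries):
    """Effective rights: limited by the mask for the group class only."""
    mask = next((b for t, _, b in entries if t == "mask"), 7)
    result = {}
    for t, q, b in entries:
        if t != "mask":
            result[f"{t}:{q}"] = b & mask if in_group_class(t, q) else b
    return result

def fmt(bits):
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

# Constructed sample ACL: owning group r-x, named group "unix admins" rwx.
SAMPLE = """
user::rwx
group::r-x
group:unix admins:rwx
other::---
"""
```

With -n the mask stays at the owning group's r-x, so the named group's rwx entry is effectively r-x; without -n the mask widens to rwx and the entry takes full effect.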