
Re: [Samba] Upgraded a member server to 4.8, rfc2307 data?




Hai Marco, 

If you don't need it, then you can remove it. 
And in addition to Rowland's comment, I'll show how I use it. 

In reply to:
>It is needed? AFAI've understood it means that users will have UNIX primary group the windows group 
>and not 'domain users', but really i don't need that...

I'll explain how I use it and why; maybe it's usable for you or others. 

My Windows group "Domain User" is always the default for the users; it is the default group for every user, except guests. 
This is the Windows default. I did assign GIDs to:
"domain users"
"domain admins"	< most people don't use this or use with care on the linux side.
"domain guest"
"domain computer" < most people don't use this or use with care on the linux side.

And some other groups I need on Linux; only the groups I need (on Linux) have a GID assigned. 
And yes, I did need all the "domain ...." groups in Linux also. I needed these. 
That's why domain admins has a GID. 

I do want my Windows users to log in on Linux systems and use "Domain Users" as primary group. 

I use this to overcome some inheritance problems.
Remember this, and this is the most important part imo. 
17XX "Creator Owner"
277X "Creator Group"
377X "Creator Owner and Creator Group"

/data 	root:"Domain Admins"	1755 ( allow everybody in this folder, even guests ) 
	everyone can walk/enter this folder (/data) due to the last 5 in 1775 on linux. 

/data/dep1	root:"Dep1"	 2770 ( allow users/group rights) and if member of "Dep1" only then you can enter and read/write.
/data/dep2	root:"Dep2"	 2770 ( allow users/group rights) and if member of "Dep2" only then you can enter and read/write.

If user1 creates a file in /data/dep1 , it creates it as user1:"Domain User"
If user2 creates a file in /data/dep2 , it creates it as user2:"Domain User"
But 
User1 is not able to access /data/dep2 due to the group restriction Dep1.
User2 is not able to access /data/dep1 due to the group restriction Dep2.

 >>  The headache points for people.   << 
Now my users switch departments, if wrongly set up, both users and read/write one another's files.
In my case, both users and read/write the created files from one another, no headache ;-) 

This is a bit how I set up my rights (depending on the server and the use of the server).

And please note, this is only the LINUX PART of the rights. 
And best is to keep this as much as possible in line. 

I hope this helps a bit for you and others. 


Greetz, 

Louis

 

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of 
> Marco Gaiarin via samba
> Sent: Wednesday 5 September 2018 16:15
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Upgraded a member server to 4.8, rfc2307 data?
> 
> Hello! L.P.H. van Belle via samba
>   On that day it was said...
> 
> >     idmap config LNFFVG: unix_primary_group = yes
> 
> It is needed? AFAI've understood it means that users will 
> have UNIX primary
> group the windows group and not 'domain users', but really i 
> don't need
> that...
> 
> -- 
> dott. Marco Gaiarin				        GNUPG 
> Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al 
> Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   
> f +39-0434-842797
> 
> 		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
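
An added example, not part of the original mail: a shell check of the special mode bits used in the layout above, run on a constructed temp tree that stands in for /data and /data/dep1. It names the leading octal digit (1, 2 or 3) and reports which gid a file and a subdirectory created under the 2770 directory end up with on a local Linux filesystem; the function names, `report.txt` and `sub` are assumptions.

```shell
#!/bin/sh
# Added example: check the special mode bits on a constructed copy of the layout.
# The temp tree stands in for /data and /data/dep1; all names here are assumptions.

# special_bits MODE: name the leading digit of a 4-digit octal mode.
special_bits() {
    case "$1" in
        1???) echo "sticky" ;;
        2???) echo "setgid" ;;
        3???) echo "setgid+sticky" ;;
        [4-7]???) echo "includes setuid" ;;
        *) echo "none" ;;            # stat prints 3 digits when no special bit is set
    esac
}

# pick_group: a supplementary gid of the caller if there is one, else the primary gid.
pick_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    echo "$primary"
}

# build_demo: create the tree, then a file and a subdirectory inside dep1; print the root.
build_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/data/dep1"
    chmod 1755 "$root/data"
    chgrp "$(pick_group)" "$root/data/dep1" 2>/dev/null || true   # may be refused in containers
    chmod 2770 "$root/data/dep1"
    ( umask 007; : > "$root/data/dep1/report.txt"; mkdir "$root/data/dep1/sub" )
    echo "$root"
}

# report PATH: "mode special-bit gid" for one path.
report() {
    m=$(stat -c %a "$1")
    echo "$m $(special_bits "$m") gid=$(stat -c %g "$1")"
}

demo=$(build_demo)
for p in data data/dep1 data/dep1/report.txt data/dep1/sub; do
    printf '%-22s %s\n' "$p" "$(report "$demo/$p")"
done
rm -rf "$demo"
```

Running the same `report` function against the real share paths as a domain user shows whether the gid on new files matches what the idmap configuration is expected to produce.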

