Re: [Samba] idmap problems

On Tue, 8 Jan 2019 13:19:34 +0100
L.P.H. van Belle <belle@xxxxxxxxx> wrote:

> > I thought that an object inherited rights from the object above it
> > i.e. nested groups
> > So a group that is a member of Domain Admins would have the same
> > rights as Administrators, because Domain Admins is a member of
> > Administrators, or am I missing something ???
> No, this is correct what you're thinking, but now add the SePrivileges
> to this. But if we think in GROUP ACL only then we are thinking
> wrong. 

Ah, I think I understand where we differ, you are talking about ACLs
and I am talking about ownership.

I am suggesting using a group that isn't 'Administrators' or 'Domain
Admins' to be the Unix group, this would then allow 'Administrators' and
'Domain Admins' to own things in sysvol. If the new group is given the
'SeDiskOperatorPrivilege', then members of that group could make the
required changes to the ACLs from Windows. 

Or to put it another way, replace 'Domain Admins' with the new group
wherever it appears on this wiki page:


