Hi,

I'm dealing with the same issue so I thought I'd share a few ideas I've
found so far.

"write users=" should just be letting those users write as themselves.
It's the "admin users=" line that is intervening and mapping them to root.

If it's just the need for admin rights, I know that there is a privileges
system built into Samba. Most of the things you would want for an admin
user to be able to do can actually be enabled for that user instead of
mapping them to root. I've read that while no account has any privileges
by default, the Domain Admins group is automatically given the right to
hand out new privileges. Just search for "samba privileges" online; I
think this is the preferred way to accomplish what you want, removing
the need for the admin users parameter.

Another thing you may consider is just make a new user in AD, and then
change the "admin users" line so that it only lists that account. I
don't even imagine that account would have to be an admin as far as
Windows is concerned, but it could be made one if the situation arises
to warrant it. Then your write list can write as themselves, and the new
user can be mapped to root and not used to edit users' files. They could
share the password if more than one person needs access, which is no
worse than having them all mapped to root anyway (possibly better).

I don't quite have it figured yet so double check me if you go with one
of those, but I HTH.

-Mark

Vladimir Shved wrote:

Hello,

I have a Samba server on a Windows domain, in ADS mode, but have a problem
tracking files that belong to admin users: any time a new file is created
the default owner is root. For non-admin users it's normal; newly
created files have correct ownership permissions. It's possible for a
user to go and take ownership manually from a Windows machine but it's
just inconvenient. Is there any way to change the default behavior to
create files with correct ownership of the original user rather than
mapping to root for admin users?

Thank you,
Vladimir Shved

My setup:
Ubuntu 8.04 Hardy
Samba 3.0.28a
ext3 fs w/ ACLs

censored smb.conf:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = File Server
security = ADS
syslog = 0
log file = /var/log/samba/log.%m
log level = 1 ads:10 auth:10 sam:10 rpc:10
max log size = 1000
local master = No
dns proxy = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.1.2
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind nested groups = yes
passdb backend = tdbsam
ldap ssl = on
idmap domains = MYDOMAIN
idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:readonly = yes
idmap config MYDOMAIN:default = yes
idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=mydomain,dc=local
idmap config MYDOMAIN:ldap_url = ldaps://ldapmachine
idmap config MYDOMAIN:ldap_anon = yes
idmap alloc backend = tdb
idmap alloc config:range = 30000-49999
template shell = /bin/bash
admin users = @"BUILTIN\administrators"
write list = @"BUILTIN\administrators"
client use spnego = yes
domain master = no
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes
guest account = nobody
map to guest = bad user
invalid users = root
map to guest = bad password
[share]
path = /share
guest ok = Yes
create mask = 0664
directory mode = 0775
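
An added example, not part of either message and not Samba's own tooling: a small Python check that reads an smb.conf and lists the shares where `admin users` is in effect, which accounts or groups are therefore mapped to root, and whether they also appear in `write list`. The sample is a constructed excerpt of the configuration posted above; the function names are hypothetical, and only plain `name = value` lines are parsed (no `include`, no line continuations).

```python
import re

# Constructed excerpt of the posted smb.conf (only the lines that matter here).
SAMPLE = r'''
[global]
admin users = @"BUILTIN\administrators"
write list = @"BUILTIN\administrators"
[share]
path = /share
'''

TOKEN = re.compile(r'[@+&]*"[^"]*"|[^\s,]+')  # list items, optionally quoted

def parse(conf):
    """Return {section: {param: value}}; names ignore case and whitespace."""
    sections, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def members(value):
    return [t.replace('"', "").lower() for t in TOKEN.findall(value or "")]

def audit_admin_users(conf):
    """List every share whose effective 'admin users' is non-empty."""
    sections = parse(conf)
    defaults = sections.get("global", {})
    findings = []
    for share, params in sections.items():
        effective = {**defaults, **params}  # [global] supplies share defaults
        admins = members(effective.get("adminusers"))
        if share == "global" or not admins:
            continue
        writers = set(members(effective.get("writelist")))
        findings.append({
            "share": share,
            "root_mapped": admins,  # these connect as root on this share
            "groups": [a for a in admins if a.startswith(("@", "+", "&"))],
            "inherited": "adminusers" not in params,
            "also_in_write_list": sorted(set(admins) & writers),
        })
    return findings
```

Run against the excerpt, `audit_admin_users(SAMPLE)` reports `[share]` as inheriting a group-wide root mapping from `[global]`, with the same group in `write list`.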