Looks like removing `admin users = @BUILTIN\administrators` helped,
so its solved. The only reason I've added that line so non-domain
admins can manage groups on that machine but it seems simply adding
them to BUILTIN\administrators is sufficient. Thank you for helping me
with this.
--Vlad
On Thu, Mar 19, 2009 at 3:56 PM, Mark Casey ma...@unifiedgroup.com wrote:
Hi,
I'm dealing with the same issue so I thought I'd share a few ideas I've
found so far.
write users= should just be letting those users write as themselves. Its
the admin users= line that is intervening and mapping them to root.
If its just the need for admin rights, I know that there is a privileges
system built into samba. Most of the things you would want for an admin user
to be able to do can actually be enabled for that user instead of mapping
them to root. I've read that while no account has any privileges by default,
the Domain Admins group is automatically given the right to hand out new
privileges. Just search for samba privileges online, I think this is the
preferred way to accomplish what you want, removing the need for the admin
users parameter.
Another thing you may consider is just make a new user in AD, and then
change the admin users line so that it only lists that account. I don't
even imagine that account would have to be an admin as far as Windows is
concerned, but it could be made one if the situation arises to warrant it.
Then your write list can write as themselves, and the new user can be mapped
to root and not used to edit user's files. They could share the password if
more than one person needs access, which is no worse than having them all
mapped to root anyway (possibly better).
I don't quite have it figured yet so double check me if you go with one of
those, but I HTH.
-Mark
Vladimir Shved wrote:
Hello,
I have samba server on windows domain, in ADS mode but have problem
tracking files that belong to admin users, anytime new file created
the default owner is root. For non-admin users its normal, newly
created files have correct ownership permissions. Its possible for a
user to go and take ownership manually from windows machine but its
just inconvenient. Is there anyway to change default behavior to
create files with correct ownership of original user rather than
mapping to root for admin users?
Thank you,
Vladimir Shved
My setup:
Ubuntu 8.04 Hardy
Samba 3.0.28a
ext3 fs w/ ACLs
censored smb.conf:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = File Server
security = ADS
syslog = 0
log file = /var/log/samba/log.%m
log level = 1 ads:10 auth:10 sam:10 rpc:10
max log size = 1000
local master = No
dns proxy = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.1.2
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind nested groups = yes
passdb backend = tdbsam
ldap ssl = on
idmap domains = MYDOMAIN
idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:readonly = yes
idmap config MYDOMAIN:default = yes
idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=mydomain,dc=local
idmap config MYDOMAIN:ldap_url = ldaps://ldapmachine
idmap config MYDOMAIN:ldap_anon = yes
idmap alloc backend = tdb
idmap alloc config:range = 3-4
template shell = /bin/bash
admin users = @BUILTIN\administrators
write list = @BUILTIN\administrators
client use spnego = yes
domain master = no
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes
guest account = nobody
map to guest = bad user
invalid users = root
map to guest = bad password
[share]
path = /share
guest ok = Yes
create mask = 0664
directory mode = 0775
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
