Friday, April 2, 2010

Windows Active Directory Integration pitfalls

OSVault integrates into a Microsoft Windows Active Directory environment, but sometimes the SAMBA integration with user permissions can be challenging. For example, unless it is explicitly set up, the Administrator account does not always have unlimited permission to change the security settings on a file stored in OSVault. This is because Administrator privileges are not always translated to "root" privileges in the OSVault/SAMBA software.

The problem comes from custom environments. Usually, the Domain Administrator is called "Administrator" and is in the group "Domain Admins", so in the OSVault system we map that user and that group to "root" permission. But if you rename that user or that group, OSVault won't know it, and will treat those accounts as regular (non-privileged) users.

The file /etc/samba/smb.conf in the OSVault/InfiniDisc appliance has the following lines in it (the two ACL parameters are booleans, shown here with their "yes" values):

   winbind separator = +
   inherit acls = yes
   map acl inherit = yes
   username map = /etc/samba/smbusers

And in the share section:

   admin users = @"DOMAIN+Domain Admins", DOMAIN+Administrator

Notice that the "+" in the admin users line is the same character as in the winbind separator line. That is VERY important and not mentioned in much of the on-line material: if the two characters differ, the user and group names in admin users no longer match what winbind reports, and those accounts are treated as regular (non-privileged) users instead of being mapped to root.
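As an added example (not from the original post or from OSVault), a small Python check that parses an smb.conf excerpt and flags any admin users entry whose separator does not match winbind separator, so the mismatch is caught before anyone wonders why Administrator lost its rights. The smb.conf text, the share name and its path are constructed for the example.

```python
import re

# Constructed smb.conf excerpt mirroring the lines quoted in the post; the
# share name and path are assumptions, not OSVault's own configuration file.
SMB_CONF = """\
[global]
   winbind separator = +
   inherit acls = yes
   map acl inherit = yes
   username map = /etc/samba/smbusers

[vault]
   path = /vault
   admin users = @"DOMAIN+Domain Admins", DOMAIN+Administrator
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {param: value}}, params lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def split_samba_list(value):
    """Split a comma/space separated Samba list, keeping quoted names whole."""
    return [tok.replace('"', "") for tok in re.findall(r'@?"[^"]*"|[^\s,]+', value)]


def mismatched_admin_users(text, share):
    """Return the 'admin users' entries of `share` that do not contain the
    configured winbind separator: such entries never match the DOMAIN+name
    form winbind produces, so the account stays a regular user."""
    conf = parse_smb_conf(text)
    sep = conf.get("global", {}).get("winbind separator", "\\")  # Samba default
    entries = split_samba_list(conf.get(share.lower(), {}).get("admin users", ""))
    return [e for e in entries if sep not in e.lstrip("@")]


if __name__ == "__main__":
    print(mismatched_admin_users(SMB_CONF, "vault"))  # []
    broken = SMB_CONF.replace("winbind separator = +", "winbind separator = \\")
    print(mismatched_admin_users(broken, "vault"))    # both entries are flagged
```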