Linux ACLs and Samba

I have a Debian Stretch file server that is joined to an Active Directory domain. I have several Samba shares set up on it, and I am able to authenticate using domain accounts. But I want a Samba share set up on it to be used for H drive mapping for AD users. In my AD server I can set a home folder to be on my Linux file server. It creates the folders for all the users, but the permissions are too wide.



This is what I am currently doing:



    [account_homes]
    path = /account_homes
    map acl inherit = yes
    store dos attributes = yes

    drwxrwx---+ root "ADDomain Admins" /account_homes

    setfacl -n -m g:"ADDomain Users":r-x /account_homes



But I am able to read and write to all the folders no matter what user I am. I assume I am setting my ACLs incorrectly. But the end result that I want is:



  1. Members of the Domain Admins group can create Home folder mappings in AD

  2. Members of the Domain Admins group can rwx to all home folders

  3. Only the user of the Home folder can rwx








Tags: debian samba acl active-directory





asked 2 mins ago by Sdude13
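One way to check the three requirements listed in the question is to audit `getfacl -R` output for every home folder and report any entry that grants access to someone other than the folder owner or the admin group. This is an added example, not part of the original post; the group names `domain_admins` and `domain_users` are placeholders for the poster's AD groups and the `getfacl` output is constructed sample data. It applies the ACL mask, which matters because `setfacl -n` does not recalculate it, and it also inspects default ACLs, which new files inherit.

```python
# Constructed getfacl output (sample data, not taken from the post).
SAMPLE = """\
# file: account_homes/alice
# owner: alice
# group: domain_admins
user::rwx
group::rwx
other::---

# file: account_homes/bob
# owner: bob
# group: domain_admins
user::rwx
group::rwx
group:domain_users:rwx
mask::r-x
other::---
default:user::rwx
default:group::rwx
default:group:domain_users:rwx
default:mask::rwx
default:other::---
"""

def audit(text, admin_group="domain_admins"):
    """Map each path to ACL entries granting access beyond owner and admin_group."""
    report = {}
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        meta = dict(l[2:].split(": ", 1) for l in lines if l.startswith("# "))
        entries = [l.split("#")[0].strip() for l in lines if not l.startswith("# ")]
        findings = []
        for scope in ("access", "default"):
            parsed = [(e[8:] if scope == "default" else e).split(":") for e in entries
                      if e.startswith("default:") == (scope == "default")]
            mask = next((set(p) for t, _, p in parsed if t == "mask"), set("rwx"))
            for tag, name, perms in parsed:
                who = name or meta.get({"user": "owner", "group": "group"}.get(tag), "")
                bits = set(perms) - {"-"}
                if tag != "other" and (tag, name) != ("user", ""):
                    bits &= mask  # the mask caps named users and every group entry
                allowed = (tag, who) in {("user", meta["owner"]), ("group", admin_group)}
                if tag != "mask" and bits and not allowed:
                    findings.append(f"{scope}: {tag}:{who} has {''.join(sorted(bits))}")
        report[meta["file"]] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, findings or "OK")
```
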
