Also a checkbox to enable “admin$” share, mapped to /var/lib/nethserver/ibay, available to members of “Domain Admins” to perform privileged operations on all shared folders (ibays). As alternative the same checkbox could set admin users option to “Domain Admins” on each shared folder to get the same effect ( still wondering…)
This means we can now switch to sssd module, and have a fully working ACL management from Windows clients!
With such enhancement from upstream, I think this workaround is not necessary any more; anyway thank you again @planet_jeroen for pointing me to the right direction.
To make the things work we need a couple of adjustments:
Set admin users = "@domain admins" on shared folders, in smb.conf
Revert the alternatives configuration to the default sssd library
BTW I found the last sssd update left a dangling link. I think this is a bug to fix
There is a distinct difference between a homefolder and a profilefolder. Both are essential for proper configuration of AD accounts and working roaming profiles.
A home folder, should be accessible but the user doesnt have to have full controll
A profile folder either should be owned by Domain Admins, or by the user and the user should have full controll in it.
I’m not sure what the use of the Grant Special permissions checkboxes are so I can not comment on them. I’m also tired, forgive me if I am missing the obvious
First of all: Thanks for hearing me and others @davidep
The workgroup box is clear, for shure.
The control thing i salso clear, I think.
For the special permissions I’m also not shure in which cases I’d need them.
I’ll install a new VM tomorrow to test this and to read the inside help.
So long friends.
What is the difference between option 1 and option 2 for special privileges ? They seem the same ? Is the home$ folder conflated here with profile ?
The profile folder will contain the bare minimum from the profile. (that which can not be redirected to the home folder). Included would be AppData\Roaming and the NTUSER.DAT but not folders like 'My ’
The home folder should be seen as ‘private’ server storage for the user and through folder redirection, the documents and other relevant 'My ’ folders get redirected there.
For the home folder, the user needs full controll IN it, but ownership is irrelevant. For the profile folder, either Domain Admins or the user should be the owner. Notably the last one has been proven difficult for me to setup.
There’s no difference in implementation. The comparison purpose is to evaluate the effectiveness of the text labels: are they comprehensible, self-explaining, clear enough? What option do you prefer? Do you want to suggest an alternative?
Sorry, but roaming profiles are not planned in this feature! We should discuss them in another thread.
For the special permissions I would use: ‘Grant full control on shared folder to Domain Admins group’
There is no special case on a home share that would make it logical to set Domain Admins with full control there, so imho it shouldnt get a special mention as it will confuse people into thinking they need this permission for a home share.
If this permission IS needed due to implementation reasons, then it would need the first message, but we would also need to know why to understand the implications and possible limitations.
That actually will not pass the GDPR. The sysadmin should be able to GET access at all times. Not HAVE acces at all times. Therefore, ownership is much more interesting then actual userrights assignment.
Yes this scenario you mention can be usefull, but therefore I would not name add the (home$ share) reference to the mentioning of the option.
still wondering…)
Is it shit? 
How can we enhance it?
/cc 
