Tiger ACLS – Domain Admins & Enterprise Admins

[Spectrum]

I’ve got a Tiger test server setup in my lab to specially test ACLs while running as a domain member of a Win2K3 AD domain since that’s the only real reason for us to upgrade at this time.

This seems to work for any AD group except Domain Admins and Enterprise Admins.

I know in Panther using the AD plugin, these two AD groups were groupmapped to the unix admin group. That doesn’t seem to be the case in Tiger, because I changed the group ownership (local side) to admin on my test folder and neither group had full control rights (which they should).

In an ideal world, I’d like for the Domain Admins / Enterprise Admins to have full control ACL rights to all shared folders, the Domain Users rights will vary between RW, RO and none depending on the folder contents.

For the Domain Users group this works perfectly.

So, either a.) there’s something I am overlooking about the Admin groups (which I hope someone can point me to) or b.) there’s a bug.

Anyone out there investigated this at all?

[Spectrum]

Well, after a bit more digging around with net groupmap list, I found that the Win2k3 legacy group Administrators is mapped to the unix admin group.

Since Administrators contains Domain Admins and Enterprise Admins as members by default, this is a fairly easy work around for the problem. Adding Administrators to ACLs works as expected.

edit: gah – typo. I need coffee.

[Author]

Posts