On 27.01.21 at 18:28, Rowland penny via samba wrote:
> On 27/01/2021 16:43, Matthias Leopold via samba wrote:
>> Hi,
>>
>> I seem to be going in circles when trying to understand
>> "administrative access" to a share on a domain member fileserver:
>> What is the use of granting SeDiskOperatorPrivilege to certain groups
>> on a fileserver so they can manage share permissions when the
>> recommended and default setting for share permissions is "Full
>> control" for "Everyone" anyway? This setting is also _needed_ for the
>> Domain Administrator to _effectively_ get access to the share when
>> using "!root = SAMDOM\Administrator" in "username map".
>
>
> The 'SeDiskOperatorPrivilege' allows domain users to change the
> permissions on Samba shares, but the domain user must be known to Unix
> or be a member of a group that is known to Unix i.e. 'getent' must show
> the user or group.
>
> When it comes to Administrator, if this user is mapped to 'root' in a
> usermap, then the user effectively becomes root and as such is allowed
> to do anything that root can. This means that Administrator doesn't
> actually need the SeDiskOperatorPrivilege, though it gets it by
> membership of 'Administrators'.
>
> Rowland
>
Thanks.

Is it correct that "Full Control" for "Everyone" is needed in a share's
permissions when the Domain Administrator wants to access it (and is
mapped to root in "username map")?

If yes: Shall "Full Control" for "Everyone" be the permanent setting for
a share's permissions in this case or shall it only be added when needed?

Maybe all this is obvious to other people, I'm somehow missing a piece
here in understanding how share permissions are meant to be configured.

Matthias
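
The requirement in the quoted reply, that every holder of SeDiskOperatorPrivilege must be shown by 'getent', can be checked mechanically. The script below is an added example, not part of the thread or of Samba; the function names, the sample account names and the assumed layout of the privilege listing are illustrative.

```shell
#!/bin/sh
# Report holders of SeDiskOperatorPrivilege that the Unix name service on the
# file server cannot resolve as a user or a group.

# Constructed sample listing (not output from a real server). The layout, a
# "Privilege:" header followed by indented names, is an assumption modelled on:
#   net rpc rights list privileges SeDiskOperatorPrivilege -U 'SAMDOM\Administrator'
sample_listing() {
cat <<'EOF'
SeDiskOperatorPrivilege:
  BUILTIN\Administrators
  SAMDOM\Unix Admins
  SAMDOM\fileadmin
EOF
}

# resolves NAME: succeeds if getent knows NAME as a user or as a group.
resolves() {
    getent passwd "$1" >/dev/null 2>&1 || getent group "$1" >/dev/null 2>&1
}

# unresolved_holders: read a listing on stdin and print each holder that
# getent cannot resolve. Returns 0 if every holder resolves, 1 otherwise.
unresolved_holders() {
    missing=0
    while IFS= read -r line; do
        # Trim surrounding whitespace; read -r keeps the DOMAIN\name backslash.
        name=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$name" in
            ''|*:) continue ;;   # skip blank lines and the "Privilege:" header
        esac
        if ! resolves "$name"; then
            printf '%s\n' "$name"
            missing=1
        fi
    done
    return "$missing"
}

# Typical use on the file server (hypothetical invocation):
#   net rpc rights list privileges SeDiskOperatorPrivilege -U 'SAMDOM\Administrator' \
#       | unresolved_holders
```

Any name it prints holds the privilege on paper but, per the reply above, cannot use it until the account or one of its groups is visible to Unix.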