On Sun, 9 Jun 2024 13:29:15 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:
> Hi there,
> 
> I wonder if this is relevant on Active Directory or maybe is a thing
> of older NT4 style domains.
> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
> 
> I have tried setting up a member server with ad-idmap, and used a
> user "luis" (with uidNumber) from the Unix Admins group (that has
> gidNumber).
> 
> Unix Admins group is a member of the Domain Admins group, that has no
> gidNumber.
> 
> The share looks like this:
> 
> 8.0K drwxrwx---   2 luis unix admins 4.0K Jun  9 11:29 test
> 
> I also used:
> 
> vfs objects = acl_xattr
> acl_xattr:ignore system acls = yes
> 
> I didn't need to grant any privilege(s). It just worked. Am I missing
> something?
> 
> Maybe I need to grant the rights to users that are not admins so they
> can set up shares / permissions? How is this reflected in the Windows
> "security" tab of the share if at all?
> 
> I wonder if these rights should be granted per server (like I have
> always done)? Or else in a DC?
> 
> Thanks,
> 
> LP

You really are getting me thinking this weekend :-)

What is the output of:

net rpc rights list privileges SeDiskOperatorPrivilege -U administrator

when run as 'root' on your Unix domain member?

Depending on that, I think the wikipage may need amending.

Rowland