Mmm, strange? Or is this what you were expecting?
root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
Password for [MAD\administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
Password for [MAD\administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -UAdministrator
Password for [MAD\Administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\Administrator"
Password for [MAD\Administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
But then:
root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uluis
Password for [MAD\luis]:
SeDiskOperatorPrivilege:
 BUILTIN\Administrators
Remember there is no root map via user.map - if it matters. And as an FYI:
root at member:/# cat /etc/hosts
127.0.0.1 localhost
192.168.3.1 member.mad.mater.int member
root at member:/# cat /etc/samba/smb.conf
# Global parameters
[global]
	security = ADS
	workgroup = MAD
	realm = MAD.MATER.INT
	netbios name = MEMBER
	server role = member server
	log file = /var/log/samba/%m.log
# Disable Netbios
	disable netbios = yes
# Enforce minimum protocol SMB3
# server min protocol = SMB3
# To enable Group Policy application in winbind,
	apply group policies = yes
# Default ID mapping configuration for local BUILTIN accounts
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
# idmap config for the MAD domain
	idmap config MAD : backend = ad
	idmap config MAD : schema_mode = rfc2307
	idmap config MAD : range = 10000-999999
	idmap config MAD : unix_nss_info = yes
# Read AD unix attributes to allow ssh login to server:
# winbind nss info = rfc2307
# winbind config:
	winbind use default domain = yes
# winbind enum users = yes
# winbind enum groups = yes
# renew the kerberos ticket
	winbind refresh tickets = yes
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
# Map Administrator to root
	username map = /etc/samba/user.map
	min domain uid = 0
# To configure shares using extended access control lists (ACL)
	vfs objects = acl_xattr
	map acl inherit = yes
	acl_xattr:ignore system acls = yes
[test]
	hide unreadable = Yes
	path = /test/
	read only = No
LP
On Jun 9, 2024 at 15:02 +0100, Rowland Penny via samba <samba at lists.samba.org>, wrote:
> On Sun, 9 Jun 2024 13:29:15 +0100
> Luis Peromarta via samba <samba at lists.samba.org> wrote:
>
> > Hi there,
> >
> > I wonder if this is relevant on Active Directory or maybe is a thing
> > of older NT4 style domains.
> >
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
> >
> > I have tried setting up a member server with ad-idmap, and used a
> > user "luis" (with uidNumber) from the Unix Admins group (that has
> > gidNumber).
> >
> > Unix Admins group is a member of the Domain Admins group, that has no
> > gidNumber.
> >
> > The share looks like this:
> >
> > 8.0K drwxrwx---  2 luis unix admins 4.0K Jun  9 11:29 test
> >
> > I also used:
> >
> > vfs objects = acl_xattr
> > acl_xattr:ignore system acls = yes
> >
> > I didn't need to grant any privilege(s). It just worked. Am I missing
> > something ?
> >
> > Maybe I need to grant the rights to users that are not admins so they
> > can set up shares / permissions? How is this reflected in the Windows
> > "security" tab of the share if at all ?
> >
> > I wonder if these rights should be granted per server (like I have
> > always done) ? Or else in a DC ?
> >
> > Thanks,
> >
> > LP
>
> You really are getting me thinking this weekend :-)
>
> what is the output of:
>
> net rpc rights list privileges SeDiskOperatorPrivilege -U administrator
>
> When run as 'root' on your Unix domain member.
>
> Depending on that, I think the wikipage may need amending.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
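An added example, not code from this thread or from Samba itself: a small shell check for the idmap section of an smb.conf like the member server's above. The tdb range for `*` (BUILTIN and other unknown SIDs) and the ad range for MAD must never overlap, or two different SIDs can be handed the same uid/gid and file ownership on the share stops meaning what the ACL says. The function and sample names (`check_idmap_ranges`, `make_sample`, `make_bad_sample`) are mine; the first sample is a constructed copy of the member's idmap lines, and the second adds a hypothetical domain `OTHER` with a colliding range to show the check firing.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Checks that the idmap
# ranges declared in an smb.conf do not overlap and that a default "*" range
# exists. Overlapping ranges let two different SIDs resolve to the same
# uid/gid, which silently breaks the ownership and ACL guarantees of a share.

# check_idmap_ranges FILE
# Reads uncommented "idmap config <DOM> : range = <low>-<high>" lines from
# FILE, prints every problem found and returns 0 (clean) or 1 (overlap,
# malformed range, or no default "*" range).
check_idmap_ranges() {
    awk -F'[=:]' '
        BEGIN { bad = 0; k = 0 }
        # Match only active idmap range lines; "#" comment lines never match.
        tolower($0) ~ /^[ \t]*idmap[ \t]+config[^:]*:[ \t]*range[ \t]*=/ {
            dom = $1
            sub(/^[ \t]*[Ii][Dd][Mm][Aa][Pp][ \t]+[Cc][Oo][Nn][Ff][Ii][Gg][ \t]+/, "", dom)
            gsub(/[ \t]/, "", dom)            # e.g. "MAD" or "*"
            val = $3
            gsub(/[ \t]/, "", val)            # e.g. "10000-999999"
            n = split(val, r, "-")
            if (n != 2 || r[1] !~ /^[0-9]+$/ || r[2] !~ /^[0-9]+$/ || r[1] + 0 > r[2] + 0) {
                printf "malformed range for %s: %s\n", dom, val
                bad = 1
                next
            }
            k++; name[k] = dom; lo[k] = r[1] + 0; hi[k] = r[2] + 0
            seen[dom] = 1
        }
        END {
            if (k == 0) { print "no idmap ranges found"; exit 1 }
            if (!("*" in seen)) { print "no default (*) idmap range"; bad = 1 }
            # Two closed intervals overlap iff each starts before the other ends.
            for (i = 1; i <= k; i++)
                for (j = i + 1; j <= k; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }' "$1"
}

# Constructed sample: the idmap lines of the member server's smb.conf from the
# thread (tdb for "*", ad for MAD). The two ranges do not touch.
make_sample() {
    cat > "$1" <<'EOF'
[global]
	security = ADS
	workgroup = MAD
	# Default ID mapping configuration for local BUILTIN accounts
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
	# idmap config for the MAD domain
	idmap config MAD : backend = ad
	idmap config MAD : schema_mode = rfc2307
	idmap config MAD : range = 10000-999999
EOF
}

# Constructed counter-example: a hypothetical trusted domain OTHER (not in the
# thread) whose range collides with MAD's.
make_bad_sample() {
    make_sample "$1"
    printf '\tidmap config OTHER : backend = rid\n\tidmap config OTHER : range = 500000-1500000\n' >> "$1"
}

# Stand-alone demonstration.
tmp=$(mktemp)
make_sample "$tmp"
if check_idmap_ranges "$tmp"; then echo "member smb.conf: idmap ranges OK"; fi
make_bad_sample "$tmp"
check_idmap_ranges "$tmp" || echo "colliding config rejected as expected"
rm -f "$tmp"
```

Run it against a real file with `check_idmap_ranges /etc/samba/smb.conf`; it only reads the file and complements, rather than replaces, `testparm`, which does not flag overlapping ranges on its own.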