On Mon, 10 Jun 2024 08:33:13 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 9 Jun 2024 18:52:39 +0100
> Luis Peromarta via samba <samba at lists.samba.org> wrote:
>
> > Update:
> >
> > I have revoked the privilege from BUILTIN\Administrators. As before, no
> > root mapping.
> >
> > root at member:/# net rpc rights revoke "BUILTIN\Administrators"
> > SeDiskOperatorPrivilege -U "MAD\luis"
> > Password for [MAD\luis]:
> > Successfully revoked rights.
> >
> > root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uluis
> > Password for [MAD\luis]:
> > SeDiskOperatorPrivilege:
> >
> > Reboot. Or else 'net cache flush && /etc/init.d/winbind restart &&
> > /etc/init.d/smbd restart'
> >
> > I have deleted and re-created the folder for the share (/test),
> > chown luis:'unix admins', and chmod 0770
> >
> > I still can set up the share from Windows no problem.
> >
> > LP
>
> That means one of two things, either once the group has inherited the
> privilege it retains it, even if the parent group loses it. Or the
> privileges are not actually required by AD.
>
> More investigation to follow.
>
> Rowland
>
>
OK, where did the SeDiskOperatorPrivilege come from? I cannot find any
Windows documentation for it. I did find this:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory
which lists the privileges, but there is no SeDiskOperatorPrivilege.
Anyway, I created a new Unix domain member using Debian 12 with Samba
from backports.
Once Samba was installed and running, the first thing I did was to
revoke SeDiskOperatorPrivilege from Administrators:
sudo net rpc rights list SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Password for [SAMDOM\administrator]:
adminuser at debpriv:~$ # <-- nothing
I then set up a share, basically following this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
ignoring SeDiskOperatorPrivilege.
It works, I added Domain Users with full control to the share as a
member of Domain Admins.
Do we really need the SeDiskOperatorPrivilege? Did we ever need the
SeDiskOperatorPrivilege in AD?
Rowland