Kacper Wirski
2019-May-29  08:12 UTC
[Samba] samba file server - sediskoperatorprivilege not being honored
Hello,
I've been setting up a new file server using samba 4.8.3 (centos 7 RPM) as a samba 4 AD member server, using my earlier smb.conf, when I realised that I was previously somewhat circumventing the SeDiskOperatorPrivilege by using the "admin users" parameter in smb.conf (mapped to "SAMDOM\Domain admins").
I decided to change my smb.conf and set up shares following the samba wiki.
All shares are going to be used strictly by windows clients (AD domain members), so I've followed the samba wiki closely.
I granted both SAMDOM\domain admins and SAMDOM\myuser the SeDiskOperatorPrivilege, but I'm still unable to change ACLs from a windows client, even when I'm logged in to the windows client as SAMDOM\myuser (which belongs to the SAMDOM\domain admins group).
My smb.conf:
[global]
        netbios name = VS-FILES1
        security = ADS
        workgroup = SAMDOM
        realm = MY.REALM.COM

        log level = 1
        log file = /var/log/samba/%m.log
        max log size = 2000
        logging = syslog@2 file

        idmap config *:backend = tdb
        idmap config *:range = 2000-7000
        idmap config SAMDOM:backend = rid
        idmap config SAMDOM:range = 100000-110000

        winbind enum users = no
        winbind enum groups = no
        winbind nested groups = yes
        winbind expand groups = 3
        winbind refresh tickets = yes
        winbind use default domain = no
        winbind offline logon = yes

        template shell = /bin/bash
        template homedir = /home/%U@%D

        kerberos method = secrets and keytab

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        vfs objects = acl_xattr full_audit recycle

        full_audit:prefix = %u|%I|%M|%S
        full_audit:failure = connect
        full_audit:success = mkdir rmdir write rename pwrite unlink
        full_audit:priority = NOTICE

        recycle:repository = .recycle
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:touch_mtime = yes
        recycle:exclude = *.tmp, *.bak, *.ods#, *.odt#, *.xls#, *.TMP, *.cache
        recycle:exclude_dir = .recycle
        recycle:maxsize = 1073741824

        store dos attributes = yes
        map acl inherit = yes

#       admin users = "@BABKA\Domain Admins","@BABKA\Enterprise Admins"

[MYSHARE]
        path = /srv/samba/myshare/
        read only = no
Output of:
net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator" -S VS-FILES1
SeDiskOperatorPrivilege:
   SAMDOM\myuser
   SAMDOM\Domain Admins
   BUILTIN\Administrators
getfacl myshare
# file: myshare
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
The only way to set ACLs through windows is either:
- set the owner (user/group) and grant rwx permissions, e.g.
    chown "SAMDOM\myuser" myshare
    chmod 0770 myshare
OR
- uncomment the "admin users" line
Otherwise I'm getting a denied error from the windows client ("unable to list folder contents"). Is this expected? According to the wiki, setting "SeDiskOperatorPrivilege" should be enough, but it isn't. Winbind is working correctly, I can get reasonable output from all wbinfo commands, and all ACLs set (with either of the methods) stick and are respected.
I'd like to know if I have some error in my configuration and, if so, to fix it.
For quite some time I've been simply using the samba file server with "admin users=...", that's why I didn't run into this issue before, but I found some scenarios where this setting has some drawbacks and I'd like to move away from it.
Regards,
Kacper
---
This message has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Kacper Wirski
2019-Jun-03  11:29 UTC
[Samba] samba file server - sediskoperatorprivilege not being honored
Hello,

Since nobody picked this up I will try to answer myself (hopefully correctly).

I think I just misread the documentation on the wiki, but I would really appreciate a clarification. In the wiki it states:

"To enable other accounts than the domain administrator to set permissions on Windows, grant Full control (rwx) to the user or group you granted the SeDiskOperatorPrivilege privilege."

Does the "domain administrator" mean EXACTLY the default "Administrator" user, or should I understand it as "any member of the Domain Admins group"? If it's the former, then there is no issue (I can change share ACLs from a windows client using Administrator without changing any of the permissions, i.e. owner:group can stay as root:root); if it's the latter, then I have an issue, since no other user from Domain Admins can change any ACL unless I change the owner/group or add an initial ACL for domain admins (or any other user/group I gave sediskoperatorprivilege).

I suspect it's the former, but if not, then I'm doing something wrong.

Regards,
Kacper

On 29.05.2019 at 10:12, Kacper Wirski via samba wrote:
> [...]
Rowland penny
2019-Jun-03  12:07 UTC
[Samba] samba file server - sediskoperatorprivilege not being honored
On 03/06/2019 12:29, Kacper Wirski via samba wrote:
> Hello,
>
> Since nobody picked this up I will try to answer myself (hopefully correctly).
>
> I think I just misread the documentation on the wiki, but I would really appreciate a clarification. In the wiki it states:
>
> "To enable other accounts than the domain administrator to set permissions on Windows, grant Full control (rwx) to the user or group you granted the SeDiskOperatorPrivilege privilege."
>
> Does the "domain administrator" mean EXACTLY the default "Administrator" user,

Drat, something else to fix ;-)

Yes, 'domain administrator' does mean 'Administrator', who needs to be mapped to 'root'. However, if you set the group ownership to another group (which must be an AD group known to the OS), then members of that group, provided the group has been granted 'SeDiskOperatorPrivilege', will be able to make the required changes.

> or should I understand it as "any member of the Domain Admins group"? If it's the former, then there is no issue (I can change share ACLs from a windows client using Administrator without changing any of the permissions, i.e. owner:group can stay as root:root); if it's the latter, then I have an issue, since no other user from Domain Admins can change any ACL unless I change the owner/group or add an initial ACL for domain admins (or any other user/group I gave sediskoperatorprivilege).

I wouldn't use 'Domain Admins' if you are using the winbind 'ad' backend on a Unix domain member, it would mean that it would become just a group, and 'Domain Admins' needs to be both a group & a user on Samba AD DCs.

Rowland
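Rowland's answer boils down to two conditions that must both hold before a non-Administrator account can edit share ACLs from Windows: the account, or a group it is in, holds SeDiskOperatorPrivilege on the file server, and the POSIX owner/group of the share root gives that same group rwx (Administrator gets away without the second condition only because it is mapped to root). The script below puts both conditions into a checkable form. It is an added example written for this page, not code from the thread, the Samba wiki or the Samba project. The names SAMDOM\Domain Admins, VS-FILES1 and /srv/samba/myshare are taken from Kacper's post and are assumptions anywhere else; the `net rpc rights grant` and `chown`/`chmod` steps need a joined member server and root and are therefore kept in a function that is not run by default, while the two check functions read captured `net rpc rights list` output from stdin and use GNU coreutils `stat`, so they can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify the two things that, per
# Rowland's reply, together let a non-Administrator account set share ACLs
# from Windows on a Samba AD member server.
#   1. the group holds SeDiskOperatorPrivilege on the file server
#   2. the share root's POSIX group is that group and has rwx
# Names below come from the original post and are assumptions elsewhere.

SHARE_ROOT="/srv/samba/myshare"        # share path from the posted smb.conf
ADMIN_GROUP='SAMDOM\Domain Admins'     # assumption: AD group resolvable via winbind
FILE_SERVER="VS-FILES1"                # netbios name from the posted smb.conf

# Provisioning (needs a joined member server and root; not run automatically).
# Owner stays root, group becomes the privileged AD group with rwx, which is
# the wiki layout Rowland describes instead of commenting "admin users" back in.
provision_share_root() {
    net rpc rights grant "$ADMIN_GROUP" SeDiskOperatorPrivilege \
        -U 'SAMDOM\administrator' -S "$FILE_SERVER"
    mkdir -p "$SHARE_ROOT"
    chown "root:$ADMIN_GROUP" "$SHARE_ROOT"
    chmod 0770 "$SHARE_ROOT"
}

# Check 1: does account $1 appear in the SeDiskOperatorPrivilege block of
#   net rpc rights list privileges SeDiskOperatorPrivilege -U ... -S ...
# read from stdin?  The block is the heading line followed by indented
# account lines; sed prints those (indentation stripped), grep -Fx matches
# the whole name literally so the backslash in DOMAIN\name is not a regex.
holds_disk_operator_privilege() {
    sed -n '/^SeDiskOperatorPrivilege:/,/^[^[:space:]]/{ /^[[:space:]]/s/^[[:space:]]*//p; }' \
        | grep -Fxq -- "$1"
}

# Check 2: is directory $1 group-owned by $2 with the group triplet = rwx?
# Uses GNU stat (%a octal mode, %G group name); the group triplet is the
# second-to-last octal digit, so "770", "2770" pass and "755", "707" fail.
share_root_grants_rwx() {
    dir="$1"; group="$2"
    mode=$(stat -c '%a' "$dir") || return 1
    owner_group=$(stat -c '%G' "$dir") || return 1
    [ "$owner_group" = "$group" ] || return 1
    case "$mode" in
        *7?) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone use on the file server (both checks, privilege output piped in):
#   net rpc rights list privileges SeDiskOperatorPrivilege \
#       -U 'SAMDOM\administrator' -S VS-FILES1 | sh this.sh 'SAMDOM\Domain Admins'
if [ $# -ge 1 ]; then
    acct="$1"
    if holds_disk_operator_privilege "$acct"; then
        echo "privilege: $acct holds SeDiskOperatorPrivilege"
    else
        echo "privilege: $acct does NOT hold SeDiskOperatorPrivilege"
    fi
    if share_root_grants_rwx "$SHARE_ROOT" "$acct"; then
        echo "share root: $SHARE_ROOT is group $acct with rwx"
    else
        echo "share root: $SHARE_ROOT does NOT give $acct rwx (Windows will deny ACL edits)"
    fi
fi
```

Run without arguments the script only defines the functions; with an account name it reports both conditions, which is the pair to look at when `net rpc rights list` shows the privilege but Windows still refuses to open the security tab. Whether `%G` prints `SAMDOM\Domain Admins` or `domain admins` depends on `winbind use default domain` and the winbind separator, so compare against what `stat -c %G` actually prints on your server.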