Rowland penny
2019-Jun-03 12:07 UTC
[Samba] samba file server - sediskoperatorprivilege not being honored
On 03/06/2019 12:29, Kacper Wirski via samba wrote:
> Hello,
>
> Since nobody picked this up I will try to answer myself (hopefully
> correctly).
>
> I think I just misread documentation on wiki, but I would really
> appreciate a clarification. In the wiki it states:
>
> "To enable other accounts than the domain administrator to set
> permissions on Windows, grant |Full control| (|rwx|) to the user or
> group you granted the |SeDiskOperatorPrivilege| privilege."
>
> Does the "domain administrator" mean EXACTLY the default
> "Administrator" user,

Drat, something else to fix ;-)

Yes, 'domain administrator' does mean 'Administrator', who needs to be
mapped to 'root'.

However, if you set the group ownership to another group (which must
be an AD group known to the OS), then members of that group, provided
the group has been granted 'SeDiskOperatorPrivilege', will be able to
make the required changes.

> or should I understand it as "any member of Domain Admins group"? If
> it's the former, then there is no issue (I can change share ACL from
> Windows client using Administrator without changing any of the
> permissions, i.e. owner:group can stay as root:root); if it's the
> latter, then I have an issue, since no other user from Domain Admins
> can change any ACL, unless I change owner/group or add initial ACL to
> Domain Admins (or any other user/group I gave SeDiskOperatorPrivilege).

I wouldn't use 'Domain Admins' if you are using the winbind 'ad'
backend on a Unix domain member, it would mean that it would become
just a group, and 'Domain Admins' needs to be both a group & a user on
Samba AD DCs.

Rowland
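As an added example (not from the thread or the Samba project), a POSIX shell script that applies the two conditions Rowland describes (grant SeDiskOperatorPrivilege to an AD group, then give that group rwx ownership of the share root) and checks the local side of them. SAMDOM, the group choice and /srv/samba/demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Domain name, group and share path are
# assumptions; adjust them to the environment.
DOMAIN="${DOMAIN:-SAMDOM}"                          # assumed NetBIOS domain
OPS_GROUP="${OPS_GROUP:-$DOMAIN\\Domain Admins}"     # assumed operator group
SHARE_ROOT="${SHARE_ROOT:-/srv/samba/demo}"          # assumed share root

# Grant the privilege in Samba's privilege database (prompts for the
# domain Administrator password).
grant_disk_operator() {
    net rpc rights grant "$OPS_GROUP" SeDiskOperatorPrivilege \
        -U "$DOMAIN\\Administrator"
}

# Owner stays root, the group becomes the operator group, and that group
# gets rwx ("Full control") on the share root.
prepare_share() {
    chown "root:$OPS_GROUP" "$SHARE_ROOT" && chmod 0770 "$SHARE_ROOT"
}

# Local check of the two conditions: the group must be resolvable by the
# OS (winbind or /etc/group) and must own the path with rwx.
# Returns 0 when both hold, 1 otherwise.
check_share_group_rwx() {
    path="$1"; group="$2"
    gid=$(getent group "$group" | cut -d: -f3)
    if [ -z "$gid" ]; then
        echo "group '$group' is not resolvable by the OS" >&2; return 1
    fi
    actual_gid=$(stat -c '%g' "$path") || return 1
    mode=$(stat -c '%a' "$path") || return 1
    # the group permission digit is the second-from-last octal digit
    grp_digit=$(printf '%s' "$mode" | awk '{ print substr($0, length($0)-1, 1) }')
    if [ "$actual_gid" != "$gid" ]; then
        echo "$path is owned by gid $actual_gid, expected $gid ($group)" >&2; return 1
    fi
    if [ "$grp_digit" != "7" ]; then
        echo "$path mode $mode gives group '$group' no full rwx" >&2; return 1
    fi
    return 0
}

# Usage: export DOMAIN/OPS_GROUP/SHARE_ROOT as needed, then run "setup".
if [ "${1:-}" = "setup" ]; then
    grant_disk_operator && prepare_share
    check_share_group_rwx "$SHARE_ROOT" "$OPS_GROUP"
fi
```

Running the check alone against a share that only has owner rwx (mode 0750, or group still root) reports exactly the mismatch that causes "privilege not being honored" from the Windows side.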
Kacper Wirski
2019-Jun-03 18:10 UTC
[Samba] samba file server - sediskoperatorprivilege not being honored
Ok, thank You for confirmation, I was a bit worried I have something
misconfigured.

On my file server I'm using backend = rid, mainly (but only) because
of this (to not set in AD uid/gid for Domain Admins group).

Regards,
Kacper Wirski

On 03.06.2019 at 14:07, Rowland penny via samba wrote:
> On 03/06/2019 12:29, Kacper Wirski via samba wrote:
>> Hello,
>>
>> Since nobody picked this up I will try to answer myself (hopefully
>> correctly).
>>
>> I think I just misread documentation on wiki, but I would really
>> appreciate a clarification. In the wiki it states:
>>
>> "To enable other accounts than the domain administrator to set
>> permissions on Windows, grant |Full control| (|rwx|) to the user or
>> group you granted the |SeDiskOperatorPrivilege| privilege."
>>
>> Does the "domain administrator" mean EXACTLY the default
>> "Administrator" user,
>
> Drat, something else to fix ;-)
>
> Yes, 'domain administrator' does mean 'Administrator' who needs to be
> mapped to 'root'.
>
> However, if you set the group ownership to another group (which must
> be an AD group known to the OS), then members of that group, provided
> the group has been granted 'SeDiskOperatorPrivilege', will be able to
> make the required changes
>
>> or should I understand it as "any member of Domain Admins group"? If
>> it's the former, then there is no issue (I can change share ACL from
>> Windows client using Administrator without changing any of the
>> permissions, i.e. owner:group can stay as root:root); if it's the
>> latter, then I have an issue, since no other user from Domain Admins
>> can change any ACL, unless I change owner/group or add initial ACL to
>> Domain Admins (or any other user/group I gave SeDiskOperatorPrivilege).
>
> I wouldn't use 'Domain Admins' if you are using the winbind 'ad'
> backend on a Unix domain member, it would mean that it would become
> just a group and 'Domain Admins' needs to be both a group & a user on
> Samba AD DCs
>
> Rowland
Rowland penny
2019-Jun-03 18:18 UTC
[Samba] samba file server - sediskoperatorprivilege not being honored
On 03/06/2019 19:10, Kacper Wirski via samba wrote:
> Ok, thank You for confirmation, I was a bit worried I have something
> misconfigured.
>
> On my file server I'm using backend = rid, mainly (but only) because
> of this (to not set in AD uid/gid for Domain Admins group).

Then you can use Domain Admins, as this means you are not changing
anything in AD.

Rowland