Hi,

I seem to be going in circles when trying to understand "administrative access" to a share on a domain member fileserver:
What is the use of granting SeDiskOperatorPrivilege to certain groups on a fileserver so they can manage share permissions when the recommended and default setting for share permissions is "Full control" for "Everyone" anyway? This setting is also _needed_ for the Domain Administrator to _effectively_ get access to the share when using "!root = SAMDOM\Administrator" in "username map".

I'm referring to

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs

Please enlighten me.

thx
Matthias
On 27/01/2021 16:43, Matthias Leopold via samba wrote:
> Hi,
>
> I seem to be going in circles when trying to understand
> "administrative access" to a share on a domain member fileserver:
> What is the use of granting SeDiskOperatorPrivilege to certain groups
> on a fileserver so they can manage share permissions when the
> recommended and default setting for share permissions is "Full
> control" for "Everyone" anyway? This setting is also _needed_ for the
> Domain Administrator to _effectively_ get access to the share when
> using "!root = SAMDOM\Administrator" in "username map".

The 'SeDiskOperatorPrivilege' allows domain users to change the permissions on Samba shares, but the domain user must be known to Unix or be a member of a group that is known to Unix, i.e. 'getent' must show the user or group.

When it comes to Administrator, if this user is mapped to 'root' in a usermap, then the user effectively becomes root and as such is allowed to do anything that root can. This means that Administrator doesn't actually need the SeDiskOperatorPrivilege, though it gets it by membership of 'Administrators'.

Rowland
On Wed, Jan 27, 2021 at 12:01 PM Matthias Leopold via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I seem to be going in circles when trying to understand "administrative
> access" to a share on a domain member fileserver:
> What is the use of granting SeDiskOperatorPrivilege to certain groups on
> a fileserver so they can manage share permissions when the recommended
> and default setting for share permissions is "Full control" for
> "Everyone" anyway? This setting is also _needed_ for the Domain
> Administrator to _effectively_ get access to the share when using "!root
> = SAMDOM\Administrator" in "username map".
>
> I'm referring to
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs
>
> Please enlighten me.
>
> thx
> Matthias

Privileges define what a user/group can do regardless of the ACL on a file. For example, a user with SeTakeOwnershipPrivilege can take ownership of a file regardless of the permissions on it. This is obviously a privilege that must be handed out carefully (as with all of them).

Being able to define what users and groups can and cannot do independently of file ACL is particularly important for rpc connections (like when you're using "Computer Management" tool on a Windows client).

The BUILTIN\administrators group also always has this privilege (and other admin-related ones), and so as long as the account is a member of "domain admins", there is no need to explicitly grant this privilege.
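To make the rules from both replies concrete, here is an added toy model (not code from the thread, not Samba's own code, and not talking to any server) of how the root mapping, privileges held via Unix-known groups, and a file ACL combine in an access decision. The identities, group memberships, privilege grants and ACL are all constructed sample data; on a real member server the grants would come from `net rpc rights grant` and the identities from `getent`.

```python
"""Toy model of privilege vs. ACL evaluation on a Samba domain member.

Constructed data only: it illustrates the ordering of checks described in
the thread (root mapping, then privileges, then the ACL) and is not how
smbd is implemented.
"""

# Constructed stand-in for what `getent passwd`/`getent group` return on the
# fileserver: only these users are "known to Unix", with their groups.
GETENT = {
    "samdom\\administrator": {"samdom\\domain admins", "samdom\\domain users"},
    "samdom\\alice":         {"samdom\\unix admins",   "samdom\\domain users"},
    "samdom\\bob":           {"samdom\\domain users"},
}

# Constructed 'username map' entry equivalent to "!root = SAMDOM\Administrator".
USERNAME_MAP = {"samdom\\administrator": "root"}

# Constructed privilege assignments (what `net rpc rights list` would show
# after granting). BUILTIN\Administrators always holds the admin privileges.
PRIVILEGES = {
    "SeDiskOperatorPrivilege":  {"samdom\\unix admins", "builtin\\administrators"},
    "SeTakeOwnershipPrivilege": {"builtin\\administrators"},
}

# On a domain member, Domain Admins is a member of BUILTIN\Administrators.
BUILTIN_ADMIN_MEMBERS = {"samdom\\domain admins"}


def unix_groups(user):
    """Groups Unix knows for `user`, or None if getent would not show the user."""
    return GETENT.get(user.lower())


def is_root_mapped(user):
    """True if the username map turns this account into the local root user."""
    return USERNAME_MAP.get(user.lower()) == "root"


def effective_privileges(user):
    """Privileges the user holds directly or via a group known to Unix.

    A user unknown to Unix holds nothing, whatever was granted to them.
    """
    groups = unix_groups(user)
    if groups is None:
        return set()
    principals = {user.lower()} | groups
    if principals & BUILTIN_ADMIN_MEMBERS:
        principals.add("builtin\\administrators")
    return {priv for priv, holders in PRIVILEGES.items() if principals & holders}


def can_manage_share_acl(user):
    """Editing share permissions over RPC (e.g. Computer Management) needs
    either root via the username map or SeDiskOperatorPrivilege."""
    return is_root_mapped(user) or "SeDiskOperatorPrivilege" in effective_privileges(user)


def can_take_ownership(user, file_acl):
    """Taking ownership of a file works if the ACL grants it to the user or one
    of their groups, or, regardless of the ACL, if the user is root or holds
    SeTakeOwnershipPrivilege. `file_acl` maps principal -> set of rights."""
    if is_root_mapped(user) or "SeTakeOwnershipPrivilege" in effective_privileges(user):
        return True
    principals = {user.lower()} | (unix_groups(user) or set())
    return any("take_ownership" in file_acl.get(p, set()) for p in principals)


if __name__ == "__main__":
    acl = {"samdom\\bob": {"read"}, "samdom\\unix admins": {"read", "take_ownership"}}
    for u in ("SAMDOM\\Administrator", "SAMDOM\\alice", "SAMDOM\\bob", "SAMDOM\\carol"):
        print(u, sorted(effective_privileges(u)), can_manage_share_acl(u), can_take_ownership(u, acl))
```

The model captures the three points the replies make: the privilege is only effective for identities `getent` can resolve (carol, unknown to Unix, holds nothing even though a grant could name her), the root-mapped Administrator passes every check without needing an explicit grant, and Domain Admins inherit the grant through BUILTIN\Administrators. Auditing who holds SeDiskOperatorPrivilege and SeTakeOwnershipPrivilege on a real server is the defender's counterpart of this model, since those holders bypass the file ACLs.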