On 27.01.21 at 18:28, Rowland penny via samba wrote:
> On 27/01/2021 16:43, Matthias Leopold via samba wrote:
>> Hi,
>>
>> I seem to be going in circles when trying to understand
>> "administrative access" to a share on a domain member fileserver:
>> What is the use of granting SeDiskOperatorPrivilege to certain groups
>> on a fileserver so they can manage share permissions when the
>> recommended and default setting for share permissions is "Full
>> control" for "Everyone" anyway? This setting is also _needed_ for the
>> Domain Administrator to _effectively_ get access to the share when
>> using "!root = SAMDOM\Administrator" in "username map".
>
> The 'SeDiskOperatorPrivilege' allows domain users to change the
> permissions on Samba shares, but the domain user must be known to Unix
> or be a member of a group that is known to Unix i.e. 'getent' must show
> the user or group.
>
> When it comes to Administrator, if this user is mapped to 'root' in a
> usermap, then the user effectively becomes root and as such is allowed
> to do anything that root can. This means that Administrator doesn't
> actually need the SeDiskOperatorPrivilege, though it gets it by
> membership of 'Administrators'.
>
> Rowland

Thanks.
Is it correct that "Full Control" for "Everyone" is needed in a share's permissions when the Domain Administrator wants to access it (and is mapped to root in "username map")?
If yes: Shall "Full Control" for "Everyone" be the permanent setting for a share's permissions in this case or shall it only be added when needed?
Maybe all this is obvious to other people, I'm somehow missing a piece here in understanding how share permissions are meant to be configured.

Matthias

On 28/01/2021 09:11, Matthias Leopold via samba wrote:
>
> Thanks.
> Is it correct that "Full Control" for "Everyone" is needed in a
> share's permissions when the Domain Administrator wants to access it
> (and is mapped to root in "username map")?

Yes, but more importantly, if you do not have 'Everyone' set on the share tab (which, as far as I can see, is the default) then your users will not be able to access the permissions. Unless you have a valid reason to alter the share tab (and I cannot think of one), leave it alone; this is one of the mistakes that a lot of people make: they alter the share tab.

> If yes: Shall "Full Control" for "Everyone" be the permanent setting
> for a share's permissions in this case or shall it only be added when
> needed?
> Maybe all this is obvious to other people, I'm somehow missing a piece
> here in understanding how share permissions are meant to be configured.

The problem is that Microsoft called the tab that you might need to modify 'security'; a better name would have been 'NTFS permissions'.

Rowland