Windows seems only to allow Administrators to do NetShareEnumAll while Samba seems to allow anyone to do that

Richard Sharpe realrichardsharpe at gmail.com
Mon Apr 23 15:32:37 MDT 2012


On 4/23/12, Jeremy Allison <jra at samba.org> wrote:
> On Mon, Apr 23, 2012 at 02:09:35PM -0700, Richard Sharpe wrote:
>> Hi,
>>
>> I was looking at using Computer Manager to add and remove shares on a
>> Samba node, and was testing the addition and deletion of shares by
>> non-Admin users.
>>
>> While both share addition and share deletion fail for non-Admin users,
>> deletion fails in a weird manner and is unlike what Windows does.
>>
>> What happens on the wire is that the Windows Client sends a
>> NetShareEnumAll request. Samba honors that request, then Windows sends
>> a request to enumerate connections, which Samba denies with
>> WERR_ACCESS_DENIED, and the user gets weird behavior.
>>
>> Windows servers, on the other hand, deny the NetShareEnumAll.
>>
>> In looking at srv_srvsvc_nt.c, I see that there is no check for DISK
>> OP privilege in either 3.5.x or 3.6.x, but I suspect that
>> enumerating shares should only be allowed for those who have DISK OP
>> privilege.
>>
>> Does anyone else have an opinion here?
>
> +1 from me to make us more Windows-like here.

OK, it seems to be more complex than I thought. There is an article
from 2005 called "How to allow users to manage file and print shares
without granting other advanced privileges" that addresses this.

A stop-gap that will make things work reasonably would be to insist
that they must have SeDiskOperatorPrivilege ... I will look at that
first and think more about the other stuff.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)

