Windows seems only to allow Administrators to do NetShareEnumAll while Samba seems to allow anyone to do that

Richard Sharpe realrichardsharpe at gmail.com
Mon Apr 23 22:17:47 MDT 2012


On Mon, Apr 23, 2012 at 3:13 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On 4/23/12, Richard Sharpe <realrichardsharpe at gmail.com> wrote:
>> On 4/23/12, Jeremy Allison <jra at samba.org> wrote:
>>> On Mon, Apr 23, 2012 at 02:09:35PM -0700, Richard Sharpe wrote:
>>>> Hi,
>>>>
>>>> I was looking at using Computer Manager to add and remove shares on a
>>>> Samba node, and was testing the addition and deletion of shares by
>>>> non-Admin users.
>>>>
>>>> While both share addition and share deletion fail for non-Admin users,
>>>> deletion fails in a weird manner and is unlike what Windows does.
>>>>
>>>> What happens on the wire is that the Windows Client sends a
>>>> NetShareEnumAll request. Samba honors that request, then Windows sends
>>>> a request to enumerate connections, which Samba denies with
>>>> WERR_ACCESS_DENIED, and the user gets weird behavior.
>>>>
>>>> Windows servers, on the other hand, deny the NetShareEnumAll.
>>>>
>>>> In looking at srv_srvsvc_nt.c, I see that there is no check for DISK
>>>> OP privilege in either 3.5.x or 3.6.x, but I suspect that
>>>> enumerating shares should only be allowed for those who have DISK OP
>>>> privilege.
>>>>
>>>> Does anyone else have an opinion here?
>>>
>>> +1 from me to make us more Windows-like here.
>>
>> OK, it seems to be more complex than I thought. There is an article
>> from 2005 called "How to allow users to manage file and print shares
>> without granting other advanced privileges" that addresses this.
>>
>> A stop-gap that will make things work reasonably would be to insist
>> that they must have SeDiskOperatorPrivilege ... I will look at that
>> first and think more about the other stuff.
>
> Looks like access is controlled by those DACL-looking blobs in the
> registry keys contained in the attachment.

Those blobs actually look like Security Descriptors.

My suggestion is that we add exactly the same blobs to the registry
and srvsvc should use them to make access decisions ... that might
take me a little while though :-)

-- 
Regards,
Richard Sharpe
(What dispels sorrow? Only Du Kang wine. --Cao Cao)
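An added example (written for this archive page, not code from the thread, from Samba's srvsvc or from the registry attachment): parsing a self-relative security descriptor of the kind the blobs above contain and running a Windows-style DACL walk over it to decide whether a token's SIDs get a desired access. The access-mask bits SHARE_ENUM and SHARE_MANAGE and the sample descriptor are constructed for illustration; the SIDs used are the well-known Administrators (S-1-5-32-544), Guests (S-1-5-32-546) and Authenticated Users (S-1-5-11).

```python
import struct

# Added example (not Samba or Windows code): parse a self-relative SD and run a DACL check.
ACCESS_ALLOWED, ACCESS_DENIED = 0, 1          # ACE types
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
SHARE_ENUM, SHARE_MANAGE = 0x1, 0x2           # hypothetical access-mask bits
def parse_sid(buf, off):
    rev, n = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % n, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Return [(ace_type, mask, sid), ...] or None when no DACL is present."""
    _rev, _sbz1, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return None
    _arev, _asbz1, _asize, ace_count, _asbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        aces.append((ace_type, mask, parse_sid(sd, off + 8)))
        off += ace_size                        # AceSize covers header, mask and SID
    return aces

def access_check(sd, token_sids, desired):
    """First deny ACE hitting a still-ungranted bit wins; allows accumulate."""
    aces = parse_dacl(sd)
    if aces is None:                           # NULL DACL grants everything
        return True
    granted = 0
    for ace_type, mask, sid in aces:
        if sid not in token_sids:
            continue
        if ace_type == ACCESS_DENIED and mask & desired & ~granted:
            return False
        if ace_type == ACCESS_ALLOWED:
            granted |= mask & desired
    return granted == desired

def sid_bytes(sid):
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def build_sd(aces):
    """Constructed self-relative SD holding only a DACL (other offsets zero)."""
    body = b"".join(struct.pack("<BBHI", t, 0, 8 + len(sid_bytes(s)), m) + sid_bytes(s) for t, m, s in aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + acl
# Constructed policy: Guests denied everything, Administrators may enumerate and
# manage shares, everyone else is denied by the absence of an allow ACE.
SAMPLE_SD = build_sd([(ACCESS_DENIED, SHARE_ENUM | SHARE_MANAGE, "S-1-5-32-546"),
                      (ACCESS_ALLOWED, SHARE_ENUM | SHARE_MANAGE, "S-1-5-32-544")])
```

Calling access_check(SAMPLE_SD, token_sids, SHARE_ENUM) with a token that lacks the Administrators SID returns False, which is the Windows-like outcome for a non-admin NetShareEnumAll; a token holding both the Guests and Administrators SIDs is also refused, because the deny ACE precedes the allow.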
