Windows seems only to allow Administrators to do NetShareEnumAll while Samba seems to allow anyone to do that

Richard Sharpe realrichardsharpe at gmail.com
Tue Apr 24 21:44:55 MDT 2012


On Mon, Apr 23, 2012 at 9:17 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Mon, Apr 23, 2012 at 3:13 PM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> On 4/23/12, Richard Sharpe <realrichardsharpe at gmail.com> wrote:
>>> On 4/23/12, Jeremy Allison <jra at samba.org> wrote:
>>>> On Mon, Apr 23, 2012 at 02:09:35PM -0700, Richard Sharpe wrote:
>>>>> Hi,
>>>>>
>>>>> I was looking at using Computer Manager to add and remove shares on a
>>>>> Samba node, and was testing the addition and deletion of shares by
>>>>> non-Admin users.
>>>>>
>>>>> While both share addition and share deletion fail for non-Admin users,
>>>>> deletion fails in a weird manner and is unlike what Windows does.
>>>>>
>>>>> What happens on the wire is that the Windows Client sends a
>>>>> NetShareEnumAll request. Samba honors that request, then Windows sends
>>>>> a request to enumerate connections, which Samba denies with
>>>>> WERR_ACCESS_DENIED, and the user gets weird behavior.
>>>>>
>>>>> Windows servers, on the other hand, deny the NetShareEnumAll.
>>>>>
>>>>> In looking at srv_srvsvc_nt.c, I see that there is no check for DISK
>>>>> OP privilege in either 3.5.x or 3.6.x, but I suspect that
>>>>> enumerating shares should only be allowed for those who have DISK OP
>>>>> privilege.
>>>>>
>>>>> Does anyone else have an opinion here?
>>>>
>>>> +1 from me to make us more Windows-like here.
>>>
>>> OK, it seems to be more complex than I thought. There is an article
>>> from 2005 called "How to allow users to manage file and print shares
>>> without granting other advanced privileges" that addresses this.
>>>
>>> A stop-gap that will make things work reasonably would be to insist
>>> that they must have SeDiskOperatorPrivilege ... I will look at that
>>> first and think more about the other stuff.
>>
>> Looks like access is controlled by those DACL looking blobs in the
>> registry keys contained in the attachment.
>
> Those blobs actually look like Security Descriptors.
>
> My suggestion is that we add exactly the same blobs to the registry
> and srvsvc should use them to make access decisions ... that might
> take me a little while though :-)

After more staring at the SDs in the registry, it seems that Windows
gives, by default, BUILTIN\Administrators and BUILTIN\Server Operators
access and no one else.


-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
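The access decision this thread converges on, modelled as an added example that is not Samba code and not from the thread: a canonical-order DACL walk over the default descriptor (BUILTIN\Administrators and BUILTIN\Server Operators only), with the SeDiskOperatorPrivilege stop-gap checked first. The two BUILTIN SIDs are the real well-known values; the ACE layout, the token layout and the SHARE_ENUM access bit are constructed simplifications.

```python
from dataclasses import dataclass

ADMINISTRATORS = "S-1-5-32-544"    # BUILTIN\Administrators (well-known SID)
SERVER_OPERATORS = "S-1-5-32-549"  # BUILTIN\Server Operators (well-known SID)
SHARE_ENUM = 0x1                   # constructed access bit: "enumerate shares"
DISK_OP = "SeDiskOperatorPrivilege"


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    sids: frozenset
    privileges: frozenset = frozenset()


# Default SD the thread describes: Administrators and Server Operators, nobody else.
DEFAULT_SRVSVC_DACL = [
    Ace("allow", ADMINISTRATORS, SHARE_ENUM),
    Ace("allow", SERVER_OPERATORS, SHARE_ENUM),
]


def dacl_allows(dacl, token, wanted):
    """Evaluate ACEs in list order, as a canonical DACL is evaluated:
    a matching deny ACE covering any wanted bit ends the walk with a refusal,
    matching allow ACEs accumulate bits until every wanted bit is granted.
    An empty DACL grants nothing (a NULL DACL, which grants everything, is
    deliberately not representable here)."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token.sids:
            continue
        if ace.kind == "deny" and ace.mask & wanted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & wanted == wanted:
                return True
    return False


def share_enum_permitted(token, dacl=DEFAULT_SRVSVC_DACL):
    # Stop-gap proposed in the thread: the privilege alone is sufficient.
    if DISK_OP in token.privileges:
        return True
    return dacl_allows(dacl, token, SHARE_ENUM)


# Constructed sample tokens (domain RIDs and the BUILTIN\Users SID S-1-5-32-545).
plain_user = Token(frozenset({"S-1-5-21-1-2-3-1001", "S-1-5-32-545"}))
admin = Token(frozenset({"S-1-5-21-1-2-3-500", ADMINISTRATORS}))
disk_op = Token(frozenset({"S-1-5-21-1-2-3-1002"}), frozenset({DISK_OP}))
```

With the default DACL, plain_user is refused (the WERR_ACCESS_DENIED case Windows returns), while admin and disk_op are permitted.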
