[Samba] SeDiskOperatorPrivilege

david.lloyd at fsmail.net david.lloyd at fsmail.net
Fri Apr 11 10:54:04 MDT 2014


1) That is correct.  To modify the DACL on a file, a user must have "Full Control" or, more specifically, the "Change Permissions" access right to the file.  To avoid locking a file out completely, there is a get-out-of-jail-free card: the *owner* of a file can always set the DACL.  So to change an arbitrary DACL you need to take ownership first.

Normally though, the Built-in Administrators group has "Full Control" of most files on a system, so I would guess that either that isn't the case for your files, or your Domain Administrators group is not in the Administrators group of your machine.

2) The File Share permission is an additional ACL for SMB network access to the machine.  The ACL on a file may be "Everyone Read/Write", but the ACL on the share may be "Fred Read-Only".  If Fred logs into the machine, he can read and write the file.  If he accesses it over the network from a remote machine he will only get read access.

The SeDiskOperatorPrivilege also allows a user to open new network shares, so it's pretty important to only give it to users who need it.

Note that the above all applies to Windows, or over the Samba SMB network, rather than poking directly at the files from the Linux command-line...

I hope that helps,

David L
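The access decisions described in the reply above, as an added example that is not part of the original mail and not Samba or Windows code: a small Python model in which a file DACL is evaluated, the owner always receives the "Change Permissions" (WRITE_DAC) right, SeTakeOwnershipPrivilege supplies WRITE_OWNER, and for SMB access the share ACL is intersected with the result. The access-mask bit values, the user and group names, the `can_add_share` stand-in for SeDiskOperatorPrivilege, and the evaluation order (file DACL with owner override first, then the share ACL) are assumptions made for illustration.

```python
# Constructed model of Windows/Samba access checks; not Samba code.
# Assumptions (not from the mail): a four-bit access mask, trustees named
# by plain strings, and "file DACL (+ owner override) AND share ACL" ordering.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

READ         = 0x1
WRITE        = 0x2
WRITE_DAC    = 0x4   # "Change Permissions" right
WRITE_OWNER  = 0x8   # "Take Ownership" right
FULL_CONTROL = READ | WRITE | WRITE_DAC | WRITE_OWNER

ACL = Dict[str, int]   # trustee name -> allowed access mask (allow ACEs only)


@dataclass
class Principal:
    name: str
    groups: FrozenSet[str] = frozenset()
    privileges: FrozenSet[str] = frozenset()

    def identities(self) -> FrozenSet[str]:
        return self.groups | {self.name}


@dataclass
class File:
    owner: str
    dacl: ACL


def acl_grants(user: Principal, acl: ACL) -> int:
    """Union of the allowed bits of every ACE whose trustee matches the user."""
    mask = 0
    for trustee, allowed in acl.items():
        if trustee in user.identities():
            mask |= allowed
    return mask


def effective_access(user: Principal, f: File, share_acl: Optional[ACL] = None) -> int:
    granted = acl_grants(user, f.dacl)
    # The owner can always change the DACL, whatever the DACL itself says.
    if f.owner in user.identities():
        granted |= WRITE_DAC
    # SeTakeOwnershipPrivilege lets the holder take ownership of any file.
    if "SeTakeOwnershipPrivilege" in user.privileges:
        granted |= WRITE_OWNER
    # Over SMB the share ACL is a second gate: only rights granted by BOTH survive.
    if share_acl is not None:
        granted &= acl_grants(user, share_acl)
    return granted


def set_dacl(user: Principal, f: File, new_dacl: ACL, share_acl: Optional[ACL] = None) -> bool:
    if not effective_access(user, f, share_acl) & WRITE_DAC:
        return False
    f.dacl = dict(new_dacl)
    return True


def take_ownership(user: Principal, f: File, share_acl: Optional[ACL] = None) -> bool:
    if not effective_access(user, f, share_acl) & WRITE_OWNER:
        return False
    f.owner = user.name
    return True


def can_add_share(user: Principal) -> bool:
    """Creating a share is gated by SeDiskOperatorPrivilege, not by file rights."""
    return "SeDiskOperatorPrivilege" in user.privileges


def demo() -> dict:
    # Scenario 1 (constructed): a Domain Admin holding only Read on someone else's file.
    admin = Principal("admin", frozenset({"Domain Admins"}),
                      frozenset({"SeDiskOperatorPrivilege", "SeTakeOwnershipPrivilege"}))
    alice_file = File(owner="alice", dacl={"alice": FULL_CONTROL, "Domain Admins": READ})
    new_dacl = {"Domain Admins": FULL_CONTROL}
    first_try = set_dacl(admin, alice_file, new_dacl)    # no WRITE_DAC yet
    took = take_ownership(admin, alice_file)             # WRITE_OWNER via privilege
    second_try = set_dacl(admin, alice_file, new_dacl)   # now the owner

    # Scenario 2 (constructed): file DACL "Everyone Read/Write", share ACL "Fred Read-Only".
    fred = Principal("Fred", frozenset({"Everyone"}))
    shared = File(owner="root", dacl={"Everyone": READ | WRITE})
    share_acl = {"Fred": READ}
    return {
        "first_try": first_try,
        "took_ownership": took,
        "second_try": second_try,
        "local": effective_access(fred, shared),
        "remote": effective_access(fred, shared, share_acl),
        "can_add_share": can_add_share(admin),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` walks the two cases from the mail: the Domain Admin cannot change the DACL until ownership is taken, and Fred gets read and write locally but only read through the share. A real Windows access check also gives the owner implicit READ_CONTROL and evaluates deny ACEs, inheritance and the built-in Administrators group; the model leaves those out.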
> Message Received: Apr 11 2014, 05:33 PM
> From: samba.20.andwin at spamgourmet.com
> To: samba at lists.samba.org
> Cc: 
> Subject: Re: [Samba] SeDiskOperatorPrivilege
> 
> Hi David,
> 
> I'm quite new to this, so please bear with me.
> 1) Do I get you right that the domain administrator isn't supposed to
> be able to change DACLs on folders and files when he doesn't own them?
> 2) What are the share permissions about at all? What do 'Full
> Control', 'Change' and 'Read' for a whole share mean?
> 
> Best regards
> Andreas
> 
> On Fri, Apr 11, 2014 at 5:59 PM, david.lloyd at fsmail.net
> <samba.andwin.1ce7df1cf6.david.lloyd#fsmail.net at ob.0sg.net> wrote:
> > Hi,
> >
> > Just to check (apologies if you know this and I have misunderstood) - SeDiskOperatorPrivilege is about opening Samba File Shares and associated ACLs, not about changing ACLs on the files themselves.  Changing ACLs on arbitrary files requires SeTakeOwnership, and then yes, you still need to own the file to override the DACL.
> >
> > See: http://www.vionblog.com/manage-samba-permissions-from-windows/
> >
> > David L
> >
> >
> >> Message Received: Apr 11 2014, 04:40 PM
> >> From: samba.20.andwin at spamgourmet.com
> >> To: samba at lists.samba.org
> >> Cc:
> >> Subject: [Samba] SeDiskOperatorPrivilege
> >>
> >> Hi,
> >>
> >> I've set up a Samba 4.1.6 AD controller and a Member Server according
> >> to the Wiki. All running quite well so far. However, I've a problem
> >> concerning file permissions. I've successfully granted the group
> >> 'MYDOM\Domain Admins' the SeDiskOperatorPrivilege. This doesn't seem
> >> to have an effect. For members of this group (and all other users in
> >> fact) it is only possible to change NT ACLs for files which they own.
> >> What is the SeDiskOperatorPrivilege supposed to do?
> >> I didn't set the 'enable privileges' parameter in smb.conf, as the man
> >> page states that this option is deprecated and set to 'yes' by
> >> default. However, when I run samba-tool testparm -v, it lists 'enable
> >> privileges = No'. Should this be explicitly enabled?
> >>
> >> Best regards
> >> Andreas
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >
> 