[Samba] SeDiskOperatorPrivilege
david.lloyd at fsmail.net
Fri Apr 11 12:10:42 MDT 2014
>>> will have to chown all of them to MYDOM\administrator to be able to do
>>> this.
What was the ACL on the old machine? If they were Administrators "Full Control" (the normal ACL), I suspect that rsync has stripped all of your ACLs anyway. In that case, yup, you'll be resetting all of the ACLs.
>>> a) 'If Fred logs into the machine': does this mean that Fred logs into
>>> the Linux server running Samba as the Member Server and that in this
>>> case the Share permissions do not apply?
Yes, the analogy was with a file share on Windows, though, where logging in locally makes more sense.
>>> b) 'If he accesses over the network': This is what usually happens at
>>> our site. Does this mean that in this case the Share permissions
>>> constitute an upper bound for all file/folder DACLs? Would it be
>>> appropriate to apply 'Everyone Full Control' for the shares, given
>>> that the DACLs are correctly set?
I'd go for "MYDOM/Domain Users" or at most "Authenticated Users" if possible.
David L
> Message Received: Apr 11 2014, 06:33 PM
> From: samba.20.andwin at spamgourmet.com
> To: samba at lists.samba.org
> Cc:
> Subject: Re: [Samba] SeDiskOperatorPrivilege
>
> Hi David,
>
> many thanks for your detailed reply, it is very helpful. Please see my
> comments inline below.
>
> On Fri, Apr 11, 2014 at 6:54 PM, david.lloyd at fsmail.net
> <samba.andwin.1ce7df1cf6.david.lloyd#fsmail.net at ob.0sg.net> wrote:
> >
> > 1) That is correct. To modify the DACL on a file, a user must have "Full Control" or more specifically the "Change Permissions" access right to the file. To avoid locking a file out completely, there is a get out of jail free that the *owner* of a file can always set the DACL. So to change an arbitrary DACL you need to take ownership first.
>
> Thanks, this makes perfect sense to me now.
>
> > Normally though, the Built-in Administrators group has "Full Control" of most files on a system, so I would guess that either that isn't the case for your files, or your Domain Administrators group is not in the Administrators group of your machine.
>
> My misunderstanding was that the SeDiskOperatorPrivilege would give a
> user the ability to change file DACLs regardless of current ownership
> and permissions.
> I've set up a new machine with the Samba 4.1.6 Member Server and I've
> copied the files from the old machine via rsync to the new machine.
> These files do have arbitrary owners now. My plan was to set up the
> DACLs for these files and folders using the Windows dialogs. I guess I
> will have to chown all of them to MYDOM\administrator to be able to do
> this.
>
> > 2) The File Share permission is an additional ACL for SMB network access to the machine. The ACL on a file may be "Everyone Read/Write", but the ACL on the share may be "Fred Read-Only". If Fred logs into the machine, he can read and write the file. If he accesses over the network from a remote machine he will only get read access.
>
> a) 'If Fred logs into the machine': does this mean that Fred logs into
> the Linux server running Samba as the Member Server and that in this
> case the Share permissions do not apply?
> b) 'If he accesses over the network': This is what usually happens at
> our site. Does this mean that in this case the Share permissions
> constitute an upper bound for all file/folder DACLs? Would it be
> appropriate to apply 'Everyone Full Control' for the shares, given
> that the DACLs are correctly set?
>
> Best regards
> Andreas
>
> >
> > The SeDiskOperatorPrivilege also allows a user to open new network shares, so it's pretty important to only give it to users who need it.
> >
> > Note that the above all applies to Windows, or over the Samba SMB network, rather than poking directly at the files from the Linux command-line...
> >
> > I hope that helps,
> >
> > David L
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
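The three rules David describes in this exchange (a DACL only lets you change permissions if it grants "Change Permissions", the owner can always set the DACL regardless, and the share ACL caps whatever the file DACL grants to SMB clients) can be checked against a small model. The following is an added example written for this archive page; it is not Samba's or Windows' code, and the principals, groups and file owners (MYDOM\Fred, MYDOM\joe, MYDOM\administrator) are constructed for the illustration. The access-mask bit values are the standard Windows ones.

```python
"""Toy model of the access checks discussed in the thread: an ordered DACL walk,
the owner's implicit right to change the DACL, and the share ACL acting as an
upper bound over SMB.  Constructed example, not Samba's implementation."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Subset of the Windows access mask (standard bit values).
FILE_READ_DATA  = 0x00000001
FILE_WRITE_DATA = 0x00000002
READ_CONTROL    = 0x00020000
WRITE_DAC       = 0x00040000   # "Change Permissions" in the Security dialog
WRITE_OWNER     = 0x00080000   # "Take Ownership"
READ         = FILE_READ_DATA | READ_CONTROL
READ_WRITE   = READ | FILE_WRITE_DATA
FULL_CONTROL = READ_WRITE | WRITE_DAC | WRITE_OWNER


@dataclass
class Principal:
    name: str
    groups: FrozenSet[str] = frozenset()   # groups carried in the token

    def matches(self, trustee: str) -> bool:
        return trustee == self.name or trustee in self.groups


@dataclass
class Ace:
    trustee: str
    mask: int
    allow: bool = True


@dataclass
class File:
    owner: str
    dacl: List[Ace]


def evaluate_acl(acl: List[Ace], who: Principal, wanted: int) -> bool:
    """Ordered ACE walk: an allow ACE clears the bits it grants; a matching
    deny ACE that still covers a wanted bit refuses the whole request."""
    remaining = wanted
    for ace in acl:
        if not who.matches(ace.trustee):
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False
        if remaining == 0:
            return True
    return remaining == 0


def file_access(f: File, who: Principal, wanted: int) -> bool:
    """Local access: the DACL decides, except that the owner can always read
    and change the DACL (the 'get out of jail free' card from the thread)."""
    implicit = (READ_CONTROL | WRITE_DAC) if f.owner == who.name else 0
    return evaluate_acl(f.dacl, who, wanted & ~implicit)


def smb_access(share_acl: List[Ace], f: File, who: Principal, wanted: int) -> bool:
    """Over SMB both the share ACL and the file DACL must grant the request,
    so the share ACL is an upper bound on what the DACL can hand out."""
    return evaluate_acl(share_acl, who, wanted) and file_access(f, who, wanted)


def fred_scenario() -> dict:
    """File 'Everyone Read/Write', share 'Fred Read-Only' (the thread's example)."""
    fred = Principal("MYDOM\\Fred", frozenset({"Everyone"}))      # constructed
    f = File(owner="MYDOM\\someone", dacl=[Ace("Everyone", READ_WRITE)])
    share = [Ace("MYDOM\\Fred", READ)]
    return {
        "local_write": file_access(f, fred, FILE_WRITE_DATA),
        "smb_read":    smb_access(share, f, fred, FILE_READ_DATA),
        "smb_write":   smb_access(share, f, fred, FILE_WRITE_DATA),
    }


def rsync_scenario() -> dict:
    """A copied file with an arbitrary owner and no Administrators ACE: the admin
    cannot change its DACL until the file is chowned to them on the Samba host."""
    admin = Principal("MYDOM\\administrator", frozenset({"Administrators"}))  # constructed
    f = File(owner="MYDOM\\joe", dacl=[Ace("MYDOM\\joe", READ_WRITE)])
    before = file_access(f, admin, WRITE_DAC)
    can_take = file_access(f, admin, WRITE_OWNER)   # would need WRITE_OWNER in the DACL
    f.owner = admin.name                            # chown on the Samba host
    after = file_access(f, admin, WRITE_DAC)
    return {"change_perms_before": before,
            "can_take_ownership": can_take,
            "change_perms_after_chown": after}
```

Running `fred_scenario()` shows Fred writing locally but only reading over the share; `rsync_scenario()` shows why the thread ends up at chown: with neither an Administrators ACE nor ownership, the admin has no "Change Permissions" right and no "Take Ownership" right to acquire it through the Windows dialogs, so fixing the owner on the Linux side is what unlocks the DACL. The model does not cover SeDiskOperatorPrivilege, which, as David notes, is about creating and managing shares rather than file DACLs.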