[Samba] SeDiskOperatorPrivilege

david.lloyd at fsmail.net david.lloyd at fsmail.net
Fri Apr 11 12:10:42 MDT 2014


>>> will have to chown all of them to MYDOM\administrator to be able to do
>>> this.

What was the ACL on the old machine?  If they were Administrators "Full Control" (the normal ACL), I suspect that rsync has stripped all of your ACLs anyway.  In that case, yup you'll be resetting all of the ACLs.


>>> a) 'If Fred logs into the machine': does this mean that Fred logs into
>>> the Linux server running Samba as the Member Server and that in this
>>> case the Share permissions do not apply?

Yes, the analogy was with a file share on Windows, though, where logging in locally makes more sense.


>>> b) 'If he accesses over the network': This is what usually happens at
>>> our site. Does this mean that in this case the Share permissions
>>> constitute an upper bound for all file/folder DACLs? Would it be
>>> appropriate to apply 'Everyone Full Control' for the shares, given
>>> that the DACLs are correctly set?

I'd go for "MYDOM/Domain Users" or at most "Authenticated Users" if possible.

David L
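As an added illustration of the rules discussed in this exchange (not code from the thread or from Samba), here is a small Python model in which the share ACL caps whatever the file DACL grants over SMB, and the file owner can always change the DACL; the users, trustee names and simplified right names are constructed for the example.

```python
# Added example: a toy model of the access rules described in the thread.
# Not Samba code; right names, users and trustees are constructed for illustration.

READ, WRITE, CHANGE_PERMS = "read", "write", "change_permissions"
FULL_CONTROL = frozenset({READ, WRITE, CHANGE_PERMS})


def rights_from_acl(acl, user, groups):
    """Union of the rights granted by every ACE whose trustee matches the user,
    one of the user's groups, or the well-known 'Everyone' group (allow-only model)."""
    principals = {user, "Everyone", *groups}
    granted = set()
    for trustee, rights in acl:
        if trustee in principals:
            granted |= rights
    return granted


def effective_rights(file_dacl, owner, share_acl, user, groups, over_network=True):
    """Rights 'user' ends up with on one file, either locally or through an SMB share."""
    rights = rights_from_acl(file_dacl, user, groups)
    # The owner can always set the DACL, even when the DACL itself grants nothing.
    if user == owner:
        rights.add(CHANGE_PERMS)
    if over_network:
        # Share permissions are an upper bound on whatever the file DACL allows.
        rights &= rights_from_acl(share_acl, user, groups)
    return frozenset(rights)


# Constructed sample data: David's Fred example, plus a migrated file whose owner
# is arbitrary and whose DACL carries no Administrators ACE after the rsync copy.
FILE_DACL = [("Everyone", {READ, WRITE})]
SHARE_ACL = [("Fred", {READ})]
ORPHAN_DACL = [("Authenticated Users", {READ})]
WIDE_SHARE = [("Domain Users", FULL_CONTROL)]


def fred(over_network):
    """Fred: file says read/write, share says read-only."""
    return effective_rights(FILE_DACL, "bob", SHARE_ACL, "Fred", {"Domain Users"}, over_network)


def admin_on_orphan(took_ownership):
    """Administrator can only reset the DACL after taking ownership of the file."""
    owner = "MYDOM\\administrator" if took_ownership else "someone-else"
    return effective_rights(ORPHAN_DACL, owner, WIDE_SHARE, "MYDOM\\administrator",
                            {"Domain Users", "Authenticated Users"})
```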



> Message Received: Apr 11 2014, 06:33 PM
> From: samba.20.andwin at spamgourmet.com
> To: samba at lists.samba.org
> Cc: 
> Subject: Re: [Samba] SeDiskOperatorPrivilege
> 
> Hi David,
> 
> many thanks for your detailed reply, it is very helpful. Please see my
> comments inline below.
> 
> On Fri, Apr 11, 2014 at 6:54 PM, david.lloyd at fsmail.net
> <samba.andwin.1ce7df1cf6.david.lloyd#fsmail.net at ob.0sg.net> wrote:
> >
> > 1) That is correct.  To modify the DACL on a file, a user must have "Full Control" or more specifically the "Change Permissions" access right to the file.  To avoid locking a file out completely, there is a get out of jail free that the *owner* of a file can always set the DACL.  So to change an arbitrary DACL you need to take ownership first.
> 
> Thanks, this makes perfect sense to me now.
> 
> > Normally though, the Built-in Administrators group has "Full Control" of most files on a system, so I would guess that either that isn't the case for your files, or your Domain Administrators group is not in the Administrators group of your machine.
> 
> My misunderstanding was that the SeDiskOperatorPrivilege would give a
> user the ability to change file DACLs regardless of current ownership
> and permissions.
> I've set up a new machine with the Samba 4.1.6 Member Server and I've
> copied the files from the old machine via rsync to the new machine.
> These files do have arbitrary owners now. My plan was to set up the
> DACLs for these files and folders using the Windows dialogs. I guess I
> will have to chown all of them to MYDOM\administrator to be able to do
> this.
> 
> > 2) The File Share permission is an additional ACL for SMB network access to the machine.  The ACL on a file may be "Everyone Read/Write", but the ACL on the share maybe "Fred Read-Only".  If Fred logs into the machine, he can read and write the file.  If he accesses over the network from a remote machine he will only get read access.
> 
> a) 'If Fred logs into the machine': does this mean that Fred logs into
> the Linux server running Samba as the Member Server and that in this
> case the Share permissions do not apply?
> b) 'If he accesses over the network': This is what usually happens at
> our site. Does this mean that in this case the Share permissions
> constitute an upper bound for all file/folder DACLs? Would it be
> appropriate to apply 'Everyone Full Control' for the shares, given
> that the DACLs are correctly set?
> 
> Best regards
> Andreas
> 
> >
> > The SeDiskOperatorPrivilege also allows a user to open new network shares, so it's pretty important to only give it to users who need it.
> >
> > Note that the above all applies to Windows, or over the Samba SMB network, rather than poking directly at the files from the Linux command-line...
> >
> > I hope that helps,
> >
> > David L
> 
> 

