[Samba] samba file server - sediskoperatorprivilege not being honored

Rowland Penny rpenny at samba.org
Mon Jun 3 12:07:15 UTC 2019


On 03/06/2019 12:29, Kacper Wirski via samba wrote:
> Hello,
>
> Since nobody picked this up I will try to answer myself (hopefully 
> correctly).
>
> I think I just misread documentation on wiki, but I would really 
> appreciate a clarification. In the wiki it states:
>
> "To enable other accounts than the domain administrator to set 
> permissions on Windows, grant |Full control| (|rwx|) to the user or 
> group you granted the |SeDiskOperatorPrivilege| privilege."
>
> Does the "domain administrator" mean EXACTLY the default 
> "Administrator" user, 

Drat, something else to fix ;-)

Yes, 'domain administrator' does mean 'Administrator' who needs to be 
mapped to 'root'.

However, if you set the group ownership to another group (which must be 
an AD group known to the OS), then members of that group, provided the 
group has been granted 'SeDiskOperatorPrivilege', will be able to make 
the required changes.

> or should I understand it as "any member of Domain Admins group"? If 
> it's the former, then there is no issue (I can change share ACL from 
> Windows client using Administrator without changing any of the 
> permissions i.e. owner:group can stay as root:root), if it's the 
> latter, then I have an issue, since no other user from Domain Admins 
> can change any ACL, unless I change owner/group or add initial ACL to 
> domain admins (or any other user/group I gave sediskoperatorprivilege)

I wouldn't use 'Domain Admins' if you are using the winbind 'ad' backend 
on a Unix domain member; it would mean that it would become just a group 
and 'Domain Admins' needs to be both a group & a user on Samba AD DCs.

Rowland
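
An added example, not part of the original message or of Samba itself: a shell check for the two conditions discussed in this thread, namely that the share directory's owning group holds SeDiskOperatorPrivilege and has rwx on the directory. The domain SAMDOM, the group names, the path and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Inputs are passed as text so the check runs offline. On a domain member
# they would come from (SAMDOM and the path are assumed names):
#   net rpc rights list privileges SeDiskOperatorPrivilege -U 'SAMDOM\Administrator'
#   stat -c '%G %a' /srv/samba/Demo

# holds_privilege HOLDERS ACCOUNT
# HOLDERS is the rights listing: a "SeDiskOperatorPrivilege:" header, then
# one indented DOMAIN\name per line. Names are compared case-insensitively.
holds_privilege() {
    printf '%s\n' "$1" |
        sed -e '/:$/d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -F -x -i -q -- "$2"
}

# group_has_rwx MODE: true when the group digit of an octal mode is 7
# (second-to-last digit, so 770, 0770 and 2770 all work).
group_has_rwx() {
    g=$(printf '%s' "$1" | sed -e 's/^.*\(.\).$/\1/')
    [ "$g" = "7" ]
}

# check_share HOLDERS GROUP MODE
# Returns 0 if both conditions hold, 1 if the privilege is missing,
# 2 if the owning group lacks rwx on the directory.
check_share() {
    if ! holds_privilege "$1" "$2"; then
        printf "FAIL: '%s' has not been granted SeDiskOperatorPrivilege\n" "$2"
        return 1
    fi
    if ! group_has_rwx "$3"; then
        printf "FAIL: mode %s does not give the owning group rwx\n" "$3"
        return 2
    fi
    printf "OK: members of '%s' can set permissions from Windows\n" "$2"
}

# Constructed sample listing (not real output from any server).
SAMPLE_HOLDERS='SeDiskOperatorPrivilege:
  BUILTIN\Administrators
  SAMDOM\Unix Admins'

check_share "$SAMPLE_HOLDERS" 'SAMDOM\unix admins' 2770
check_share "$SAMPLE_HOLDERS" 'SAMDOM\Domain Users' 2770 || echo "status $?"
check_share "$SAMPLE_HOLDERS" 'SAMDOM\Unix Admins' 750 || echo "status $?"
```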




