[Samba] samba file server - sediskoperatorprivilege not being honored

Rowland penny rpenny at samba.org
Mon Jun 3 12:07:15 UTC 2019

On 03/06/2019 12:29, Kacper Wirski via samba wrote:
> Hello,
> Since nobody picked this up I will try to answer myself (hopefully 
> correctly).
> I think I just misread documentation on wiki, but I would really 
> appreciate a clarification. In the wiki it states:
> "To enable other accounts than the domain administrator to set 
> permissions on Windows, grant |Full control| (|rwx|) to the user or 
> group you granted the |SeDiskOperatorPrivilege| privilege."
> Does the "domain administrator" mean EXACTLY the default 
> "Administrator" user, 

Drat, something else to fix ;-)

Yes, 'domain administrator' does mean 'Administrator' who needs to be 
mapped to 'root'.

However, if you set the group ownership to another group (which must be 
an AD group known to the OS), then members of that group, provided the 
group has been granted 'SeDiskOperatorPrivilege', will be able to make 
the required changes

> or should I understand it as "any member of Domain Admins group"? If 
> it's the former, than there is no issue (I can change share ACL from 
> windows client using Administrator without changing any of the 
> permissions i.e. owner:group can stay as root:root), if it's the 
> latter, than I have anissue, since none other user from Domain Admins 
> can change any ACL, unless i change owner/group or add initial ACL to 
> domain admins (or any other user/group i gave sediskoperatorprivilege)
I wouldn't use 'Domain Admins' if you are using the winbind 'ad' backend 
on a Unix domain member, it would mean that it would become just a group 
and 'Domain Admins' needs to be both a group & a user on Samba AD DC's


More information about the samba mailing list