[Samba] samba file server - sediskoperatorprivilege not being honored

Kacper Wirski kacper.wirski at gmail.com
Mon Jun 3 18:10:23 UTC 2019


Ok, thank you for the confirmation, I was a bit worried I had something 
misconfigured.

On my file server I'm using backend = rid, mainly (but only) because of 
this (to not set in AD uid/gid for Domain Admins group).

Regards,

Kacper Wirski

On 03.06.2019 at 14:07, Rowland penny via samba wrote:
> On 03/06/2019 12:29, Kacper Wirski via samba wrote:
>> Hello,
>>
>> Since nobody picked this up I will try to answer myself (hopefully 
>> correctly).
>>
>> I think I just misread documentation on wiki, but I would really 
>> appreciate a clarification. In the wiki it states:
>>
>> "To enable other accounts than the domain administrator to set 
>> permissions on Windows, grant |Full control| (|rwx|) to the user or 
>> group you granted the |SeDiskOperatorPrivilege| privilege."
>>
>> Does the "domain administrator" mean EXACTLY the default 
>> "Administrator" user, 
>
> Drat, something else to fix ;-)
>
> Yes, 'domain administrator' does mean 'Administrator' who needs to be 
> mapped to 'root'.
>
> However, if you set the group ownership to another group (which must 
> be an AD group known to the OS), then members of that group, provided 
> the group has been granted 'SeDiskOperatorPrivilege', will be able to 
> make the required changes
>
>> or should I understand it as "any member of Domain Admins group"? If 
>> it's the former, then there is no issue (I can change share ACL from 
>> windows client using Administrator without changing any of the 
>> permissions i.e. owner:group can stay as root:root), if it's the 
>> latter, then I have an issue, since no other user from Domain Admins 
>> can change any ACL, unless I change owner/group or add initial ACL to 
>> domain admins (or any other user/group I gave sediskoperatorprivilege)
> I wouldn't use 'Domain Admins' if you are using the winbind 'ad' 
> backend on a Unix domain member, it would mean that it would become 
> just a group and 'Domain Admins' needs to be both a group & a user on 
> Samba AD DCs
>
> Rowland
>
>
>




