[Samba] samba file server - sediskoperatorprivilege not being honored
Kacper Wirski
kacper.wirski at gmail.com
Wed May 29 08:12:19 UTC 2019
Hello,
I've been setting up a new file server using samba 4.8.3 (centos 7 RPM),
as a samba 4 AD member server using my earlier smb.conf, when I realised
that I was previously somewhat circumventing the
SeDiskOperatorPrivilege by using the "admin users" = "SAMDOM\Domain
admins" parameter in smb.conf.
I decided to change my smb.conf and set up shares following the samba wiki.
All shares are going to be used strictly by windows clients (AD domain
members), so I've followed the samba wiki closely.
I granted both SAMDOM\domain admins and SAMDOM\myuser the
SeDiskOperatorPrivilege, but still I'm unable to change the ACL from a windows
client, even when I'm logged in to the windows client as SAMDOM\myuser (which
belongs to the SAMDOM\domain admins group).
My smb.conf:
[global]
netbios name = VS-FILES1
security = ADS
workgroup = SAMDOM
realm = MY.REALM.COM
log level = 1
log file = /var/log/samba/%m.log
max log size = 2000
logging = syslog at 2 file
idmap config *:backend = tdb
idmap config *:range = 2000-7000
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 100000-110000
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind expand groups = 3
winbind refresh tickets = yes
winbind use default domain = no
winbind offline logon = yes
template shell = /bin/bash
template homedir = /home/%U@%D
kerberos method = secrets and keytab
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
vfs objects = acl_xattr full_audit recycle
full_audit:prefix = %u|%I|%M|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir write rename pwrite unlink
full_audit:priority = NOTICE
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:touch_mtime = yes
recycle:exclude = *.tmp, *.bak, *.ods#, *.odt#, *.xls#, *.TMP, *.cache
recycle:exclude_dir = .recycle
recycle:maxsize = 1073741824
store dos attributes = yes
map acl inherit = yes
# admin users = "@BABKA\Domain Admins","@BABKA\Enterprise Admins"
[MYSHARE]
path = /srv/samba/myshare/
read only = no
Output of net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator" -S VS-FILES1:
SeDiskOperatorPrivilege:
SAMDOM\myuser
SAMDOM\Domain Admins
BUILTIN\Administrators
Output of getfacl myshare:
# file: myshare
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
The only way to set ACLs through windows is either:
- set owner (user/group) and grant rwx permissions
  (e.g. chown "SAMDOM\myuser" myshare; chmod 0770 myshare)
OR
- uncomment the "admin users" line
Otherwise I'm getting an access denied error from the windows client ("unable to list folder contents"). Is this expected? According to the wiki, setting "SeDiskOperatorPrivilege" should be enough, but it isn't. Winbind is working correctly, I can get reasonable output from all wbinfo commands, and all ACLs set (with either of the methods) stick and are respected.
I'd like to know if I have some error in my configuration and, if so, to fix it.
For quite some time I've been simply using the samba file server with "admin users=....", that's why I didn't run into this issue before, but I found some scenarios where this setting has drawbacks and I'd like to move away from it.
Regards,
Kacper
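The share-root permission audit below is an added example; it is not part of Kacper's post and not Samba's own tooling. It assumes the layout the post reports as working (the share root owned by the managing account or group, mode 0770, nothing for "other") and checks a directory's POSIX owner and mode before ACL management is handed to Windows clients. Holding SeDiskOperatorPrivilege lets an account edit ACLs over SMB, but the share root's POSIX mode still has to grant that account's group write access, and a root:root 0755 root like the getfacl output above gives it none. The function names (share_root_mode, share_root_owner, check_share_root) and the temporary directories in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): audit the POSIX
# owner, group and mode of a share root. Assumption: the share root should
# be owned by the managing account/group with mode 0770, the layout the
# poster reports as working, so that SeDiskOperatorPrivilege holders in
# that group can actually write the ACL. Function names are constructed.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
share_root_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the owner and group of a path as "owner:group".
share_root_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Return 0 when the share root lets its group manage it and denies write
# access to everyone else; print one line per finding.
check_share_root() {
    dir=$1
    # Normalise to three octal digits (stat prints e.g. 1770 with sticky bit).
    mode=$(printf '%04d' "$(share_root_mode "$dir")" | tail -c 3)
    group_bits=$(printf '%s' "$mode" | cut -c2)
    other_bits=$(printf '%s' "$mode" | cut -c3)
    ok=0
    printf '%s: owner %s, mode %s\n' "$dir" "$(share_root_owner "$dir")" "$mode"
    if [ "$group_bits" != "7" ]; then
        echo "  group lacks rwx on the share root: ACL changes from a client will be denied"
        ok=1
    fi
    # Any of the octal digits with the write bit (2) set.
    case "$other_bits" in
        2|3|6|7)
            echo "  others may write to the share root: tighten to 0770"
            ok=1 ;;
    esac
    [ "$ok" -eq 0 ] && echo "  OK: group has rwx, others cannot write"
    return $ok
}

# Demo on constructed directories (not real shares): a root like the one in
# the post (0755) fails, the layout the poster found working (0770) passes.
demo=$(mktemp -d)
mkdir "$demo/myshare-0755" "$demo/myshare-0770"
chmod 0755 "$demo/myshare-0755"
chmod 0770 "$demo/myshare-0770"
check_share_root "$demo/myshare-0755" || :
check_share_root "$demo/myshare-0770" || :
rm -rf "$demo"
```

Run it against the real share root (e.g. check_share_root /srv/samba/myshare) after granting the privilege; a non-zero exit means the POSIX layer, not the privilege assignment, is what will deny the ACL change. Owner is only reported, not judged, because which account should own the root is a site decision.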