[Samba] samba file server - sediskoperatorprivilege not being honored

Wed May 29 08:12:19 UTC 2019

Hello,

I've been setting up new file server using samba 4.8.3 (centos 7 RPM), 
as samba 4 AD member server using my earlier smb.conf when I realised 
that I was  previously somewhat circumventing the 
SeDiskOperatorPrivilege by using "admin users map" to SAMDOM\Domain 
admins" parameter in smb.conf.

I decided to change my smb.conf and setup shares following samba wiki.

All shares are going to be used strictly by windows clients (AD domain 
members), so I've followed closely samba wiki.

I granted both SAMDOM\domain admins  and SAMDOM\myuser  the 
SeDiskOperatorPrivilege, but still I'm unable to change ACL from windows 
client, even when I'm logged in as SAMDOM\myuser (which belongs to 
SAMDOM\domain admins group) to windows client.

My smb.conf:

[global]
        netbios name = VS-FILES1
        security = ADS
        workgroup = SAMDOM
        realm = MY.REALM.COM

        log level = 1
        log file = /var/log/samba/%m.log
         max log size = 2000
         logging = syslog at 2 file
        idmap config *:backend = tdb
        idmap config *:range = 2000-7000

        idmap config SAMDOM:backend = rid
        idmap config SAMDOM:range = 100000-110000

         winbind enum users = no
         winbind enum groups = no
         winbind nested groups = yes
         winbind expand groups = 3
         winbind refresh tickets = yes
         winbind use default domain = no
         winbind offline logon = yes

         template shell = /bin/bash
         template homedir = /home/%U@%D

         kerberos method = secrets and keytab

         load printers = no
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes

         vfs objects = acl_xattr full_audit recycle

         full_audit:prefix = %u|%I|%M|%S
         full_audit:failure = connect
         full_audit:success =  mkdir rmdir write rename pwrite unlink
         full_audit:priority = NOTICE

         recycle:repository = .recycle
         recycle:keeptree = yes
         recycle:versions = yes
         recycle:touch_mtime = yes
         recycle:exclude = *.tmp, *.bak, *.ods#, *.odt#, *.xls#, *.TMP, 
*.cache
         recycle:exclude_dir = .recycle
         recycle:maxsize = 1073741824

        store dos attributes = yes
         map acl inherit = yes

#        admin users = "@BABKA\Domain Admins","@BABKA\Enterprise Admins"

[MYSHARE]
         path = /srv/samba/myshare/
         read only = no

output of

net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator" -S VS-FILES1

SeDiskOperatorPrivilege:
   SAMDOM\myuser
   SAMDOM\Domain Admins
   BUILTIN\Administrators

getfacl myshare
# file: myshare
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

THe only way to set ACL through windows is either:
- set owner (user/group) and grant rwx permissions
( e.g. chown "SAMDOM\myuser" myshare
chmod 0770 myshare)
OR
- uncomment "admin users" line

Otherwise I'm getting denied error from windows client ("unable to list folder contents"). Is this expected? According to wiki setting "SeDiskOperatorPrivilege" should be enough, but isn't. Winbind is working correctly, I can get reasonable output from all wbinfo commands, all ACL set (with either of the methods) stick and are respected.

I'd like to know if I have some error in my configuration and if so, to fix it.

For quite some time I've been simply using samba file server with "admin users=....", that's why I didn't run into this issue before, but I found some scenarios where this setting has some drawbacks and I'd like to move away from it.

Regards,
Kacper

---
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie antywirusowe Avast.
https://www.avast.com/antivirus