[Samba] What's the use of SeDiskOperatorPrivilege?
Rowland Penny
rpenny at samba.org
Wed Jan 27 17:28:39 UTC 2021
On 27/01/2021 16:43, Matthias Leopold via samba wrote:
> Hi,
>
> I seem to be going in circles when trying to understand
> "administrative access" to a share on a domain member fileserver:
> What is the use of granting SeDiskOperatorPrivilege to certain groups
> on a fileserver so they can manage share permissions when the
> recommended and default setting for share permissions is "Full
> control" for "Everyone" anyway? This setting is also _needed_ for the
> Domain Administrator to _effectively_ get access to the share when
> using "!root = SAMDOM\Administrator" in "username map".
The 'SeDiskOperatorPrivilege' allows domain users to change the
permissions on Samba shares, but the domain user must be known to Unix
or be a member of a group that is known to Unix i.e. 'getent' must show
the user or group.
When it comes to Administrator, if this user is mapped to 'root' in a
usermap, then the user effectively becomes root and as such is allowed
do anything that root can. This means that Administrator doesn't
actually need the SeDiskOperatorPrivilege, though it gets it by
membership of 'Administrators'.
Rowland
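
Added example, not part of the original post and not Samba project code: a small audit of the 'getent' condition described in the reply above, listing holders of SeDiskOperatorPrivilege that Unix cannot resolve. It assumes the input has the layout printed by `net rpc rights list privileges SeDiskOperatorPrivilege`; the group SAMDOM\FileAdmins and the sample listing are constructed.

```shell
#!/bin/sh
# Added example: report SeDiskOperatorPrivilege holders unknown to Unix.
# Assumption: stdin is a "SeDiskOperatorPrivilege:" header line followed by
# one indented account name per line.

# Lookup command; overridable so the logic can be exercised without winbind.
GETENT=${GETENT:-getent}

# known_to_unix NAME: succeeds if NAME resolves as a user or as a group.
known_to_unix() {
    "$GETENT" passwd "$1" >/dev/null 2>&1 ||
        "$GETENT" group "$1" >/dev/null 2>&1
}

# unresolved_holders: read the rights listing on stdin and print every
# holder that neither 'getent passwd' nor 'getent group' can show.
unresolved_holders() {
    while IFS= read -r line; do
        case $line in
            ''|*:) continue ;;   # skip blank lines and the header
        esac
        # Trim the indentation; -r above keeps the DOMAIN\name backslash.
        name=$(printf '%s\n' "$line" |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$name" ] || continue
        known_to_unix "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample listing (not captured from a real server).
sample_listing() {
    cat <<'EOF'
SeDiskOperatorPrivilege:
  BUILTIN\Administrators
  SAMDOM\Domain Admins
  SAMDOM\FileAdmins
EOF
}
```

On a domain member, pipe the real listing into `unresolved_holders`; any name it prints holds the privilege but is not visible to 'getent'.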