[Samba] What's the use of SeDiskOperatorPrivilege?

Rowland Penny rpenny at samba.org
Wed Jan 27 17:28:39 UTC 2021

On 27/01/2021 16:43, Matthias Leopold via samba wrote:
> Hi,
> I seem to be going in circles when trying to understand 
> "administrative access" to a share on a domain member fileserver:
> What is the use of granting SeDiskOperatorPrivilege to certain groups 
> on a fileserver so they can manage share permissions when the 
> recommended and default setting for share permissions is "Full 
> control" for "Everyone" anyway? This setting is also _needed_ for the 
> Domain Administrator to _effectively_ get access to the share when 
> using "!root = SAMDOM\Administrator" in "username map".

The 'SeDiskOperatorPrivilege' allows domain users to change the 
permissions on Samba shares, but the domain user must be known to Unix 
or be a member of a group that is known to Unix, i.e. 'getent' must show 
the user or group.

When it comes to Administrator, if this user is mapped to 'root' in a 
usermap, then the user effectively becomes root and as such is allowed 
to do anything that root can. This means that Administrator doesn't 
actually need the SeDiskOperatorPrivilege, though it gets it by 
membership of 'Administrators'.
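
The following is an added example, not part of the original message or of Samba itself: a small audit that takes the list of SeDiskOperatorPrivilege holders and reports any that 'getent' cannot resolve, which is the condition the reply describes. The function names, the stub resolver and the sample listing are constructed for illustration, and the listing layout (a "Privilege:" header followed by indented account names) is an assumption about the output of 'net rpc rights list'.

```shell
#!/bin/sh
# Added example: flag SeDiskOperatorPrivilege holders that Unix cannot resolve.
# On a live member server the listing would come from something like:
#   net rpc rights list privileges SeDiskOperatorPrivilege -U 'SAMDOM\Administrator'

# True when getent knows the name as a user or as a group.
resolves_on_unix() {
    getent passwd "$1" >/dev/null 2>&1 || getent group "$1" >/dev/null 2>&1
}

# Reads the privilege listing on stdin and prints "OK <name>" or
# "UNRESOLVED <name>" per account. Returns 1 if any account is unresolved.
# $1 optionally names another resolver function (used for offline runs).
audit_privilege_holders() {
    resolver=${1:-resolves_on_unix}
    rc=0
    while IFS= read -r line; do
        # Trim surrounding whitespace; backslashes in DOMAIN\name are kept.
        account=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $account in
            ''|*:) continue ;;   # blank line or "SeDiskOperatorPrivilege:" header
        esac
        if "$resolver" "$account"; then
            printf 'OK %s\n' "$account"
        else
            printf 'UNRESOLVED %s\n' "$account"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample listing and a stub resolver standing in for getent,
# so the script can be run without a domain.
SAMPLE_LISTING='SeDiskOperatorPrivilege:
  SAMDOM\Domain Admins
  SAMDOM\unix-unknown-group'
demo_resolver() { [ "$1" = 'SAMDOM\Domain Admins' ]; }

printf '%s\n' "$SAMPLE_LISTING" | audit_privilege_holders demo_resolver || true
```

On a real fileserver, pipe the 'net rpc rights list' output into audit_privilege_holders with no argument so that 'getent' is used.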

