[Samba] What's the use of SeDiskOperatorPrivilege?

Matthias Leopold matthias.leopold at meduniwien.ac.at
Thu Jan 28 09:11:56 UTC 2021

On 27.01.21 at 18:28, Rowland penny via samba wrote:
> On 27/01/2021 16:43, Matthias Leopold via samba wrote:
>> Hi,
>> I seem to be going in circles when trying to understand 
>> "administrative access" to a share on a domain member fileserver:
>> What is the use of granting SeDiskOperatorPrivilege to certain groups 
>> on a fileserver so they can manage share permissions when the 
>> recommended and default setting for share permissions is "Full 
>> control" for "Everyone" anyway? This setting is also _needed_ for the 
>> Domain Administrator to _effectively_ get access to the share when 
>> using "!root = SAMDOM\Administrator" in "username map".
> The 'SeDiskOperatorPrivilege' allows domain users to change the 
> permissions on Samba shares, but the domain user must be known to Unix 
> or be a member of a group that is known to Unix i.e. 'getent' must show 
> the user or group.
> When it comes to Administrator, if this user is mapped to 'root' in a 
> usermap, then the user effectively becomes root and as such is allowed 
> to do anything that root can. This means that Administrator doesn't 
> actually need the SeDiskOperatorPrivilege, though it gets it by 
> membership of 'Administrators'.
> Rowland

Is it correct that "Full Control" for "Everyone" is needed in a share's 
permissions when the Domain Administrator wants to access it (and is 
mapped to root in "username map")?
If yes: Shall "Full Control" for "Everyone" be the permanent setting for 
a share's permissions in this case or shall it only be added when needed?
Maybe all this is obvious to other people, I'm somehow missing a piece 
here in understanding how share permissions are meant to be configured.

