[Samba] What's the use of SeDiskOperatorPrivilege?
matthias.leopold at meduniwien.ac.at
Thu Jan 28 09:11:56 UTC 2021
On 27.01.21 at 18:28, Rowland Penny via samba wrote:
> On 27/01/2021 16:43, Matthias Leopold via samba wrote:
>> I seem to be going in circles when trying to understand
>> "administrative access" to a share on a domain member fileserver:
>> What is the use of granting SeDiskOperatorPrivilege to certain groups
>> on a fileserver so they can manage share permissions when the
>> recommended and default setting for share permissions is "Full
>> control" for "Everyone" anyway? This setting is also _needed_ for the
>> Domain Administrator to _effectively_ get access to the share when
>> using "!root = SAMDOM\Administrator" in "username map".
> The 'SeDiskOperatorPrivilege' allows domain users to change the
> permissions on Samba shares, but the domain user must be known to Unix
> or be a member of a group that is known to Unix i.e. 'getent' must show
> the user or group.
> When it comes to Administrator, if this user is mapped to 'root' in a
> usermap, then the user effectively becomes root and as such is allowed
> to do anything that root can. This means that Administrator doesn't
> actually need the SeDiskOperatorPrivilege, though it gets it by
> membership of 'Administrators'.
Is it correct that "Full Control" for "Everyone" is needed in a share's
permissions when the Domain Administrator wants to access it (and is
mapped to root in "username map")?
If yes: Shall "Full Control" for "Everyone" be the permanent setting for
a share's permissions in this case or shall it only be added when needed?
Maybe all this is obvious to other people, I'm somehow missing a piece
here in understanding how share permissions are meant to be configured.
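
The condition stated in the quoted reply, that a holder of SeDiskOperatorPrivilege must show up in 'getent', can be checked per holder. The script below is an added example, not part of the original message or of Samba itself; the RESOLVER hook, the function names and the sample group names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). RESOLVER is a hypothetical hook, so the
# check can be exercised without a domain; by default the real getent is used.

# A principal is "known to Unix" if getent finds it as a user or as a group.
resolve_principal() {
    getent passwd "$1" >/dev/null 2>&1 || getent group "$1" >/dev/null 2>&1
}

# Read a privilege listing on stdin and print every holder that does not resolve.
unresolved_holders() {
    while IFS= read -r line; do          # -r keeps the DOMAIN\name backslash
        case "$line" in
            ""|*:) continue ;;           # skip blanks and the "Privilege:" header
        esac
        principal=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$principal" ] || continue
        "${RESOLVER:-resolve_principal}" "$principal" || printf '%s\n' "$principal"
    done
}

# Constructed sample in the layout of
#   net rpc rights list privileges SeDiskOperatorPrivilege
# (group names are made up). On a host that is not joined to SAMDOM both
# holders are reported as unresolved.
sample='SeDiskOperatorPrivilege:
  SAMDOM\Domain Admins
  SAMDOM\Unix Admins'
printf '%s\n' "$sample" | unresolved_holders
```

On a domain member, pipe the real output of the `net rpc rights list privileges` command into `unresolved_holders`; an empty result means every listed holder is visible to Unix.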