[Samba] Permission acl problem.

Rowland Penny rpenny at samba.org
Tue Jul 6 10:04:26 UTC 2021


On Tue, 2021-07-06 at 10:50 +0200, Jan JMPBL via samba wrote:
> Hi again.
> samba AD works fine together with updating DNS entries.
> 
> Now I have created a virtual machine to create a Samba based file
> server.
> Debian 10 + repositories (Louis van Belle)
> 
> Samba as a member has been added to the domain without any problems.
> All services are working fine (krb5, winbind)
> 
> All domain users are available on Debian
> root@lab:~# getent passwd mac.tro
> mac.tro:*:11148:10513:Mac Tro:/home/TEST/mac.tro:/bin/false
> 
> root@lab:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "TEST\administrator"
> Enter GT\administrator's password:
> SeDiskOperatorPrivilege:
>   BUILTIN\Administrators
>   TEST\Domain Admins
>   TEST\Unix Admins
> 
> The problem is that any user from each group can change or remove the
> permissions of any other user or group in the security tab. (also
> administrator)
> 
> Where to find the problem?
> 

What problem?

Your AD is working like all AD domains, your users are all admins and
as such can admin AD.

Also, because of 'nesting' any member of Unix Admins or Domain Admins
is also a member of Administrators.

Rowland
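
The nesting described in the reply above, as an added example that is not part of the original mail or of Samba: it expands nested groups to list which users effectively hold SeDiskOperatorPrivilege and by which path. The privilege holders are the three groups from the quoted output; the group memberships, including mac.tro's and the user TEST\example.user, are constructed sample data.

```python
from collections import deque

# Holders of the privilege, as listed in the quoted `net rpc rights list` output.
PRIVILEGE_HOLDERS = {
    "SeDiskOperatorPrivilege": [
        r"BUILTIN\Administrators",
        r"TEST\Domain Admins",
        r"TEST\Unix Admins",
    ],
}

# Constructed sample data: group -> direct members (users or other groups).
MEMBERS = {
    r"BUILTIN\Administrators": [r"TEST\Domain Admins", r"TEST\Unix Admins",
                                r"TEST\administrator"],
    r"TEST\Domain Admins": [r"TEST\administrator", r"TEST\mac.tro"],
    r"TEST\Unix Admins": [r"TEST\example.user"],          # hypothetical user
    r"TEST\Domain Users": [r"TEST\mac.tro", r"TEST\example.user",
                           r"TEST\plain.user"],           # hypothetical user
}

def nested_users(group, members=MEMBERS):
    """Map each user reachable from `group` through nesting to the path taken."""
    found, seen = {}, set()
    queue = deque([(group, [group])])
    while queue:
        principal, path = queue.popleft()
        if principal in seen:          # also guards against membership loops
            continue
        seen.add(principal)
        if principal in members:       # a group: expand its direct members
            queue.extend((m, path + [m]) for m in members[principal])
        else:                          # a user: record how it was reached
            found[principal] = path
    return found

def effective_holders(privilege, holders=PRIVILEGE_HOLDERS):
    """Users who hold `privilege` directly or via any nested group."""
    result = {}
    for group in holders.get(privilege, []):
        for user, path in nested_users(group).items():
            result.setdefault(user, path)
    return result

if __name__ == "__main__":
    for user, path in sorted(effective_holders("SeDiskOperatorPrivilege").items()):
        print(f"{user:22} via {' -> '.join(path)}")
```
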




