[Samba] Viewing Open Files with Computer Management

Andrew Walker walker.aj325 at gmail.com
Wed May 26 19:01:55 UTC 2021


On Wed, May 26, 2021 at 2:58 PM Nick Couchman <nick.e.couchman at gmail.com>
wrote:

> On Wed, May 26, 2021 at 2:56 PM Andrew Walker <walker.aj325 at gmail.com>
> wrote:
>
>>
>>
>> On Wed, May 26, 2021 at 2:45 PM Nick Couchman <nick.e.couchman at gmail.com>
>> wrote:
>>
>>> root@:/usr/ports/net/samba # net groupmap list
>>>> Guests (S-1-5-32-546) -> BUILTIN\guests
>>>> Administrators (S-1-5-32-544) -> BUILTIN\administrators
>>>> Users (S-1-5-32-545) -> BUILTIN\users
>>>> smb_admins (S-1-5-21-3928159180-3161166842-2405926743-1002) ->
>>>> smb_admins
>>>>
>>>> 4) add new sid as a foreign group for BUILTIN\\Administrators and verify
>>>> root@:/usr/ports/net/samba # net groupmap addmem S-1-5-32-544
>>>> S-1-5-21-3928159180-3161166842-2405926743-1002
>>>> root@:/usr/ports/net/samba # net groupmap listmem S-1-5-32-544
>>>> S-1-5-21-3928159180-3161166842-2405926743-1002
>>>>
>>>>
>>> Thank you, Andrew - this wasn't exactly the solution for me, but it put
>>> me on the right track. I am using AD - Samba is a member of the AD domain -
>>> and it was very simple - just needed to get the SID of the users/groups and
>>> then do the "net groupmap addmem" command to add them to the local
>>> Administrators group. Seems to be working great.
>>>
>>> Thank you!
>>> -Nick
>>>
>>
>> Glad to hear it worked for you. Do note that you are making these SIDs
>> de-facto local admins on your server. With great power comes great
>> responsibility and such.
>>
>
> Yep, understood - I'm very choosy about who is going to get that access
> :-D.
>
> -Nick
>

Right, you can view privileges granted to administrators via "net rpc
rights list accounts -U <admin user>". This includes items like
SeTakeOwnershipPrivilege, which allows the user to take ownership of files.
So this is more than just granting access to administer through Computer
Management and should be treated with the same sort of care as granting
local admin access to a Windows server.
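
The check suggested in the message above, as an added example that is not part of the original thread or of Samba: it flags accounts holding sensitive privileges in `net rpc rights list accounts` output, and lists members of BUILTIN\Administrators (S-1-5-32-544) that are not on an approved list. The output layout, the choice of privileges to flag, the allowlist file and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Assumed layout of `net rpc rights list accounts` output:
# an account name line, one privilege per line, then a blank line.

# Privileges flagged here are an illustrative choice, not a Samba-defined set.
SENSITIVE='SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeSecurityPrivilege SeDiskOperatorPrivilege'

# stdin:  output of `net rpc rights list accounts -U <admin user>`
# stdout: "<account><TAB><privilege>" for every sensitive privilege held
flag_sensitive_rights() {
    awk -v list="$SENSITIVE" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        { sub(/\r$/, "") }                      # tolerate CRLF captures
        /^[ \t]*$/ { account = ""; next }       # blank line closes a block
        account == "" { account = $0; next }    # first line of a block is the account
        ($1 in want) { print account "\t" $1 }
    '
}

# stdin:  output of `net groupmap listmem S-1-5-32-544`
# $1:     file of approved member SIDs, one per line (hypothetical allowlist)
# stdout: members of BUILTIN\Administrators that are not approved
unapproved_admins() {
    grep -E '^S-1-[0-9-]+$' | grep -Fvx -f "$1" || true
}

# Constructed sample output, not captured from a real server.
sample_rights() {
    cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege

EXAMPLE\helpdesk
SeMachineAccountPrivilege
EOF
}

# Demo on the constructed sample; on a server, pipe the real command instead.
sample_rights | flag_sensitive_rights
```
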

