[Samba] SeDiskOperatorPrivilege_Privilege

Rowland Penny rpenny at samba.org
Mon Jun 10 12:38:21 UTC 2024


On Mon, 10 Jun 2024 08:33:13 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 9 Jun 2024 18:52:39 +0100
> Luis Peromarta via samba <samba at lists.samba.org> wrote:
> 
> > Update:
> > 
> > I have revoked the privilege from BUILTIN\Administrators. As before, no
> > root mapping.
> > 
> > root at member:/# net rpc rights revoke "BUILTIN\Administrators"
> > SeDiskOperatorPrivilege -U "MAD\luis" Password for [MAD\luis]:
> > Successfully revoked rights.
> > 
> > root at member:/# net rpc rights list privileges
> > SeDiskOperatorPrivilege -Uluis Password for [MAD\luis]:
> > SeDiskOperatorPrivilege:
> > 
> > Reboot. Or else 'net cache flush && /etc/init.d/winbind restart &&
> > /etc/init.d/smbd restart'
> > 
> > I have deleted and re-created the folder for the share (/test),
> > chown luis:"unix admins", and chmod 0770
> > 
> > I still can set up the share from Windows no problem.
> > 
> > LP
> 
> That means one of two things, either once the group has inherited the
> privilege it retains it, even if the parent group loses it. Or the
> privileges are not actually required by AD.
> 
> More investigation to follow.
> 
> Rowland
> 
> 

OK, where did the SeDiskOperatorPrivilege come from? I cannot find any
Windows documentation for it; I did find this:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory

Which lists the privileges, but there is no SeDiskOperatorPrivilege.

Anyway, I created a new Unix domain member using Debian 12 with Samba
from backports.
Once Samba was installed and running, the first thing I did was to
revoke SeDiskOperatorPrivilege from Administrators:

sudo net rpc rights list SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Password for [SAMDOM\administrator]:
adminuser at debpriv:~$     # <-- nothing

I then set up a share, basically following this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

ignoring SeDiskOperatorPrivilege.

It works, I added Domain Users with full control to the share as a
member of Domain Admins.

Do we really need the SeDiskOperatorPrivilege? Did we ever need the
SeDiskOperatorPrivilege in AD?

Rowland


