[Samba] SeDiskOperatorPrivilege_Privilege

Bailey Allison ballison at 45drives.com
Tue Jun 11 13:47:30 UTC 2024 

Hey Rowland,

Just wanted to say you are 100% correct, and it does (seemingly) nothing, at least within the context of setting Windows ACLs. I believe I have made a post on here a while ago with the same observation, I will see if I can find it.

For configuring of Windows ACLs, the only thing it initially cares about is the owner user or owner group on the directory you are sharing out. If you are either the user, or a member of the group you can then modify the ACLs, if you are not then you can't modify the ACLs. 

Regards,

Bailey

> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland
> Penny via samba
> Sent: June 11, 2024 6:21 AM
> To: samba at lists.samba.org
> Cc: Rowland Penny <rpenny at samba.org>
> Subject: Re: [Samba] SeDiskOperatorPrivilege_Privilege
> 
> On Mon, 10 Jun 2024 13:38:21 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > On Mon, 10 Jun 2024 08:33:13 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Sun, 9 Jun 2024 18:52:39 +0100
> > > Luis Peromarta via samba <samba at lists.samba.org> wrote:
> > >
> > > > Update:
> > > >
> > > > I have revoked the privilege to BUILIN\Administratos. As before,
> > > > no root mapping.
> > > >
> > > > root at member:/# net rpc rights revoke "BUILTIN\Administrators"
> > > > SeDiskOperatorPrivilege -U "MAD\luis" Password for [MAD\luis]:
> > > > Successfully revoked rights.
> > > >
> > > > root at member:/# net rpc rights list privileges
> > > > SeDiskOperatorPrivilege -Uluis Password for [MAD\luis]:
> > > > SeDiskOperatorPrivilege:
> > > >
> > > > Reboot. Or else 'net cache flush && /etc/init.d/winbind restart &&
> > > > /etc/init.d/smbd restart'
> > > >
> > > > I have delete and re-created the folder for there share (/test),
> > > > chown luis:”unix admins”, and chmod 0770
> > > >
> > > > I still can set up the share from Windows no problem.
> > > >
> > > > LP
> > >
> > > That means one of two things, either once the group has inherited
> > > the privilege it retains it, even if the parent group loses it. Or
> > > the privileges are not actually required by AD.
> > >
> > > More investigation to follow.
> > >
> > > Rowland
> > >
> > >
> >
> > OK, where did the SeDiskOperatorPrivilege come from ? I cannot find
> > any Windows documentation for it, I did find this:
> >
> > https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/s
> > ecurity-best-practices/appendix-b--privileged-accounts-and-groups-in-a
> > ctive-directory
> >
> > Which lists the privileges, but there is no SeDiskOperatorPrivilege
> >
> > Anyway, I created a new Unix domain member using Debian 12 with Samba
> > from backports.
> > Once Samba was installed and running, the first thing I did was to
> > revoke SeDiskOperatorPrivilege from Administrators:
> >
> > sudo net rpc rights list SeDiskOperatorPrivilege -U
> > "SAMDOM\administrator" Password for [SAMDOM\administrator]:
> > adminuser at debpriv:~$     # <-- nothing
> >
> > I the setup a share basically following this:
> >
> >
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_A
> CLs
> >
> > ignoring SeDiskOperatorPrivilege.
> >
> > It works, I added Domain Users with full control to the share as a
> > member of Domain Admins.
> >
> > Do we really need the SeDiskOperatorPrivilege ? Did we ever need the
> > SeDiskOperatorPrivilege in AD ?
> >
> > Rowland
> >
> 
> 
> OK, so I did some more testing this morning. I created a new share, exactly
> the same as last time, apart from ownership, I used 'root:root'
> instead of 'root:Domain Admins'.
> 
> I then connected to the share as a member of Domain Admins on Windows
> and attempted to change the permissions and when I clicked the Security
> tab, I got this:
> 
> Object name: \\DEBPRIV.SAMDOM.EXAMPLE.COM\Test
> 
> You must have read permissions to view the properties of this object
> 
> Click Advanced to continue.
> 
> Clicking 'Advanced' didn't get me anywhere.
> 
> I then granted the SeDiskOperatorPrivilege to BUILTIN\Administrators, this
> didn't help.
> I then granted the SeDiskOperatorPrivilege to SAMDOM\Domain Admins,
> again this didn't help.
> 
> So I revoked both the SeDiskOperatorPrivilege privileges I had granted and
> tried the share I created yesterday, which was owned by 'root:Domain
> Admins' with 0770 permissions, this still works.
> 
> I now feel that having the 'SeDiskOperatorPrivilege' is of no use, what does
> count is that the user you use to connect to the share from Windows must
> have read/write permissions on the share, either as the owner or by being a
> member of the group.
> 
> I still cannot find any Windows documentation for 'SeDiskOperatorPrivilege',
> but I think (if I understand git history
> correctly) that it is a Samba thing. It appears to have been added in
> 2010 and the commitdif contains this:
> 
> +/* we have to define the LUID here due to a horrible check by printmig.exe
> +   that requires the SeBackupPrivilege match what is in Windows.  So match
> +   those that we implement and start Samba privileges at 0x1001 */
> +
> ................
> +               SEC_PRIV_DISK_OPERATOR             = 0x1003,
> 
> 2010 was before Samba 4 was released, so was this only really required for
> NT4-style domains ?
> Was having the 'SeDiskOperatorPrivilege' privilege meant to make you 'root'
> when working from Windows ?
> Who knows, all I can say is that it doesn't seem to do anything now, but
> would like someone else to test it out before I remove it from the wiki.
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list