Bug 12796 - "Account Operators" group permissions
"Account Operators" group permissions
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
4.6.3
x64 Linux
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-19 20:31 UTC by cleberson
Modified: 2017-05-19 20:31 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description cleberson 2017-05-19 20:31:10 UTC
Hello,

Following the link reference (https://wiki.samba.org/index.php/Delegation/Account_management) on the "Account Operators" group, i noticed that the users of this group are allowed to change administrative group users.

In the link below, Microsoft reports that this is not possible:

"Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights."

https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx#BKMK_AccountOperators

Raising the Domain/Forest functional level to WS2008_R2 and applied the command "samba-tool dbcheck --reset-well-known-acls --fix --yes" and also did not correct.

Is it possible that the default acls in this group are wrong in the db of samba?

If you have a suggestion to correct, I'm grateful.

Cleberson.