
Windows Privilege Support

Windows privileges control permissions for system-related operations. They are distinct from share permissions or ACLs, which control access to objects such as files and directories.

In Windows, privileges are stored in the Security Account Manager (SAM) database or in Active Directory. In Fusion File Share Server, they are stored in a file called the privilege database.

Supported Privileges

Fusion File Share Server supports the following privileges:

  • SeSecurityPrivilege: Grants the ability to perform security-related operations, such as managing the System Access Control List (SACL) within security descriptors for files and directories. In Windows, this privilege is implicitly granted to the Administrators group; however, in Fusion File Share Server no privileges are granted implicitly.
  • SeTakeOwnershipPrivilege: Grants the ability to change the ownership of any file, regardless of the security descriptor contents. In Windows, this privilege is implicitly granted to the Administrators group; however, in Fusion File Share Server no privileges are granted implicitly.
  • TsmbServerOperatorsPrivilege: Grants the ability to perform all available management operations remotely using the DCE/RPC services. This privilege is specific to Fusion File Share Server.
  • TsmbServerShareOperatorsPrivilege: Grants the ability to perform share management operations remotely using the DCE/RPC services. This privilege is specific to Fusion File Share Server.
  • TsmbServerOpenOperatorsPrivilege: Grants the ability to close open files remotely using the DCE/RPC services. This privilege is specific to Fusion File Share Server.
  • TsmbServerSessionOperatorsPrivilege: Grants the ability to close sessions remotely using the DCE/RPC services. This privilege is specific to Fusion File Share Server.

Privilege Database

The privilege database is stored in a file, the path to which is specified in the Fusion File Share Server configuration file. This database stores the privileges granted to users. Therefore, to enable support for Windows privileges, the path to the privilege database must be configured.

Global Parameter Privilege Database Path

Value Type: string

Value Format: <path>

  • <path> specifies the path to the privilege database file.

Default Value: none.

Examples:

  • /var/lib/tsmb/privilegedb specifies that the path to the privilege database is the privilegedb file in the /var/lib/tsmb directory.

Important: If you are in a clustered environment, ensure that the privilege database file is located on the shared storage so that every node uses the same database.

Configuring the Privilege Database in the Configuration File

To configure the path to the privilege database in the Fusion File Share Server configuration file, set the privilegedb parameter to the path of the privilege database file. For example:

[global]
. . .
privilegedb = /var/lib/tsmb/privilegedb
. . .
[/global]
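The following POSIX shell audit is an added example and is not part of the Fusion File Share Server documentation or tooling. It reads privilegedb from the [global] section of a configuration file and checks that it is set, is an absolute path and, where the database file already exists, is accessible only by its owner, since anyone who can modify the database can grant privileges to any user. The owner-only policy and the configuration file path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Fusion File Share Server documentation.
# Audits the privilegedb setting in a tsmb configuration file.

# Print the privilegedb value from the [global] ... [/global] section of the
# configuration file given as $1 (empty output when it is not set).
get_privilegedb() {
    sed -n '/^[[:space:]]*\[global\]/,/^[[:space:]]*\[\/global\]/p' "$1" \
        | grep -E '^[[:space:]]*privilegedb[[:space:]]*=' \
        | head -n 1 \
        | sed -E 's/^[[:space:]]*privilegedb[[:space:]]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when privilege support is enabled with an absolute path, 1 otherwise.
check_privilegedb_setting() {
    db=$(get_privilegedb "$1")
    if [ -z "$db" ]; then
        echo "privilegedb is not set; Windows privilege support is disabled" >&2
        return 1
    fi
    case "$db" in
        /*) return 0 ;;
        *)  echo "privilegedb must be an absolute path, got: $db" >&2; return 1 ;;
    esac
}

# Return 0 when the database file is absent (not created yet) or is accessible
# only by its owner; return 1 when group or others have any access, because
# anyone who can modify the database can grant privileges to any user.
# Assumption: the file is expected to be owner-only (mode 600 or stricter).
check_privilegedb_perms() {
    f=$1
    [ -e "$f" ] || return 0
    group_other=$(ls -ld "$f" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "$f is accessible by group/others (mode bits: $group_other)" >&2
        return 1
    fi
    return 0
}

# Usage: audit_privilegedb /etc/tsmb.conf   (the config path is an assumption)
audit_privilegedb() {
    check_privilegedb_setting "$1" || return 1
    check_privilegedb_perms "$(get_privilegedb "$1")"
}
```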

Managing Privileges

To manage privileges, use the tsmb-privilege command line tool. This tool allows you to grant or revoke privileges to or from users.

Granting a Privilege to a User

To grant a privilege to a user, use the tsmb-privilege grant command. For example, to grant the SeSecurityPrivilege to the user johndoe, run the following command:

sudo tsmb-privilege grant SeSecurityPrivilege johndoe

Revoking a Privilege from a User

To revoke a privilege from a user, use the tsmb-privilege revoke command. For example, to revoke the SeSecurityPrivilege from the user johndoe, run the following command:

sudo tsmb-privilege revoke SeSecurityPrivilege johndoe

Listing Granted Privileges

To list the privileges that are granted to a user, use the tsmb-privilege list command:

sudo tsmb-privilege list