On Tue, Mar 3, 2015 at 4:24 PM, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
> On Tue, Mar 3, 2015 at 1:16 PM, pisymbol . <pisymbol@xxxxxxxxx> wrote:
>> On Tue, Mar 3, 2015 at 3:20 PM, pisymbol . <pisymbol@xxxxxxxxx> wrote:
>>> On Tue, Mar 3, 2015 at 2:59 PM, Richard Sharpe
>>> <realrichardsharpe@xxxxxxxxx> wrote:
>>>> On Tue, Mar 3, 2015 at 11:52 AM, pisymbol . <pisymbol@xxxxxxxxx> wrote:
>>>>> A colleague and I just witnessed that we could not write an access
>>>>> time of a file on a CIFS mount using CentOS 6.5 despite the fact we
>>>>> mounted it with "Backup Intent."
>>>>>
>>>>> My current theory is that via CIFS, the DACL checks still apply
>>>>> because Windows backup clients use a different API to access files.
>>>>> However, I'm not 100% sure.
>>>>
>>>> BackupIntent is only useful if you also have SeBackupPrivilege or
>>>> SeRestorePrivilege or both. That is why it worked when you added
>>>> BackupOperators, because privileges are associated with groups.
>>>
>>> So the domain user in Windows has to have these privileges set AND be
>>> part of the Backup Operators group for all of this to work?
>
> Yes. Domain admins get it by default, but not ordinary domain users.
>
>> Btw, I pester only because I had *thought* that those privs were
>> automatically granted to anyone in the Backup Operator group and the
>> mount.cifs command should follow suit.
>
> Well, they cannot work around the Windows semantics of this bit. They
> can add it by default, but you still have to have the privilege.

I indeed had to add the group and/or user to the domain's security policy to
get the "SeBackupPrivilege" to show up (verified using "net rpc rights"
from a Linux machine).

Thanks Richard! This is NOT obvious in the MS doc.

-aps
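
Added example, not part of the thread above: a small shell helper that reads a "net rpc rights list accounts" listing and reports which accounts actually hold SeBackupPrivilege, the check the last message describes doing by hand. The account names and the sample listing are constructed; the listing layout (account line, one right per line, blank line between accounts) is an assumption about that command's output.

```shell
#!/bin/sh
# Against a live server the listing would come from (server and admin are placeholders):
#   net rpc rights list accounts -S <server> -U <admin> | accounts_with_right SeBackupPrivilege

# Constructed sample listing; account names are hypothetical.
sample_rights() {
cat <<'EOF'
BUILTIN\Backup Operators
SeBackupPrivilege
SeRestorePrivilege

EXAMPLE\alice
No privileges assigned

EXAMPLE\backupsvc
SeBackupPrivilege

BUILTIN\Administrators
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
EOF
}

# accounts_with_right RIGHT
# Reads a listing on stdin and prints every account that holds RIGHT.
accounts_with_right() {
    awk -v right="$1" '
        { sub(/\r$/, "") }                     # tolerate CRLF line endings
        /^[[:space:]]*$/ { acct = ""; next }   # a blank line ends an account block
        acct == ""       { acct = $0; next }   # first line of a block names the account
        $0 == right      { print acct }        # exact match on the right name
    '
}

# has_right ACCOUNT RIGHT
# Exit status 0 if ACCOUNT is listed with RIGHT in the listing on stdin.
has_right() {
    accounts_with_right "$2" | grep -Fxq -- "$1"
}
```

An account that shows "No privileges assigned", or that lacks the right, will still be subject to the normal DACL checks on a mount made with backup intent, which matches the behaviour reported at the start of the thread.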