[Samba] Domain Admins and SeDiskOperatorPrivilege

Stéphane PURNELLE stephane.purnelle at corman.be
Thu Apr 3 05:01:06 MDT 2014


I know that the "Administrator" from the DC is not an Administrator on a member 
server.

To resolve that, there is a workaround.

This workaround is to use a user_map parameter in smb.conf:

username map = path_to_filemap

And in your case the map file must contain:

!root = HOME\Administrator HOME\administrator

My config uses this workaround and it works.

Have a nice day.


-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin. 
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467



From:    Rowland Penny <rowlandpenny at googlemail.com>
To:      sambalist <samba at lists.samba.org>, 
Date:    03/04/2014 12:49
Subject: [Samba] Domain Admins and SeDiskOperatorPrivilege
Sent by: samba-bounces at lists.samba.org



I am having trouble giving the Domain Admin group the 
'SeDiskOperatorPrivilege' privilege on a member server.

Running 'net rpc rights list accounts -UAdministrator'

Results in this:

Enter Administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

But, running 'net rpc rights grant HOME\\Domain\ Admins 
SeDiskOperatorPrivilege -UAdministrator'

Results in:

Failed to grant privileges for HOME\Domain Admins 
(NT_STATUS_ACCESS_DENIED)

If I bump up debugging, 'net rpc rights grant HOME\\Domain\ Admins 
SeDiskOperatorPrivilege -UAdministrator -d3'

Results in:

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file 
"/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.0.25 bcast=192.168.0.255 
netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter Administrator's password:
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Failed to grant privileges for HOME\Domain Admins 
(NT_STATUS_ACCESS_DENIED)
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
return code = -1

The same command works if run on the Samba4 server, but you cannot 
change the ACLs on a share on the member server from a Windows machine. 
It would seem that the 'Domain Admins' group needs the rights on the 
member server.

So, is this a winbind bug, or something else?

Samba 4 AD server, self-compiled version 4.1.4 running on Ubuntu 12.04
Samba 4 client, Debian wheezy with version 4.1.6-Debian from backports

Rowland
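As an added example (not part of either mail), a small POSIX shell audit that parses the table 'net rpc rights list accounts' prints in the message above and reports which accounts actually hold a given privilege on the member server, so the result of a grant can be verified rather than assumed. The sample listing embedded below is constructed from the thread's output and stands in for the live command; the parser assumes the layout shown there (account name, then one privilege per line or "No privileges assigned", blocks separated by blank lines).

```shell
#!/bin/sh
# Added example: audit which accounts hold a privilege, based on the
# output layout of 'net rpc rights list accounts' as shown in the thread.

# Constructed sample, abbreviated from the listing in Rowland's mail.
SAMPLE_LISTING=$(cat <<'EOF'
Enter Administrator's password:
BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeBackupPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

HOME\Domain Admins
SeBackupPrivilege

Everyone
No privileges assigned
EOF
)

# Print every account holding PRIVILEGE ($1); the listing is read on stdin.
# The privilege name is passed through the environment rather than 'awk -v',
# because -v would mangle backslashes such as the one in 'HOME\Domain Admins'.
accounts_with_privilege() {
    PRIV="$1" awk '
        /password:$/          { next }              # interactive prompt, not data
        /^[[:space:]]*$/      { acct = ""; next }   # blank line ends a block
        acct == ""            { acct = $0; next }   # first line of a block is the account
        $1 == ENVIRON["PRIV"] { print acct }        # privilege line under that account
    '
}

# Exit 0 if ACCOUNT ($1) holds PRIVILEGE ($2), 1 otherwise; listing on stdin.
has_privilege() {
    accounts_with_privilege "$2" | grep -Fqx -- "$1"
}

# Live use on a member server would pipe the real command instead, e.g.
#   net rpc rights list accounts -UAdministrator | has_privilege 'HOME\Domain Admins' SeDiskOperatorPrivilege
for acct in 'BUILTIN\Administrators' 'HOME\Domain Admins'; do
    if printf '%s\n' "$SAMPLE_LISTING" | has_privilege "$acct" SeDiskOperatorPrivilege; then
        echo "$acct: holds SeDiskOperatorPrivilege"
    else
        echo "$acct: missing SeDiskOperatorPrivilege"
    fi
done
```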