[Samba] Domain Admins and SeDiskOperatorPrivilege

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 3 05:12:11 MDT 2014


On 03/04/14 12:01, Stéphane PURNELLE wrote:
> I know that the "Administrator" from the DC is not an Administrator on a member
> server.
>
> To resolve that, there is a workaround.
>
> This workaround is to use a user_map parameter in smb.conf:
>
> username map = path_to_filemap
>
> And in your case the filemap must contain:
>
> !root = HOME\Administrator HOME\administrator
>
> My config uses this workaround and it works.
>
> Have a nice day
>
>
> -----------------------------------
> Stéphane PURNELLE                         Systems and Network Admin.
> IT Department              Corman S.A.           Tel : 00 32 (0)87/342467
>
>
>
> From :    Rowland Penny <rowlandpenny at googlemail.com>
> To :      sambalist <samba at lists.samba.org>,
> Date :    03/04/2014 12:49
> Subject : [Samba] Domain Admins and SeDiskOperatorPrivilege
> Sent by :    samba-bounces at lists.samba.org
>
>
>
> I am having trouble giving the Domain Admin group the
> 'SeDiskOperatorPrivilege' privilege on a member server.
>
> Running 'net rpc rights list accounts -UAdministrator'
>
> Results in this:
>
> Enter Administrator's password:
> BUILTIN\Print Operators
> No privileges assigned
>
> BUILTIN\Account Operators
> No privileges assigned
>
> BUILTIN\Backup Operators
> No privileges assigned
>
> BUILTIN\Server Operators
> No privileges assigned
>
> BUILTIN\Administrators
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
> SeSecurityPrivilege
> SeSystemtimePrivilege
> SeShutdownPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege
> SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege
> SeLoadDriverPrivilege
> SeCreatePagefilePrivilege
> SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> SeUndockPrivilege
> SeManageVolumePrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
>
> Everyone
> No privileges assigned
>
> But, running 'net rpc rights grant HOME\\Domain\ Admins
> SeDiskOperatorPrivilege -UAdministrator'
>
> Results in:
>
> Failed to grant privileges for HOME\Domain Admins
> (NT_STATUS_ACCESS_DENIED)
>
> If I bump up debugging, 'net rpc rights grant HOME\\Domain\ Admins
> SeDiskOperatorPrivilege -UAdministrator -d3'
>
> Results in:
>
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=192.168.0.25 bcast=192.168.0.255
> netmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Enter Administrator's password:
> Connecting to 127.0.0.1 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> Failed to grant privileges for HOME\Domain Admins
> (NT_STATUS_ACCESS_DENIED)
> rpc command function failed! (NT_STATUS_ACCESS_DENIED)
> return code = -1
>
> The same command works if run on the Samba4 server, but you cannot
> change the ACLs on a share on the member server from a Windows machine;
> it would seem that the 'Domain Admins' group needs the rights on the
> member server.
>
> So, is this a winbind bug, or something else?
>
> Samba 4 AD server, self-compiled version 4.1.4 running on Ubuntu 12.04
> Samba 4 client, Debian wheezy with version 4.1.6-Debian from backports
>
> Rowland
Stephane,
I bow down to superior knowledge, you are a genius. I did have
/etc/samba/smbusers; it contained 'root = Administrator' and this did
not work. I changed it to the line you supplied and 'Yahoo!!' it works.

Thank you very very much

Rowland

PS could the documentation team please add this to the wiki.

Rowland
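As an added illustration of why the two map lines in this thread behave differently (this is example code, not code from the thread or from Samba itself), the function below applies the username map file rules from the smb.conf man page to an incoming name: one 'unixname = name1 name2 ...' mapping per line, '#'/';' comments, '@group' entries, '*' wildcards, and a leading '!' that stops processing once its line matches. The `groups` argument and the case-insensitive comparison are assumptions of this example.

```python
import fnmatch
from typing import Dict, Optional, Set

# Constructed sample map files, taken from the two lines discussed in the thread.
OLD_MAP = "root = Administrator\n"
NEW_MAP = r"!root = HOME\Administrator HOME\administrator" + "\n"


def map_username(map_text: str, incoming: str,
                 groups: Optional[Dict[str, Set[str]]] = None) -> str:
    """Return the Unix name a Samba-style username map yields for `incoming`.

    `groups` (hypothetical, supplied by the caller) maps a Unix group name to
    its member names so that '@group' entries can be evaluated offline.
    Names are compared case-insensitively here (an assumption of this example).
    """
    groups = groups or {}
    current = incoming
    for raw in map_text.splitlines():
        # Strip comments and whitespace; skip lines that are not mappings.
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line or '=' not in line:
            continue
        stop_on_match = line.startswith('!')
        if stop_on_match:
            line = line[1:].lstrip()
        unix_name, _, rhs = line.partition('=')
        unix_name = unix_name.strip()
        matched = False
        for entry in rhs.split():
            if entry.startswith('@'):
                members = {m.lower() for m in groups.get(entry[1:], set())}
                matched = current.lower() in members
            else:
                # fnmatch handles '*' and '?' wildcards; backslashes are literal.
                matched = fnmatch.fnmatchcase(current.lower(), entry.lower())
            if matched:
                break
        if matched:
            current = unix_name          # mapping applied; later lines see the new name
            if stop_on_match:
                break
    return current


if __name__ == "__main__":
    # A member server presents the domain-qualified name, so the old line misses.
    print(map_username(OLD_MAP, r"HOME\Administrator"))   # unmapped
    print(map_username(NEW_MAP, r"HOME\Administrator"))   # root
```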

