[Samba] Unable to set SeDiskOperatorPrivilege

Henry McLaughlin henry at incred.com.au
Sat Jan 16 22:05:37 UTC 2016


On 17 January 2016 at 00:50, Rowland penny <rpenny at samba.org> wrote:

> On 16/01/16 13:26, Henry McLaughlin wrote:
>
>>
>> On 15 January 2016 at 23:24, Rowland penny <rpenny at samba.org> wrote:
>>
>>     On 15/01/16 12:08, Henry McLaughlin wrote:
>>
>>
>>
>>         On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
>>
>>             On 15/01/16 11:12, Henry McLaughlin wrote:
>>
>>
>>                     Have you by any chance given Administrator a
>>         uidNumber ?
>>
>>
>>                 Yes, 10000
>>
>>                 Was that wrong?
>>
>>
>>
>>
>>             Well, in my opinion, yes. By giving Administrator a uidNumber,
>>             you have, as far as Unix is concerned, turned it into a normal
>>             user that doesn't have the rights to do anything.
>>
>>             Is this on a DC ? if so, remove the uidNumber and it should
>>             start working again, if it is a domain member, again remove
>>             the uidNumber and add this line to smb.conf
>>
>>             username map = /etc/samba/samba_usermapping
>>
>>             Create the file '/etc/samba/samba_usermapping' with this content:
>>
>>             !root = SAMDOM\Administrator SAMDOM\administrator
>>
>>             Replace 'SAMDOM' with your workgroup
>>
>>             This will map 'Administrator' to the Unix 'root' user
>>
>>             Rowland
>>             --
>>             To unsubscribe from this list go to the following URL and read the
>>             instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>         Thanks Rowland, this worked, however I am totally confused as to
>>         when a Windows User/Group needs to be given a UNIX id in
>>         ADUG. Is there a reference out there I can read, study & understand?
>>
>>
>>     It is fairly simple, on a DC, users are mapped to (via idmap.ldb)
>>     Unix automatically. On a domain member, you have a choice of
>>     backends, but the two main ones are 'rid' & 'ad'. The 'rid'
>>     backend works similar (from an initial view point) to the DC and
>>     maps the users & groups to Unix. The 'ad' backend is different,
>>     any user that you want to be visible to Unix must be given a
>>     uidNumber attribute, this number must be inside the range that is
>>     set in smb.conf, you must also give Domain Users (at least) a
>>     gidNumber attribute, this must also be inside the range set in
>>     smb.conf, if you want any other groups to be visible to Unix,
>>     these also must be given a gidNumber.
>>
>>     Any user or group that is visible to Unix, works just like any
>>     other Unix user or group and only has the permissions you assign
>>     to them.
>>
>>     Rowland
>>
>>
>>
>> When I now try to set SeDiskOperatorPrivilege to "DOMAIN\Domain Admins"
>> it is set for "Unix Group\domain admins". Is this correct, as I had expected
>> it to be "DOMAIN\Domain Admins"?
>>
>> root at aphrodite:~# net rpc rights grant 'DOMAIN\Domain Admins'
>> SeDiskOperatorPrivilege -U'DOMAIN\administrator'
>> Enter DOMAIN\administrator's password:
>> Successfully granted rights.
>> root at aphrodite:~# net rpc rights list accounts -U'DOMAIN\administrator'
>> Enter DOMAIN\administrator's password:
>> BUILTIN\Print Operators
>> No privileges assigned
>>
>> BUILTIN\Account Operators
>> No privileges assigned
>>
>> BUILTIN\Backup Operators
>> No privileges assigned
>>
>> BUILTIN\Server Operators
>> No privileges assigned
>>
>> BUILTIN\Administrators
>> SeMachineAccountPrivilege
>> SeTakeOwnershipPrivilege
>> SeBackupPrivilege
>> SeRestorePrivilege
>> SeRemoteShutdownPrivilege
>> SePrintOperatorPrivilege
>> SeAddUsersPrivilege
>> SeDiskOperatorPrivilege
>> SeSecurityPrivilege
>> SeSystemtimePrivilege
>> SeShutdownPrivilege
>> SeDebugPrivilege
>> SeSystemEnvironmentPrivilege
>> SeSystemProfilePrivilege
>> SeProfileSingleProcessPrivilege
>> SeIncreaseBasePriorityPrivilege
>> SeLoadDriverPrivilege
>> SeCreatePagefilePrivilege
>> SeIncreaseQuotaPrivilege
>> SeChangeNotifyPrivilege
>> SeUndockPrivilege
>> SeManageVolumePrivilege
>> SeImpersonatePrivilege
>> SeCreateGlobalPrivilege
>> SeEnableDelegationPrivilege
>>
>> Everyone
>> No privileges assigned
>>
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>
> Does Domain Admins have a gidNumber ?
> It doesn't really matter what net shows for Domain Admins as long as it
> works, have you tried it ?
>
> It works for me, but I get this on a domain member:
>
> net rpc rights list accounts -Uadministrator
> Enter administrator's password:
> ~~~~~~~~~~~~
> S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-512
> SeDiskOperatorPrivilege
>
> whilst on a DC, I get this:
> ~~~~~~~~~~~~
> SAMDOM\Domain Admins
> SeDiskOperatorPrivilege
>
> Rowland
>
>
>

Domain Admins is the only AD User/Group I have assigned a Unix ID to. (Can
this be verified?)

After the following on the member server:
net rpc rights revoke 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege
-U'DOMAIN\administrator'
Enter DOMAIN\administrator's password:
Successfully revoked rights.

net rpc rights list accounts -Uadministrator
Enter administrator's password:
...
Unix Group\domain admins
No privileges assigned

After the following on the member server:
net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege
-U'DOMAIN\administrator'
Enter DOMAIN\administrator's password:
Successfully granted rights.

net rpc rights list accounts -Uadministrator
Enter administrator's password:
...
Unix Group\domain admins
SeDiskOperatorPrivilege

There is no mention of the Domain Admins group when I run "net rpc rights
list accounts -Uadministrator" on the DC.
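The thread shows the same group appearing as "SAMDOM\Domain Admins" on a DC, as "Unix Group\domain admins" on one member server and as a raw "S-1-5-21-...-512" SID on another. The following added example (not from the thread or from Samba itself) parses the `net rpc rights list accounts` output quoted above and normalises those three spellings so an administrator can audit who holds SeDiskOperatorPrivilege regardless of how winbind rendered the name; the sample output and the SID in it are constructed placeholders.

```python
import re

# Constructed sample modelled on the `net rpc rights list accounts` output
# quoted in this thread; the SID is a placeholder, not a real domain SID.
SAMPLE_OUTPUT = """\
BUILTIN\\Backup Operators
No privileges assigned

BUILTIN\\Administrators
SeBackupPrivilege
SeRestorePrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned

Unix Group\\domain admins
SeDiskOperatorPrivilege

S-1-5-21-1111111111-2222222222-3333333333-512
SeDiskOperatorPrivilege
"""

# Well-known RIDs of AD domain groups, used when winbind prints an
# unresolved SID instead of a name (as seen on the member server above).
WELL_KNOWN_DOMAIN_RIDS = {512: "domain admins", 513: "domain users",
                          518: "schema admins", 519: "enterprise admins"}
_DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def parse_rights(text):
    """Map each account block to its privilege list ([] when none)."""
    rights = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        account, privs = lines[0], lines[1:]
        rights[account] = [] if privs == ["No privileges assigned"] else privs
    return rights

def canonical_account(account):
    """Normalise 'SAMDOM\\Domain Admins', 'Unix Group\\domain admins' and a
    raw S-1-5-21-...-512 SID to one comparable lowercase group name."""
    m = _DOMAIN_SID.match(account)
    if m:
        return WELL_KNOWN_DOMAIN_RIDS.get(int(m.group(1)), account)
    return account.rsplit("\\", 1)[-1].lower()

def holders_of(text, privilege):
    """Canonical names of every account granted `privilege`."""
    return {canonical_account(a) for a, p in parse_rights(text).items()
            if privilege in p}

def unexpected_holders(text, privilege, allowed):
    """Audit helper: holders of `privilege` outside the `allowed` set."""
    return holders_of(text, privilege) - {a.lower() for a in allowed}
```

Feed it the real command output (e.g. `net rpc rights list accounts -Uadministrator | python3 audit.py`) and compare `unexpected_holders` against the groups you intend to hold the right.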

