[Samba] net rpc rights list
Henry McLaughlin
henry at incred.com.au
Tue Jan 19 20:00:22 UTC 2016
On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
> On 19/01/16 19:34, Henry McLaughlin wrote:
>
>> I have sssd configured and working with my domain member server and I now
>> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
>> group. When I execute the command it appears to disregard the domain name
>> and grant the privileges to the group "Unix Group\domain admins"
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege
>> -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege
>> -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully revoked rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>>
>> Below I have completely removed the domain name from the command and still
>> get the same outcome.
>>
>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>> -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> Does this behaviour appear correct or am I missing something in my config
>> that identifies the domain name?
>>
>
> I don't know, I cannot see your smb.conf from here.
>
> Rowland
>
cat /etc/samba/smb.conf

[global]
    workgroup = MYDOMAIN
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = AD.MYDOMAIN.COM.AU
    security = ads
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    username map = /etc/samba/samba_usermapping

[printers]
    path = /var/spool/samba/
    printable = yes
    printing = CUPS

[Administration]
    path = /mnt/disk-2/samba/Administration/
    read only = no