Does NET RPC RIGHTS requires Linux PDC? additionally Samba 3.0.11 and RHEL 4 test

Guenther Deschner gd at
Mon Sep 5 22:02:26 GMT 2005

Hi Jerry,

On Mon, Sep 05, 2005 at 07:11:10AM -0500, Gerald (Jerry) Carter wrote:
> Guenther Deschner <gd at> wrote:
> | That would make more sense. Most probably you do not have the
> | "SeDiskOperatorPrivilege" assigned to "Administrator".
> |
> | If you are using "security = ads" please try to switch
> | to "security = domain" to let that privilege take effect.
> Guenther,  There should be no difference in smbd's code
> that builds the user token for domain or ads mode security.
> Do you known of a bug here that hasn't been reported?

Yes, there is a big difference (I tried to explain to you during CIFS
conf ;) : 

When in security = ads, when we reply in reply_spnego_kerberos(), we build
a quite broken NT user token, one that has a local sid with an algorithmic
rid part (instead of using the user's original domain sid). Thus,
privileges never apply when smbd is running as a domain-member in

The best way to fix that (IMHO) is to derive (at least) the user and
primary-group sid directly from the PAC (saving roundtrips). I have
exactly this working (including PAC server-signature verification) for
Heimdal (thanks to the great Samba4 progress) but the abstraction-layer to
make it work with MIT kerberos as well is not yet finished.

You are right, I should open a bug report to track my progress on that.


Günther Deschner                    GPG-ID: 8EE11688
Novell / SUSE LINUX                       gd at
Samba Team                              gd at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list