[Samba] Samba as a PDC with LDAP and Kerberos

Josh Kelley josh at jbc.edu
Fri May 6 21:30:47 GMT 2005

Try doing the "net rpc rights" as a

Ti Leggett wrote:

>However the following fails:
>net -S localhost rpc rights grant "CI\Domain Admins"
>SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
>SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>Reading through the logs, everything appears to be fine until it goes to
>assign privileges. Here's a snip from the logs (log level = 10):

>[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
>      0000 status: NT_STATUS_ACCESS_DENIED
>The LDAP logs show everything successful and there's no MODs trying to
Try doing the "net rpc rights grant" as a domain admin ("-U username") 
instead of as root.  The Samba HOWTO states, "You must be connected as a 
member of the Domain Admins group to be able to grant or revoke 
privileges assigned to an account. This capability is inherent to the 
Domain Admins group and is not configurable."

Granting rights as root doesn't seem to work.  (At least, it doesn't for 
me.)  I don't know if that's intentional or not; the HOWTO also states, 
"Access as the root user (UID=0) bypasses all privilege checks," which 
seems to contradict the previous statement and seems to imply that not 
working for root is a bug.

Josh Kelley

More information about the samba mailing list