[Samba] Samba as a PDC with LDAP and Kerberos
Josh Kelley
josh at jbc.edu
Fri May 6 21:30:47 GMT 2005
Ti Leggett wrote:
>However the following fails:
>
>net -S localhost rpc rights grant "CI\Domain Admins"
>SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
>SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>
>Reading through the logs, everything appears to be fine until it goes to
>assign privileges. Here's a snip from the logs (log level = 10):
>
>
<snip>
>[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
> 0000 status: NT_STATUS_ACCESS_DENIED
>
>The LDAP logs show everything successful and there's no MODs trying to
>occur.
>
>
Try doing the "net rpc rights grant" as a domain admin ("-U username")
instead of as root. The Samba HOWTO states, "You must be connected as a
member of the Domain Admins group to be able to grant or revoke
privileges assigned to an account. This capability is inherent to the
Domain Admins group and is not configurable."
Granting rights as root doesn't seem to work. (At least, it doesn't for
me.) I don't know if that's intentional or not; the HOWTO also states,
"Access as the root user (UID=0) bypasses all privilege checks," which
seems to contradict the previous statement and seems to imply that not
working for root is a bug.
Josh Kelley