[Samba] Samba as a PDC with LDAP and Kerberos
Ti Leggett
leggett at ci.uchicago.edu
Mon May 9 15:29:50 GMT 2005

Unfortunately this still doesn't work. As a note, I thought about this
and had added the root account to the Domain Admins group.

On Fri, 2005-05-06 at 17:30 -0400, Josh Kelley wrote:
> Ti Leggett wrote:
>
> >However the following fails:
> >
> >net -S localhost rpc rights grant "CI\Domain Admins"
> >SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
> >SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
> >
> >Reading through the logs, everything appears to be fine until it goes to
> >assign privileges. Here's a snip from the logs (log level = 10):
> >
> >
> <snip>
>
> >[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
> > 0000 status: NT_STATUS_ACCESS_DENIED
> >
> >The LDAP logs show everything successful and there's no MODs trying to
> >occur.
> >
> >
> Try doing the "net rpc rights grant" as a domain admin ("-U username")
> instead of as root. The Samba HOWTO states, "You must be connected as a
> member of the Domain Admins group to be able to grant or revoke
> privileges assigned to an account. This capability is inherent to the
> Domain Admins group and is not configurable."
>
> Granting rights as root doesn't seem to work. (At least, it doesn't for
> me.) I don't know if that's intentional or not; the HOWTO also states,
> "Access as the root user (UID=0) bypasses all privilege checks," which
> seems to contradict the previous statement and seems to imply that not
> working for root is a bug.
>
> Josh Kelley