[Samba] Re: 3.0.24 What commands must be executed by root versus ntgroup="Domain Admins"?

Nik Conwell nik at bu.edu
Tue May 1 17:49:51 GMT 2007

Michael Lueck <mlueck <at> lueckdatasystems.com> writes:

> I found the solution, or at least a workaround, for my posting: "Can not
> grant SeMachineAccountPrivilege on Debian Etch"
> I ended up:
> 1) ssh to Debian Etch as root
> 2) smbpasswd -a root
> 3) issue the "net rpc rights grant ..." command
> So, that raises the question of what MUST be executed as user root versus a
> member of ntgroup="Domain Admins"?

Funny you should bring this up.  I've been having the same problem but my system
is security=ADS so I can't authenticate the local root user.

From the source, _lsa_add_acct_rights() is supposed to allow grant to members of
Domain Admins (RID 512) but that's apparently not working.  se_access_check()
shows my account has a sid of [getlocalsid]-512 so I should be considered as a
member of Domain Admins.  Time to start the debugging...

