[Samba] Domain Admins and SeDiskOperatorPrivilege

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 3 04:48:45 MDT 2014


I am having trouble giving the Domain Admins group the 
'SeDiskOperatorPrivilege' privilege on a member server.

Running 'net rpc rights list accounts -UAdministrator'

Results in this:

Enter Administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

But, running 'net rpc rights grant HOME\\Domain\ Admins SeDiskOperatorPrivilege -UAdministrator'

Results in:

Failed to grant privileges for HOME\Domain Admins (NT_STATUS_ACCESS_DENIED)

If I bump up debugging, 'net rpc rights grant HOME\\Domain\ Admins SeDiskOperatorPrivilege -UAdministrator -d3'

Results in:

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.0.25 bcast=192.168.0.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter Administrator's password:
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Failed to grant privileges for HOME\Domain Admins (NT_STATUS_ACCESS_DENIED)
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
return code = -1

The same command works if run on the Samba4 server, but you cannot 
change the ACLs on a share on the member server from a Windows machine; 
it would seem that the 'Domain Admins' group needs the rights on the 
member server.

So, is this a winbind bug, or something else?

Samba 4 AD server: self-compiled version 4.1.4 running on Ubuntu 12.04
Samba 4 member server: Debian wheezy with version 4.1.6-Debian from backports

Rowland


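The listing above is the only record the post gives of who holds which privilege, so a practitioner debugging this wants a quick way to check, on each server, whether a given account already has SeDiskOperatorPrivilege before (or after) running the grant. The script below is an added example, not code from the original post or from the Samba project: it parses the block-per-account format that 'net rpc rights list accounts' prints (constructed sample embedded inline; the 'HOME\Domain Admins' block in the sample shows the desired end state, not what the poster actually saw on the member server) and reports the accounts holding a privilege.

```shell
#!/bin/sh
# Added example (not from the post or from Samba). Parses the output format of
# 'net rpc rights list accounts' and reports which accounts hold a privilege.

# Constructed sample in the shape printed by 'net rpc rights list accounts':
# blank-line-separated blocks, first line is the account, following lines are
# privilege names or the literal text "No privileges assigned".
SAMPLE_RIGHTS='BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

HOME\Domain Admins
SeDiskOperatorPrivilege

Everyone
No privileges assigned'

# holders_of PRIV: read a rights listing on stdin and print, one per line,
# every account whose block contains PRIV.
holders_of() {
    awk -v priv="$1" '
        BEGIN { RS = ""; FS = "\n" }      # paragraph mode: one record per account block
        {
            for (i = 2; i <= NF; i++)     # $1 is the account name, the rest are privileges
                if ($i == priv) { print $1; break }
        }'
}

# has_priv ACCOUNT PRIV: exit 0 if ACCOUNT holds PRIV in the listing on stdin,
# 1 otherwise. -F keeps the backslash in DOMAIN\Group literal, -x requires a
# whole-line match so "Admins" alone does not match "Domain Admins".
has_priv() {
    holders_of "$2" | grep -Fxq -- "$1"
}

# Helpers bound to the constructed sample, so the script runs offline.
sample_holders_of() {
    printf '%s\n' "$SAMPLE_RIGHTS" | holders_of "$1"
}
sample_has_priv() {
    printf '%s\n' "$SAMPLE_RIGHTS" | has_priv "$1" "$2"
}

# Count of accounts in the sample holding SeDiskOperatorPrivilege (no leading
# whitespace, unlike 'wc -l' on some systems).
sample_disk_operator_count() {
    sample_holders_of SeDiskOperatorPrivilege | grep -c .
}

# Stand-alone run: show who holds SeDiskOperatorPrivilege in the sample and
# whether Domain Admins is among them.
sample_holders_of SeDiskOperatorPrivilege
if sample_has_priv 'HOME\Domain Admins' SeDiskOperatorPrivilege; then
    echo "Domain Admins holds SeDiskOperatorPrivilege in the sample"
else
    echo "Domain Admins lacks SeDiskOperatorPrivilege in the sample"
fi
```

Against a live server, pipe the real listing in instead of the sample, e.g. `net rpc rights list accounts -UAdministrator | holders_of SeDiskOperatorPrivilege`, and run it separately on the DC and on the member server, since the post shows the grant succeeding on one and failing on the other.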