[Samba] Domain Admins and SeDiskOperatorPrivilege

Denis Cardon denis.cardon at tranquil-it-systems.fr
Thu Apr 3 10:05:26 MDT 2014


Hi Rowland,


>> I know that the "Administrator" from the DC is not an Administrator on the member
>> server.
>>
>> To resolve that, there is a workaround.
>>
>> This workaround is to use a user_map parameter in smb.conf :
>>
>> username map = path_to_filemap
>>
>> And the filemap must contain in your case :
>>
>> !root = HOME\Administrator HOME\administrator
>>
>> My config uses this workaround and it works
>>
>> have a nice day
>>
>>
>> -----------------------------------
>> Stéphane PURNELLE                         Systems and Network Admin.
>> IT Department              Corman S.A.           Tel : 00 32 (0)87/342467
>>
>>
>>
>> From:    Rowland Penny <rowlandpenny at googlemail.com>
>> To:      sambalist <samba at lists.samba.org>,
>> Date:    03/04/2014 12:49
>> Subject: [Samba] Domain Admins and SeDiskOperatorPrivilege
>> Sent by: samba-bounces at lists.samba.org
>>
>>
>>
>> I am having trouble giving the Domain Admin group the
>> 'SeDiskOperatorPrivilege' privilege on a member server.
>>
>> Running 'net rpc rights list accounts -UAdministrator'
>>
.....
>>
>> Everyone
>> No privileges assigned
>>
>> But, running 'net rpc rights grant HOME\\Domain\ Admins
>> SeDiskOperatorPrivilege -UAdministrator'
>>
>> Results in:
>>
>> Failed to grant privileges for HOME\Domain Admins
>> (NT_STATUS_ACCESS_DENIED)
>>
>> If I bump up debugging, 'net rpc rights grant HOME\\Domain\ Admins
>> SeDiskOperatorPrivilege -UAdministrator -d3'
>>
...
>>
>> The same command works if run on the Samba4 server, but you cannot
>> change the ACL's on a share on the member server from a windows machine,
>> it would seem that the 'Domain Admins' group needs the rights on the
>> member server.
>>
>> So, is this a winbind bug, or something else.
>>
>> Samba 4 AD server, self compiled version 4.1.4 running on ubuntu 12.04
>> Samba 4 client, debian wheezy with version 4.1.6-Debian from backports
>>
>> Rowland
> Stephane,
> I bow down to superior knowledge, you are a genius, I did have
> /etc/samba/smbusers, this contained: 'root = Administrator' and this did
> not work, changed it for the line you supplied and 'Yahoo!!' it works.
>
> Thank you very very much
>
> Rowland
>
> PS could the documentation team please add this to the wiki.

I think the command line you typed is using an old syntax. This is
working for me on a 4.1.6 :

[root at srvfichiers.tranq ~]# net sam rights  grant  "TRANQUILIT\\domain admins" SeDiskOperatorPrivilege
Granted SeDiskOperatorPrivilege to TRANQUILIT\domain admins

[root at srvfichiers.tranq ~]# net rpc rights list accounts -U Administrator
Enter Administrator's password:
....
TRANQUILIT\domain admins
SeDiskOperatorPrivilege

Cheers,

Denis

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
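
Added example, not part of the original thread and not Samba project code: a POSIX shell audit that reads the `net rpc rights list accounts` listing shown above and reports any holder of SeDiskOperatorPrivilege that is not on an expected list. It assumes each account block is separated by a blank line; the function names, the sample listing and the `TRANQUILIT\helpdesk` account are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of `net rpc rights list accounts`:
# account name, then its privileges, blank line between accounts (assumed).
SAMPLE='Everyone
No privileges assigned

TRANQUILIT\domain admins
SeDiskOperatorPrivilege

TRANQUILIT\helpdesk
SeDiskOperatorPrivilege
SePrintOperatorPrivilege
'

# holders PRIVILEGE: read a rights listing on stdin, print each account
# that holds PRIVILEGE, one per line.
holders() {
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n" }          # one account block per record
        {
            name = $1; sub(/[ \t\r]+$/, "", name)
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/[ \t\r]+$/, "", p)
                if (p == want) { print name; break }
            }
        }'
}

# unexpected PRIVILEGE ALLOWED: print holders missing from ALLOWED, a
# newline-separated list compared case-insensitively. ALLOWED is passed
# through the environment because awk -v would mangle the backslash
# in DOMAIN\name.
unexpected() {
    holders "$1" | ALLOWED="$2" awk '
        BEGIN {
            n = split(ENVIRON["ALLOWED"], a, "\n")
            for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1
        }
        !(tolower($0) in ok)'
}

# Against a live member server the listing would come from:
#   net rpc rights list accounts -U Administrator | unexpected ...
printf '%s\n' "$SAMPLE" | unexpected SeDiskOperatorPrivilege 'TRANQUILIT\Domain Admins'
```

An empty result means only the expected groups can change share ACLs on the member server.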


