[Samba] Why would "net rpc rights grant" fail ?
Koenraad Lelong
k.lelong at ace-electronics.be
Sat Apr 12 12:51:57 MDT 2014
On 11-04-14 15:29, L.P.H. van Belle wrote:
> Hai,
>
>
> The base is always Administrator, this is because of the user mapping root = ... see below..
> I'll go modify the script for that. Can you tell which server/script this is ?
I'm using 1-setup-sernet-samba4-ADDC-wheezy.sh, although I don't know if
it's the latest version. I downloaded it last Monday.
I modified it to do a classicupgrade, and to use the ubuntu sernet-packages.
>
> Can you try to run it like this.
>
> net rpc rights grant YOURDOMAIN\\AdminKoen SeDiskOperatorPrivilege -UAdministrator
> ( -U administrator is needed to make it work; it's used to authenticate so you can set the privileges. )
I tried using Administrator, but this does not work. I then tried to log
in as Administrator in the "old" domain. This fails also. I tried
modifying its password and use that, but this does not work.
So I tried with my normal "Domain Admin" username AdmiKoen.
I could use root and its password to log in though, both on the "old"
domain and the new server.
I modified your script to use -U${SETNTUSER} instead of Administrator
in some places. Now I know that was not good ;-)
>
> And for full admin rights, add all the SEPrivileges to AdminKoen.
> when you run it outside the script you can also kinit Administrator first.
So all "Domain Admins" have to have all SEPrivileges ? Adding their
names to the group is not sufficient ?
>
> Also check if the file in /etc/samba/samba_usermapping exists.
> !root = YOURDOMAIN\Administrator YOURDOMAIN\administrator
No mapping-file found.
>
> If you want to have AdminKoen run as "root", well, there is only 1 root ( Administrator )
> then you can change it in the samba_usermapping file.
No, I just tried Admikoen because Administrator could not log in.
But this raises a question : does the root on the new server need the
same password as on the old server ? And with root I mean "linux-root".
Or are they not related ?
>
> I'm guessing you have this problem on the member server? That was also the hard one to get working.
>
No, this is a test-server that will become the prime AD-DC, not a member
server.
> Adding a windows 7 pc ( dutch ) should not be any problem, i joined 32bit and 64bit.
> but i did use the user DOMAIN\Administrator for the join.
> Administrator on the pc is disabled.
I know it should be not a problem, but since Administrator did not work
I used AdmiKoen, but I think it's related to the SEPrivileges problem. I
need to solve this first.
>
> So if I look at your problem:
> Are you trying to get AdminKoen to be "root" or just an extra domain admin?
> If only as an extra domain admin, then adding him to "domain admin" should be sufficient.
> and do not disable Administrator.. samba uses it also in the back ground
> see the /var/lib/samba/private/named.conf.update
>
> Can you try again and report back?
Will do on Monday.
>
>
> Best regards,
>
> Louis
>
Many thanks,
Koenraad.