[Samba] samba4.1 as domain member in a domain I don't be admin
sebastian.gabbert at gmail.com
Thu Jun 12 12:26:04 MDT 2014
I bet this question was asked several times, but I'm honestly not able
to find a solution.
My samba4.1 (running on FreeBSD10) is part of a larger network/AD where
I only have very restricted rights.
Our network consists of a "toplevel" AD-Domain (top.foo.bar) and several
"subdomains" (in my case: sub1.top.foo.bar), which have their own
domain controllers (MS Windows Server 2008R2).
I only have rights to add domain members to sub1.top.foo.bar. All user
accounts are top.foo.bar\users.
I followed this ( https://wiki.samba.org/index.php/Samba4/Domain_Member
) tutorial, which worked perfectly for adding the server to the domain
and retrieving users/groups and so on (via wbinfo). My Samba server was
added to my AD-Subtree.
Now I wanted to add a share and followed this tutorial:
I tried to grant the SeDiskOperatorPrivilege to my domain user
TOP\myUser. First net rpc tried to connect to 127.0.0.1, so I added
-Smy-pdc.sub1.top.foo.bar which resulted in:
net rpc rights grant 'TOP\myUser' SeDiskOperatorPrivilege -U'TOP\myUser'
Failed to grant privileges for 'TOP\myUser' (NT_STATUS_ACCESS_DENIED)
Then I stumbled across
Which suggested adding a local group, adding my domain user to it, and
granting this group the privileges.
I tried this in several ways. I added a custom group and added my
domain user, I added a domain group my user is a member of. I added this
group and my user to BUILTIN\Administrators. I granted Administrators, the
domain group and my domain user all the privileges via net sam, which
seemed to work.
I still get a permission denied on my Windows computer management.
I would be very happy for a hint in the right direction. Getting started
with samba4 seems to be a little bit more complicated than I first
Thanks and best regards
P.S. here is my smb.conf
netbiosname = marx-new
workgroup = SUB1
security = ADS
realm = TOP.FOO.BAR
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config FAK6:backend = ad
idmap config FAK6:schema_mode = rfc2307
idmap config FAK6:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
nsupdate command = /usr/local/bin/samba-nsupdate -g