[Samba] samba4.1 as domain member in a domain I don't be admin

Sebastian Gabbert sebastian.gabbert at gmail.com
Thu Jun 12 12:26:04 MDT 2014


I bet this question was asked several times, but I'm honestly not able
to find a solution.

My samba4.1 (running on FreeBSD 10) is part of a larger network/AD where
I only have very restricted rights.
Our network consists of a "toplevel" AD domain (top.foo.bar) and several
"subdomains" (in my case: sub1.top.foo.bar), which have their own
domain controllers (MS Windows Server 2008R2).

I only have rights to add domain members to sub1.top.foo.bar. All user
accounts are top.foo.bar\users.

I followed this ( https://wiki.samba.org/index.php/Samba4/Domain_Member
) tutorial, which worked perfectly for adding the server to the domain
and retrieving users/groups and so on (via wbinfo). My samba server was
added to my AD subtree.

Now I wanted to add a share and followed this tutorial:

I tried to grant the SeDiskOperatorPrivilege to my domain user
TOP\myUser. First net rpc tried to connect to, so I added
-Smy-pdc.sub1.top.foo.bar which resulted in:

net rpc rights grant 'TOP\myUser' SeDiskOperatorPrivilege -U'TOP\myUser'
Failed to grant privileges for 'TOP\myUser' (NT_STATUS_ACCESS_DENIED)

Then I stumbled across

This suggested adding a local group, adding my domain user to it, and
granting this group the privileges.
I tried this in several ways. I added a custom group and added my
domain user; I added a domain group my user is a member of. I added this
group and my user to BUILTIN\Administrators, and granted Administrators,
the domain group and my domain user all the privileges via net sam, which
seemed to work.
I still get a permission denied on my windows computer management.

I would be very happy for a hint in the right direction. Getting started
with samba4 seems to be a little bit more complicated than I first
thought :)

Thanks and best regards

P.S. here is my smb.conf


  netbiosname = marx-new
  workgroup = SUB1
  security = ADS
  realm = TOP.FOO.BAR
  encrypt passwords = yes

  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config FAK6:backend = ad
  idmap config FAK6:schema_mode = rfc2307
  idmap config FAK6:range = 500-40000

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes

  nsupdate command = /usr/local/bin/samba-nsupdate -g

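Added example (not from the original post, and not a fix for the NT_STATUS_ACCESS_DENIED above): a small linter for the idmap layout of an smb.conf on a member of a multi-domain forest. It encodes two rules from the Samba idmap documentation: every domain whose users or groups the host maps needs its own "idmap config DOMAIN" block, otherwise those accounts silently fall into the "*" default backend (with tdb, IDs are handed out first-come-first-serve and differ between hosts), and ID ranges must not overlap each other or the local system account space. POSTED_CONF is a copy of the idmap-relevant lines quoted above; FIXED_CONF, the 1000 ceiling for local accounts, and the choice of SUB1 and TOP as the domains in use are my assumptions for illustration. Run against the posted config it reports that neither SUB1 nor TOP has an explicit block, that the FAK6 block matches no domain in use, and that the FAK6 range starts below 1000.

```python
"""Sanity-check the idmap layout of an smb.conf for a multi-domain AD member.

Added example, not the poster's code. Rules implemented:
  * each domain in use needs an explicit 'idmap config DOMAIN' block,
  * every block needs a range, and ranges must not overlap,
  * ranges should not start inside the local system account ID space.
"""
import re

# Constructed copy of the idmap-relevant lines of the smb.conf quoted in the post.
POSTED_CONF = """
  workgroup = SUB1
  security = ADS
  realm = TOP.FOO.BAR
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config FAK6:backend = ad
  idmap config FAK6:schema_mode = rfc2307
  idmap config FAK6:range = 500-40000
"""

# Constructed alternative (an assumption, not a known fix for the post): explicit
# blocks for the joined domain and for the domain the user accounts live in.
FIXED_CONF = """
  workgroup = SUB1
  security = ADS
  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config SUB1 : backend = ad
  idmap config SUB1 : schema_mode = rfc2307
  idmap config SUB1 : range = 10000-999999
  idmap config TOP : backend = ad
  idmap config TOP : schema_mode = rfc2307
  idmap config TOP : range = 1000000-1999999
"""

IDMAP_KEY = re.compile(r"^idmap config ([^:]+):(.+)$")
LOCAL_ID_CEILING = 1000  # assumption: local system accounts live below this UID/GID


def parse_smb_conf(text):
    """Flat key/value parse: comments and section headers skipped, whitespace
    inside keys collapsed, keys lower-cased (smb.conf keys are case-insensitive)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[" ".join(key.split()).lower()] = value.strip()
    return conf


def idmap_blocks(conf):
    """Group 'idmap config DOMAIN:option' keys into {DOMAIN: {option: value}}."""
    blocks = {}
    for key, value in conf.items():
        m = IDMAP_KEY.match(key)
        if m:
            dom = m.group(1).strip().upper()
            blocks.setdefault(dom, {})[m.group(2).strip()] = value
    return blocks


def parse_range(spec):
    lo, hi = (int(x) for x in spec.split("-", 1))
    return lo, hi


def check_idmap(conf, domains_in_use):
    """Return a list of findings; an empty list means the idmap layout looks sane."""
    findings = []
    blocks = idmap_blocks(conf)
    wanted = {d.upper() for d in domains_in_use}
    if "*" not in blocks:
        findings.append("no 'idmap config *' default block")
    for dom in sorted(wanted):
        if dom not in blocks:
            findings.append(f"domain {dom} has no explicit idmap config: its users fall "
                            f"into the '*' default backend and get IDs that differ between hosts")
    for dom in blocks:
        if dom != "*" and dom not in wanted:
            findings.append(f"idmap config {dom} is declared but {dom} is not the workgroup "
                            f"or a domain in use (typo?)")
    ranges = []
    for dom, opts in blocks.items():
        if "range" not in opts:
            findings.append(f"idmap config {dom} has no range")
            continue
        lo, hi = parse_range(opts["range"])
        if lo < LOCAL_ID_CEILING:
            findings.append(f"idmap config {dom} range starts at {lo}, inside the local "
                            f"system account ID space")
        ranges.append((dom, lo, hi))
    for i, (a, alo, ahi) in enumerate(ranges):
        for b, blo, bhi in ranges[i + 1:]:
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"ranges of {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"[{name}]")
        for f in check_idmap(parse_smb_conf(text), ["SUB1", "TOP"]) or ["ok"]:
            print("  -", f)
```

To use it on a real host, read /usr/local/etc/smb4.conf (or wherever your smb.conf lives) into parse_smb_conf and pass the workgroup plus every trusted domain whose accounts you expect to resolve; the "domains in use" list is the one piece of knowledge the script cannot derive from the file itself.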