[Samba] Member Server SeDiskOperatorPrivilege

Tim rintimtim at gmx.net
Fri Jan 9 08:40:55 MST 2015


When I switch back to backend ad, getent passwd returns nothing - getent group only returns by adding a dedicated group name.
There is at least one user and one group with ID set in AD.

On 9 January 2015 16:29:39 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>On 09/01/15 15:19, Tim wrote:
>> I switched to rid module of idmapping and now winbind offers all 
>> groups and I can set SeDiskOperatorPrivilege.
>>
>> getent group and getent passwd are now working!
>>
>>
>>
>> On 9 January 2015 15:21:32 CET, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>>     On 09/01/15 13:47, Tim wrote:
>>
>>         Hello all, I have an AD DC based on CentOS7 with sernet samba
>>         4.1.14 with rfc2307 and function level 2008_R2. This one works
>>         so far and I can manage the AD from a Windows client. Now I
>>         set up a member server based on CentOS7 with sernet samba
>>         4.1.14 just like the wiki advises with the same smb.conf
>>         (realm etc. is configured to my needs). I joined the AD and
>>         configured nsswitch. wbinfo works so far but getent passwd or
>>         getent group doesn't list domain objects. getent group
>>         testgroup1 works, but getent passwd testuser1 does not. I
>>         created a share in smb.conf. Now I want to set the
>>         SeDiskOperatorPrivilege like the wiki advises. But it doesn't
>>         work. It says that it can't connect to server 127.0.0.1.
>>         I tried it with net rpc rights grant
>>         'DOM\Domain Admins' SeDiskOperatorPrivilege
>>         -U'DOM\administrator'
>>         Now I cannot access the server from
>>         Windows to set share permissions. What to do? The wiki told
>>         nothing about kerberos so I did not do anything to it. Thanks
>>         in advance
>>
>>
>>     Hi, you appear to be the second person in two days having a similar,
>>     if not the same problem with the sernet packages. I don't think it is
>>     a kerberos problem, can you check if you have 'libnss_winbind.so.2'
>>     anywhere.
>>
>>     Rowland
>>
>
>I take it from this, that you do not have any uidNumber or gidNumber 
>attributes in AD.
>
>Rowland
>

