[Samba] Member Server SeDiskOperatorPrivilege

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 9 08:44:28 MST 2015

On 09/01/15 15:40, Tim wrote:
> When I switch back to backend ad, getent passwd returns nothing - 
> getent group only returns by adding a dedicated group name.
> There is at least one user and one group with Id set in ad.

Yes, but do *any* of your AD users have a uidNumber attribute?


> On 9 January 2015 16:29:39 CET, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>     On 09/01/15 15:19, Tim wrote:
>         I switched to rid module of idmapping and now winbind offers
>         all groups and I can set SeDiskOperatorPrivilege. getent group
>         and getent passwd are now working!
>
>         On 9 January 2015 15:21:32 CET, Rowland Penny
>         <rowlandpenny at googlemail.com> wrote:
>             On 09/01/15 13:47, Tim wrote:
>                 Hello all,
>
>                 I have an AD DC based on CentOS7 with sernet samba
>                 4.1.14 with rfc2307 and function level 2008_R2. This
>                 one works so far and I can manage the AD from a
>                 Windows client.
>
>                 Now I setup a member server based on CentOS7 with
>                 sernet samba 4.1.14 just like the wiki advises with
>                 the same smb.conf (realm etc is configured to my
>                 needs). I joined the AD and configured nsswitch.
>                 wbinfo works so far but getent passwd or getent group
>                 doesn't list domain objects. getent group testgroup1
>                 works, but getent passwd testuser1 does not.
>
>                 I created a share in smb.conf. Now I want to set the
>                 SeDiskOperatorPrivilege like the wiki advises. But it
>                 doesn't work. It says that it can't connect to server
>                 <> <>. I tried it with
>
>                 net rpc rights grant 'DOM\Domain Admins' SeDiskOperatorPrivilege -U'DOM\administrator'
>
>                 Now I can not access the server from Windows to set
>                 share permissions. What to do? The wiki told nothing
>                 about Kerberos so I did not do anything to it.
>
>                 Thanks in advance
>
>             Hi, you appear to be the second person in two days having
>             a similar, if not the same problem with the sernet
>             packages. I don't think it is a Kerberos problem, can you
>             check if you have 'libnss_winbind.so.2' anywhere.
>
>             Rowland
>     I take it from this, that you do not have any uidNumber or gidNumber
>     attributes in AD.
>     Rowland
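
The question asked in this message (do any AD objects carry uidNumber or gidNumber?) can be checked against an LDIF dump of the user and group objects, since winbind's `ad` idmap backend reads those attributes while `rid` does not need them. This is an added example, not part of the original thread: the LDIF is constructed, the DNs and ID values are made up, and the 10000-999999 range stands in for whatever range the member server's idmap config sets.

```python
import re

# Constructed LDIF, shaped like ldapsearch/ldbsearch output (DNs and IDs are made up).
SAMPLE_LDIF = """\
dn: CN=testuser1,CN=Users,DC=example,DC=com
sAMAccountName: testuser1

dn: CN=testuser2,CN=Users,DC=example,DC=com
sAMAccountName: testuser2
uidNumber: 10001

dn: CN=testuser3,CN=Users,DC=example,DC=com
sAMAccountName: testuser3
uidNumber: 500

dn: CN=testgroup1,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: testgroup1
gidNumber: 10000
"""

def parse_ldif(text):
    """Split LDIF into entries mapping lower-cased attribute -> list of values.
    Assumes plain 'attr: value' lines (no folded or base64 '::' values)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(key.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(entries, low, high):
    """Return {name: reason} for objects the ad backend cannot map to a Unix ID."""
    problems = {}
    for e in entries:
        attr = "gidNumber" if "group" in e.get("objectclass", []) else "uidNumber"
        name = e.get("samaccountname", ["?"])[0]
        ids = e.get(attr.lower())
        if not ids:
            problems[name] = "no " + attr        # invisible to getent with backend ad
        elif not low <= int(ids[0]) <= high:
            problems[name] = f"{attr} {ids[0]} outside {low}-{high}"
    return problems

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF), 10000, 999999))
```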
