[Samba] Member Server SeDiskOperatorPrivilege

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 9 09:09:19 MST 2015


On 09/01/15 15:45, Tim wrote:
> That's what I tried to say. I set the gid/uid attribs in Unix tab.
>
> On 9 January 2015 at 16:44:28 CET, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
>     On 09/01/15 15:40, Tim wrote:
>>     When I switch back to backend ad, getent passwd returns nothing -
>>     getent group only returns by adding a dedicated group name.
>>     There is at least one user and one group with Id set in ad.
>>
>
>     Yes, but do *any* of your AD users have a uidNumber attribute?
>
>     Rowland
>
>>     On 9 January 2015 at 16:29:39 CET, Rowland Penny
>>     <rowlandpenny at googlemail.com> wrote:
>>
>>         On 09/01/15 15:19, Tim wrote:
>>
>>             I switched to rid module of idmapping and now winbind
>>             offers all groups and I can set SeDiskOperatorPrivilege.
>>             getent group and getent passwd are now working!
>>
>>             On 9 January 2015 at 15:21:32 CET, Rowland Penny
>>             <rowlandpenny at googlemail.com> wrote:
>>
>>             On 09/01/15 13:47, Tim wrote:
>>
>>             Hello all,
>>
>>             I have an AD DC based on CentOS7 with sernet samba 4.1.14
>>             with rfc2307 and function level 2008_R2. This one works so
>>             far and I can manage the AD from a windows client.
>>
>>             Now I setup a member server based on CentOS7 with sernet
>>             samba 4.1.14 just like the wiki advises with the same
>>             smb.conf (realm etc. is configured to my needs). I joined
>>             the AD and configured nsswitch. wbinfo works so far but
>>             getent passwd or getent group doesn't list domain objects.
>>             getent group testgroup1 works, but getent passwd testuser1
>>             does not.
>>
>>             I created a share in smb.conf. Now I want to set the
>>             SeDiskOperatorPrivilege like the wiki advises. But it
>>             doesn't work. It says that it can't connect to server
>>             127.0.0.1. I tried it with
>>
>>             net rpc rights grant 'DOM\Domain Admins' SeDiskOperatorPrivilege -U'DOM\administrator'
>>
>>             Now I can not access the server from windows to set share
>>             permissions. What to do? The wiki told nothing about
>>             kerberos so I did not do anything to it.
>>
>>             Thanks in advance
>>
>>             Hi, you appear to be the second person in two days having
>>             a similar, if not the same problem with the sernet
>>             packages. I don't think it is a kerberos problem, can you
>>             check if you have 'libnss_winbind.so.2' anywhere.
>>
>>             Rowland
>>
>>
>>
>>         I take it from this, that you do not have any uidNumber or gidNumber
>>         attributes in AD.
>>
>>         Rowland
>>
>

OK, then were they inside the range set in smb.conf, i.e. idmap config 
DOMAIN : range = 10000-999999?

Rowland
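
The range check asked about above, as an added example that is not part of the original thread: with the ad backend, an account is only mapped when its uidNumber is set and lies inside the configured idmap range. The smb.conf fragment, the `*` default-domain lines, the account names other than testuser1 and all ID values are constructed for illustration.

```python
import re

# Constructed smb.conf fragment. The DOMAIN range is the one quoted in the
# message above; the "*" default-domain lines are assumed for illustration.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 10000-999999
"""

# Constructed AD export: names modelled on the thread, ID values invented.
AD_USERS = [
    {"name": "testuser1", "uidNumber": None},    # attribute never set
    {"name": "testuser2", "uidNumber": 500},     # set, but below the range
    {"name": "testuser3", "uidNumber": 10001},   # set and inside the range
]

IDMAP_LINE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}}, with 'range' parsed to (low, high)."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_LINE.match(line)   # comment lines (# or ;) never match
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        if option == "range":
            low, high = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value).groups()
            value = (int(low), int(high))
        domains.setdefault(domain, {})[option] = value
    return domains

def classify(objects, attr, id_range):
    """Label each object 'missing', 'out of range' or 'ok' for the ID attribute."""
    low, high = id_range
    result = {}
    for obj in objects:
        value = obj.get(attr)
        status = "missing" if value is None else "ok" if low <= value <= high else "out of range"
        result[obj["name"]] = status
    return result

if __name__ == "__main__":
    rng = parse_idmap(SMB_CONF)["DOMAIN"]["range"]
    for name, status in classify(AD_USERS, "uidNumber", rng).items():
        print(f"{name}: uidNumber {status}")
```

The same `classify` call works for groups by passing `"gidNumber"` as the attribute.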


