[Samba] Member Server SeDiskOperatorPrivilege

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 9 09:56:59 MST 2015

On 09/01/15 16:48, Tim wrote:
> Definitely.
> With backend=ad only two users can be seen by getent passwd. Then 
> changing backend=rid, all users are resolved by getent passwd.
> On 9 January 2015 17:09:19 CET, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>     On 09/01/15 15:45, Tim wrote:
>         That's what I tried to say. I set the gid/uid attribs in Unix
>         tab. On 9 January 2015 16:44:28 CET, Rowland Penny
>         <rowlandpenny at googlemail.com> wrote: On 09/01/15 15:40, Tim wrote:
>             When I switch back to backend ad, getent passwd returns
>             nothing - getent group only returns by adding a dedicated
>             group name. There is at least one user and one group with
>             Id set in ad.
>         Yes, but do *any* of your AD users have a uidNumber attribute.
>         Rowland
>             On 9 January 2015 16:29:39 CET, Rowland Penny
>             <rowlandpenny at googlemail.com> wrote: On 09/01/15 15:19, Tim
>             wrote: I switched to rid module of idmapping and now
>             winbind offers all groups and I can set
>             SeDiskOperatorPrivilege. getent group and getent passwd
>             are now working! On 9 January 2015 15:21:32 CET, Rowland
>             Penny <rowlandpenny at googlemail.com> wrote: On 09/01/15
>             13:47, Tim wrote: Hello all, I have an AD DC based on
>             CentOS7 with sernet samba 4.1.14 with rfc2307 and function
>             level 2008_R2. This one works so far and I can manage the
>             AD from a windows client. Now I set up a member server
>             based on CentOS7 with sernet samba 4.1.14 just like the
>             wiki advises with the same smb.conf (realm etc. is
>             configured to my needs). I joined the AD and configured
>             nsswitch. wbinfo works so far but getent passwd or getent
>             group doesn't list domain objects. getent group testgroup1
>             works, but getent passwd testuser1 does not. I created a
>             share in smb.conf. Now I want to set the
>             SeDiskOperatorPrivilege like the wiki advises. But it
>             doesn't work. It says that it can't connect to server
>    <> <>
>             <>. I tried it with net rpc rights grant
>             'DOM\Domain Admins' SeDiskOperatorPrivilege
>             -U'DOM\administrator' Now I can not access the server from
>             windows to set share permissions. What to do? The wiki
>             told nothing about kerberos so I did not do anything to
>             it. Thanks in advance Hi, you appear to be the second
>             person in two days having a similar, if not the same
>             problem with the sernet packages. I don't think it is a
>             kerberos problem, can you check if you have
>             'libnss_winbind.so.2' anywhere. Rowland I take it from
>             this, that you do not have any uidNumber or gidNumber
>             attributes in AD. Rowland
>     OK, then were they inside the range set in smb.conf i.e. idmap config
>     DOMAIN : range = 10000-999999
>     Rowland

That is strange, if you use the winbind 'ad' backend and have AD users 
with a uidNumber, then all the users with uidNumbers should be shown by 
getent passwd, but any users without a uidNumber will not be shown.

The 'rid' backend works differently, it allocates id numbers to each and 
every user.
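
The difference between the two backends discussed in this thread, as an added example that is not part of the original message or of Samba's own code: it models which accounts resolve under `ad` (only those with a uidNumber inside the configured range) and under `rid` (every account, using the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID). The smb.conf fragment, the account names, RIDs and uidNumbers are constructed sample data, and the helper function names are hypothetical.

```python
import re

# Constructed smb.conf fragment; DOM and the range follow the thread.
SMB_CONF = """
[global]
    idmap config DOM : backend = ad
    idmap config DOM : schema_mode = rfc2307
    idmap config DOM : range = 10000-999999
"""

# Constructed AD accounts: (sAMAccountName, RID, uidNumber or None).
USERS = [
    ("administrator", 500, None),    # no rfc2307 attribute set
    ("testuser1", 1105, 10001),      # uidNumber inside the range
    ("testuser2", 1106, 5000),       # uidNumber below the range
    ("testuser3", 1107, None),
]

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config <domain> : range = low-high'."""
    m = re.search(r"idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
                  % re.escape(domain), conf)
    if m is None:
        raise ValueError("no idmap range configured for " + domain)
    return int(m.group(1)), int(m.group(2))

def map_ad(users, low, high):
    """'ad' backend: only accounts whose uidNumber lies in the range resolve."""
    return {name: uid for name, _rid, uid in users
            if uid is not None and low <= uid <= high}

def map_rid(users, low, high, base_rid=0):
    """'rid' backend: uid = RID - base_rid + low, for every account that fits."""
    mapped = {}
    for name, rid, _uid in users:
        uid = rid - base_rid + low
        if low <= uid <= high:
            mapped[name] = uid
    return mapped

if __name__ == "__main__":
    low, high = idmap_range(SMB_CONF, "DOM")
    print("ad :", map_ad(USERS, low, high))
    print("rid:", map_rid(USERS, low, high))
```

In this sample testuser1 maps to a different uid under each backend, so files already owned by the `ad` uid would not belong to that user after a switch to `rid`.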

