[Samba] Member Server SeDiskOperatorPrivilege
BISI
d3r3kshaw at gmail.com
Fri Jan 9 22:58:07 MST 2015
On 15-01-09 09:19 AM, Tim wrote:
> It's definitely a problem with backend ad. I don't know what, but with ad backend I also cannot list rpc rights on the server because it cannot find the user. With rid: no problem.
>
> Bug?
I appear to be about 12 hours behind Tim, except that I am using Debian
7.7, and (now) following Louis van Belle's script for making a member
server with the sernet repos (smbd reports Version
4.1.14-SerNet-Debian-9.wheezy)
The script is at
https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh
Louis' script hangs up at line 406
> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
with
Enter Administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
I chose to set up PAMauth in the script, based on the comment
> ########## pam autheristation modifications.
> ## the original files /etc/pam.d/samba and sshd wil be backuped to *.original
> ## set to 1 if you want winbindd to work.
unfortunately for me, Louis is off enjoying himself on a ski hill somewhere.
any guidance would be greatly appreciated.
BTW - script and sernet packages do not make the links in /lib64 that
the wiki calls for, but the script does replace the default krb5.conf file.
also the DC in this case is a windows 2008 R2 server running at server
2003 forest and domain functional level
And before he left, he also mentioned assigning UID/GID to users/groups
in the AD -- what UID and GID numbers would I assign to a windows DC,
and to which users? The reference he gave didn't really shed any light
on the subject for me.
Thanks in advance!
Derek.
>
>
> Am 9. Januar 2015 17:56:59 MEZ, schrieb Rowland Penny <rowlandpenny at googlemail.com>:
>> On 09/01/15 16:48, Tim wrote:
>>> Definitely.
>>>
>>> With backend=ad only two user can be seen by getent passwd. Then
>>> changing backend=rid, all users are resolved by getent passwd
>>>
>>> Am 9. Januar 2015 17:09:19 MEZ, schrieb Rowland Penny
>>> <rowlandpenny at googlemail.com>:
>>>
>>> On 09/01/15 15:45, Tim wrote:
>>>
>>> That's what I tried to say. I set the gid/uid attribs in Unix
>>> tab. Am 9. Januar 2015 16:44:28 MEZ, schrieb Rowland Penny
>>> <rowlandpenny at googlemail.com>: On 09/01/15 15:40, Tim wrote:
>>>
>>> When I switch back to backend ad, getent passwd returns
>>> nothing - getent group only returns by adding a dedicated
>>> group name. There is at least one user and one group with
>>> Id set in ad.
>>>
>>> Yes, but do *any* of your AD users have a uidNumber
>> attribute.
>>> Rowland
>>>
>>> Am 9. Januar 2015 16:29:39 MEZ, schrieb Rowland Penny
>>> <rowlandpenny at googlemail.com>: On 09/01/15 15:19, Tim
>>> wrote: I switched to rid module of idmapping and now
>>> winbind offers all groups and I can set
>>> SeDiskOperatorPrivilege. getent group and getent passwd
>>> are now working! Am 9. Januar 2015 15:21:32 MEZ, schrieb
>>> Rowland Penny <rowlandpenny at googlemail.com>: On 09/01/15
>>> 13:47, Tim wrote: Hello all, I have a AD DC based on
>>> CentOS7 with sernet samba 4.1.14 with rfc2307 and
>> function
>>> level 2008_R2. This one works so far and I can manage the
>>> AD from a windows client. Now I setup a member server
>>> based on CentOS7 with sernet samba 4.1.14 just like the
>>> wiki advises with the same smb.conf (realm etc is
>>> configured to my needs. I joined the AD and configured
>>> nsswitch. wbinfo works so far but getent passwd or getent
>>> group doesn't list domain objects. getent group
>> testgroup1
>>> works, but getent passwd testuser1 does not. I created a
>>> share in smb.conf. Now I want to set the
>>> SeDiskOperatorPrivilege like the wiki advises. But it
>>> doesn't work. It says that it can't connect to server
>>> 127.0.0.1 <http://127.0.0.1> <http://127.0.0.1>
>>> <http://127.0.0.1>. I tried it with net rpc rights grant
>>> 'DOM\Domain Admins' SeDiskOperatorPrivilege
>>> -U'DOM\administrator' Now I can not access the server
>> from
>>> windows to set share permissions. What to do? The wiki
>>> told nothing about kerberos so I did not do anything to
>>> it. Thanks in advance Hi, you appear to be the second
>>> person in two days having a similar, if not the same
>>> problem with the sernet packages. I don't think it is a
>>> kerberos problem, can you check if you have
>>> 'libnss_winbind.so <http://winbind.so>
>> <http://winbind.so>
>>> <http://winbind.so>.2' anywhere. Rowland I take it from
>>> this, that you do not have any uidNumber or gidNumber
>>> attributes in AD. Rowland
>>>
>>>
>>> OK, then where they inside the range set in smb.conf i.e. idmap
>> config
>>> DOMAIN : range = 10000-999999
>>>
>>> Rowland
>>>
>>
>> That is strange, if you use the winbind 'ad' backend and have AD users
>> with a uidNumber, then all the users with uidNumbers should be shown by
>>
>> getent passwd, but any users without a uidNumber will not be shown.
>>
>> The 'rid' backend works differently, it allocates id numbers to each
>> and
>> every user.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list