[Samba] SeDiskOperatorPrivilege and 2012 R2 domain

Tom Söderlund tom.k.soderlund at gmail.com
Tue Mar 24 01:49:28 MDT 2015


(Re-posting to list also.. Sorry forgot Cc. -Tom)

Marc,

Thanks for your help and clarifications. I was indeed addressing the domain
controller (2012 R2) due to my misunderstanding. Addressing the request at
the file server (Samba 4) to the file server fails too but with different
errors. Rights list succeeds.

$ net rpc rights list accounts -UDOMAIN\\Administrator
Enter DOMAIN\Administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

$ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

$ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
Enter DOMAIN\Administrator's password:
Could not connect to server 127.0.0.1

Thanks for any info,
-Tom


On Mon, Mar 23, 2015 at 11:59 PM, Marc Muehlfeld <mmuehlfeld at samba.org>
wrote:

> Hello Tom,
>
> On 23.03.2015 at 21:31, Tom Söderlund wrote:
>
>> Giving a domain user group privilege SeDiskOperatorPrivilege fails with
>> NT_STATUS_NO_SUCH_PRIVILEGE.
>>
>> The domain is controlled by a MS 2012 R2 DC. Has this privilege been
>> renamed or replaced with some other privilege? How to give the domain user
>> group necessary rights for defining file share permission settings from MS
>> environment?
>>
>> The RHEL 7 file server is running Samba 4.1.1-38 and the id management is
>> done by SSSD 1.12.2.
>>
>
>
> The grant is done on the member server. So the privilege is something on the
> member server and not on the DC.
>
> Have you ensured that "enable privileges" is not turned off somewhere in
> your smb.conf? If it's not there, then it's enabled - that's the default.
>
>
> What is the output of
> # net rpc rights list accounts -U'SAMDOM\administrator'
>
> To grant the privilege to the Domain Admins group, for example, run:
> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'
>
>
> Regards,
> Marc
>
>
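
An added example, not part of the original thread and not Samba code: a POSIX shell filter that parses `net rpc rights list accounts` output in the format shown above and reports which accounts on the member server hold a given privilege, flagging any outside an allow-list. The function names are hypothetical, the sample listing is constructed, and the `DOMAIN\Unix-admins` holder in it is an assumption for illustration.

```shell
#!/bin/sh
# holders_of PRIVILEGE
# Reads `net rpc rights list accounts` output on stdin and prints every
# account whose block lists PRIVILEGE. Blocks are separated by blank lines;
# the first line of a block is the account, the rest are its privileges.
holders_of() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                   # tolerate CRLF captures
        /^[ \t]*$/ { acct = ""; next }       # blank line closes a block
        /^Enter .*password:/ { next }        # prompt line is not an account
        acct == "" { acct = $0; next }       # first line of a block
        $0 == want { print acct }            # privilege line matches
    '
}

# unexpected_holders PRIVILEGE ALLOWED_ACCOUNT...
# Prints holders of PRIVILEGE that are not in the allow-list.
unexpected_holders() {
    priv=$1; shift
    holders_of "$priv" | while IFS= read -r acct; do
        ok=0
        for allowed in "$@"; do
            if [ "$acct" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$acct"; fi
    done
}

# Constructed sample in the same layout as the listing in the post.
sample_listing() {
    cat <<'EOF'
Enter DOMAIN\Administrator's password:
BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

DOMAIN\Unix-admins
SeDiskOperatorPrivilege

Everyone
No privileges assigned
EOF
}

# Review who can manage shares, allowing only BUILTIN\Administrators.
sample_listing | unexpected_holders SeDiskOperatorPrivilege 'BUILTIN\Administrators'
```

Against a live member server, pipe the real listing into `unexpected_holders` instead of `sample_listing`.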

