[Samba] SeDiskOperatorPrivilege and 2012 R2 domain

Tom Söderlund tom.k.soderlund at gmail.com
Tue Mar 24 11:34:12 MDT 2015


Mark,

Below, xxx.yyy. is my network prefix.

[global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    server string = Server %v
    security = ADS
    client signing = auto
    client use spnego = yes
    kerberos method = secrets and keytab
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 50
    load printers = No
    printcap name = /dev/null
    idmap config * : backend = tdb
    hosts allow = 127., xxx.yyy.
    cups options = raw
    vfs objects = acl_xattr
    inherit acls = Yes
    map acl inherit = Yes
    store dos attributes = Yes
    browseable = Yes

Some trials are below. getent for the group succeeds and mostly everything is
running fine; I can even log in with domain accounts and set file
permissions that include domain groups and accounts, and with valid file
rights MS terminals can see shares on this server. But giving this
privilege fails with somewhat random results.

[me@server]$ getent group "DOMAIN\Domain Admins"
domain admins:*:978600512:me.user,administrator

[me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
Enter DOMAIN\Administrator's password:
Could not connect to server server
Connection failed: NT_STATUS_LOCK_NOT_GRANTED

[me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

[me@server]$ sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
[sudo] password for me:
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

-Tom

On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmuehlfeld at samba.org>
wrote:

> Hello Tom,
>
> On 24.03.2015 at 08:49, Tom Söderlund wrote:
>
>> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>> Enter DOMAIN\Administrator's password:
>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>
>> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>> Enter DOMAIN\Administrator's password:
>> Could not connect to server 127.0.0.1
>>
>
>
> * Is the group "DOMAIN\Domain Admins" locally available? Check with
>   # getent group "DOMAIN\Domain Admins"
>
> * Is Samba listening on localhost? Check "interfaces" parameter
>   in your smb.conf. Or add "-S servername" to your "net" command.
>
> * Can you post the [global] section of your smb.conf, please?
>
>
>
> Regards,
> Marc
>

