[Samba] SeDiskOperatorPrivilege and 2012 R2 domain

Tim lists at kiuni.de
Tue Mar 24 11:40:49 MDT 2015


Hi Tom,

Have a look at this:
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

I think this could resolve your problem by using a username mapping on your member server.

Regards
Tim

On 24 March 2015 18:34:12 CET, "Tom Söderlund" <tom.k.soderlund at gmail.com> wrote:
>Mark,
>
>Below xxx.yyy. is my network prefix.
>
>[global]
>    workgroup = DOMAIN
>    realm = DOMAIN.LOCAL
>    server string = Server %v
>    security = ADS
>    client signing = auto
>    client use spnego = yes
>    kerberos method = secrets and keytab
>    log file = /var/log/samba/log.%m
>    log level = 3
>    max log size = 50
>    load printers = No
>    printcap name = /dev/null
>    idmap config * : backend = tdb
>    hosts allow = 127., xxx.yyy.
>    cups options = raw
>    vfs objects = acl_xattr
>    inherit acls = Yes
>    map acl inherit = Yes
>    store dos attributes = Yes
>    browseable = Yes
>
>Some trials below. getent for the group succeeds and mostly everything is
>running fine. I can even log in with domain accounts and set file
>permissions that include domain groups and accounts, and with valid file
>rights MS terminals can see shares on this server. But giving this
>privilege fails with somewhat random results.
>
>[me@server]$ getent group "DOMAIN\Domain Admins"
>domain admins:*:978600512:me.user,administrator
>
>[me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
>Enter DOMAIN\Administrator's password:
>Could not connect to server server
>Connection failed: NT_STATUS_LOCK_NOT_GRANTED
>
>[me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>Enter DOMAIN\Administrator's password:
>Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>
>[me@server]$ sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>[sudo] password for me:
>Enter DOMAIN\Administrator's password:
>Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>
>-Tom
>
>On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmuehlfeld at samba.org>
>wrote:
>
>> Hello Tom,
>>
>> On 24.03.2015 at 08:49, Tom Söderlund wrote:
>>
>>> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>>> Enter DOMAIN\Administrator's password:
>>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>>
>>> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>>> Enter DOMAIN\Administrator's password:
>>> Could not connect to server 127.0.0.1
>>>
>>
>>
>> * Is the group "DOMAIN\Domain Admins" locally available? Check with
>>   # getent group "DOMAIN\Domain Admins"
>>
>> * Is Samba listening on localhost? Check "interfaces" parameter
>>   in your smb.conf. Or add "-S servername" to your "net" command.
>>
>> * Can you post the [global] section of your smb.conf, please?
>>
>>
>>
>> Regards,
>> Marc
>>