[Samba] SeDiskOperatorPrivilege and 2012 R2 domain
Tim
lists at kiuni.de
Tue Mar 24 11:40:49 MDT 2015
Hi Tom,
have a look at this:
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
I think this could resolve your problem by using a username mapping on your member server.
Regards
Tim
Am 24. März 2015 18:34:12 MEZ, schrieb "Tom Söderlund" <tom.k.soderlund at gmail.com>:
>Mark,
>
>Below xxx.yyy. is my network prefix.
>
>[global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> server string = Server %v
> security = ADS
> client signing = auto
> client use spnego = yes
> kerberos method = secrets and keytab
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 50
> load printers = No
> printcap name = /dev/null
> idmap config * : backend = tdb
> hosts allow = 127., xxx.yyy.
> cups options = raw
> vfs objects = acl_xattr
> inherit acls = Yes
> map acl inherit = Yes
> store dos attributes = Yes
> browseable = Yes
>
>Some trials below, getent for the group succeeds and mostly everything
>is
>running fine, I can even log in with domain accounts and set file
>permissions that include domain groups and accounts, and with valid
>file
>rights MS terminals can see shares on this server. But giving this
>privilege fails with a bit random results.
>
>[me at server]$ getent group "DOMAIN\Domain Admins"
>domain admins:*:978600512:me.user,administrator
>
>[me at server]$ net rpc rights grant "DOMAIN\Domain Admins"
>SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
>Enter DOMAIN\Administrator's password:
>Could not connect to server server
>Connection failed: NT_STATUS_LOCK_NOT_GRANTED
>
>[me at server]$ net rpc rights grant "DOMAIN\Domain Admins"
>SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>Enter DOMAIN\Administrator's password:
>Failed to grant privileges for DOMAIN\Domain Admins
>(NT_STATUS_ACCESS_DENIED)
>
>[me at server]$ sudo net rpc rights grant "DOMAIN\Domain Admins"
>SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>[sudo] password for me:
>Enter DOMAIN\Administrator's password:
>Failed to grant privileges for DOMAIN\Domain Admins
>(NT_STATUS_ACCESS_DENIED)
>
>-Tom
>
>On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmuehlfeld at samba.org>
>wrote:
>
>> Hello Tom,
>>
>> Am 24.03.2015 um 08:49 schrieb Tom Söderlund:
>>
>>> $ net rpc rights grant 'DOMAIN\Domain Admins'
>SeDiskOperatorPrivilege
>>> -UDOMAIN\\Administrator
>>> Enter DOMAIN\Administrator's password:
>>> Failed to grant privileges for DOMAIN\Domain Admins
>>> (NT_STATUS_ACCESS_DENIED)
>>>
>>> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege
>>> -UDOMAIN\\Administrator
>>> Enter DOMAIN\Administrator's password:
>>> Could not connect to server 127.0.0.1
>>>
>>
>>
>> * Is the group "DOMAIN\Domain Admins" local available? Check with
>> # getent group "DOMAIN\Domain Admins"
>>
>> * Is Samba listening on localhost? Check "interfaces" parameter
>> in your smb.conf. Or add "-S servername" to your "net" command.
>>
>> * Can you post the [global] section of your smb.conf, please?
>>
>>
>>
>> Regards,
>> Marc
>>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list