[Samba] SeDiskOperatorPrivilege and 2012 R2 domain
Tom Söderlund
tom.k.soderlund at gmail.com
Wed Mar 25 07:47:16 MDT 2015
Tim,
Thanks for the hint. Usermap for root applied, locally made requests fail
now systematically with
"Could not connect to server <server address>
Connection failed: NT_STATUS_LOCK_NOT_GRANTED"
It is kind of an improvement :) Random things scare me.
-Tom
On Tue, Mar 24, 2015 at 7:40 PM, Tim <lists at kiuni.de> wrote:
> Hi Tom,
>
> have a look at this:
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
>
> I think this could resolve your problem by using a username mapping on
> your member server.
>
> Regards
> Tim
>
> On 24 March 2015 18:34:12 CET, "Tom Söderlund" <tom.k.soderlund at gmail.com> wrote:
>
>> Mark,
>>
>> Below xxx.yyy. is my network prefix.
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.LOCAL
>> server string = Server %v
>> security = ADS
>> client signing = auto
>> client use spnego = yes
>> kerberos method = secrets and keytab
>> log file = /var/log/samba/log.%m
>> log level = 3
>> max log size = 50
>> load printers = No
>> printcap name = /dev/null
>> idmap config * : backend = tdb
>> hosts allow = 127., xxx.yyy.
>> cups options = raw
>> vfs objects = acl_xattr
>> inherit acls = Yes
>> map acl inherit = Yes
>> store dos attributes = Yes
>> browseable = Yes
>>
>> Some trials below, getent for the group succeeds and mostly everything is
>> running fine, I can even log in with domain accounts and set file
>> permissions that include domain groups and accounts, and with valid file
>> rights MS terminals can see shares on this server. But giving this
>> privilege fails with somewhat random results.
>>
>> [me at server]$ getent group "DOMAIN\Domain Admins"
>> domain admins:*:978600512:me.user,administrator
>>
>> [me at server]$ net rpc rights grant "DOMAIN\Domain Admins"
>> SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
>> Enter DOMAIN\Administrator's password:
>> Could not connect to server server
>> Connection failed: NT_STATUS_LOCK_NOT_GRANTED
>>
>> [me at server]$ net rpc rights grant "DOMAIN\Domain Admins"
>> SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>> Enter DOMAIN\Administrator's password:
>> Failed to grant privileges for DOMAIN\Domain Admins
>> (NT_STATUS_ACCESS_DENIED)
>>
>> [me at server]$ sudo net rpc rights grant "DOMAIN\Domain Admins"
>> SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>> [sudo] password for me:
>> Enter DOMAIN\Administrator's password:
>> Failed to grant privileges for DOMAIN\Domain Admins
>> (NT_STATUS_ACCESS_DENIED)
>>
>> -Tom
>>
>> On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmuehlfeld at samba.org>
>> wrote:
>>
>>> Hello Tom,
>>>
>>> On 24.03.2015 at 08:49, Tom Söderlund wrote:
>>>
>>>> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege
>>>> -UDOMAIN\\Administrator
>>>> Enter DOMAIN\Administrator's password:
>>>> Failed to grant privileges for DOMAIN\Domain Admins
>>>> (NT_STATUS_ACCESS_DENIED)
>>>>
>>>> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege
>>>> -UDOMAIN\\Administrator
>>>> Enter DOMAIN\Administrator's password:
>>>> Could not connect to server 127.0.0.1
>>>
>>> * Is the group "DOMAIN\Domain Admins" available locally? Check with
>>> # getent group "DOMAIN\Domain Admins"
>>>
>>> * Is Samba listening on localhost? Check "interfaces" parameter
>>> in your smb.conf. Or add "-S servername" to your "net" command.
>>>
>>> * Can you post the [global] section of your smb.conf, please?
>>>
>>>
>>>
>>> Regards,
>>> Marc
>>
>>