[Samba] SeDiskOperatorPrivilege and 2012 R2 domain
Tim
lists at kiuni.de
Wed Mar 25 13:40:29 MDT 2015
Don't be scared and take the challenge! :-)
Reduce your smb.conf to the minimum as seen in the member server wiki and try it again. It should work then.
On 25 March 2015 14:47:16 CET, "Tom Söderlund" <tom.k.soderlund at gmail.com> wrote:
>Tim,
>
>Thanks for the hint. Usermap for root applied, locally made requests fail
>now systematically with
>"Could not connect to server <server address>
>Connection failed: NT_STATUS_LOCK_NOT_GRANTED"
>
>It is kind of improvement :) Random things scare me.
>
>-Tom
>
>
>On Tue, Mar 24, 2015 at 7:40 PM, Tim <lists at kiuni.de> wrote:
>
>> Hi Tom,
>>
>> have a look at this:
>> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
>>
>> I think this could resolve your problem by using a username mapping on
>> your member server.
>>
>> Regards
>> Tim
>>
>> On 24 March 2015 18:34:12 CET, "Tom Söderlund" <tom.k.soderlund at gmail.com> wrote:
>>
>>> Mark,
>>>
>>> Below xxx.yyy. is my network prefix.
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN.LOCAL
>>> server string = Server %v
>>> security = ADS
>>> client signing = auto
>>> client use spnego = yes
>>> kerberos method = secrets and keytab
>>> log file = /var/log/samba/log.%m
>>> log level = 3
>>> max log size = 50
>>> load printers = No
>>> printcap name = /dev/null
>>> idmap config * : backend = tdb
>>> hosts allow = 127., xxx.yyy.
>>> cups options = raw
>>> vfs objects = acl_xattr
>>> inherit acls = Yes
>>> map acl inherit = Yes
>>> store dos attributes = Yes
>>> browseable = Yes
>>>
>>> Some trials below, getent for the group succeeds and mostly everything is
>>> running fine, I can even log in with domain accounts and set file
>>> permissions that include domain groups and accounts, and with valid file
>>> rights MS terminals can see shares on this server. But giving this
>>> privilege fails with a bit random results.
>>>
>>> [me at server]$ getent group "DOMAIN\Domain Admins"
>>> domain admins:*:978600512:me.user,administrator
>>>
>>> [me at server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
>>> Enter DOMAIN\Administrator's password:
>>> Could not connect to server server
>>> Connection failed: NT_STATUS_LOCK_NOT_GRANTED
>>>
>>> [me at server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>>> Enter DOMAIN\Administrator's password:
>>> Failed to grant privileges for DOMAIN\Domain Admins
>>> (NT_STATUS_ACCESS_DENIED)
>>>
>>> [me at server]$ sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>>> [sudo] password for me:
>>> Enter DOMAIN\Administrator's password:
>>> Failed to grant privileges for DOMAIN\Domain Admins
>>> (NT_STATUS_ACCESS_DENIED)
>>>
>>> -Tom
>>>
>>> On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>>>
>>>> Hello Tom,
>>>>
>>>> On 24.03.2015 at 08:49, Tom Söderlund wrote:
>>>>
>>>>> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>>>>> Enter DOMAIN\Administrator's password:
>>>>> Failed to grant privileges for DOMAIN\Domain Admins
>>>>> (NT_STATUS_ACCESS_DENIED)
>>>>>
>>>>> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>>>>> Enter DOMAIN\Administrator's password:
>>>>> Could not connect to server 127.0.0.1
>>>>
>>>>
>>>>
>>>>
>>>> * Is the group "DOMAIN\Domain Admins" locally available? Check with
>>>> # getent group "DOMAIN\Domain Admins"
>>>>
>>>> * Is Samba listening on localhost? Check "interfaces" parameter
>>>> in your smb.conf. Or add "-S servername" to your "net" command.
>>>>
>>>> * Can you post the [global] section of your smb.conf, please?
>>>>
>>>>
>>>>
>>>> Regards,
>>>> Marc
>>>
>>>