[Samba] RHEL 7.1 and Samba 4.1.12 partial success

Jay Bietz bietz at pasco.com
Fri May 22 09:43:41 MDT 2015


I'm having issues with a couple of areas of Samba Setup.
I can see (from my Win 8.1 workstation) the shares for the server for my test share \\p30\download and \\p30\bietz, my home folder.

I don't have permissions to access the folders and/or can't create or delete files.

I had an upgraded Active Directory domain from Windows server 2003 to Windows 2012 R2 AD domain controllers.
I also use Webmin Version 1.75 to admin Samba ...

In the document "Setup a Samba AD Member Server", last release, page ~8 -
Setting up PAM Auth...
I see the addition below.
account  [default=bad success=ok user_unknown=ignore] pam_winbind.so  # <-- add this line
but my choices for pam_winbind.so are in a drop-down, and my choices are:
Sufficient (Success authentication immediately on success)
Optional (Success or failure is ignored)
Required (Fail Authentication at end on failure)
Requisite (Fail Authentication Immediately on failure)

Nothing like the [default=bad success=ok user_unknown=ignore] in the documentation.
Q: What is the correct value to use?

Also the line in the same PAM Auth area
account     required      pam_unix.so broken_shadow
I'm not allowed to add broken_shadow as a parameter.
Q: Is this a problem?

In the document "Setup_and_configure_file_shares_with_windows_ACL#Related_documentation",
area SeDiskOperatorPrivilege:

I use the command for adding SeDiskOperatorPrivilege and when I run the command as seen below I have an error.


[root@p30 samba]# net rpc rights grant 'ROSEVILLE\Domain Admins' SeDiskOperatorPrivilege -U 'ROSEVILLE\admin' -I pas-vad01.roseville.pasco.com -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "socket address" option is deprecated
WARNING: The "enable privileges" option is deprecated
interpret_interface: Adding interface 172.16.1.30/255.255.0.0
added interface 172.16.1.30/255 ip=172.16.1.30 bcast=172.16.255.255 netmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter ROSEVILLE\adminp20's password:
Connecting to 172.16.0.24 at port 445
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Failed to grant privileges for ROSEVILLE\Domain Admins (NT_STATUS_NO_SUCH_PRIVILEGE)
rpc command function failed! (NT_STATUS_NO_SUCH_PRIVILEGE)
return code = -1



I do see that BUILTIN\Administrators has SeDiskOperatorPrivilege listed, so what am I doing wrong?



[root@p30 samba]# net rpc rights list accounts -U'ROSEVILLE\adminp20'
Enter ROSEVILLE\adminp20's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

Thanks for your time
Jay Bietz
IT & Facilities Manager,
bietz at pasco.com

PASCO scientific
10101 Foothills Blvd
Roseville, CA  95747
916 786 3800 ext 8350 Direct
916 786 8905 Fax
www.pasco.com
Celebrating 50 years of innovation in science education

NOTICE: The information contained in this email and any document attached hereto is intended only for the named recipient(s). If you are not the intended recipient, nor the employee or agent responsible for delivering this message in confidence to the intended recipient(s), you are hereby notified that you have received this transmittal in error, and any review, dissemination, distribution or copying of this transmittal or its attachments is strictly prohibited. If you have received this transmittal and/or attachments in error, please notify me immediately by reply e-mail and then delete this message, including any attachments.
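
Added example, not part of the original post: a small shell helper for auditing which accounts hold a given privilege, parsing the "net rpc rights list accounts" layout shown in the message. The function names, the EXAMPLE\... accounts and the allow-list are assumptions made for illustration; the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original post).
# holders_of PRIV: read `net rpc rights list accounts` output on stdin and
# print each account that holds PRIV.
# Assumption: Se<Name>Privilege lines are privileges; blank lines, the
# password prompt and "No privileges assigned" are skipped; any other line
# is the account that the following privileges belong to.
holders_of() {
    awk -v want="$1" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" || $0 == "No privileges assigned" { next }
        /^Enter .* password:$/ { next }
        /^Se[A-Za-z]+Privilege$/ {
            if ($0 == want && account != "") print account
            next
        }
        { account = $0 }
    '
}

# unexpected_holders PRIV ALLOWED: holders of PRIV that are not in the
# newline-separated allow-list ALLOWED (matched as exact, literal lines).
unexpected_holders() {
    holders_of "$1" | grep -F -x -v -e "$2" || true
}

# Constructed sample in the layout shown above; EXAMPLE\... is made up.
sample_output() {
    cat <<'EOF'
Enter EXAMPLE\auditor's password:
BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Administrators
SeBackupPrivilege
SeDiskOperatorPrivilege

EXAMPLE\helpdesk
SeDiskOperatorPrivilege

Everyone
No privileges assigned
EOF
}

sample_output | unexpected_holders SeDiskOperatorPrivilege 'BUILTIN\Administrators'
```

Against a live server, pipe the real command output into holders_of instead of sample_output; because accounts are recognised by line content rather than by blank-line position, double-spaced copies of the output parse the same way.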

