[Samba] SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE
Steffen Weißgerber
steffen at weiszgerber.de
Thu Oct 1 13:32:05 UTC 2015
Hmm why,
the guy at
https://raymii.org/s/tutorials/SAMBA_Share_with_Active_Directory_Login_on_Ubuntu_12.04.html
does exactly this.
Also the manpage e.g. for smb.conf describes the config for a connection
to an AD.
And after granting file rights to the share via
setfacl -m g:domänen-admins:rwx /var/samba/test
I can mkdir and grant rights to other users/groups from the security
tab on a Windows client.
Maybe version 3.6 is not as full featured as the 4.x versions, but AD
integration should work.
Is there a way to monitor/log the net rpc call to check the availability
of the SeDiskOperatorPrivilege on AD side?
Regards
Steffen
Am 01.10.2015 um 15:07 schrieb mathias dufresne:
> As far as I understood this privilege is available only for domains which
> are Active Directory domains.
> As you are using Samba 3.6 you shouldn't have AD domain but NT4 domain.
>
> 2015-10-01 14:49 GMT+02:00 Steffen Weißgerber <steffen at weiszgerber.de>:
>
> Am 28.09.2015 um 13:22 schrieb Rowland Penny:
>>>> On 28/09/15 11:30, Steffen Weißgerber wrote:
>>>> Hello,
>>>>
>>>> after configuring kerberos and winbind for authentication against an AD
>>>> (Windows 2008 R2) and successfully launching getent passwd I followed the
>>>> instructions https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>>>> for granting the SeDiskOperatorPrivilege.
>>>> But I get a failure with a NT_STATUS_NO_SUCH_PRIVILEGE error.
>>>>
>>>> net rpc rights list accounts -U'<Domain>\Administrator' -I<AD-host>
>>>> does not list the SeDiskOperatorPrivilege.
>>>>
>>>> Why is this missing?
>>>>
>>>> Nevertheless creating directories and granting access to these to
>>>> other AD accounts works well.
>>>>
>>>> The global section of my smb.conf is as follows:
>>>>
>>>> [global]
>>>> workgroup = DKDB
>>>> server string = Samba Test
>>>> security = ads
>>>> realm = DKDB.KN
>>>> winbind use default domain = yes
>>>> winbind refresh tickets = yes
>>>> max protocol = SMB2
>>>> hide unreadable = yes
>>>> idmap config * : backend = rid
>>>> idmap config * : range = 10000-20000
>>>> #syslog only = yes
>>>> disable netbios = yes
>>>> log file = /var/log/samba/log.%m
>>>> log level = 3
>>>> max log size = 50
>>>> vfs objects = acl_xattr
>>>> map acl inherit = Yes
>>>> store dos attributes = Yes
>>>>
>>>> Thanks
>>>>
>>>> Steffen
>>>>>
>>>>
>>>> I don't know if this is your problem, but you seem to have incorrect
>>>> 'idmap config' lines, I would expect to see something like this:
>>>>
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-9999
>>>> idmap config DKDB : backend = rid
>>>> idmap config DKDB : range = 10000-20000
>>>>
>>>> Rowland
>>>>
>>>>
>
> Hi,
>
> I changed the global section to
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config DKDB : backend = rid
> idmap config DKDB : range = 10000-20000
>
> and restarted samba (smbd, winbind). But that did not change anything.
> Is the samba version I use (3.6.25) relevant for this?
>
> Regards
>
> Steffen
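An added example, not part of the original thread: a small Python check that compares the `idmap config` lines of an smb.conf against the layout suggested in the quoted reply (default `*` domain not on `rid`, an explicit entry for the workgroup, non-overlapping ranges). The function names and rule set are hypothetical, the sample configs are constructed from the lines quoted above, and the check covers only the idmap layout, not the NT_STATUS_NO_SUCH_PRIVILEGE error itself.

```python
import re

# Constructed samples: idmap lines as posted, then as suggested in the reply.
ORIGINAL = """[global]
idmap config * : backend = rid
idmap config * : range = 10000-20000
"""
SUGGESTED = """[global]
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DKDB : backend = rid
idmap config DKDB : range = 10000-20000
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)  # lines commented out with # or ; never match
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = val.lower()
    return domains

def check_idmap(conf, workgroup):
    """List deviations from the layout suggested in the reply (hypothetical helper)."""
    d = parse_idmap(conf)
    problems = []
    if d.get("*", {}).get("backend") == "rid":
        problems.append("default domain '*' uses the rid backend")
    if workgroup.upper() not in d:
        problems.append(f"no idmap config for domain {workgroup}")
    ranges = sorted((e["range"], name) for name, e in d.items() if "range" in e)
    for (a, a_name), (b, b_name) in zip(ranges, ranges[1:]):
        if b[0] <= a[1]:
            problems.append(f"ranges of {a_name} and {b_name} overlap")
    return problems

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, check_idmap(conf, "DKDB"))
```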