[Samba] no access to share permission on a domain member
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Oct 23 09:48:25 UTC 2015
On 23/10/15 10:03, MARTIN boris wrote:
> Hi all, I have a domain server with a test share on it.
>
> But I can't find the way to manage it via Windows.
>
> When I try to modify something on the share permission part, I get an access denied error.
>
> If I put the server in debug mode I get
>
> _srvsvc_NetShareSetInfo: uid 10001 doesn't have the SeDiskOperatorPrivilege privilege needed to modify share demoshare
>
> uid 10001 being the uid of the administrator of the AD
>
> But if I do:
>
> wbinfo -i administrator
> administrator:*:10001:20000:Administrator:/home/Administrator:/bin/sh
> getent passwd | grep 10001
> administrator:*:10001:20000:Administrator:/home/Administrator:/bin/sh
>
> net rpc rights list administrator -U 'XXXX\administrator' -I 'xxxx.bla.fr'
>
> I get:
>
> SeDiskOperatorPrivilege
>
> I have successfully fixed my trouble with this line:
>
> username map = /etc/samba/user.map
>
> that I have added to my smb.conf file, with the user map having the single line
>
> !root = XXXX\Administrator XXXX\administrator
>
> and doing the following command line:
>
> net rpc rights grant 'XXXX\Domain Admins' SeDiskOperatorPrivilege -U'administrator'
>
> So I have one question:
>
> 1) First, is the SeDiskOperatorPrivilege an AD range flag, or a server range flag?
>
> And a call for help, because I have reached the end of my own knowledge of Samba.
>
> 2) Why do I need to play with user.map when, from my point of view, winbind is supposed to do the job?
>
> 3) Is there a way to make things work without playing with the username map command?
>
>
>
> Thanks for your help.

Well, there are two things you could do here, you could either go to the
share and change the ownership to 'Administrator', now that you have
given it a uidNumber, or you could remove the uidNumber from the
Administrator and allow Samba to map it to the Unix 'root' user. On a
DC, this is done automatically, but on a domain member, you would have
to use a 'user.map'.

Either way would give Administrator the required rights to change things
on the Samba machine, but giving Administrator a uidNumber is a bit more
inflexible, as it would have to be made to actually own the directories
etc on the Samba machine.

Rowland
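
An added example, not part of the original messages and not Samba's own code: a simplified Python model of the `username map` file format discussed in this thread, usable to audit which client names a domain member maps to the Unix root user. The sample map is constructed (the thread's single line plus a comment, a quoted name and a wildcard entry); case-insensitive matching is an assumption, and `@group` entries are not expanded.

```python
import re

# Constructed sample: the thread's user.map line plus extra entries for illustration.
SAMPLE_MAP = r'''
# map the domain Administrator to the local root user
!root = XXXX\Administrator XXXX\administrator
guest = "XXXX\Temp User" *
'''


def parse_user_map(text):
    """Return a list of (unix_name, [client_names], stop_on_match) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!' stops processing after a match
        if stop:
            line = line[1:]
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip():
            continue                         # not a "unix = client ..." line
        # Double quotes keep client names containing spaces together.
        names = [n.strip('"') for n in re.findall(r'"[^"]*"|\S+', rhs)]
        entries.append((unix_name.strip(), names, stop))
    return entries


def map_user(entries, client_name):
    """Resolve a client name line by line; later matches override earlier ones."""
    result = client_name
    for unix_name, names, stop in entries:
        # Assumption: names compare case-insensitively; '*' matches any name.
        if any(n == "*" or n.lower() == client_name.lower() for n in names):
            result = unix_name
            if stop:
                break
    return result


def root_mappings(entries):
    """Client names that end up acting as root on this machine."""
    return sorted({n for unix, names, _ in entries if unix == "root" for n in names})


if __name__ == "__main__":
    parsed = parse_user_map(SAMPLE_MAP)
    print("maps to root:", root_mappings(parsed))
    print(r"XXXX\administrator ->", map_user(parsed, r"XXXX\administrator"))
```

Without the leading `!`, the later wildcard line would also match and override the root mapping, so the audit should read the file in order rather than line by line in isolation.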