[Samba] no access to share permission on a domain member

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 23 09:48:25 UTC 2015


On 23/10/15 10:03, MARTIN boris wrote:
> Hi all, I have a domain server with a test share on it.
>
> But I can't find the way to manage it via Windows.
>
> When I try to modify something on the share permission part, I get an access denied error.
>
> If I put the server in debug mode I get
>
> _srvsvc_NetShareSetInfo: uid 10001 doesn't have the SeDiskOperatorPrivilege privilege needed to modify share demoshare
>
> uid 10001 being the uid of the administrator of the AD
>
> But if I do:
>
> wbinfo -i administrator
> administrator:*:10001:20000:Administrator:/home/Administrator:/bin/sh
> getent passwd | grep 10001
> administrator:*:10001:20000:Administrator:/home/Administrator:/bin/sh
>
> net rpc rights list administrator -U 'XXXX\administrator' -I 'xxxx.bla.fr'
>
> I get:
>
> SeDiskOperatorPrivilege
>
> I have successfully fixed my trouble with this line:
>
> username map = /etc/samba/user.map
>
> that I have added to my smb.conf file, with the user map having the single line
>
> !root = XXXX\Administrator XXXX\administrator
>
> and doing the following command line:
>
> net rpc rights grant 'XXXX\Domain Admins' SeDiskOperatorPrivilege -U'administrator'
>
> So I have one question:
>
> 1) First, is the SeDiskOperatorPrivilege an AD range flag, or a server range flag?
>
> And a call for help, because I have reached the end of my own knowledge of Samba.
>
> 2) Why do I need to play with user.map when, from my point of view, winbind is supposed to do the job?
>
> 3) Is there a way to make things work without playing with the username map command?
>
> Thanks for your help.

Well, there are two things you could do here: you could either go to the
share and change the ownership to 'Administrator', now that you have
given it a uidNumber, or you could remove the uidNumber from the
Administrator and allow Samba to map it to the Unix 'root' user. On a
DC, this is done automatically, but on a domain member, you would have
to use a 'user.map'.
Either way would give Administrator the required rights to change things
on the Samba machine, but giving Administrator a uidNumber is a bit more
inflexible, as it would have to be made to actually own the directories
etc. on the Samba machine.

Rowland
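
The user.map approach discussed in this thread makes a domain account act as the Unix 'root' user on the member server, so it is worth reviewing which names a map file hands that identity to. The following is an added example, not part of the original thread and not Samba code: a small audit of a username map. The function names and every sample line other than the `!root = ...` line quoted above are constructed for illustration.

```python
import re

# A name on the right-hand side is either a double-quoted string or a bare token.
TOKEN = re.compile(r'"[^"]*"|\S+')

# Constructed sample; only the "!root" line comes from the thread.
SAMPLE = r'''# /etc/samba/user.map (constructed sample)
!root = XXXX\Administrator XXXX\administrator
backup = "XXXX\Backup Operator"
root = @XXXX\unixadmins
guest = *
'''

def parse_username_map(text):
    """Return (unix_name, [client_names], stop) for each mapping line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!' = stop processing on a match
        if stop:
            line = line[1:]
        unix_name, sep, rhs = line.partition("=")
        if not sep:                          # not a mapping line, skip it
            continue
        names = [t.strip('"') for t in TOKEN.findall(rhs)]
        entries.append((unix_name.strip(), names, stop))
    return entries

def root_mappings(text, privileged=("root",)):
    """List (client_name, kind, stop) for every name mapped to a privileged user."""
    findings = []
    for unix_name, names, stop in parse_username_map(text):
        if unix_name not in privileged:
            continue
        for name in names:
            if name == "*":
                kind = "wildcard"            # every connecting user
            elif name.startswith("@"):
                kind = "group"               # every member of the group
            else:
                kind = "user"
            findings.append((name, kind, stop))
    return findings

if __name__ == "__main__":
    for name, kind, stop in root_mappings(SAMPLE):
        note = "" if stop else "  (no '!': later lines may still remap)"
        print(f"root <- {kind:8} {name}{note}")
```

Group and wildcard findings deserve the closest look, since they extend root on the Samba machine to accounts that may change later without the map file being touched.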


