[Samba] SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE

Rowland Penny rowlandpenny241155 at gmail.com
Mon Sep 28 11:22:34 UTC 2015


On 28/09/15 11:30, Steffen Weißgerber wrote:
> Hello,
>
> after configuring kerberos and winbind for authentication against an AD
> (Windows 2008 R2) and successfully launching getent passwd I followed the
> instructions https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
> for granting the SeDiskOperatorPrivilege.
> But I get a failure with a NT_STATUS_NO_SUCH_PRIVILEGE error.
>
> net rpc rights list accounts -U'<Domain>\Administrator' -I<AD-host>
> does not list the SeDiskOperatorPrivilege.
>
> Why is this missing?
>
> Nevertheless creating directories and granting access to these to
> other AD accounts works well.
>
> The global section of my smb.conf is as follows:
>
> [global]
>     workgroup = DKDB
>     server string = Samba Test
>     security = ads
>     realm = DKDB.KN
>     winbind use default domain = yes
>     winbind refresh tickets = yes
>     max protocol = SMB2
>     hide unreadable = yes
>     idmap config * : backend = rid
>     idmap config * : range = 10000-20000
>     #syslog only = yes
>     disable netbios = yes
>     log file = /var/log/samba/log.%m
>     log level = 3
>     max log size = 50
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
> Thanks
>
> Steffen
>

I don't know if this is your problem, but you seem to have incorrect
'idmap config' lines; I would expect to see something like this:

idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DKDB : backend = rid
idmap config DKDB : range = 10000-20000

Rowland
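
The following is an added example, not part of either message and not Samba's own validation: a small Python check that compares an smb.conf `[global]` section against the layout in the reply above. The function names `parse_idmap` and `check_idmap` are hypothetical, and the three rules (default domain `*` not on `rid`, a dedicated block for the workgroup, non-overlapping ranges) are assumptions read off the difference between the two configurations in this thread.

```python
import re

# Constructed samples: the idmap lines from the question and from the reply.
ORIGINAL = """
[global]
    workgroup = DKDB
    idmap config * : backend = rid
    idmap config * : range = 10000-20000
"""
SUGGESTED = """
[global]
    workgroup = DKDB
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config DKDB : backend = rid
    idmap config DKDB : range = 10000-20000
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+)$", re.I)

def parse_idmap(conf):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val.strip()
        elif line.lower().startswith("workgroup"):
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, domains

def check_idmap(conf):
    """List where conf departs from the layout suggested in the reply (assumed rules)."""
    workgroup, domains = parse_idmap(conf)
    findings = []
    if domains.get("*", {}).get("backend") == "rid":
        findings.append("default domain '*' uses the rid backend")
    if workgroup and workgroup not in domains:
        findings.append(f"no 'idmap config {workgroup}' lines for the workgroup")
    # Sort (low, high, domain) tuples so neighbours can be compared for overlap.
    ranges = sorted((*map(int, o["range"].split("-")), d)
                    for d, o in domains.items() if "range" in o)
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges for {d1} and {d2} overlap")
    return findings
```

`check_idmap(ORIGINAL)` reports the first two findings, and `check_idmap(SUGGESTED)` returns an empty list.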



