[Samba] Unable to set SeDiskOperatorPrivilege

Henry McLaughlin henry at incred.com.au
Sat Jan 16 13:26:46 UTC 2016


Kind regards,

Henry McLaughlin

0411 444 363 (Mobile)

henry at incred.com.au

PO Box 329
Romsey VIC 3434

On 15 January 2016 at 23:24, Rowland penny <rpenny at samba.org> wrote:

> On 15/01/16 12:08, Henry McLaughlin wrote:
>
>>
>>
>> On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
>>
>>     On 15/01/16 11:12, Henry McLaughlin wrote:
>>
>>
>>             Have you by any chance given Administrator a uidNumber ?
>>
>>
>>         Yes, 10000
>>
>>         Was that wrong?
>>
>>
>>
>>
>>     Well, in my opinion, yes. By giving Administrator a uidNumber, you
>>     have, as far as Unix is concerned, turned it into a normal user
>>     that doesn't have the rights to do anything.
>>
>>     Is this on a DC? If so, remove the uidNumber and it should start
>>     working again. If it is a domain member, again remove the
>>     uidNumber and add this line to smb.conf:
>>
>>     username map = /etc/samba/samba_usermapping
>>
>>     Create the file '/etc/samba/samba_usermapping' with this content:
>>
>>     !root = SAMDOM\Administrator SAMDOM\administrator
>>
>>     Replace 'SAMDOM' with your workgroup
>>
>>     This will map 'Administrator' to the Unix 'root' user
>>
>>     Rowland
>>     --
>>     To unsubscribe from this list go to the following URL and read the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>> Thanks Rowland, this worked; however, I am totally confused as to when a
>> Windows user/group needs to be given a UNIX id in ADUG. Is there a
>> reference out there I can read, study & understand?
>>
>
> It is fairly simple: on a DC, users are mapped to Unix automatically (via
> idmap.ldb). On a domain member, you have a choice of backends, but the
> two main ones are 'rid' & 'ad'. The 'rid' backend works similarly (from an
> initial viewpoint) to the DC and maps the users & groups to Unix. The 'ad'
> backend is different: any user that you want to be visible to Unix must be
> given a uidNumber attribute, and this number must be inside the range that is
> set in smb.conf. You must also give Domain Users (at least) a gidNumber
> attribute, which must also be inside the range set in smb.conf; if you want
> any other groups to be visible to Unix, these also must be given a
> gidNumber.
>
> Any user or group that is visible to Unix, works just like any other Unix
> user or group and only has the permissions you assign to them.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

When I now try to set SeDiskOperatorPrivilege to "DOMAIN\Domain Admins" it
is set for "Unix Group\domain admins"? Is this correct, as I had expected it
to be "DOMAIN\Domain Admins"?

root at aphrodite:~# net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'DOMAIN\administrator'
Enter DOMAIN\administrator's password:
Successfully granted rights.
root at aphrodite:~# net rpc rights list accounts -U'DOMAIN\administrator'
Enter DOMAIN\administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

Unix Group\domain admins
SeDiskOperatorPrivilege
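
The idmap rules Rowland sets out above (with the 'ad' backend every Unix-visible user needs a uidNumber inside the range from smb.conf, Domain Users needs a gidNumber inside that range, and Administrator should be mapped to root through 'username map' rather than given a uidNumber) turned into a small audit script. This is an added example written for this page, not code from the thread or from Samba; the smb.conf fragment, the username map line, and the AD attribute values are constructed sample data, and the user and group names are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment for a domain member using the 'ad' idmap
# backend. Example data only; it is not the poster's configuration.
SMB_CONF = """
[global]
    workgroup = SAMDOM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    username map = /etc/samba/samba_usermapping
"""

# Constructed contents of /etc/samba/samba_usermapping, as in the thread.
USERNAME_MAP = r"!root = SAMDOM\Administrator SAMDOM\administrator"

# Constructed AD objects with their RFC2307 attributes. Administrator is
# deliberately given a uidNumber so the check below fires.
AD_USERS = {
    "Administrator":    {"uidNumber": 10000},
    "henry":            {"uidNumber": 10001},
    "svc_backup":       {"uidNumber": 5000},   # outside the SAMDOM range
    "guest_contractor": {},                    # no uidNumber: not visible to Unix
}
AD_GROUPS = {
    "Domain Users":  {"gidNumber": 10000},
    "Domain Admins": {},                       # no gidNumber: not visible to Unix
    "finance":       {"gidNumber": 12345},
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOMAIN : key = value' lines, keyed by domain."""
    cfg: Dict[str, Dict[str, str]] = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom.upper(), {})[key.lower()] = val
    return cfg


def parse_range(spec: str) -> Tuple[int, int]:
    """'10000-999999' -> (10000, 999999)."""
    lo, hi = spec.split("-")
    return int(lo), int(hi)


def parse_username_map(text: str) -> Dict[str, str]:
    """Map each Windows name (lower-cased) to the Unix user it is rewritten to.
    Line format: [!]unixname = name1 name2 ...; a leading '!' stops after a match."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        unix, _, names = line.partition("=")
        unix = unix.strip().lstrip("!")
        for name in names.split():
            mapping[name.lower()] = unix
    return mapping


def audit_ad_backend(conf: str, users: dict, groups: dict, domain: str,
                     username_map: str = "") -> List[str]:
    """Apply the 'ad' backend rules: every Unix-visible user needs a uidNumber
    inside the domain's idmap range, Domain Users needs a gidNumber inside it,
    and Administrator should not be turned into a plain Unix user at all."""
    findings: List[str] = []
    cfg = parse_idmap(conf).get(domain.upper(), {})
    if cfg.get("backend") != "ad" or "range" not in cfg:
        findings.append(f"{domain}: no 'ad' backend with a range configured")
        return findings
    lo, hi = parse_range(cfg["range"])
    to_root = parse_username_map(username_map).get(f"{domain}\\administrator".lower()) == "root"

    for name, attrs in users.items():
        uid = attrs.get("uidNumber")
        if uid is None:
            continue  # no uidNumber: the 'ad' backend never exposes this user
        if name.lower() == "administrator":
            findings.append(f"Administrator has uidNumber {uid}: it becomes an unprivileged "
                            f"Unix user; remove the attribute"
                            + (" (username map already maps it to root)" if to_root
                               else " and map it to root with 'username map'"))
        if not lo <= uid <= hi:
            findings.append(f"user {name}: uidNumber {uid} outside range {lo}-{hi}")

    du_gid = groups.get("Domain Users", {}).get("gidNumber")
    if du_gid is None:
        findings.append("Domain Users has no gidNumber; 'ad'-mapped users have no primary group")
    for name, attrs in groups.items():
        gid = attrs.get("gidNumber")
        if gid is not None and not lo <= gid <= hi:
            findings.append(f"group {name}: gidNumber {gid} outside range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for f in audit_ad_backend(SMB_CONF, AD_USERS, AD_GROUPS, "SAMDOM", USERNAME_MAP):
        print("-", f)
```

On the constructed data the audit reports two findings: Administrator carrying a uidNumber (the exact situation Rowland diagnosed, with the username map already in place) and svc_backup's uidNumber falling below the SAMDOM range; Domain Users and finance pass. Groups without a gidNumber are simply not visible to Unix, which is why Domain Admins produces no finding here.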


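A way to audit the `net rpc rights list accounts` listing above, so that a grant landing under an unexpected account name (here "Unix Group\domain admins" instead of "DOMAIN\Domain Admins") is caught rather than noticed by eye. This is an added example for this page, not code from the thread or from Samba; the sample output is a constructed, trimmed copy of the listing above, and the set of expected domain names (BUILTIN and DOMAIN) is an assumption to be replaced with the real workgroup.

```python
from typing import Dict, List, Set

# Constructed sample of 'net rpc rights list accounts' output, trimmed from
# the listing in the thread (not a fresh capture from the poster's server).
RIGHTS_OUTPUT = """\
BUILTIN\\Backup Operators
No privileges assigned

BUILTIN\\Administrators
SeMachineAccountPrivilege
SeBackupPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned

Unix Group\\domain admins
SeDiskOperatorPrivilege
"""


def parse_rights_list(text: str) -> Dict[str, List[str]]:
    """Blank lines separate accounts; the first line of each block is the
    account name, the remaining lines are privilege names (or the literal
    'No privileges assigned')."""
    accounts: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        if current is None:
            current = line
            accounts[current] = []
        elif line != "No privileges assigned":
            accounts[current].append(line)
    return accounts


def holders(accounts: Dict[str, List[str]], privilege: str) -> List[str]:
    """All accounts that currently hold the given privilege."""
    return sorted(a for a, privs in accounts.items() if privilege in privs)


def outside_expected_domains(accounts: Dict[str, List[str]], expected: Set[str]) -> List[str]:
    """Privileged accounts whose domain prefix is not one we expect. Samba's
    'Unix User' and 'Unix Group' pseudo-domains (SID bases S-1-22-1 and
    S-1-22-2) are names derived from a local uid/gid rather than a domain SID,
    so a grant showing up there, as in the thread, deserves a second look."""
    flagged = []
    for acct, privs in accounts.items():
        if privs and acct.partition("\\")[0] not in expected:
            flagged.append(acct)
    return sorted(flagged)


if __name__ == "__main__":
    acc = parse_rights_list(RIGHTS_OUTPUT)
    print("SeDiskOperatorPrivilege holders:", holders(acc, "SeDiskOperatorPrivilege"))
    print("outside BUILTIN/DOMAIN:", outside_expected_domains(acc, {"BUILTIN", "DOMAIN"}))
```

Run against the sample, the script lists both holders of SeDiskOperatorPrivilege and flags only "Unix Group\domain admins", since "Everyone" holds nothing and the BUILTIN entries are expected. Substitute the real workgroup name for the DOMAIN placeholder when using it on a live listing.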