[Samba] Unable to set SeDiskOperatorPrivilege

Rowland penny rpenny at samba.org
Sat Jan 16 13:50:42 UTC 2016


On 16/01/16 13:26, Henry McLaughlin wrote:
>
> On 15 January 2016 at 23:24, Rowland penny <rpenny at samba.org> wrote:
>
>     On 15/01/16 12:08, Henry McLaughlin wrote:
>
>
>
>         On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
>
>             On 15/01/16 11:12, Henry McLaughlin wrote:
>
>
>                     Have you by any chance given Administrator a
>         uidNumber ?
>
>
>                 Yes, 10000
>
>                 Was that wrong?
>
>
>
>
>             Well, in my opinion, yes. By giving Administrator a uidNumber,
>             you have, as far as Unix is concerned, turned it into a normal
>             user that doesn't have the rights to do anything.
>
>             Is this on a DC? If so, remove the uidNumber and it should
>             start working again. If it is a domain member, again remove
>             the uidNumber and add this line to smb.conf:
>
>             username map = /etc/samba/samba_usermapping
>
>             Create the file '/etc/samba/samba_usermapping' with this
>             content:
>
>             !root = SAMDOM\Administrator SAMDOM\administrator
>
>             Replace 'SAMDOM' with your workgroup.
>
>             This will map 'Administrator' to the Unix 'root' user.
>
>             Rowland
>             --     To unsubscribe from this list go to the following
>         URL and read the
>             instructions: https://lists.samba.org/mailman/options/samba
>
>
>         Thanks Rowland, this worked. However, I am totally confused as to
>         when a Windows user/group needs to be given a UNIX id in
>         ADUC. Is there a reference out there I can read, study & understand?
>
>
>     It is fairly simple. On a DC, users are mapped to Unix automatically
>     (via idmap.ldb). On a domain member, you have a choice of backends,
>     but the two main ones are 'rid' & 'ad'. The 'rid' backend works
>     similarly (from an initial viewpoint) to the DC and maps the users &
>     groups to Unix. The 'ad' backend is different: any user that you want
>     to be visible to Unix must be given a uidNumber attribute, and this
>     number must be inside the range that is set in smb.conf. You must
>     also give Domain Users (at least) a gidNumber attribute, which must
>     also be inside the range set in smb.conf. If you want any other
>     groups to be visible to Unix, these also must be given a gidNumber.
>
>     Any user or group that is visible to Unix, works just like any
>     other Unix user or group and only has the permissions you assign
>     to them.
>
>     Rowland
>
>
>
> When I now try to set SeDiskOperatorPrivilege for "DOMAIN\Domain
> Admins", it is set for "Unix Group\domain admins". Is this correct, as I
> had expected it to be "DOMAIN\Domain Admins"?
>
> root at aphrodite:~# net rpc rights grant 'DOMAIN\Domain Admins' 
> SeDiskOperatorPrivilege -U'DOMAIN\administrator'
> Enter DOMAIN\administrator's password:
> Successfully granted rights.
> root at aphrodite:~# net rpc rights list accounts -U'DOMAIN\administrator'
> Enter DOMAIN\administrator's password:
> BUILTIN\Print Operators
> No privileges assigned
>
> BUILTIN\Account Operators
> No privileges assigned
>
> BUILTIN\Backup Operators
> No privileges assigned
>
> BUILTIN\Server Operators
> No privileges assigned
>
> BUILTIN\Administrators
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
> SeSecurityPrivilege
> SeSystemtimePrivilege
> SeShutdownPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege
> SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege
> SeLoadDriverPrivilege
> SeCreatePagefilePrivilege
> SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> SeUndockPrivilege
> SeManageVolumePrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
>
> Everyone
> No privileges assigned
>
> Unix Group\domain admins
> SeDiskOperatorPrivilege

Does Domain Admins have a gidNumber?
It doesn't really matter what net shows for Domain Admins as long as it
works. Have you tried it?

It works for me, but I get this on a domain member:

net rpc rights list accounts -Uadministrator
Enter administrator's password:
~~~~~~~~~~~~
S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-512
SeDiskOperatorPrivilege

whilst on a DC, I get this:
~~~~~~~~~~~~
SAMDOM\Domain Admins
SeDiskOperatorPrivilege

Rowland
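The rules Rowland lays out above (Administrator should not carry a uidNumber; with the 'ad' backend on a domain member every uidNumber/gidNumber must fall inside the smb.conf idmap range; Domain Users needs a gidNumber; the username map maps a Windows account to a Unix account) can be checked mechanically. The script below is an added example, not code from the Samba project or from either poster. The smb.conf fragment, the directory records and the SID are constructed for illustration; the username map line is the one from the thread. The well-known RID table is a small subset (500, 512, 513) used to explain the `-512` SID in the domain-member output.

```python
"""Checks for the idmap points made in this thread. Added example, not code
from the Samba project or the list posters; every input is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment for a domain member using the 'ad' backend.
SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   username map = /etc/samba/samba_usermapping
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
"""

# Content of the username map file from the thread. The format is
# 'unixname = windowsname ...'; a leading '!' stops processing at that line.
USERNAME_MAP = "!root = SAMDOM\\Administrator SAMDOM\\administrator\n"

# Constructed directory records (hypothetical domain, not real data).
RECORDS = [
    {"name": "Administrator", "kind": "user", "uidNumber": 10000},
    {"name": "alice", "kind": "user", "uidNumber": 10005},
    {"name": "bob", "kind": "user", "uidNumber": 2000},        # outside range
    {"name": "Domain Users", "kind": "group", "gidNumber": 10001},
    {"name": "Domain Admins", "kind": "group"},                  # no gidNumber
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.M)

# Well-known RIDs; the '-512' suffix in the member output above is Domain Admins.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return out


def parse_range(text: str) -> Tuple[int, int]:
    """Split 'low-high' into integers."""
    lo, hi = text.split("-")
    return int(lo), int(hi)


def parse_username_map(text: str) -> Dict[str, str]:
    """Map each Windows name (lower-cased) to the Unix name it becomes.
    Simplified model: the first line naming a Windows account wins, which is
    the '!' behaviour; without '!' Samba would let later lines remap."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        unix, _, wins = line.partition("=")
        unix = unix.strip().lstrip("!").strip()
        for w in wins.split():
            mapping.setdefault(w.lower(), unix)
    return mapping


def rid_name(sid: str) -> Optional[str]:
    """Resolve the trailing RID of a domain SID against the well-known table."""
    rid = int(sid.rsplit("-", 1)[1])
    return WELL_KNOWN_RIDS.get(rid)


def check_records(conf: str, records: List[dict], role: str) -> List[str]:
    """Apply the rules from the thread. role is 'dc' or 'member'."""
    findings: List[str] = []
    idmap = parse_idmap(conf)
    m = WORKGROUP_RE.search(conf)
    domain = m.group(1) if m else "*"
    backend = idmap.get(domain, {}).get("backend", "")
    # The uidNumber/gidNumber range only matters for the 'ad' backend on a
    # domain member; a DC maps users automatically and 'rid' needs no numbers.
    rng = None
    if role == "member" and backend == "ad":
        rng = parse_range(idmap[domain]["range"])
    for r in records:
        attr = "uidNumber" if r["kind"] == "user" else "gidNumber"
        num = r.get(attr)
        if r["name"].lower() == "administrator" and num is not None:
            findings.append("Administrator has uidNumber %d: as far as Unix is "
                            "concerned it is now an ordinary user" % num)
        if rng is None:
            continue
        if num is None:
            need = "required" if r["name"] == "Domain Users" else "optional"
            findings.append("%s has no %s (%s): not visible to Unix"
                            % (r["name"], attr, need))
        elif not rng[0] <= num <= rng[1]:
            findings.append("%s: %s %d is outside idmap range %d-%d"
                            % (r["name"], attr, num, rng[0], rng[1]))
    return findings


if __name__ == "__main__":
    print("username map:", parse_username_map(USERNAME_MAP))
    print("S-1-5-21-1-2-3-512 ->", rid_name("S-1-5-21-1-2-3-512"))
    for finding in check_records(SMB_CONF, RECORDS, "member"):
        print("member:", finding)
```

Run against the constructed records as a domain member, the script reports Administrator's uidNumber, bob's uidNumber below the SAMDOM range, and Domain Admins lacking a gidNumber (which is why `net rpc rights` would show it differently); run with role `dc`, only the Administrator finding remains, matching Rowland's point that a DC maps accounts automatically.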
