[Samba] Unable to set SeDiskOperatorPrivilege
Rowland penny
rpenny at samba.org
Sat Jan 16 13:50:42 UTC 2016
On 16/01/16 13:26, Henry McLaughlin wrote:
> On 15 January 2016 at 23:24, Rowland penny <rpenny at samba.org> wrote:
>
> On 15/01/16 12:08, Henry McLaughlin wrote:
>
> On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
>
> On 15/01/16 11:12, Henry McLaughlin wrote:
>
> Have you by any chance given Administrator a uidNumber?
>
> Yes, 10000
>
> Was that wrong?
>
> Well, in my opinion, yes. By giving Administrator a uidNumber you have,
> as far as Unix is concerned, turned it into a normal user that doesn't
> have the rights to do anything.
>
> Is this on a DC? If so, remove the uidNumber and it should start
> working again. If it is a domain member, again remove the uidNumber
> and add this line to smb.conf:
>
> username map = /etc/samba/samba_usermapping
>
> Create the file '/etc/samba/samba_usermapping' with this content:
>
> !root = SAMDOM\Administrator SAMDOM\administrator
>
> Replace 'SAMDOM' with your workgroup.
>
> This will map 'Administrator' to the Unix 'root' user.
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
> Thanks Rowland, this worked; however, I am totally confused as to
> when a Windows user/group needs to be given a UNIX id in ADUG. Is
> there a reference out there I can read, study & understand?
>
>
> It is fairly simple: on a DC, users are mapped to Unix automatically
> (via idmap.ldb). On a domain member you have a choice of backends, but
> the two main ones are 'rid' and 'ad'. The 'rid' backend works similarly
> (from an initial viewpoint) to the DC and maps the users and groups to
> Unix. The 'ad' backend is different: any user that you want to be
> visible to Unix must be given a uidNumber attribute, and this number
> must be inside the range set in smb.conf; you must also give Domain
> Users (at least) a gidNumber attribute, which must also be inside the
> range set in smb.conf, and if you want any other groups to be visible
> to Unix, these must also be given a gidNumber.
>
> Any user or group that is visible to Unix works just like any other
> Unix user or group and only has the permissions you assign to them.
>
> Rowland
>
>
>
> When I now try to set SeDiskOperatorPrivilege for "DOMAIN\Domain
> Admins", it is set for "Unix Group\domain admins". Is this correct? I
> had expected it to be "DOMAIN\Domain Admins".
>
> root@aphrodite:~# net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'DOMAIN\administrator'
> Enter DOMAIN\administrator's password:
> Successfully granted rights.
> root@aphrodite:~# net rpc rights list accounts -U'DOMAIN\administrator'
> Enter DOMAIN\administrator's password:
> BUILTIN\Print Operators
> No privileges assigned
>
> BUILTIN\Account Operators
> No privileges assigned
>
> BUILTIN\Backup Operators
> No privileges assigned
>
> BUILTIN\Server Operators
> No privileges assigned
>
> BUILTIN\Administrators
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
> SeSecurityPrivilege
> SeSystemtimePrivilege
> SeShutdownPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege
> SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege
> SeLoadDriverPrivilege
> SeCreatePagefilePrivilege
> SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> SeUndockPrivilege
> SeManageVolumePrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
>
> Everyone
> No privileges assigned
>
> Unix Group\domain admins
> SeDiskOperatorPrivilege
Does Domain Admins have a gidNumber?
It doesn't really matter what net shows for Domain Admins as long as it
works; have you tried it?
It works for me, but I get this on a domain member:
net rpc rights list accounts -Uadministrator
Enter administrator's password:
~~~~~~~~~~~~
S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-512
SeDiskOperatorPrivilege
whilst on a DC, I get this:
~~~~~~~~~~~~
SAMDOM\Domain Admins
SeDiskOperatorPrivilege
Rowland
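The rules Rowland lays out in this thread for a domain member on the 'ad' backend (every uidNumber/gidNumber must fall inside the 'idmap config' range in smb.conf, Domain Users needs a gidNumber, other groups are only visible to Unix if they have one, and Administrator should be mapped to root with 'username map' rather than given a uidNumber) can be checked mechanically before you reach for 'net rpc rights'. The POSIX sh script below is an added example written for this page; it is not code from the thread or from the Samba project. The smb.conf fragment, the username map line and the account dump are constructed sample data, and the domain name SAMDOM, the account names and the 'idmap config SAMDOM : range' values are assumptions. On a real member you would replace ACCOUNTS with attributes pulled via ldbsearch or wbinfo and SMB_CONF with the real file.

```shell
#!/bin/sh
# Added example, not Samba code: audit the idmap 'ad' prerequisites from the
# thread. All inputs are constructed sample data; SAMDOM and the account
# names are assumptions.

# Constructed smb.conf fragment for a domain member using the 'ad' backend.
SMB_CONF='[global]
   workgroup = SAMDOM
   security = ADS
   username map = /etc/samba/samba_usermapping
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999'

# Constructed /etc/samba/samba_usermapping content (the line Rowland suggested).
USERMAP='!root = SAMDOM\Administrator SAMDOM\administrator'

# Constructed directory dump: kind|sAMAccountName|uidNumber or gidNumber ('-' = absent).
ACCOUNTS='user|Administrator|10000
user|henry|10001
user|backupsvc|5000
group|Domain Users|10000
group|Domain Admins|-
group|Engineering|1500000'

# idmap_range DOMAIN -> prints "LOW HIGH" taken from "idmap config DOMAIN : range = LOW-HIGH".
# DOMAIN goes into a sed pattern, so pass a plain name such as SAMDOM, not '*'.
idmap_range() {
    printf '%s\n' "$SMB_CONF" | sed -n \
        "s/^[[:space:]]*idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p"
}

# in_range ID LOW HIGH -> exit 0 if LOW <= ID <= HIGH.
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# maps_to_root DOMAIN USER -> exit 0 if the username map sends DOMAIN\USER to root.
maps_to_root() {
    line=$(printf '%s\n' "$USERMAP" | grep -i '^!*root[[:space:]]*=') || return 1
    # Split the right-hand side on whitespace and look for an exact DOMAIN\USER token.
    printf '%s\n' "${line#*=}" | tr ' \t' '\n\n' | grep -qxF "$1\\$2"
}

# audit_accounts DOMAIN -> prints one PROBLEM/INFO line per finding; always exits 0.
audit_accounts() {
    domain=$1
    set -- $(idmap_range "$domain")
    low=$1 high=$2
    if [ -z "$low" ] || [ -z "$high" ]; then
        echo "PROBLEM: no 'idmap config $domain : range' in smb.conf"
        return 0
    fi
    domain_users_gid=-
    while IFS='|' read -r kind name id; do
        [ -n "$kind" ] || continue
        case "$kind:$name" in
            user:Administrator)
                # The thread's root cause: a uidNumber makes Administrator an
                # ordinary Unix user. Drop it and rely on 'username map' instead.
                [ "$id" = - ] || echo "PROBLEM: Administrator has uidNumber $id; remove it and map it to root via username map"
                continue ;;
            "group:Domain Users") domain_users_gid=$id ;;
        esac
        if [ "$id" = - ]; then
            echo "INFO: $kind '$name' has no uidNumber/gidNumber and is not visible to Unix"
            continue
        fi
        in_range "$id" "$low" "$high" ||
            echo "PROBLEM: $kind '$name' has id $id outside idmap range $low-$high (not mapped)"
    done <<EOF
$ACCOUNTS
EOF
    [ "$domain_users_gid" = - ] &&
        echo "PROBLEM: Domain Users has no gidNumber (required by the 'ad' backend)"
    return 0
}

# Stand-alone run over the constructed data.
audit_accounts SAMDOM
if maps_to_root SAMDOM Administrator; then
    printf 'OK: SAMDOM\\Administrator is mapped to root by the username map\n'
fi
```

On the constructed data the audit flags Administrator's uidNumber, the two ids outside 10000-999999, and reports Domain Admins as not visible to Unix because it has no gidNumber, which is the question Rowland asks above about the SID that 'net rpc rights list' prints on the member.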