[Samba] net rpc rights list

Henry McLaughlin henry at incred.com.au
Tue Jan 19 20:00:22 UTC 2016


On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:

> On 19/01/16 19:34, Henry McLaughlin wrote:
>
>> I have sssd configured and working with my domain member server and I now
>> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
>> group. When I execute the command it appears to disregard the domain name
>> and grant the privileges to the group "Unix Group\domain admins"
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege
>> -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege
>> -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully revoked rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>>
>> Below I have completely removed the domain name from the command and still
>> get the same outcome.
>>
>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>> -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> Does this behaviour appear correct or am I missing something in my config
>> that identifies the domain name?
>>
>
> I don't know, I cannot see your smb.conf from here.
>
> Rowland

cat /etc/samba/smb.conf
[global]
    workgroup = MYDOMAIN
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = AD.MYDOMAIN.COM.AU
    security = ads

    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    username map = /etc/samba/samba_usermapping

[printers]
    path = /var/spool/samba/
    printable = yes
    printing = CUPS


[Administration]
    path = /mnt/disk-2/samba/Administration/
    read only = no

