[Samba] net rpc rights list

Rowland penny rpenny at samba.org
Tue Jan 19 20:08:07 UTC 2016


On 19/01/16 20:00, Henry McLaughlin wrote:
>
> On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
>
>     On 19/01/16 19:34, Henry McLaughlin wrote:
>
>         I have sssd configured and working with my domain member
>         server and I now
>         wish to grant the SeDiskOperatorPrivilege to the
>         "MYDOMAIN\Domain Admins"
>         group. When I execute the command it appears to disregard the
>         domain name
>         and grant the privileges to the group "Unix Group\domain admins"
>
>         net rpc rights list accounts -U'MYDOMAIN\administrator'
>         Enter MYDOMAIN\administrator's password:
>
>         ...
>         Unix Group\domain admins
>         No privileges assigned
>
>         net rpc rights grant 'MYDOMAIN\Domain Admins'
>         SeDiskOperatorPrivilege
>         -U'MYDOMAIN\administrator'
>         Enter MYDOMAIN\administrator's password:
>         Successfully granted rights.
>
>         net rpc rights list accounts -U'MYDOMAIN\administrator'
>         Enter MYDOMAIN\administrator's password:
>
>         ...
>         Unix Group\domain admins
>         SeDiskOperatorPrivilege
>
>         net rpc rights revoke 'MYDOMAIN\Domain Admins'
>         SeDiskOperatorPrivilege
>         -U'MYDOMAIN\administrator'
>         Enter MYDOMAIN\administrator's password:
>         Successfully revoked rights.
>
>         net rpc rights list accounts -U'MYDOMAIN\administrator'
>         Enter MYDOMAIN\administrator's password:
>
>         ...
>         Unix Group\domain admins
>         No privileges assigned
>
>
>         Below I have completely removed the domain name from the
>         command and still
>         get the same outcome.
>
>         net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>         -U'MYDOMAIN\administrator'
>         Enter MYDOMAIN\administrator's password:
>         Successfully granted rights.
>
>         net rpc rights list accounts -U'MYDOMAIN\administrator'
>         Enter MYDOMAIN\administrator's password:
>
>         ...
>         Unix Group\domain admins
>         SeDiskOperatorPrivilege
>
>         Does this behaviour appear correct or am I missing something
>         in my config
>         that identifies the domain name?
>
>
>     I don't know, I cannot see your smb.conf from here.
>
>     Rowland
>
>
>
> cat /etc/samba/smb.conf
> [global]
>     workgroup = MYDOMAIN
>     client signing = yes
>     client use spnego = yes
>     kerberos method = secrets and keytab
>     realm = AD.MYDOMAIN.COM.AU
>     security = ads
>
>     rpc_server:spoolss = external
>     rpc_daemon:spoolssd = fork
>     username map = /etc/samba/samba_usermapping
>
> [printers]
>     path = /var/spool/samba/
>     printable = yes
>     printing = CUPS
>
>
> [Administration]
>     path = /mnt/disk-2/samba/Administration/
>     read only = no

OK, I think you need to visit the sssd mailing list. If you were using 
winbind, you could add this:

winbind use default domain

With this line, you lose the DOMAIN prefix i.e. Domain Admins instead of 
DOMAIN\Domain Admins.

Does sssd have a version of the above line?

Rowland
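
Added example, not part of the original thread and not Samba's own tooling: a shell check that reads a `net rpc rights list accounts` listing and reports every account holding a given privilege whose prefix is not the expected domain, which is the symptom shown above ("Unix Group\domain admins" instead of "MYDOMAIN\Domain Admins"). The function names, the `MYDOMAIN\fileadmins` group and the sample listing are constructed for illustration; the listing layout (account line, then one privilege per line, blank line between accounts) is assumed from the output quoted in the thread.

```shell
#!/bin/sh
# Constructed sample listing; on a live member server, pipe the real output of
#   net rpc rights list accounts -U'MYDOMAIN\administrator'
# into holders_outside_domain instead.
sample_rights_output() {
cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

Unix Group\domain admins
SeDiskOperatorPrivilege

MYDOMAIN\fileadmins
SeDiskOperatorPrivilege

MYDOMAIN\Domain Admins
No privileges assigned
EOF
}

# holders_outside_domain DOMAIN PRIVILEGE
# Reads the listing on stdin and prints each account that holds PRIVILEGE
# but whose name prefix (text before the first backslash) is not DOMAIN.
holders_outside_domain() {
    awk -v dom="$1" -v priv="$2" '
        BEGIN { RS = ""; FS = "\n" }      # one record per account block
        {
            account = $1
            gsub(/^[ \t]+|[ \t\r]+$/, "", account)
            held = 0
            for (i = 2; i <= NF; i++) {   # remaining lines are privileges
                line = $i
                gsub(/^[ \t]+|[ \t\r]+$/, "", line)
                if (line == priv) held = 1
            }
            if (!held) next
            n = index(account, "\\")
            prefix = (n > 0) ? substr(account, 1, n - 1) : ""
            # Domain names are compared case-insensitively.
            if (toupper(prefix) != toupper(dom)) print account
        }'
}

# Stand-alone run against the constructed sample.
sample_rights_output | holders_outside_domain MYDOMAIN SeDiskOperatorPrivilege
```

Any line it prints is a principal to review: the privilege is in effect for that account, not for a group in the named domain.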

