[Samba] net rpc rights list
Rowland penny
rpenny at samba.org
Tue Jan 19 20:08:07 UTC 2016
On 19/01/16 20:00, Henry McLaughlin wrote:
>
> On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
>
> On 19/01/16 19:34, Henry McLaughlin wrote:
>
> I have sssd configured and working with my domain member server and I now
> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
> group. When I execute the command it appears to disregard the domain name
> and grant the privileges to the group "Unix Group\domain admins"
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> No privileges assigned
>
> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
> Successfully granted rights.
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> SeDiskOperatorPrivilege
>
> net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
> Successfully revoked rights.
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> No privileges assigned
>
>
> Below I have completely removed the domain name from the command and still
> get the same outcome.
>
> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
> Successfully granted rights.
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> SeDiskOperatorPrivilege
>
> Does this behaviour appear correct or am I missing something in my config
> that identifies the domain name?
>
>
> I don't know, I cannot see your smb.conf from here.
>
> Rowland
>
>
> cat /etc/samba/smb.conf
> [global]
> workgroup = MYDOMAIN
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> realm = AD.MYDOMAIN.COM.AU
> security = ads
>
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> username map = /etc/samba/samba_usermapping
>
> [printers]
> path = /var/spool/samba/
> printable = yes
> printing = CUPS
>
>
> [Administration]
> path = /mnt/disk-2/samba/Administration/
> read only = no

OK, I think you need to visit the sssd mailing list. If you were using
winbind, you could add this:

winbind use default domain

With this line, you lose the DOMAIN prefix, i.e. Domain Admins instead of
DOMAIN\Domain Admins.

Does sssd have a version of the above line?

Rowland
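
Added example (not part of the original thread and not Samba project code): a shell check that reads `net rpc rights list accounts` output and reports which holders of a privilege fall outside the expected domain prefix, the situation in the thread where the grant landed on "Unix Group\domain admins". It assumes blank-line-separated records as in the listings quoted above; the sample listing and the "MYDOMAIN\Backup Team" account are constructed.

```shell
#!/bin/sh
# Added example: audit `net rpc rights list accounts` output.
# Assumed format (as in the listings quoted above): an account name line,
# then one privilege per line or "No privileges assigned", then a blank line.

# holders PRIVILEGE: read a listing on stdin, print every account holding it.
holders() {
    awk -v priv="$1" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # trim CR and blanks
        $0 == ""   { acct = ""; next }   # blank line ends the current record
        acct == "" { acct = $0; next }   # first line of a record is the account
        $0 == priv { print acct }        # later lines are privilege names
    '
}

# unexpected_holders PRIVILEGE DOMAIN: holders whose name lacks "DOMAIN\".
unexpected_holders() {
    holders "$1" | while IFS= read -r acct; do
        case "$acct" in
            "$2"\\*) ;;                       # expected domain prefix
            *) printf '%s\n' "$acct" ;;       # e.g. "Unix Group\..." entries
        esac
    done
}

# Constructed sample listing; "MYDOMAIN\Backup Team" is a made-up account.
sample_listing() {
    cat <<'EOF'
MYDOMAIN\Domain Users
No privileges assigned

Unix Group\domain admins
SeDiskOperatorPrivilege

MYDOMAIN\Backup Team
SeBackupPrivilege
SeDiskOperatorPrivilege
EOF
}

# Against a live server, replace sample_listing with:
#   net rpc rights list accounts -U'MYDOMAIN\administrator'
sample_listing | unexpected_holders SeDiskOperatorPrivilege MYDOMAIN
```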