[Samba] net rpc rights list
Henry McLaughlin
henry at incred.com.au
Tue Jan 19 20:48:10 UTC 2016
On 20 January 2016 at 07:08, Rowland penny <rpenny at samba.org> wrote:
> On 19/01/16 20:00, Henry McLaughlin wrote:
>
>>
>> On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 19/01/16 19:34, Henry McLaughlin wrote:
>>
>> I have sssd configured and working with my domain member server and I now
>> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
>> group. When I execute the command it appears to disregard the domain name
>> and grant the privileges to the group "Unix Group\domain admins"
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully revoked rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>>
>> Below I have completely removed the domain name from the command and still
>> get the same outcome.
>>
>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> Does this behaviour appear correct or am I missing something in my config
>> that identifies the domain name?
>>
>>
>> I don't know, I cannot see your smb.conf from here.
>>
>> Rowland
>>
>> -- To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>> cat /etc/samba/smb.conf
>> [global]
>> workgroup = MYDOMAIN
>> client signing = yes
>> client use spnego = yes
>> kerberos method = secrets and keytab
>> realm = AD.MYDOMAIN.COM.AU
>> security = ads
>>
>> rpc_server:spoolss = external
>> rpc_daemon:spoolssd = fork
>> username map = /etc/samba/samba_usermapping
>>
>> [printers]
>> path = /var/spool/samba/
>> printable = yes
>> printing = CUPS
>>
>>
>> [Administration]
>> path = /mnt/disk-2/samba/Administration/
>> read only = no
>>
>
> OK, I think you need to visit the sssd mailing list, if you were using
> winbind, you could add this:
>
> winbind use default domain
>
> With this line, you lose the DOMAIN prefix i.e. Domain Admins instead of
> DOMAIN\Domain Admins.
>
> Does sssd have a version of the above line?
>
> Rowland
>
Not sure, I'm checking with the sssd list now.
Does Samba care if the authentication is performed by sssd? Meaning, if I
can get the authentication working with sssd, can I still get my Samba
shares working in Windows using Windows ACLs as per:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
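
A check for the situation described in this thread, added here as an example and not part of any poster's message: it reads `net rpc rights list accounts` output and reports holders of a privilege whose account name is outside the expected domain prefix. The function names, the constructed sample listing and the block layout (account line, then privilege lines, blocks separated by blank lines) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed listing layout: one account
# name per block, its privileges on the following lines, blank line between
# blocks (as in the output pasted in the original post).

# unexpected_holders DOMAIN PRIVILEGE   (listing is read from stdin)
# Prints every holder of PRIVILEGE whose name does not start with "DOMAIN\"
# and returns 1 if at least one such holder was found, 0 otherwise.
unexpected_holders() {
    # Drop the password prompt and trailing whitespace/CRs, then let awk
    # read the listing in paragraph mode: $1 = account, $2..$NF = privileges.
    sed -e '/^Enter .*password:$/d' -e 's/[[:space:]]*$//' |
    awk -v dom="$1" -v priv="$2" '
        BEGIN { RS = ""; FS = "\n"; want = tolower(dom) "\\" }
        {
            for (i = 2; i <= NF; i++)
                if ($i == priv && index(tolower($1), want) != 1) {
                    print $1
                    bad = 1
                }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listing (not captured from a real server).
sample_listing() {
    cat <<'EOF'
Enter MYDOMAIN\administrator's password:

BUILTIN\Administrators
No privileges assigned

Unix Group\domain admins
SeDiskOperatorPrivilege

MYDOMAIN\Domain Admins
SeDiskOperatorPrivilege
SeBackupPrivilege
EOF
}

# Stand-alone run over the sample. Against a live member server, pipe in:
#   net rpc rights list accounts -U'MYDOMAIN\administrator'
sample_listing | unexpected_holders MYDOMAIN SeDiskOperatorPrivilege ||
    echo "privilege held outside MYDOMAIN, review the accounts listed above"
```

The domain comparison is case-insensitive, so `mydomain\domain admins` counts as inside the expected domain.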