[Samba] net rpc rights list
Rowland penny
rpenny at samba.org
Tue Jan 19 21:25:22 UTC 2016
On 19/01/16 20:48, Henry McLaughlin wrote:
>
> On 20 January 2016 at 07:08, Rowland penny <rpenny at samba.org> wrote:
>
> On 19/01/16 20:00, Henry McLaughlin wrote:
>
>
> On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
>
> On 19/01/16 19:34, Henry McLaughlin wrote:
>
> I have sssd configured and working with my domain member server and I now
> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
> group. When I execute the command it appears to disregard the domain name
> and grant the privileges to the group "Unix Group\domain admins"
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> No privileges assigned
>
> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
> Successfully granted rights.
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> SeDiskOperatorPrivilege
>
> net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
> Successfully revoked rights.
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> No privileges assigned
>
>
> Below I have completely removed the domain name from the command and still
> get the same outcome.
>
> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
> Successfully granted rights.
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> SeDiskOperatorPrivilege
>
> Does this behaviour appear correct or am I missing something in my config
> that identifies the domain name?
>
>
> I don't know, I cannot see your smb.conf from here.
>
> Rowland
>
> -- To unsubscribe from this list go to the following
> URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
> cat /etc/samba/smb.conf
> [global]
> workgroup = MYDOMAIN
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> realm = AD.MYDOMAIN.COM.AU
> security = ads
>
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> username map = /etc/samba/samba_usermapping
>
> [printers]
> path = /var/spool/samba/
> printable = yes
> printing = CUPS
>
>
> [Administration]
> path = /mnt/disk-2/samba/Administration/
> read only = no
>
>
> OK, I think you need to visit the sssd mailing list, if you were
> using winbind, you could add this:
>
> winbind use default domain
>
> With this line, you lose the DOMAIN prefix i.e. Domain Admins
> instead of DOMAIN\Domain Admins.
>
> Does sssd have a version of the above line?
>
> Rowland
>
>
> Not sure, I'm checking with the sssd list now.
>
> Does Samba care if the authentication is performed by sssd? Meaning if
> I can get the authentication working with sssd can I still get my
> samba shares working in Windows using Windows ACLs as per:
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
Samba really needs winbind for some of its internal workings but will
work with sssd especially if you are using a late enough version that
includes its own version of libwbclient.
Rowland
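
The symptom discussed in this thread (a grant reported as successful but landing on "Unix Group\domain admins") can be checked for mechanically. The following is an added example, not part of the original messages or of Samba itself: it parses the text output of `net rpc rights list accounts` and flags holders of a privilege whose account prefix is neither the expected domain nor BUILTIN. The helper name `audit_priv` and the sample listing are assumptions constructed for illustration.

```shell
# Assumed listing format (as shown in the thread): an account line, then one
# privilege per line or "No privileges assigned", blank line between accounts.

# audit_priv PRIV DOMAIN (hypothetical helper): reads the listing on stdin and
# prints "ok<TAB>account" for holders of PRIV whose prefix is DOMAIN or BUILTIN,
# "check<TAB>account" for any other holder. Exit status 1 if any "check" line.
audit_priv() {
    awk -v priv="$1" -v dom="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }  # trim, tolerate CRLF
        $0 == ""   { acct = ""; next }                 # blank line ends a block
        acct == "" { acct = $0; next }                 # first line is the account
        $0 == priv {
            i = index(acct, "\\")
            prefix = (i > 0) ? toupper(substr(acct, 1, i - 1)) : ""
            if (prefix == toupper(dom) || prefix == "BUILTIN") {
                print "ok\t" acct
            } else {
                print "check\t" acct; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listing, not captured from a real server.
sample_listing() {
    cat <<'EOF'
BUILTIN\Administrators
SeDiskOperatorPrivilege
SeTakeOwnershipPrivilege

MYDOMAIN\Domain Users
No privileges assigned

Unix Group\domain admins
SeDiskOperatorPrivilege
EOF
}

if sample_listing | audit_priv SeDiskOperatorPrivilege MYDOMAIN; then
    echo "all holders are in MYDOMAIN or BUILTIN"
else
    echo "review the accounts marked 'check'" >&2
fi
```

On a real member server the listing would be piped in from `net rpc rights list accounts -U'MYDOMAIN\administrator'` in place of `sample_listing`.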