[Samba] net rpc rights list
Henry McLaughlin
henry at incred.com.au
Tue Jan 19 22:29:01 UTC 2016
On 20 January 2016 at 08:25, Rowland penny <rpenny at samba.org> wrote:
> On 19/01/16 20:48, Henry McLaughlin wrote:
>
>>
>> On 20 January 2016 at 07:08, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 19/01/16 20:00, Henry McLaughlin wrote:
>>
>>
>> On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 19/01/16 19:34, Henry McLaughlin wrote:
>>
>> I have sssd configured and working with my domain member server and I now
>> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
>> group. When I execute the command it appears to disregard the domain name
>> and grant the privileges to the group "Unix Group\domain admins"
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully revoked rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>>
>> Below I have completely removed the domain name from the command and still
>> get the same outcome.
>>
>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> Does this behaviour appear correct or am I missing something in my config
>> that identifies the domain name?
>>
>>
>> I don't know, I cannot see your smb.conf from here.
>>
>> Rowland
>>
>> -- To unsubscribe from this list go to the following
>> URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>> cat /etc/samba/smb.conf
>> [global]
>> workgroup = MYDOMAIN
>> client signing = yes
>> client use spnego = yes
>> kerberos method = secrets and keytab
>> realm = AD.MYDOMAIN.COM.AU
>> security = ads
>>
>> rpc_server:spoolss = external
>> rpc_daemon:spoolssd = fork
>> username map = /etc/samba/samba_usermapping
>>
>> [printers]
>> path = /var/spool/samba/
>> printable = yes
>> printing = CUPS
>>
>>
>> [Administration]
>> path = /mnt/disk-2/samba/Administration/
>> read only = no
>>
>>
>> OK, I think you need to visit the sssd mailing list, if you were
>> using winbind, you could add this:
>>
>> winbind use default domain
>>
>> With this line, you lose the DOMAIN prefix i.e. Domain Admins
>> instead of DOMAIN\Domain Admins.
>>
>> Does sssd have a version of the above line?
>>
>> Rowland
>>
>>
>> Not sure, I'm checking with the sssd list now.
>>
>> Does Samba care if the authentication is performed by sssd? Meaning if I
>> can get the authentication working with sssd can I still get my samba
>> shares working in Windows using Windows ACLs as per:
>>
>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>>
>
> Samba really needs winbind for some of its internal workings but will work
> with sssd especially if you are using a late enough version that includes
> its own version of libwbclient.
>
> Rowland
>
Sounds like sssd is getting too difficult and I need to get this working
today. I just googled and found that the package version I have, 1.11.5, has
problems with Samba:
https://lists.samba.org/archive/samba/2015-January/188338.html

I am looking at a single domain with a single AD DC and a single member
server.

So back to square 1... I'll implement:
https://wiki.samba.org/index.php/Idmap_config_ad

And just to be clear... I will assign UIDs & GIDs in ADUG to all users I
want to be visible to Linux except administrator :)
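
An added example, not part of the original thread: a POSIX shell check over the `net rpc rights list accounts` listing format quoted above. It reports which accounts hold a privilege and flags holders whose prefix is not an expected domain, which is how a grant landing on `Unix Group\domain admins` would surface in an audit. The function names, the allowed-prefix list and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and sample data are assumptions.

# holders_of PRIVILEGE: read a `net rpc rights list accounts` listing on stdin
# and print every account that holds PRIVILEGE, one per line.
holders_of() {
    awk -v want="$1" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # trim CR and padding
        $0 == "" || $0 == "No privileges assigned" { next }
        /^Se[A-Za-z]+Privilege$/ { if ($0 == want) print account; next }
        { account = $0 }                                   # any other line names an account
    '
}

# unexpected_holders PRIVILEGE PREFIX...: print holders whose name does not
# start with one of the allowed "PREFIX\" domains (compared case-insensitively).
unexpected_holders() {
    priv=$1; shift
    holders_of "$priv" | awk -v allowed="$*" '
        BEGIN { n = split(tolower(allowed), pfx, " ") }
        {
            ok = 0
            for (i = 1; i <= n; i++)
                if (index(tolower($0), pfx[i] "\\") == 1) ok = 1
            if (!ok) print
        }
    '
}

# Constructed sample listing in the format shown in the thread.
SAMPLE='MYDOMAIN\Domain Users
No privileges assigned

Unix Group\domain admins
SeDiskOperatorPrivilege

BUILTIN\Administrators
SeMachineAccountPrivilege
SeDiskOperatorPrivilege'

printf '%s\n' "$SAMPLE" | unexpected_holders SeDiskOperatorPrivilege MYDOMAIN BUILTIN
# Live use: net rpc rights list accounts -U'MYDOMAIN\administrator' | unexpected_holders ...
```

Any account printed holds the privilege under a name outside the allowed prefixes and should be reviewed before relying on the share ACLs.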