[Samba] net rpc rights list

Henry McLaughlin henry at incred.com.au
Tue Jan 19 22:29:01 UTC 2016


On 20 January 2016 at 08:25, Rowland penny <rpenny at samba.org> wrote:

> On 19/01/16 20:48, Henry McLaughlin wrote:
>
>>
>> On 20 January 2016 at 07:08, Rowland penny <rpenny at samba.org> wrote:
>>
>>     On 19/01/16 20:00, Henry McLaughlin wrote:
>>
>>
>>         On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
>>
>>             On 19/01/16 19:34, Henry McLaughlin wrote:
>>
>>                 I have sssd configured and working with my domain member
>>                 server and I now wish to grant the SeDiskOperatorPrivilege
>>                 to the "MYDOMAIN\Domain Admins" group. When I execute the
>>                 command it appears to disregard the domain name and grant
>>                 the privileges to the group "Unix Group\domain admins"
>>
>>                 net rpc rights list accounts -U'MYDOMAIN\administrator'
>>                 Enter MYDOMAIN\administrator's password:
>>
>>                 ...
>>                 Unix Group\domain admins
>>                 No privileges assigned
>>
>>                 net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>>                 Enter MYDOMAIN\administrator's password:
>>                 Successfully granted rights.
>>
>>                 net rpc rights list accounts -U'MYDOMAIN\administrator'
>>                 Enter MYDOMAIN\administrator's password:
>>
>>                 ...
>>                 Unix Group\domain admins
>>                 SeDiskOperatorPrivilege
>>
>>                 net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>>                 Enter MYDOMAIN\administrator's password:
>>                 Successfully revoked rights.
>>
>>                 net rpc rights list accounts -U'MYDOMAIN\administrator'
>>                 Enter MYDOMAIN\administrator's password:
>>
>>                 ...
>>                 Unix Group\domain admins
>>                 No privileges assigned
>>
>>
>>                 Below I have completely removed the domain name from the
>>                 command and still get the same outcome.
>>
>>                 net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>>                 Enter MYDOMAIN\administrator's password:
>>                 Successfully granted rights.
>>
>>                 net rpc rights list accounts -U'MYDOMAIN\administrator'
>>                 Enter MYDOMAIN\administrator's password:
>>
>>                 ...
>>                 Unix Group\domain admins
>>                 SeDiskOperatorPrivilege
>>
>>                 Does this behaviour appear correct or am I missing
>>                 something in my config that identifies the domain name?
>>
>>
>>             I don't know, I cannot see your smb.conf from here.
>>
>>             Rowland
>>
>>             --
>>             To unsubscribe from this list go to the following URL and read the
>>             instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>         cat /etc/samba/smb.conf
>>         [global]
>>             workgroup = MYDOMAIN
>>             client signing = yes
>>             client use spnego = yes
>>             kerberos method = secrets and keytab
>>             realm = AD.MYDOMAIN.COM.AU
>>             security = ads
>>
>>             rpc_server:spoolss = external
>>             rpc_daemon:spoolssd = fork
>>             username map = /etc/samba/samba_usermapping
>>
>>         [printers]
>>             path = /var/spool/samba/
>>             printable = yes
>>             printing = CUPS
>>
>>
>>         [Administration]
>>             path = /mnt/disk-2/samba/Administration/
>>             read only = no
>>
>>
>>     OK, I think you need to visit the sssd mailing list. If you were
>>     using winbind, you could add this:
>>
>>     winbind use default domain
>>
>>     With this line, you lose the DOMAIN prefix i.e. Domain Admins
>>     instead of DOMAIN\Domain Admins.
>>
>>     Does sssd have a version of the above line?
>>
>>     Rowland
>>
>>
>> Not sure, I'm checking with the sssd list now.
>>
>> Does Samba care if the authentication is performed by sssd? Meaning, if I
>> can get the authentication working with sssd, can I still get my samba
>> shares working in Windows using Windows ACLs as per:
>>
>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>>
>
> Samba really needs winbind for some of its internal workings but will work
> with sssd especially if you are using a late enough version that includes
> its own version of libwbclient.
>
> Rowland
>
>

Sounds like sssd is getting too difficult and I need to get this working
today. I just googled and found that the package version I have, 1.11.5, has
problems with Samba:
https://lists.samba.org/archive/samba/2015-January/188338.html

I am looking at a single domain with a single AD DC and a single member
server.

So back to square 1...I'll implement:
https://wiki.samba.org/index.php/Idmap_config_ad

And just to be clear... I will assign UIDs & GIDs in ADUC to all users I
want to be visible to Linux except administrator :)
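An added example, not part of this thread and not Samba's own code: a POSIX shell check that parses the output of `net rpc rights list accounts` and reports which principal actually holds a privilege, failing when the privilege has landed on a "Unix Group\..." mapping instead of the intended AD group, which is exactly what the listing above shows. The two sample listings are constructed to mirror the thread (the second one is what I assume the listing looks like once the group resolves as MYDOMAIN\Domain Admins); the helper names holders_of and check_grant are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): verify that a privilege
# granted with `net rpc rights grant` landed on the intended AD principal
# rather than on a local "Unix Group\..." mapping, by parsing the output of
#   net rpc rights list accounts -U'MYDOMAIN\administrator'
# The two samples below are constructed to mirror the thread; on a real
# member server pipe the live command output into check_grant instead.

# Constructed sample: the state reported in the thread (sssd, no winbind).
SAMPLE_SSSD='BUILTIN\Print Operators
SePrintOperatorPrivilege

BUILTIN\Account Operators
No privileges assigned

Unix Group\domain admins
SeDiskOperatorPrivilege'

# Constructed sample: the assumed state once the AD group resolves by its
# domain name (e.g. winbind with the idmap_ad backend).
SAMPLE_WINBIND='BUILTIN\Print Operators
SePrintOperatorPrivilege

MYDOMAIN\Domain Admins
SeDiskOperatorPrivilege'

# holders_of PRIV: read `net rpc rights list accounts` output on stdin and
# print every account that holds PRIV, one per line. Records are separated
# by blank lines; the first line of a record is the account name, the
# remaining lines are its privileges (or "No privileges assigned").
holders_of() {
    awk -v priv="$1" '
        BEGIN { RS = ""; FS = "\n" }
        { for (i = 2; i <= NF; i++) if ($i == priv) print $1 }
    '
}

# check_grant PRIV EXPECTED: read the same output on stdin and return 0 only
# if PRIV is held by EXPECTED and by no "Unix Group\..." principal. Each
# failure is reported on stderr.
check_grant() {
    priv=$1
    expected=$2
    holders=$(holders_of "$priv")
    status=0
    if ! printf '%s\n' "$holders" | grep -Fxq -- "$expected"; then
        echo "MISSING: $priv is not held by $expected" >&2
        status=1
    fi
    if printf '%s\n' "$holders" | grep -q '^Unix Group\\'; then
        echo "WRONG TARGET: $priv is held by a local Unix group mapping" >&2
        status=1
    fi
    return "$status"
}

# Stand-alone demo: the sssd-state sample fails, the winbind-state sample passes.
printf '%s\n' "$SAMPLE_SSSD" | check_grant SeDiskOperatorPrivilege 'MYDOMAIN\Domain Admins' \
    && echo "sssd sample: OK" || echo "sssd sample: FAILED (as in the thread)"
printf '%s\n' "$SAMPLE_WINBIND" | check_grant SeDiskOperatorPrivilege 'MYDOMAIN\Domain Admins' \
    && echo "winbind sample: OK" || echo "winbind sample: FAILED"
```

On a live member server the same check is `net rpc rights list accounts -U'MYDOMAIN\administrator' | check_grant SeDiskOperatorPrivilege 'MYDOMAIN\Domain Admins'`; the password prompt goes to the terminal, not to stdout, so it does not disturb the parser.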

