[Samba] Unable to set SeDiskOperatorPrivilege (again)

John Gardeniers jgardeniers at integradev.com.au
Wed May 24 03:34:27 UTC 2017 

There was a thread on this topic back in January and as far as I can see 
it was never resolved.

I'm unable to set SeDiskOperatorPrivilege for the Domain Admins on our 
primary file server, so I set up a new samba server, following the 
directions at 
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member but 
still no success. I don't know if it's to do with the fact that we're 
using sssd or not.

Here are my (lack of) results, which are the same on both machines:

# net rpc rights grant SeDiskOperatorPrivilege "MYDOMAIN\Domain Admins" 
-U "MYDOMAIN\Administrator"
Enter MYDOMAIN\Administrator's password:
Failed to grant privileges for SeDiskOperatorPrivilege 
(NT_STATUS_NO_SUCH_USER)

# getent group "Domain Admins"
Domain Admins:*:512:Administrator,user1,user2,user3

# id Administrator
uid=10858(Administrator) gid=513(Domain Users) groups=513(Domain 
Users),512(Domain Admins),10102(Enterprise Admins)

# id "Domain Admins"
id: Domain Admins: No such user

# net rpc rights list accounts -UAdministrator
Enter Administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

As can be seen, only accounts in the BUILTIN OU are listed, despite sssd 
being configured to look up users and groups from the base OU on up.

Can someone shed any light on this?

regards,
John

More information about the samba mailing list