[Samba] net rpc rights grant fail to connect 127.0.0.1
Rowland penny
rpenny at samba.org
Mon Jul 13 18:03:41 UTC 2020
On 13/07/2020 18:50, Andrew Walker wrote:
>
>
> On Mon, Jul 13, 2020 at 1:26 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
> On 13/07/2020 18:18, Douglas G. Oechsler wrote:
> >
> > Hello!
> >
> > Ok! I switched the IP inside Member AD
> > > 127.0.0.1 localhost
> > > 10.1.1.16 E-PLANO.ad.mydomain.br e-plano
> >
> > Only to clarify
> > 10.1.1.16 - AD Member - File server
> > 10.1.1.21 - Only AD-DC
> >
> > But, sorry!
> > Follow the wiki
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > The command:
> > # net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
> > Enter SAMDOM\administrator's password:
> >
> > To grant rights, do I need to do it on the ad-dc side directly?
> >
> Did you miss the orange box containing:
>
> You need to grant the |SeDiskOperatorPrivilege| privilege on the
> Samba server that holds the share.
>
> Rowland
>
> For cases where I want to allow an AD group other than Domain Admins
> to do this stuff (and not bother with "net rpc" commands), I find it
> somewhat easier to find the SID of the group and then add it as a
> foreign group of BUILTIN\Administrators on the samba server with the
> shares a-la "net groupmap addmem S-1-5-32-544 <sid of group>". This
> will make members of the group local admins with all the benefits and
> dangers associated with it.
Problem is, if you are using the 'ad' backend, the group must be known
to Unix, i.e. it must have a gidNumber attribute, which is why you cannot
use Domain Admins. If you use the 'rid' backend, none of this matters ;-)
Rowland