[Samba] net rpc rights grant fail to connect 127.0.0.1

Andrew Walker walker.aj325 at gmail.com
Mon Jul 13 19:31:38 UTC 2020


On Mon, Jul 13, 2020 at 2:04 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 13/07/2020 18:50, Andrew Walker wrote:
> >
> >
> > On Mon, Jul 13, 2020 at 1:26 PM Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >
> >     On 13/07/2020 18:18, Douglas G. Oechsler wrote:
> >     >
> >     > Hello!
> >     >
> >     > Ok! I switch the IP inside Member AD
> >     > > 127.0.0.1 localhost
> >     > > 10.1.1.16 E-PLANO.ad.mydomain.br e-plano
> >     >
> >     > Only to clarify
> >     > 10.1.1.16 - AD Member - File server
> >     > 10.1.1.21 - Only AD-DC
> >     >
> >     > But, sorry!
> >     > Follow the wiki
> >     >
> >
> >     > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >     >
> >     > The command:
> >     > # net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
> >     > Enter SAMDOM\administrator's password:
> >     >
> >     > To grant rights, need to do it on the ad-dc side directly?
> >     >
> >     Did you miss the orange box containing:
> >
> >     You need to grant the SeDiskOperatorPrivilege privilege on the Samba
> >     server that holds the share.
> >
> >     Rowland
> >
> > For cases where I want to allow an AD group other than Domain Admins
> > to do this stuff (and not bother with "net rpc" commands), I find it
> > somewhat easier to find the SID of the group and then add it as a
> > foreign group of BUILTIN\Administrators on the samba server with the
> > shares a-la "net groupmap addmem S-1-5-32-544 <sid of group>". This
> > will make members of the group local admins with all the benefits and
> > dangers associated with it.
>
> Problem is, if you are using the 'ad' backend, the group must be known
> to Unix i.e. it must have a gidNumber attribute, which is why you cannot
> use Domain Admins, if you use the 'rid' backend, none of this matters ;-)
>
> Rowland
>
On an AD domain member, Domain Admins gets its privileges by virtue of
being a member of BUILTIN\Administrators. It is added to this group as a
part of post-processing in libnet join. DOMAIN\domain admins is added to
BUILTIN\administrators, DOMAIN\domain users is added to BUILTIN\users, and
DOMAIN\guests is added to BUILTIN\guests.

You can view the foreign memberships of these groups via "net groupmap
listmem" or by using "tdbdump <state directory>/group_mapping.tdb". You
can even do the same with groupmap entries for local Unix groups (make
them members of BUILTIN\administrators, granting access to "computer
management").
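Because a foreign membership in BUILTIN\Administrators makes every member of that group a local admin on the file server, it is worth auditing what `net groupmap listmem` reports against the three default mappings named above. The script below is an added example written for this thread, not code from the post or from the Samba project. It assumes that `net groupmap listmem <SID>` prints one member SID per line, takes the domain SID as an argument (obtain it with `net getdomainsid` on a live system), and, in the guarded live block, uses `wbinfo -s` only to resolve flagged SIDs to names. The domain SID and member lists used in the test are constructed.

```shell
#!/bin/sh
# Audit foreign memberships of the BUILTIN aliases on a Samba domain member.
# Expected default mappings (well-known RIDs):
#   BUILTIN\Administrators (S-1-5-32-544) <- Domain Admins  (RID 512)
#   BUILTIN\Users          (S-1-5-32-545) <- Domain Users   (RID 513)
#   BUILTIN\Guests         (S-1-5-32-546) <- Domain Guests  (RID 514)
# Any other member SID is reported so an admin can confirm it was added on
# purpose (for example via "net groupmap addmem").

# expected_domain_rid ALIAS_SID
# Prints the domain RID that Samba's join adds to the given BUILTIN alias.
expected_domain_rid() {
    case "$1" in
        S-1-5-32-544) echo 512 ;;
        S-1-5-32-545) echo 513 ;;
        S-1-5-32-546) echo 514 ;;
        *) return 1 ;;
    esac
}

# flag_unexpected_members ALIAS_SID DOMAIN_SID
# Reads member SIDs (one per line, as printed by "net groupmap listmem")
# on stdin and prints every SID that is not the expected default member.
# Returns 0 when only the expected member is present, 1 otherwise.
flag_unexpected_members() {
    alias_sid="$1"
    domain_sid="$2"
    rid=$(expected_domain_rid "$alias_sid") || {
        echo "not a BUILTIN alias with a default mapping: $alias_sid" >&2
        return 2
    }
    expected="${domain_sid}-${rid}"
    rc=0
    while IFS= read -r sid; do
        [ -z "$sid" ] && continue          # skip blank lines
        case "$sid" in
            "$expected") ;;                # the documented default member
            "${domain_sid}-"*)
                printf 'unexpected domain SID in %s: %s\n' "$alias_sid" "$sid"
                rc=1 ;;
            *)
                # A SID from another domain or a local Unix group mapping.
                printf 'unexpected foreign SID in %s: %s\n' "$alias_sid" "$sid"
                rc=1 ;;
        esac
    done
    return $rc
}

# Live run on a domain member (requires Samba's net/wbinfo and the domain SID):
#   ./audit_builtin.sh live S-1-5-21-<your-domain-sid>
if [ "${1:-}" = "live" ] && [ -n "${2:-}" ]; then
    status=0
    for alias_sid in S-1-5-32-544 S-1-5-32-545 S-1-5-32-546; do
        net groupmap listmem "$alias_sid" \
            | flag_unexpected_members "$alias_sid" "$2" \
            | while IFS= read -r line; do
                  sid=${line##*: }
                  # wbinfo -s resolves a SID to DOMAIN\name plus type.
                  printf '%s (%s)\n' "$line" "$(wbinfo -s "$sid" 2>/dev/null || echo unresolved)"
              done || status=1
    done
    exit $status
fi
```

Run with no arguments the script only defines the functions, so it can be sourced from other tooling; `live <domain SID>` performs the actual audit. A non-zero exit is the signal that BUILTIN\Administrators (or Users/Guests) carries a member beyond the default join-time mapping.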