[Samba] net rpc rights grant fail to connect 127.0.0.1

Rowland penny rpenny at samba.org
Mon Jul 13 19:53:43 UTC 2020


On 13/07/2020 20:31, Andrew Walker wrote:
>
>
> On Mon, Jul 13, 2020 at 2:04 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
>     On 13/07/2020 18:50, Andrew Walker wrote:
>     >
>     >
>     > On Mon, Jul 13, 2020 at 1:26 PM Rowland penny via samba
>     > <samba at lists.samba.org> wrote:
>     >
>     >     On 13/07/2020 18:18, Douglas G. Oechsler wrote:
>     >     >
>     >     > Hello!
>     >     >
>     >     > Ok! I switch the IP inside Member AD
>     >     > > 127.0.0.1 localhost
>     >     > > 10.1.1.16 E-PLANO.ad.mydomain.br e-plano
>     >     >
>     >     > Only to clarify
>     >     > 10.1.1.16 - AD Member - File server
>     >     > 10.1.1.21 - Only AD-DC
>     >     >
>     >     > But, sorry!
>     >     > Follow the wiki
>     >     > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>     >     >
>     >     > The command:
>     >     > # net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
>     >     > Enter SAMDOM\administrator's password:
>     >     >
>     >     > To grant rights, need to do it on the ad-dc side directly?
>     >     >
>     >     Did you miss the orange box containing:
>     >
>     >     You need to grant the SeDiskOperatorPrivilege privilege on the
>     >     Samba server that holds the share.
>     >
>     >     Rowland
>     >
>     > For cases where I want to allow an AD group other than Domain Admins
>     > to do this stuff (and not bother with "net rpc" commands), I find it
>     > somewhat easier to find the SID of the group and then add it as a
>     > foreign group of BUILTIN\Administrators on the samba server with the
>     > shares a-la "net groupmap addmem S-1-5-32-544 <sid of group>". This
>     > will make members of the group local admins with all the benefits and
>     > dangers associated with it.
>
>     Problem is, if you are using the 'ad' backend, the group must be known
>     to Unix, i.e. it must have a gidNumber attribute, which is why you cannot
>     use Domain Admins; if you use the 'rid' backend, none of this matters ;-)
>
>     Rowland
>
> On an AD domain member, Domain Admins gets its privileges by virtue of 
> being a member of BUILTIN\Administrators. It is added to this group as 
> a part of post-processing in libnet join.
> DOMAIN\domain admins is added to BUILTIN\administrators, DOMAIN\domain 
> users is added to BUILTIN\users, and DOMAIN\guests is added to 
> BUILTIN\guests. You can view
> the foreign memberships of these groups via "net groupmap listmem" or 
> by using "tdbdump <state directory>/group_mapping.tdb". You can even 
> do the same with groupmap entries
> for local Unix groups (make them members of BUILTIN\administrators, 
> granting access to "computer management").

The problem with Domain Admins is that it has to be able to 'own' things 
in sysvol; to do this, it is mapped to 'ID_TYPE_BOTH' in idmap.ldb on 
DCs. If you use the 'ad' backend on Unix domain members and give Domain 
Admins a gidNumber attribute, this turns Domain Admins into just a group, 
and groups cannot own anything on Unix. My fix for this problem is to 
create a group, add this group to Administrators (or Domain Admins) and 
give this group a gidNumber. This allows Domain Admins to continue 
owning things in sysvol, and you use your new group on Unix wherever you 
would normally use Domain Admins.

Rowland
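The two routes discussed in this thread, the wiki's `net rpc rights grant` run on the member server that holds the share, and Andrew's `net groupmap addmem` of a group SID into BUILTIN\Administrators, written up as a POSIX shell script. This is an added example and is not code from the thread or from the Samba project. It assumes a Samba AD domain member with `net` and `wbinfo` installed, uses the SAMDOM / "Unix Admins" names from the wiki, and the function names (`has_privilege`, `sid_from_wbinfo`, `ensure_disk_operator`, `add_to_local_admins`) are this example's own; the two parser functions are exercised against constructed sample output rather than a live domain.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Samba AD domain member that
# holds the share (the thread's E-PLANO / 10.1.1.16 role) with `net` and
# `wbinfo` installed; SAMDOM and "Unix Admins" are the wiki's names.
# All function names below are this example's own.

# Return 0 if ACCOUNT holds PRIVILEGE in `net rpc rights list accounts` output
# read from stdin. That output is a series of blocks: an account name line,
# then one privilege per line (or "No privileges assigned"), then a blank line.
# ENVIRON is used instead of -v so backslashes in "DOMAIN\group" stay literal.
has_privilege() {
    ACCT="$1" PRIV="$2" awk '
        /^$/      { cur = ""; next }   # blank line closes the current block
        cur == "" { cur = $0; next }   # first line of a block is the account
        cur == ENVIRON["ACCT"] && $0 == ENVIRON["PRIV"] { found = 1 }
        END       { exit found ? 0 : 1 }'
}

# Extract the SID from `wbinfo -n "DOMAIN\group"` output read from stdin,
# e.g. "S-1-5-21-...-1107 SID_DOM_GROUP (2)" -> "S-1-5-21-...-1107".
sid_from_wbinfo() {
    awk '$1 ~ /^S-1-/ { print $1; exit }'
}

# Wiki route: grant SeDiskOperatorPrivilege on this member server, but only
# if the group does not already hold it, so the script can be re-run safely.
ensure_disk_operator() {
    group="$1"; admin="${2:-SAMDOM\\administrator}"
    if net rpc rights list accounts -U "$admin" |
        has_privilege "$group" SeDiskOperatorPrivilege; then
        echo "$group already holds SeDiskOperatorPrivilege"
    else
        net rpc rights grant "$group" SeDiskOperatorPrivilege -U "$admin"
    fi
}

# Andrew's alternative: add the group's SID as a foreign member of
# BUILTIN\Administrators (S-1-5-32-544). This makes every member a local
# admin on this server, which is far broader than one privilege, so check
# the group's membership before doing it and list the result afterwards.
add_to_local_admins() {
    sid=$(wbinfo -n "$1" | sid_from_wbinfo)
    [ -n "$sid" ] || { echo "cannot resolve SID for $1" >&2; return 1; }
    net groupmap addmem S-1-5-32-544 "$sid" || return 1
    net groupmap listmem S-1-5-32-544
}

# Usage (run on the file server that holds the share, not on the DC):
#   ensure_disk_operator 'SAMDOM\Unix Admins'
#   add_to_local_admins  'SAMDOM\Unix Admins'
```

Both functions are meant to run on the member server, which is the point Rowland makes above: the privilege and the group mapping live in that server's own tdb files, so granting them on the DC does nothing for the share. The `ensure_disk_operator` check-before-grant keeps the change idempotent and gives you a place to log who already has the privilege; `add_to_local_admins` prints the resulting `listmem` output so the broader grant is visible in the change record.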
