[Samba] builtin groups are not mapped by winbind

Rowland Penny rpenny at samba.org
Fri May 20 10:35:50 UTC 2022


On Fri, 2022-05-20 at 09:31 +0100, Rowland Penny via samba wrote:
> On Fri, 2022-05-20 at 09:53 +0200, L. van Belle via samba wrote:
> > Good morning people around the world.. 
> > 
> > @rowland, This script isn't running anymore, can you check/verify
> > it. 
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh 
> > 
> > Can you have a check in it also.  
> > This smells like a bug.. 
> > 
> > All mentioned groups exist.. in the AD as Builtin\GroupNames and
> > should show with above script. 
> > 
> > net rpc rights list privileges SeBackupPrivilege -UADDOM\\Administrator -S$(hostname -f)
> > Enter ADDOM\Administrator's password:
> > Could not connect to server server.internal.hostname.tld
> > Connection failed: NT_STATUS_INVALID_TOKEN
> > 
> > If it's all good, I get (tested on an old, old samba version
> > 4.6.16.) 
> > 
> > SeBackupPrivilege:
> >   BUILTIN\Administrators
> > 
> > So, I think there is more going on here.. 
> > 
> 
> I see what you mean, it doesn't work for myself, I will get back to
> you.
> 
> Rowland

I had a dns error, now fixed, I changed this line in the script:

net rpc rights list privileges $sepriv -S $(hostname -f) -k

To:

net rpc rights list privileges $sepriv -S $(hostname -f) --use-kerberos=required -N

Ran the script and got this:

rowland at devstation:~$ sudo bash ./samba-check-SePrivileges.sh
Password for Administrator at SAMDOM.EXAMPLE.COM: 
SeMachineAccountPrivilege:
  BUILTIN\Administrators
SeTakeOwnershipPrivilege:
  BUILTIN\Administrators
SeBackupPrivilege:
  BUILTIN\Administrators
SeRestorePrivilege:
  BUILTIN\Administrators
SeRemoteShutdownPrivilege:
  BUILTIN\Administrators
SePrintOperatorPrivilege:
  BUILTIN\Administrators
SeAddUsersPrivilege:
  BUILTIN\Administrators
SeDiskOperatorPrivilege:
  SAMDOM\Administrator
  BUILTIN\Administrators
  SAMDOM\Unix Admins
SeSecurityPrivilege:
  BUILTIN\Administrators
SeSystemtimePrivilege:
  BUILTIN\Administrators
SeShutdownPrivilege:
  BUILTIN\Administrators
SeDebugPrivilege:
  BUILTIN\Administrators
SeSystemEnvironmentPrivilege:
  BUILTIN\Administrators
SeSystemProfilePrivilege:
  BUILTIN\Administrators
SeProfileSingleProcessPrivilege:
  BUILTIN\Administrators
SeIncreaseBasePriorityPrivilege:
  BUILTIN\Administrators
SeLoadDriverPrivilege:
  BUILTIN\Administrators
SeCreatePagefilePrivilege:
  BUILTIN\Administrators
SeIncreaseQuotaPrivilege:
  BUILTIN\Administrators
SeChangeNotifyPrivilege:
  BUILTIN\Administrators
SeUndockPrivilege:
  BUILTIN\Administrators
SeManageVolumePrivilege:
  BUILTIN\Administrators
SeImpersonatePrivilege:
  BUILTIN\Administrators
SeCreateGlobalPrivilege:
  BUILTIN\Administrators
SeEnableDelegationPrivilege:
  BUILTIN\Administrators

Rowland
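The listing above is what a working run of the script produces; a defender usually wants the inverse view, i.e. which principals other than BUILTIN\Administrators hold any privilege. The following is an added example, not part of the thread or of the samba-check-SePrivileges.sh script: a POSIX shell audit that parses `net rpc rights list privileges` output and reports those extra holders. The embedded sample is constructed from the SeDiskOperatorPrivilege entries Rowland posted; in a real run, replace `list_rights` with the `net rpc` command shown in the message.

```shell
#!/bin/sh
# Added example (not from the thread): flag privilege holders that are not
# BUILTIN\Administrators in `net rpc rights list privileges` output.

# Constructed sample, taken from the listing in the thread. In production,
# list_rights would run:
#   net rpc rights list privileges -S "$(hostname -f)" --use-kerberos=required -N
SAMPLE_RIGHTS='SeBackupPrivilege:
  BUILTIN\Administrators
SeDiskOperatorPrivilege:
  SAMDOM\Administrator
  BUILTIN\Administrators
  SAMDOM\Unix Admins
SeDebugPrivilege:
  BUILTIN\Administrators'

# The one principal expected to hold every privilege by default.
EXPECTED_HOLDER='BUILTIN\Administrators'

# list_rights: stand-in for the real net rpc call; prints the sample listing.
list_rights() {
    printf '%s\n' "$SAMPLE_RIGHTS"
}

# audit_rights: read a listing on stdin, print "<privilege><TAB><principal>"
# for every holder that is not $EXPECTED_HOLDER.
audit_rights() {
    awk -v expected="$EXPECTED_HOLDER" '
        # A line without leading spaces and ending in ":" names a privilege.
        /^[^ ].*:$/ { priv = substr($0, 1, length($0) - 1); next }
        # Indented lines are the principals holding that privilege.
        /^  / {
            sub(/^  /, "")
            if ($0 != expected) print priv "\t" $0
        }
    '
}

# count_extra_holders: number of unexpected (privilege, principal) pairs.
count_extra_holders() {
    list_rights | audit_rights | wc -l | tr -d ' '
}

list_rights | audit_rights
```

A non-zero count is the signal to review: here it reports the two SeDiskOperatorPrivilege grants beyond BUILTIN\Administrators, which are intentional in Rowland's domain but would be worth a second look on a file server that never meant to delegate share management.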
