[Samba] builtin groups are not mapped by winbind
Rowland Penny
rpenny at samba.org
Fri May 20 10:35:50 UTC 2022
On Fri, 2022-05-20 at 09:31 +0100, Rowland Penny via samba wrote:
> On Fri, 2022-05-20 at 09:53 +0200, L. van Belle via samba wrote:
> > Good morning people around the world..
> >
> > @rowland, This script isn't running anymore, can you check/verify
> > it.
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh
> >
> > Can you have a check in it also.
> > This smells like a bug..
> >
> > All mentioned groups exist.. in the AD as Builtin\GroupNames and
> > should show with above script.
> >
> > net rpc rights list privileges SeBackupPrivilege -UADDOM\\Administrator -S$(hostname -f)
> > Enter ADDOM\Administrator's password:
> > Could not connect to server server.internal.hostname.tld
> > Connection failed: NT_STATUS_INVALID_TOKEN
> >
> > If it's all good, I get (tested on an old old samba version
> > 4.6.16.)
> >
> > SeBackupPrivilege:
> > BUILTIN\Administrators
> >
> > So, I think there is more going on here..
> >
>
> I see what you mean, it doesn't work for myself, I will get back to
> you.
>
> Rowland
I had a DNS error, now fixed. I changed this line in the script:
net rpc rights list privileges $sepriv -S $(hostname -f) -k
To:
net rpc rights list privileges $sepriv -S $(hostname -f) --use-kerberos=required -N
Ran the script and got this:
rowland at devstation:~$ sudo bash ./samba-check-SePrivileges.sh
Password for Administrator at SAMDOM.EXAMPLE.COM:
SeMachineAccountPrivilege:
BUILTIN\Administrators
SeTakeOwnershipPrivilege:
BUILTIN\Administrators
SeBackupPrivilege:
BUILTIN\Administrators
SeRestorePrivilege:
BUILTIN\Administrators
SeRemoteShutdownPrivilege:
BUILTIN\Administrators
SePrintOperatorPrivilege:
BUILTIN\Administrators
SeAddUsersPrivilege:
BUILTIN\Administrators
SeDiskOperatorPrivilege:
SAMDOM\Administrator
BUILTIN\Administrators
SAMDOM\Unix Admins
SeSecurityPrivilege:
BUILTIN\Administrators
SeSystemtimePrivilege:
BUILTIN\Administrators
SeShutdownPrivilege:
BUILTIN\Administrators
SeDebugPrivilege:
BUILTIN\Administrators
SeSystemEnvironmentPrivilege:
BUILTIN\Administrators
SeSystemProfilePrivilege:
BUILTIN\Administrators
SeProfileSingleProcessPrivilege:
BUILTIN\Administrators
SeIncreaseBasePriorityPrivilege:
BUILTIN\Administrators
SeLoadDriverPrivilege:
BUILTIN\Administrators
SeCreatePagefilePrivilege:
BUILTIN\Administrators
SeIncreaseQuotaPrivilege:
BUILTIN\Administrators
SeChangeNotifyPrivilege:
BUILTIN\Administrators
SeUndockPrivilege:
BUILTIN\Administrators
SeManageVolumePrivilege:
BUILTIN\Administrators
SeImpersonatePrivilege:
BUILTIN\Administrators
SeCreateGlobalPrivilege:
BUILTIN\Administrators
SeEnableDelegationPrivilege:
BUILTIN\Administrators
Rowland
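An added example, not the samba-check-SePrivileges.sh script from the thread: a small audit that uses the `--use-kerberos=required -N` form of the query shown above and flags every privilege holder other than BUILTIN\Administrators, so non-default grants (like the extra SeDiskOperatorPrivilege holders in the output) stand out. The `--live` switch, the function names and the embedded sample output are my own assumptions/constructions; the live query assumes a valid Kerberos ticket for an account allowed to read rights.

```shell
#!/bin/bash
# Added example: audit "net rpc rights list privileges" output for holders
# other than BUILTIN\Administrators. Not the thread's script.

# Live query in the form used in the thread (assumes a Kerberos ticket).
query_privileges() {
    net rpc rights list privileges -S "$(hostname -f)" --use-kerberos=required -N
}

# Parse "SeXxxPrivilege:" headers followed by one holder per line and print
# "PRIVILEGE<TAB>HOLDER" for every holder that is not BUILTIN\Administrators.
nondefault_holders() {
    awk '
        /^[[:space:]]*Se[A-Za-z]+Privilege:[[:space:]]*$/ {
            sub(/^[[:space:]]+/, ""); sub(/:.*$/, ""); priv = $0; next
        }
        NF > 0 && priv != "" {
            holder = $0
            sub(/^[[:space:]]+/, "", holder)
            if (holder != "BUILTIN\\Administrators")
                printf "%s\t%s\n", priv, holder
        }
    '
}

# Constructed sample, shaped like the output quoted in the thread.
SAMPLE_OUTPUT='SeBackupPrivilege:
BUILTIN\Administrators
SeDiskOperatorPrivilege:
SAMDOM\Administrator
BUILTIN\Administrators
SAMDOM\Unix Admins
SeSecurityPrivilege:
BUILTIN\Administrators'

# Run the audit over the constructed sample (offline).
audit_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | nondefault_holders
}

# "--live" (assumed switch) audits the real DC; otherwise audit the sample.
if [ "${1:-}" = "--live" ]; then
    query_privileges | nondefault_holders
else
    audit_sample
fi
```

On the sample this prints only the two SeDiskOperatorPrivilege holders; run against a DC, anything it prints is a grant that deserves a second look.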