[Samba] SeDiskOperatorPrivilege_Privilege

Luis Peromarta lperoma at icloud.com
Sun Jun 9 15:53:30 UTC 2024


Mmm… strange? Or is this what you were expecting?

root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
Password for [MAD\administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
Password for [MAD\administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -UAdministrator
Password for [MAD\Administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\Administrator"
Password for [MAD\Administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

But then:

root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uluis
Password for [MAD\luis]:
SeDiskOperatorPrivilege:
 BUILTIN\Administrators

Remember there is no root map via user.map - if it matters. And as FYI:

root at member:/# cat /etc/hosts
127.0.0.1 localhost
192.168.3.1 member.mad.mater.int member

root at member:/# cat /etc/samba/smb.conf
# Global parameters
[global]
 security = ADS
 workgroup = MAD
 realm = MAD.MATER.INT
 netbios name = MEMBER
 server role = member server
 log file = /var/log/samba/%m.log

# Disable Netbios
 disable netbios = yes

# Enforce minimum protocol SMB3
# server min protocol = SMB3

# To enable Group Policy application in winbind,
 apply group policies = yes

# Default ID mapping configuration for local BUILTIN accounts

 idmap config * : backend = tdb
 idmap config * : range = 3000-7999

# idmap config for the MAD domain

 idmap config MAD : backend = ad
 idmap config MAD : schema_mode = rfc2307
 idmap config MAD : range = 10000-999999
 idmap config MAD : unix_nss_info = yes


# Read AD unix attributes to allow ssh login to server:
# winbind nss info = rfc2307

# winbind config:
 winbind use default domain = yes
# winbind enum users = yes
# winbind enum groups = yes

# renew the kerberos ticket

 winbind refresh tickets = yes
 dedicated keytab file = /etc/krb5.keytab
 kerberos method = secrets and keytab

# Map Administrator to root

 username map = /etc/samba/user.map
 min domain uid = 0

# To configure shares using extended access control lists (ACL)
 vfs objects = acl_xattr
 map acl inherit = yes
 acl_xattr:ignore system acls = yes

[test]
 hide unreadable = Yes
 path = /test/
 read only = No



LP
On Jun 9, 2024 at 15:02 +0100, Rowland Penny via samba <samba at lists.samba.org>, wrote:
> On Sun, 9 Jun 2024 13:29:15 +0100
> Luis Peromarta via samba <samba at lists.samba.org> wrote:
>
> > Hi there,
> >
> > I wonder if this is relevant on Active Directory or maybe is a thing
> > of older NT4 style domains.
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
> >
> > I have tried setting up a member server with ad-idmap, and used a
> > user “luis” (with uidNumber) from the Unix Admins group (that has
> > gidNumber).
> >
> > Unix Admins group is a member of the Domain Admins group, that has no
> > gidNumber.
> >
> > The share looks like this:
> >
> > 8.0K drwxrwx---   2 luis unix admins 4.0K Jun  9 11:29 test
> >
> > I also used:
> >
> > vfs objects = acl_xattr
> > acl_xattr:ignore system acls = yes
> >
> > I didn’t need to grant any privilege(s). It just worked. Am I missing
> > something?
> >
> > Maybe I need to grant the rights to users that are not admins so they
> > can set up shares / permissions? How is this reflected in the Windows
> > “security” tab of the share, if at all?
> >
> > I wonder if these rights should be granted per server (like I have
> > always done)? Or else on a DC?
> >
> > Thanks,
> >
> > LP
>
> You really are getting me thinking this weekend :-)
>
> What is the output of:
>
> net rpc rights list privileges SeDiskOperatorPrivilege -U administrator
>
> When run as 'root' on your Unix domain member.
>
> Depending on that, I think the wikipage may need amending.
>
> Rowland
>
>


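To make the check Rowland asks for scriptable, here is an added Python example (not code from this thread or from Samba) that parses the text printed by `net rpc rights list privileges` in both forms seen above: the privilege listing with its holders, and the `Connection failed: NT_STATUS_...` form, so an audit script can tell "nobody holds the privilege" apart from "the query never authenticated". The sample outputs are constructed from the session in this message; `query_rights` is an assumed helper that runs the same command.

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import Optional

# Constructed samples, modelled on the output shown in this thread.
SUCCESS_SAMPLE = "Password for [MAD\\luis]:\nSeDiskOperatorPrivilege:\n BUILTIN\\Administrators\n"
FAILURE_SAMPLE = ("Password for [MAD\\administrator]:\nCould not connect to server 127.0.0.1\n"
                  "The username or password was not correct.\n"
                  "Connection failed: NT_STATUS_LOGON_FAILURE\n")


@dataclass
class RightsResult:
    ok: bool                          # False when net rpc could not connect/authenticate
    status: Optional[str] = None      # NT_STATUS_* code on failure
    holders: dict = field(default_factory=dict)  # privilege name -> list of holders


def parse_rights_output(text: str) -> RightsResult:
    """Parse `net rpc rights list privileges` output into a RightsResult."""
    m = re.search(r"Connection failed:\s*(NT_STATUS_\w+)", text)
    if m:
        # The command never got an answer; an empty holder list here means nothing.
        return RightsResult(ok=False, status=m.group(1))
    holders = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Password for"):
            continue                   # skip the password prompt echoed to the terminal
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]   # unindented "Name:" line starts a privilege
            holders[current] = []
        elif current is not None:
            holders[current].append(line.strip())  # indented lines are the holders
    return RightsResult(ok=True, holders=holders)


def has_holder(result: RightsResult, privilege: str, account: str) -> bool:
    """True only if the query succeeded and `account` holds `privilege`."""
    names = (h.lower() for h in result.holders.get(privilege, []))
    return result.ok and account.lower() in names


def query_rights(privilege: str, user: str) -> RightsResult:
    """Assumed helper: run the thread's command. Pass user as 'name%password'
    (net's -U syntax); a bare name makes net prompt on the terminal."""
    proc = subprocess.run(["net", "rpc", "rights", "list", "privileges", privilege, "-U", user],
                          capture_output=True, text=True)
    return parse_rights_output(proc.stdout + proc.stderr)
```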