[Samba] SeDiskOperatorPrivilege_Privilege

Luis Peromarta lperoma at icloud.com
Sun Jun 9 16:05:50 UTC 2024


Update:

Even though the root map lines are in smb.conf, the user.map does not exist.

When I move the usual user.map file with !root = MAD\Administrator into /etc/samba, and restart smbd, then it works:

root at member:~# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
Password for [MAD\administrator]:
SeDiskOperatorPrivilege:
 BUILTIN\Administrators

Regards,

LP
On Jun 9, 2024 at 16:54 +0100, Luis Peromarta via samba <samba at lists.samba.org>, wrote:
> Mmm… strange? Or is this what you were expecting?
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
> Password for [MAD\administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
> Password for [MAD\administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -UAdministrator
> Password for [MAD\Administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\Administrator"
> Password for [MAD\Administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> But then:
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uluis
> Password for [MAD\luis]:
> SeDiskOperatorPrivilege:
>  BUILTIN\Administrators
>
> Remember there is no root map via user.map - if it matters. And as FYI:
>
> root at member:/# cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.3.1 member.mad.mater.int member
>
> root at member:/# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>  security = ADS
>  workgroup = MAD
>  realm = MAD.MATER.INT
>  netbios name = MEMBER
>  server role = member server
>  log file = /var/log/samba/%m.log
>
> # Disable Netbios
>  disable netbios = yes
>
> # Enforce minimum protocol SMB3
> # server min protocol = SMB3
>
> # To enable Group Policy application in winbind,
>  apply group policies = yes
>
> # Default ID mapping configuration for local BUILTIN accounts
>
>  idmap config * : backend = tdb
>  idmap config * : range = 3000-7999
>
> # idmap config for the MAD domain
>
>  idmap config MAD : backend = ad
>  idmap config MAD : schema_mode = rfc2307
>  idmap config MAD : range = 10000-999999
>  idmap config MAD : unix_nss_info = yes
>
>
> # Read AD unix attributes to allow ssh login to server:
> # winbind nss info = rfc2307
>
> # winbind config:
>  winbind use default domain = yes
> # winbind enum users = yes
> # winbind enum groups = yes
>
> # renew the kerberos ticket
>
>  winbind refresh tickets = yes
>  dedicated keytab file = /etc/krb5.keytab
>  kerberos method = secrets and keytab
>
> # Map Administrator to root
>
>  username map = /etc/samba/user.map
>  min domain uid = 0
>
> # To configure shares using extended access control lists (ACL)
>  vfs objects = acl_xattr
>  map acl inherit = yes
>  acl_xattr:ignore system acls = yes
>
> [test]
>  hide unreadable = Yes
>  path = /test/
>  read only = No
>
>
>
> LP
> On Jun 9, 2024 at 15:02 +0100, Rowland Penny via samba <samba at lists.samba.org>, wrote:
> > On Sun, 9 Jun 2024 13:29:15 +0100
> > Luis Peromarta via samba <samba at lists.samba.org> wrote:
> >
> > > Hi there,
> > >
> > > I wonder if this is relevant on Active Directory or maybe it is a thing
> > > of older NT4 style domains.
> > >
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
> > >
> > > I have tried setting up a member server with ad-idmap, and used a
> > > user “luis” (with uidNumber) from the Unix Admins group (that has
> > > gidNumber).
> > >
> > > Unix Admins group is a member of the Domain Admins group, that has no
> > > gidNumber.
> > >
> > > The share looks like this:
> > >
> > > 8.0K drwxrwx---   2 luis unix admins 4.0K Jun  9 11:29 test
> > >
> > > I also used:
> > >
> > > vfs objects = acl_xattr
> > > acl_xattr:ignore system acls = yes
> > >
> > > I didn't need to grant any privilege(s). It just worked. Am I missing
> > > something?
> > >
> > > Maybe I need to grant the rights to users that are not admins so they
> > > can set up shares / permissions? How is this reflected in the Windows
> > > “security” tab of the share if at all?
> > >
> > > I wonder if these rights should be granted per server (like I have
> > > always done)? Or else in a DC?
> > >
> > > Thanks,
> > >
> > > LP
> >
> > You really are getting me thinking this weekend :-)
> >
> > What is the output of:
> >
> > net rpc rights list privileges SeDiskOperatorPrivilege -U administrator
> >
> > When run as 'root' on your Unix domain member.
> >
> > Depending on that, I think the wikipage may need amending.
> >
> > Rowland
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
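A configuration check that follows from this thread, added here as an example and not code from the Samba project or from either poster: it reads the `username map` path out of smb.conf, reports when that file is missing (the state the first post describes), and confirms that a `!root = MAD\Administrator` line is present. The function names and the constructed sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity-check that the
# file named by 'username map' in smb.conf exists and maps the domain
# Administrator to root. Function names are assumptions made here.

# usermap_path CONF: print the value of 'username map' from CONF (first match)
usermap_path() {
    sed -n 's/^[[:space:]]*[Uu]sername[[:space:]]*[Mm]ap[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# check_root_map CONF DOMAIN: return 0 when the map file exists and contains a
# 'root = DOMAIN\Administrator' (or '!root = ...') line; 1 when smb.conf
# references a map file that does not exist; 2 when the file has no root
# entry; 3 when smb.conf sets no 'username map' at all.
check_root_map() {
    conf=$1
    dom=$2
    map=$(usermap_path "$conf")
    if [ -z "$map" ]; then
        printf '%s\n' "no 'username map' set in $conf"; return 3
    fi
    if [ ! -f "$map" ]; then
        printf '%s\n' "username map $map is referenced in $conf but does not exist"; return 1
    fi
    # '\\\\' inside double quotes becomes '\\' for grep -E, i.e. one literal backslash
    if grep -Eiq "^[[:space:]]*!?root[[:space:]]*=[[:space:]]*.*$dom\\\\Administrator" "$map"; then
        printf '%s\n' "root mapping for $dom\\Administrator found in $map"; return 0
    fi
    printf '%s\n' "$map exists but has no root = $dom\\Administrator entry"; return 2
}

# demo: constructed smb.conf and user.map in a temp dir, walking through the
# missing-file case from the thread and then the fixed state. Prints the two
# return codes on its last line ("1 0").
demo() {
    tmp=$(mktemp -d)
    printf '[global]\n   workgroup = MAD\n   username map = %s/user.map\n' "$tmp" > "$tmp/smb.conf"
    r1=0; check_root_map "$tmp/smb.conf" MAD || r1=$?
    printf '!root = MAD\\Administrator\n' > "$tmp/user.map"
    r2=0; check_root_map "$tmp/smb.conf" MAD || r2=$?
    rm -rf "$tmp"
    echo "$r1 $r2"
}

demo
```

On a real member server run `check_root_map /etc/samba/smb.conf MAD` (with your own workgroup name) before retrying `net rpc rights` as administrator.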