[Samba] samba join failed: LDAP_INSUFFICIENT_ACCESS_RIGHTS -- SeEnableDelegationPrivilege

Rowland Penny rpenny at samba.org
Wed Apr 23 10:09:34 UTC 2025


On Wed, 23 Apr 2025 12:58:57 +0300
Sami Hulkko via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> One can, in a Samba DC system, add Administrator to the sudo group if,
> as Rowland Penny mentioned, it has the uid, gid, home folder and default
> shell settings set and is therefore able to log in to the Samba system.
> samba-tool, if I recollect right, can add these attributes to a user, and
> with the Windows 11 RSAT tools in 'Active Directory Users and Computers'
> one needs to enable 'Advanced Features' from the View menu to have access
> to the 'Attribute Editor', where one can add them too. With sudo rights the
> Administrator can run commands with ease and no folder rights
> problems.
> 

Yes you could do that, but that will just get you Administrator running
commands as root via sudo, so why bother? Every Samba AD DC maps
Administrator to id '0' in idmap.ldb unless you give Administrator a
uidNumber.

In my opinion, you should only use Administrator on Windows and
Samba-AD DCs when running samba-tool, but even then, it would be better
to follow AD best practice and use a member of Domain Admins instead.

Rowland


