MARTIN boris
2015-Oct-23 09:03 UTC
[Samba] no access to share permission on a domain member
Hi all,

I have a domain server with a test share on it.

But I can't find the way to manage it via Windows.

When I try to modify something on the share permission part, I get an access denied error.

If I put the server in debug mode I get:

_srvsvc_NetShareSetInfo: uid 10001 doesn't have the SeDiskOperatorPrivilege privilege needed to modify share demoshare

uid 10001 being the uid of the administrator of the AD.

But if I do:

wbinfo -i administrator
administrator:*:10001:20000:Administrator:/home/Administrator:/bin/sh
getent passwd | grep 10001
administrator:*:10001:20000:Administrator:/home/Administrator:/bin/sh

net rpc rights list administrator -U 'XXXX\administrator' -I 'xxxx.bla.fr'

I get:

SeDiskOperatorPrivilege

I have successfully fixed my trouble with this line:

username map = /etc/samba/user.map

that I have added to my smb.conf file, with user map having the single line

!root = XXXX\Administrator XXXX\administrator

and doing the following command line:

net rpc rights grant 'XXXX\Domain Admins' SeDiskOperatorPrivilege -U'administrator'

So I have one question:

1) First, is the SeDiskOperatorPrivilege an AD range flag, or a server range flag?

And a call for help, because I have reached the end of my own knowledge of Samba.

2) Why do I need to play with user.map when, to my point of view, winbind is supposed to do the job?

3) Is there a way to make things work without playing with the username map command?

Thanks for your help.
Rowland Penny
2015-Oct-23 09:48 UTC
[Samba] no access to share permission on a domain member
On 23/10/15 10:03, MARTIN boris wrote:
> Hi all,
>
> I have a domain server with a test share on it.
>
> But I can't find the way to manage it via Windows.
>
> When I try to modify something on the share permission part, I get an access denied error.
>
> If I put the server in debug mode I get:
>
> _srvsvc_NetShareSetInfo: uid 10001 doesn't have the SeDiskOperatorPrivilege privilege needed to modify share demoshare
>
> uid 10001 being the uid of the administrator of the AD.
>
> But if I do:
>
> wbinfo -i administrator
> administrator:*:10001:20000:Administrator:/home/Administrator:/bin/sh
> getent passwd | grep 10001
> administrator:*:10001:20000:Administrator:/home/Administrator:/bin/sh
>
> net rpc rights list administrator -U 'XXXX\administrator' -I 'xxxx.bla.fr'
>
> I get:
>
> SeDiskOperatorPrivilege
>
> I have successfully fixed my trouble with this line:
>
> username map = /etc/samba/user.map
>
> that I have added to my smb.conf file, with user map having the single line
>
> !root = XXXX\Administrator XXXX\administrator
>
> and doing the following command line:
>
> net rpc rights grant 'XXXX\Domain Admins' SeDiskOperatorPrivilege -U'administrator'
>
> So I have one question:
>
> 1) First, is the SeDiskOperatorPrivilege an AD range flag, or a server range flag?
>
> And a call for help, because I have reached the end of my own knowledge of Samba.
>
> 2) Why do I need to play with user.map when, to my point of view, winbind is supposed to do the job?
>
> 3) Is there a way to make things work without playing with the username map command?
>
> Thanks for your help.

Well, there are two things you could do here: you could either go to the share and change the ownership to 'Administrator', now that you have given it a uidNumber, or you could remove the uidNumber from the Administrator and allow Samba to map it to the Unix 'root' user.

On a DC, this is done automatically, but on a domain member, you would have to use a 'user.map'. Either way would give Administrator the required rights to change things on the Samba machine, but giving Administrator a uidNumber is a bit more inflexible, as it would have to be made to actually own the directories etc. on the Samba machine.

Rowland
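
Added example, not part of the thread and not Samba project code: a small audit script that reads a username map file like the user.map discussed above and lists every client name that ends up mapped to the Unix root account on a domain member. The function names and every sample entry except the '!root' line are hypothetical, and only the '@group' and '*' forms of the right-hand side are classified.

```python
import re

# A name on the right-hand side: double-quoted (may contain spaces) or bare.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def parse_user_map(text):
    """Parse 'username map' file text into a list of entry dicts."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        stop = line.startswith("!")            # '!': stop processing after a match here
        line = line[1:].lstrip() if stop else line
        unix, sep, rest = line.partition("=")
        if not sep or not unix.strip():        # not in 'unix = names' form
            continue
        names = [q or w for q, w in _TOKEN.findall(rest) if q or w]
        entries.append({"line": lineno, "unix": unix.strip(), "stop": stop, "names": names})
    return entries

def root_mappings(text, privileged=("root",)):
    """Return (line, client_name, scope) for each name mapped to a privileged account."""
    findings = []
    for entry in parse_user_map(text):
        if entry["unix"] not in privileged:
            continue
        for name in entry["names"]:
            if name == "*":
                scope = "wildcard: every client name"
            elif name.startswith("@"):
                scope = "group: all members"
            else:
                scope = "single account"
            findings.append((entry["line"], name, scope))
    return findings

# Constructed sample. Only the '!root' line comes from the thread.
SAMPLE_MAP = "\n".join([
    r"# /etc/samba/user.map",
    r"!root = XXXX\Administrator XXXX\administrator",
    r'backup = "XXXX\Backup Operator" @backupgrp',
    r"root = @unixadmins",
    r"guest = *",
])

if __name__ == "__main__":
    for line, name, scope in root_mappings(SAMPLE_MAP):
        print(f"line {line}: {name} -> root ({scope})")
```

Run against the real map file's contents, the output is the list of domain identities to review alongside whoever holds SeDiskOperatorPrivilege on that member server.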