Mmm... strange? Or is this what you were expecting?

root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
Password for [MAD\administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
Password for [MAD\administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -UAdministrator
Password for [MAD\Administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\Administrator"
Password for [MAD\Administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

But then:

root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uluis
Password for [MAD\luis]:
SeDiskOperatorPrivilege:
     BUILTIN\Administrators

Remember there is no root map via user.map - if it matters.

And as FYI:

root at member:/# cat /etc/hosts
127.0.0.1 localhost
192.168.3.1 member.mad.mater.int member

root at member:/# cat /etc/samba/smb.conf
# Global parameters
[global]
    security = ADS
    workgroup = MAD
    realm = MAD.MATER.INT
    netbios name = MEMBER
    server role = member server
    log file = /var/log/samba/%m.log

# Disable Netbios
    disable netbios = yes

# Enforce minimum protocol SMB3
# server min protocol = SMB3

# To enable Group Policy application in winbind,
    apply group policies = yes

# Default ID mapping configuration for local BUILTIN accounts
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

# idmap config for the MAD domain
    idmap config MAD : backend = ad
    idmap config MAD : schema_mode = rfc2307
    idmap config MAD : range = 10000-999999
    idmap config MAD : unix_nss_info = yes

# Read AD unix attributes to allow ssh login to server:
# winbind nss info = rfc2307

# winbind config:
    winbind use default domain = yes
# winbind enum users = yes
# winbind enum groups = yes

# renew the kerberos ticket
    winbind refresh tickets = yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

# Map Administrator to root
    username map = /etc/samba/user.map
    min domain uid = 0

# To configure shares using extended access control lists (ACL)
    vfs objects = acl_xattr
    map acl inherit = yes
    acl_xattr:ignore system acls = yes

[test]
    hide unreadable = Yes
    path = /test/
    read only = No

LP

On Jun 9, 2024 at 15:02 +0100, Rowland Penny via samba <samba at lists.samba.org>, wrote:
> On Sun, 9 Jun 2024 13:29:15 +0100
> Luis Peromarta via samba <samba at lists.samba.org> wrote:
>
> > Hi there,
> >
> > I wonder if this is relevant on Active Directory or maybe is a thing
> > of older NT4 style domains.
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
> >
> > I have tried setting up a member server with ad-idmap, and used a
> > user 'luis' (with uidNumber) from the Unix Admins group (that has
> > gidNumber).
> >
> > Unix Admins group is a member of the Domain Admins group, that has no
> > gidNumber.
> >
> > The share looks like this:
> >
> > 8.0K drwxrwx---  2 luis unix admins 4.0K Jun  9 11:29 test
> >
> > I also used:
> >
> > vfs objects = acl_xattr
> > acl_xattr:ignore system acls = yes
> >
> > I didn't need to grant any privilege(s). It just worked. Am I missing
> > something?
> >
> > Maybe I need to grant the rights to users that are not admins so they
> > can set up shares / permissions? How is this reflected in the Windows
> > 'security' tab of the share if at all?
> >
> > I wonder if these rights should be granted per server (like I have
> > always done)? Or else in a DC?
> >
> > Thanks,
> >
> > LP
>
> You really are getting me thinking this weekend :-)
>
> what is the output of:
>
> net rpc rights list privileges SeDiskOperatorPrivilege -U administrator
>
> When run as 'root' on your Unix domain member.
>
> Depending on that, I think the wikipage may need amending.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Update:

Even though the root map lines are in smb.conf, the user.map does not exist. When I move the usual user.map file with !root = MAD\Administrator into /etc/samba, and restart smbd, then it works:

root at member:~# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
Password for [MAD\administrator]:
SeDiskOperatorPrivilege:
     BUILTIN\Administrators

Regards,
LP

On Jun 9, 2024 at 16:54 +0100, Luis Peromarta via samba <samba at lists.samba.org>, wrote:
> Mmm... strange? Or is this what you were expecting?
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
> Password for [MAD\administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
> Password for [MAD\administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -UAdministrator
> Password for [MAD\Administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\Administrator"
> Password for [MAD\Administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> But then:
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uluis
> Password for [MAD\luis]:
> SeDiskOperatorPrivilege:
>      BUILTIN\Administrators
>
> Remember there is no root map via user.map - if it matters.
On Sun, 9 Jun 2024 16:53:30 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> Mmm... strange? Or is this what you were expecting?

No

> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
> Password for [MAD\administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
> Password for [MAD\administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -UAdministrator
> Password for [MAD\Administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\Administrator"
> Password for [MAD\Administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> But then:
>
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uluis
> Password for [MAD\luis]:
> SeDiskOperatorPrivilege:
>      BUILTIN\Administrators

But that is !!!

Before I say anything else, I would just like to point out two things:

A) I didn't write the initial wikipage
B) Perhaps things didn't work as they should have done when the wikipage was first written.

OK, Windows has the concept of 'nested groups', which means that a group that is a member of another group inherits all the permissions and privileges of the group it is a member of. Now what does this mean? As you have proved, by default, BUILTIN\Administrators has the SeDiskOperatorPrivilege and guess what group is a default member of BUILTIN\Administrators, yes, it's Domain Admins. This means you do not have to give Domain Admins the SeDiskOperatorPrivilege, it already gets it from BUILTIN\Administrators.

I will update the wikipage.

Rowland
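Rowland's point is that the privilege is inherited through nested groups, which is easy to miss when auditing who can change share permissions on a member server. The following is an added helper (not from the thread and not Samba's own code): it parses the `net rpc rights list privileges` output shown above and expands a group-membership map to list every principal that effectively holds SeDiskOperatorPrivilege. The membership map and the `MAD\bob` account are constructed for the example; on a real member server that data would come from `net rpc group members` or `wbinfo`.

```python
# Added audit helper (not from the thread): parse `net rpc rights list
# privileges <priv>` output and expand nested groups, so a user whose group is
# nested inside BUILTIN\Administrators shows up as holding the privilege.

# Constructed sample output, laid out as on the thread's member server.
NET_RPC_OUTPUT = """\
SeDiskOperatorPrivilege:
     BUILTIN\\Administrators
"""

# Constructed group -> direct members map (real data would come from
# `net rpc group members` or `wbinfo`); mirrors the thread's nesting:
# luis -> Unix Admins -> Domain Admins -> BUILTIN\Administrators.
GROUP_MEMBERS = {
    "BUILTIN\\Administrators": ["MAD\\Domain Admins", "MAD\\Administrator"],
    "MAD\\Domain Admins": ["MAD\\Unix Admins"],
    "MAD\\Unix Admins": ["MAD\\luis"],
    "MAD\\Domain Users": ["MAD\\luis", "MAD\\bob"],
}

def parse_rights_list(output):
    """Return {privilege: [direct holders]} from `net rpc rights list` output."""
    result, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            result[current] = []
        elif current is not None:
            result[current].append(line.strip())
    return result

def expand_members(group, members):
    """All principals transitively in `group`; the seen set stops cycles."""
    seen, stack = set(), [group]
    while stack:
        for m in members.get(stack.pop(), []):
            if m not in seen:
                seen.add(m)
                stack.append(m)  # may be a nested group or a user
    return seen

def effective_holders(priv, output, members):
    """Principals holding `priv` directly or via nested groups."""
    holders = set()
    for direct in parse_rights_list(output).get(priv, []):
        holders.add(direct)
        holders |= expand_members(direct, members)
    return holders
```

Running `effective_holders("SeDiskOperatorPrivilege", NET_RPC_OUTPUT, GROUP_MEMBERS)` reports MAD\luis as a holder even though neither luis nor Unix Admins was ever granted the privilege, which is exactly the behaviour the thread observed.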