Benjamin.Oeltze@fujitsu-siemens.com
2005-Sep-15 13:10 UTC
[Samba] net rpc rights problem with groups
Hello List,

I have tried to grant SeMachineAccountPrivilege to an extra group. Users in this group should not have Admin rights but they should be able to join workstations to the domain.

My first try was to grant the right to a single user, which is working as expected.

net rpc rights grant "TOPTEST\toptest.r" SeMachineAccountPrivilege -U domainadmin

net rpc rights shows:
hgest3201:~ # net rpc rights list accounts -Udomainadmin
Password:
TOPTEST\toptest.r
SeMachineAccountPrivilege

The user can join workstations to TOPTEST. But when I create a group named wksadd and grant SeMachineAccountPrivilege to the group, the users of this group can't join workstations.

net help rpc rights grant "TOPTEST\wksadd" SeMachineAccountPrivilege -U domainadmin

hgest3201:~ # net rpc rights list accounts -Udomainadmin
Password:
TOPTEST\wksadd
SeMachineAccountPrivilege

Is this a bug ??

Benny
Benjamin.Oeltze@fujitsu-siemens.com wrote:

| net rpc rights grant "TOPTEST\toptest.r" \
|   SeMachineAccountPrivilege -U domainadmin
|
| net rpc rights shows:
| hgest3201:~ # net rpc rights list accounts -Udomainadmin
| Password:
| TOPTEST\toptest.r
| SeMachineAccountPrivilege
|
| The user can join workstations to TOPTEST.
| But when I create a group named wksadd and grant
| SeMachineAccountPrivilege to the group the users
| of this group can't join workstations.
|
| net help rpc rights grant "TOPTEST\wksadd" \
|   SeMachineAccountPrivilege -U domainadmin
|
| hgest3201:~ # net rpc rights list accounts -Udomainadmin
| Password:
| TOPTEST\wksadd
| SeMachineAccountPrivilege
|
| Is this a bug ??

Works fine here. What group mapping do you have set up for TOPTEST\wksadd?

cheers, jerry
Dirk.Laurenz@fujitsu-siemens.com
2005-Sep-23 19:28 UTC
[Samba] net rpc rights problem with groups
Hello Jerry,

here's the active group mapping:

hgest3201:~ # net groupmap list
Domain Admins (S-1-5-21-3768962547-785479325-491471131-512) -> Domain Admins
Domain Users (S-1-5-21-3768962547-785479325-491471131-513) -> Domain Users
Domain Guests (S-1-5-21-3768962547-785479325-491471131-514) -> Domain Guests
Domain Computers (S-1-5-21-3768962547-785479325-491471131-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
wksadd (S-1-5-21-3768962547-785479325-491471131-10213) -> wksadd
Subversion Admins (S-1-5-21-3768962547-785479325-491471131-10198) -> Subversion Admins
GES_BT (S-1-5-21-3768962547-785479325-491471131-10199) -> GES_BT
GES_BT-SN (S-1-5-21-3768962547-785479325-491471131-10200) -> GES_BT-SN
schreiben (S-1-5-21-3768962547-785479325-491471131-3007) -> schreiben
zugriff (S-1-5-21-3768962547-785479325-491471131-3011) -> zugriff
efsefewf (S-1-5-21-3768962547-785479325-491471131-10219) -> efsefewf
fcvxcvxcvxcvxcv (S-1-5-21-3768962547-785479325-491471131-10223) -> fcvxcvxcvxcvxcv
f2 (S-1-5-21-3768962547-785479325-491471131-10224) -> f2

hgest3201:~ # getent group | grep wksadd
wksadd:x:10213:laurenz.d,mathias

Kind regards,

Dirk Laurenz
Systems Engineer
Fujitsu Siemens Computers
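An added example, not part of the thread or of Samba: a small audit that cross-references the three outputs quoted above (`net rpc rights list accounts`, `net groupmap list`, `getent group`) to show which Unix users actually sit behind each account holding SeMachineAccountPrivilege. The sample text is constructed from the shapes shown in the messages; the blank-line-separated block layout of the rights listing and the function names are assumptions.

```python
import re

# Constructed sample output, in the shapes quoted in the thread.
RIGHTS = r"""TOPTEST\toptest.r
SeMachineAccountPrivilege

TOPTEST\wksadd
SeMachineAccountPrivilege
"""
GROUPMAP = """Domain Admins (S-1-5-21-3768962547-785479325-491471131-512) -> Domain Admins
wksadd (S-1-5-21-3768962547-785479325-491471131-10213) -> wksadd
"""
GETENT = "wksadd:x:10213:laurenz.d,mathias\n"

def parse_rights(text):
    """Assumes blank-line-separated blocks: account name, then its rights."""
    blocks = (b.split("\n") for b in re.split(r"\n\s*\n", text.strip()))
    return {b[0].strip(): {r.strip() for r in b[1:] if r.strip()} for b in blocks if b[0].strip()}

def parse_groupmap(text):
    """NT group name -> (SID, Unix group) from 'name (SID) -> unixgroup' lines."""
    pat = re.compile(r"^(.+?) \((S-[0-9-]+)\) -> (.+)$")
    return {m[1]: (m[2], m[3]) for m in map(pat.match, text.splitlines()) if m}

def parse_getent(text):
    """Unix group -> members (field 4; users with it as primary group are not listed)."""
    rows = (l.split(":") for l in text.splitlines())
    return {f[0]: [u for u in f[3].split(",") if u] for f in rows if len(f) == 4}

def holders(privilege, rights_txt, groupmap_txt, getent_txt):
    """Expand every account holding `privilege` into the Unix users behind it."""
    gmap, unix = parse_groupmap(groupmap_txt), parse_getent(getent_txt)
    report = {}
    for account, privs in parse_rights(rights_txt).items():
        if privilege not in privs:
            continue
        name = account.split("\\")[-1]  # drop the DOMAIN\ prefix
        if name not in gmap:
            report[account] = ("user-or-unmapped-group", [name])
        elif gmap[name][1] not in unix:
            report[account] = ("mapped-group-missing-in-nss", [])
        else:
            report[account] = ("mapped-group", unix[gmap[name][1]])
    return report

if __name__ == "__main__":
    rep = holders("SeMachineAccountPrivilege", RIGHTS, GROUPMAP, GETENT)
    for acct, (kind, users) in rep.items():
        print(f"{acct}: {kind}: {', '.join(users) or '-'}")
```
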