Michael Lueck
2007-Apr-25 20:08 UTC
[Samba] Can not grant SeMachineAccountPrivilege on Debian Etch
I am testing out Debian Etch, and ran into an issue granting SeMachineAccountPrivilege to an account... which granting that permission had been troublesome in the past. The command I am issuing is: net rpc rights grant LDS-DEMO\\ldsinst SeMachineAccountPrivilege And I try running the command with an account that is a member of the "Domain Admins" group. The command returns: Failed to grant privileges for LDS-DEMO\ldsinst (NT_STATUS_ACCESS_DENIED) In the past when this has failed, the "only" way to get it to work was to: 1) Stop Samba 2) rm /var/lib/samba/group_mapping.tdb 3) Start Samba 4) Rerun initGrps.sh which does... # Map Windows Domain Groups to UNIX groups net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin net groupmap modify ntgroup="Domain Users" unixgroup=domusers net groupmap modify ntgroup="Domain Guests" unixgroup=domguest 5) Run the "net rpc rights..." command But not even that fixes it. Ideas? Thanks, -- Michael Lueck Lueck Data Systems http://www.lueckdatasystems.com/
Michael Lueck
2007-Apr-25 21:15 UTC
[Samba] Can not grant SeMachineAccountPrivilege on Debian Etch
Dale Schroeder wrote:> Michael, > > I believe Etch uses Samba 3.0.24.Thanks Dale for the quick response. That is correct, and also the version I have arrived at after several version upgrades. This is the first server I have installed at this level of Samba.> There were changes in 3.0.23 that > require "net groupmap add" rather than "net groupmap modify". > initGrps.sh will have to be modified accordingly. See: > http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html > > I hope that fixes things for you. > Good luck, > > Dale1) Running as root, I changed the script from "net groupmap modify" to "net groupmap add". 2) I stopped Samba 3) I deleted the file /var/lib/samba/group_mapping.tdb 4) I started Samba 5) I exited root back to my normal account 6) I ran the command: net rpc rights grant LDS-DEMO\\ldsinst SeMachineAccountPrivilege and unfortunately it failed with the same error. "So close..." Thanks! -- Michael Lueck Lueck Data Systems http://www.lueckdatasystems.com/
Michael Lueck
2007-Apr-25 21:24 UTC
[Samba] Re: Can not grant SeMachineAccountPrivilege on Debian Etch
Michael Lueck wrote: Oops...> 1) Running as root, I changed the script from "net groupmap modify" to > "net groupmap add". > 2) I stopped Samba > 3) I deleted the file /var/lib/samba/group_mapping.tdb > 4) I started Samba4.5) I ran the modified initGrps.sh # ./initGrps.sh No rid or sid specified, choosing a RID Got RID 5001 Successfully added group Domain Admins to the mapping db as a domain group No rid or sid specified, choosing a RID Got RID 5003 Successfully added group Domain Users to the mapping db as a domain group No rid or sid specified, choosing a RID Got RID 5005 Successfully added group Domain Guests to the mapping db as a domain group> 5) I exited root back to my normal account > 6) I ran the command: net rpc rights grant LDS-DEMO\\ldsinst > SeMachineAccountPrivilege > and unfortunately it failed with the same error.-- Michael Lueck Lueck Data Systems http://www.lueckdatasystems.com/
Seemingly Similar Threads
- Not seeing the expected group memberships with ifmember.exe /list
- Samba not listening on 127.0.0.1... hua???
- Q about net groupmap examples on samba.org
- Using SeMachineAccountPrivilege returns NT_STATUS_NO_SUCH_PRIVILEGE
- What file gets corrupted in Samba when perms stop working correctly?