Michael Lueck
2007-Apr-26  16:29 UTC
[Samba] 3.0.24 What commands must be executed by root versus ntgroup="Domain Admins"?
I found the solution, or at least a work around, for my posting: "Can not grant SeMachineAccountPrivilege on Debian Etch"

I ended up:
1) ssh to Debian Etch as root
2) smbpasswd -a root
3) issue the "net rpc rights grant ..." command
SUCCESS!!!

So, that raises the question: what MUST be executed as user root versus a member of ntgroup="Domain Admins"?

I suspect that since Samba does not prompt for a password when I execute the "net groupmap add ..." command, Samba does not take seriously that I wish to have users of a group be just like the root user.

Also, if I had configured Debian Etch not to use the root account, but sudo instead (like the Ubuntu project), then how would that affect this condition? As far as I know, I would think that Samba would not be tricked into letting a user ID that is not literally "root" execute this command.

I usually do not have user "root" set up in smbpasswd as there has not been need for the account to exist as far as Samba is concerned.

Thanks!

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/
Nik Conwell
2007-May-01  17:55 UTC
[Samba] Re: 3.0.24 What commands must be executed by root versus ntgroup="Domain Admins"?
Michael Lueck <mlueck <at> lueckdatasystems.com> writes:

> I found the solution, or at least a work around, for my posting: "Can not grant SeMachineAccountPrivilege
> on Debian Etch"
>
> I ended up:
> 1) ssh to Debian Etch as root
> 2) smbpasswd -a root
> 3) issue the "net rpc rights grant ..." command
> SUCCESS!!!
>
> So, that raises the question: what MUST be executed as user root versus a member of ntgroup="Domain Admins"?

Funny you should bring this up. I've been having the same problem but my system is security=ADS so I can't authenticate the local root user.

From the source, _lsa_add_acct_rights() is supposed to allow grant to members of Domain Admins (RID 512) but that's apparently not working. se_access_check() shows my account has a sid of [getlocalsid]-512 so I should be considered as a member of Domain Admins.

Time to start the debugging...

-nik
nik@bu.edu
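Both posts hinge on whether the caller is seen as a member of Domain Admins, i.e. whether "Domain Admins" is mapped to the local domain SID with RID 512. The script below is an added example, not code from either poster or from Samba: it parses the text that `net getlocalsid` and `net groupmap list` print (the sample output and SID values here are constructed) and reports whether the mapping is the one _lsa_add_acct_rights() would recognise.

```shell
# Constructed sample output, as printed by `net getlocalsid` and
# `net groupmap list` on a Samba PDC (the SID digits are made up).
SAMPLE_LOCALSID='SID for domain ETCHPDC is: S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadm
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nogroup'

# domain_sid LOCALSID_LINE -> prints the bare S-1-5-21-... domain SID
domain_sid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: \(S-[0-9-]*\)$/\1/p'
}

# groupmap_sid GROUPMAP_TEXT NTGROUP -> prints the SID mapped to NTGROUP
groupmap_sid() {
    printf '%s\n' "$1" | sed -n "s/^$2 (\(S-[0-9-]*\)) -> .*/\1/p"
}

# check_domain_admins LOCALSID_LINE GROUPMAP_TEXT
# Returns 0 only when "Domain Admins" maps to <local domain SID>-512,
# the SID that grants privileges as a Domain Admins member; any other
# RID, a foreign domain prefix, or a missing mapping returns 1.
check_domain_admins() {
    dom=$(domain_sid "$1")
    grp=$(groupmap_sid "$2" "Domain Admins")
    [ -n "$dom" ] && [ "$grp" = "$dom-512" ]
}

# On a live PDC replace the samples with:
#   check_domain_admins "$(net getlocalsid)" "$(net groupmap list)"
if check_domain_admins "$SAMPLE_LOCALSID" "$SAMPLE_GROUPMAP"; then
    echo "Domain Admins is mapped to <localsid>-512"
else
    echo "Domain Admins is NOT mapped to <localsid>-512; fix it with net groupmap"
fi
```

If the check fails, `net groupmap` output (not smbpasswd) is where to look, since a group mapped to the wrong RID never satisfies the RID-512 test regardless of which Unix user runs `net`.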