I know that the "Administrator" from the DC is not an Administrator on a
member server.
To resolve that, there is a workaround.
This workaround is to use a user_map parameter in smb.conf:
username map = path_to_filemap
And the filemap must contain, in your case:
!root = HOME\Administrator HOME\administrator
My config uses this workaround and it works.
Have a nice day
-----------------------------------
Stéphane PURNELLE Systems and Network Admin.
IT Department Corman S.A. Tel: 00 32 (0)87/342467
From: Rowland Penny <rowlandpenny at googlemail.com>
To: sambalist <samba at lists.samba.org>,
Date: 03/04/2014 12:49
Subject: [Samba] Domain Admins and SeDiskOperatorPrivilege
Sent by: samba-bounces at lists.samba.org
I am having trouble giving the Domain Admin group the
'SeDiskOperatorPrivilege' privilege on a member server.
Running 'net rpc rights list accounts -UAdministrator'
Results in this:
Enter Administrator's password:
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
Everyone
No privileges assigned
But, running 'net rpc rights grant HOME\\Domain\ Admins SeDiskOperatorPrivilege -UAdministrator'
Results in:
Failed to grant privileges for HOME\Domain Admins (NT_STATUS_ACCESS_DENIED)
If I bump up debugging, 'net rpc rights grant HOME\\Domain\ Admins SeDiskOperatorPrivilege -UAdministrator -d3'
Results in:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.0.25 bcast=192.168.0.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter Administrator's password:
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Failed to grant privileges for HOME\Domain Admins (NT_STATUS_ACCESS_DENIED)
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
return code = -1
The same command works if run on the Samba4 server, but you cannot
change the ACLs on a share on the member server from a Windows machine;
it would seem that the 'Domain Admins' group needs the rights on the
member server.
So, is this a winbind bug, or something else?
Samba 4 AD server, self compiled version 4.1.4 running on Ubuntu 12.04
Samba 4 client, Debian wheezy with version 4.1.6-Debian from backports
Rowland
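A check for whether a grant like the one attempted above has taken effect, as an added example that is not part of either message: it parses the text printed by 'net rpc rights list accounts' and reports which accounts hold a given privilege. The function names and the shortened sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit privilege holders from the
# text printed by `net rpc rights list accounts`.

# holders PRIVILEGE: read a listing on stdin, print each account holding it.
holders() {
    awk -v want="$1" '
        # Normalise line endings and surrounding whitespace.
        { sub(/\r$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        # Skip blanks, the password prompt and the "nothing assigned" marker.
        $0 == "" || /^Enter .*password:/ || $0 == "No privileges assigned" { next }
        # Privilege lines belong to the most recent account line.
        /^Se[A-Za-z]+Privilege$/ {
            if ($0 == want && account != "") print account
            next
        }
        # Anything else is an account name (it may contain spaces).
        { account = $0 }
    '
}

# has_privilege ACCOUNT PRIVILEGE: exit status 0 if ACCOUNT holds PRIVILEGE.
has_privilege() {
    holders "$2" | grep -Fxq -- "$1"
}

# Constructed sample, shortened from the listing quoted in the thread.
sample_listing() {
    cat <<'EOF'
Enter Administrator's password:
BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeTakeOwnershipPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

Everyone
No privileges assigned
EOF
}

# Live use on the member server (prompts for the password):
#   net rpc rights list accounts -UAdministrator | holders SeDiskOperatorPrivilege
sample_listing | holders SeDiskOperatorPrivilege
```

On the sample, only BUILTIN\Administrators is reported; a check for HOME\Domain Admins fails until a grant succeeds.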