(Re-posting to list also.. Sorry forgot Cc. -Tom)

Marc,

Thanks for your help and clarifications. I was indeed addressing the domain controller (2012 R2) due to my misunderstanding. Addressing the request at the file server (Samba 4) fails too, but with different errors. Rights list succeeds.

$ net rpc rights list accounts -UDOMAIN\\Administrator
Enter DOMAIN\Administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
 SeMachineAccountPrivilege
 SeTakeOwnershipPrivilege
 SeBackupPrivilege
 SeRestorePrivilege
 SeRemoteShutdownPrivilege
 SePrintOperatorPrivilege
 SeAddUsersPrivilege
 SeDiskOperatorPrivilege
 SeSecurityPrivilege
 SeSystemtimePrivilege
 SeShutdownPrivilege
 SeDebugPrivilege
 SeSystemEnvironmentPrivilege
 SeSystemProfilePrivilege
 SeProfileSingleProcessPrivilege
 SeIncreaseBasePriorityPrivilege
 SeLoadDriverPrivilege
 SeCreatePagefilePrivilege
 SeIncreaseQuotaPrivilege
 SeChangeNotifyPrivilege
 SeUndockPrivilege
 SeManageVolumePrivilege
 SeImpersonatePrivilege
 SeCreateGlobalPrivilege
 SeEnableDelegationPrivilege

Everyone
No privileges assigned

$ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

$ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
Enter DOMAIN\Administrator's password:
Could not connect to server 127.0.0.1

Thanks for any info,
-Tom

On Mon, Mar 23, 2015 at 11:59 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> Hello Tom,
>
> On 23.03.2015 at 21:31, Tom Söderlund wrote:
>> Giving a domain user group privilege SeDiskOperatorPrivilege fails with
>> NT_STATUS_NO_SUCH_PRIVILEGE.
>>
>> The domain is controlled by a MS 2012 R2 DC. Has this privilege been
>> renamed or replaced with some other privilege? How to give the domain user
>> group necessary rights for defining file share permission settings from MS
>> environment?
>>
>> The RHEL 7 file server is running Samba 4.1.1-38 and the id management is
>> done by SSSD 1.12.2.
>
> The grant is done on the member server. So the privilege is something on the
> member server and not on the DC.
>
> Have you ensured that "enable privileges" is not turned off somewhere in
> your smb.conf? If it's not there, then it's enabled - that's the default.
>
> What is the output of
> # net rpc rights list accounts -U'SAMDOM\administrator'
>
> To grant the privilege to the Domain Admins group, for example, run:
> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'
>
> Regards,
> Marc
Hello Tom,

On 24.03.2015 at 08:49, Tom Söderlund wrote:
> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege
> -UDOMAIN\\Administrator
> Enter DOMAIN\Administrator's password:
> Failed to grant privileges for DOMAIN\Domain Admins
> (NT_STATUS_ACCESS_DENIED)
>
> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege
> -UDOMAIN\\Administrator
> Enter DOMAIN\Administrator's password:
> Could not connect to server 127.0.0.1

* Is the group "DOMAIN\Domain Admins" available locally? Check with
  # getent group "DOMAIN\Domain Admins"

* Is Samba listening on localhost? Check the "interfaces" parameter in your
  smb.conf. Or add "-S servername" to your "net" command.

* Can you post the [global] section of your smb.conf, please?

Regards,
Marc
Marc,

Below xxx.yyy. is my network prefix.

[global]
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        server string = Server %v
        security = ADS
        client signing = auto
        client use spnego = yes
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        log level = 3
        max log size = 50
        load printers = No
        printcap name = /dev/null
        idmap config * : backend = tdb
        hosts allow = 127., xxx.yyy.
        cups options = raw
        vfs objects = acl_xattr
        inherit acls = Yes
        map acl inherit = Yes
        store dos attributes = Yes
        browseable = Yes

Some trials below. getent for the group succeeds and mostly everything is running fine: I can even log in with domain accounts and set file permissions that include domain groups and accounts, and with valid file rights MS terminals can see shares on this server. But giving this privilege fails with somewhat random results.

[me at server]$ getent group "DOMAIN\Domain Admins"
domain admins:*:978600512:me.user,administrator

[me at server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
Enter DOMAIN\Administrator's password:
Could not connect to server server
Connection failed: NT_STATUS_LOCK_NOT_GRANTED

[me at server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

[me at server]$ sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
[sudo] password for me:
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

-Tom

On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> Hello Tom,
>
> On 24.03.2015 at 08:49, Tom Söderlund wrote:
>> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege
>> -UDOMAIN\\Administrator
>> Enter DOMAIN\Administrator's password:
>> Failed to grant privileges for DOMAIN\Domain Admins
>> (NT_STATUS_ACCESS_DENIED)
>>
>> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege
>> -UDOMAIN\\Administrator
>> Enter DOMAIN\Administrator's password:
>> Could not connect to server 127.0.0.1
>
> * Is the group "DOMAIN\Domain Admins" available locally? Check with
>   # getent group "DOMAIN\Domain Admins"
>
> * Is Samba listening on localhost? Check the "interfaces" parameter
>   in your smb.conf. Or add "-S servername" to your "net" command.
>
> * Can you post the [global] section of your smb.conf, please?
>
> Regards,
> Marc
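The checks Marc lists (whether "enable privileges" is switched off, whether smbd is reachable on loopback) and the `net rpc rights list accounts` output Tom posted can be checked mechanically before re-running the grant. The script below is an added example, not code from the Samba project or from either poster: it parses the rights listing and the [global] section of an smb.conf and reports the conditions under which `net rpc rights grant` is refused or cannot connect. The sample listing and [global] section are constructed and abbreviated from the thread (xxx.yyy. is Tom's network-prefix placeholder); the parameter names are the real smb.conf ones, and the "broken" variant is a constructed configuration used only to show the findings.

```python
"""Audit helpers for the `net rpc rights` troubleshooting in this thread.

Added example, not code from the Samba project or from either poster. It
parses the plain-text output of `net rpc rights list accounts` and the
[global] section of an smb.conf, then applies the checks Marc suggests.
Sample inputs are constructed and abbreviated from the thread.
"""
import re
from typing import Dict, List, Optional

PRIV_RE = re.compile(r"^Se\w+Privilege$")
NO_PRIVS = "No privileges assigned"

# Constructed sample in the layout `net rpc rights list accounts` prints:
# an account name, then one privilege per line or "No privileges assigned".
SAMPLE_RIGHTS = """\
BUILTIN\\Print Operators
No privileges assigned

BUILTIN\\Administrators
 SeMachineAccountPrivilege
 SeTakeOwnershipPrivilege
 SeDiskOperatorPrivilege

Everyone
No privileges assigned
"""

# Constructed [global] section modelled on the one posted in the thread.
SAMPLE_GLOBAL = """\
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        security = ADS
        hosts allow = 127., xxx.yyy.
        vfs objects = acl_xattr
"""

# Constructed variant with settings that make the grant fail or not connect.
BROKEN_GLOBAL = SAMPLE_GLOBAL + """\
        enable privileges = no
        bind interfaces only = yes
        interfaces = eth0
"""


def parse_rights_list(text: str) -> Dict[str, List[str]]:
    """Map each account to the privileges listed under it ([] for none)."""
    accounts: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == NO_PRIVS:
            continue                      # blank separator or empty account
        if PRIV_RE.match(line):
            if current is None:
                raise ValueError(f"privilege {line!r} before any account")
            accounts[current].append(line)
        else:
            current = line                # a new account header
            accounts.setdefault(current, [])
    return accounts


def parse_smb_global(text: str) -> Dict[str, str]:
    """Return [global] parameters with keys lower-cased and whitespace
    removed, since smb.conf parameter names ignore case and spaces."""
    params: Dict[str, str] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def smb_bool(value: Optional[str], default: bool) -> bool:
    """Interpret an smb.conf boolean, falling back to Samba's default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def audit(conf_text: str, rights_text: str, account: str, privilege: str) -> List[str]:
    """Return findings explaining why `net rpc rights grant` may fail."""
    findings: List[str] = []
    conf = parse_smb_global(conf_text)
    # "enable privileges" defaults to yes; an explicit no refuses every grant.
    if not smb_bool(conf.get("enableprivileges"), True):
        findings.append("enable privileges = no: grants are refused")
    # Without -S, `net` talks to 127.0.0.1. With "bind interfaces only = yes"
    # smbd listens only on "interfaces", so loopback must be listed there.
    if smb_bool(conf.get("bindinterfacesonly"), False):
        ifaces = conf.get("interfaces", "").replace(",", " ").split()
        if not any(i == "lo" or i.startswith("127.") for i in ifaces):
            findings.append("bind interfaces only = yes without loopback: use -S <server>")
    # Loopback is accepted regardless of "hosts allow" unless "hosts deny" names it.
    denied = conf.get("hostsdeny", "").replace(",", " ").split()
    if any(d == "localhost" or d.startswith("127.") for d in denied):
        findings.append("hosts deny blocks loopback")
    rights = parse_rights_list(rights_text)
    if account not in rights:
        findings.append(f"{account} is not in the rights list: {privilege} not yet granted")
    elif privilege in rights[account]:
        findings.append(f"{account} already holds {privilege}")
    return findings


def holders_of(rights_text: str, privilege: str) -> List[str]:
    """Accounts that currently hold the privilege, sorted."""
    return sorted(a for a, p in parse_rights_list(rights_text).items() if privilege in p)


if __name__ == "__main__":
    for name, conf in (("posted", SAMPLE_GLOBAL), ("broken", BROKEN_GLOBAL)):
        print(name, audit(conf, SAMPLE_RIGHTS, "DOMAIN\\Domain Admins", "SeDiskOperatorPrivilege"))
    print("holders:", holders_of(SAMPLE_RIGHTS, "SeDiskOperatorPrivilege"))
```

Run against real data, feed `audit()` the text of your smb.conf and the captured output of `net rpc rights list accounts`; an empty findings list means none of Marc's three conditions applies and the failure has to be looked for elsewhere (for instance in the privileges of the account passed with -U, which the NT_STATUS_ACCESS_DENIED in the thread points at).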