Steffen Weißgerber
2015-Oct-01 12:49 UTC
[Samba] SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 28.09.2015 um 13:22 schrieb Rowland Penny:> On 28/09/15 11:30, Steffen Weißgerber wrote: > Hello, > > after configuring kerberos and winbind for authentication against an AD> (Window 2008 R2) and succesful launching getent passwd I followed the > instructions https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > for granting the SeDiskOperatorPrivilege. > But I get a failure with a NT_STATUS_NO_SUCH_PRIVILEGE error. > > net rpc rights list accounts -U'<Domain>\Administrator' -I<AD-host> > does not list the SeDiskOperatorPrivilege. > > Why this is missing? > > Nevertheless creating directories and granting access to these to > other AD accounts works well. > > The global section of my smb.conf is as follows: > > [global] > workgroup = DKDB > server string = Samba Test > security = ads > realm = DKDB.KN > winbind use default domain = yes > winbind refresh tickets = yes > max protocol = SMB2 > hide unreadable = yes > idmap config * : backend = rid > idmap config * : range = 10000-20000 > #syslog only = yes > disable netbios = yes > log file = /var/log/samba/log.%m > log level = 3 > max log size = 50 > vfs objects = acl_xattr > map acl inherit = Yes > store dos attributes = Yes > > Thanks > > Steffen >> > > I don't know if this is your problem, but you seem to have incorrect > 'idmap config' lines, I would expect to see something like this: > > idmap config * : backend = tdb > idmap config * : range = 2000-9999 > idmap config DKDB : backend = rid > idmap config DKDB : range = 10000-20000 > > Rowland > >Hi, I changed the global section to idmap config * : backend = tdb idmap config * : range = 2000-9999 idmap config DKDB : backend = rid idmap config DKDB : range = 10000-20000 and restartet samba (smbd, sinbind). But that did not change anything. Is the samba version I use (3.6.25) relevant for this? Regards Steffen -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlYNK9IACgkQCrEAdFsLhMeJnwCg30N9EO3mQQWQ8OnELVxlljCR epEAoOymVJzBBK/bnTHTDyCUccve53VW =kcIg -----END PGP SIGNATURE-----
mathias dufresne
2015-Oct-01 13:07 UTC
[Samba] SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE
As far as I understood this privilege is available only for domains which are Active Directory domains. As you are using Samba 3.6 you shouldn't have AD domain but NT4 domain. 2015-10-01 14:49 GMT+02:00 Steffen Weißgerber <steffen at weiszgerber.de>:> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Am 28.09.2015 um 13:22 schrieb Rowland Penny: > > On 28/09/15 11:30, Steffen Weißgerber wrote: > > Hello, > > > > after configuring kerberos and winbind for authentication against an A > D > > (Window 2008 R2) and succesful launching getent passwd I followed the > > instructions https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > > for granting the SeDiskOperatorPrivilege. > > But I get a failure with a NT_STATUS_NO_SUCH_PRIVILEGE error. > > > > net rpc rights list accounts -U'<Domain>\Administrator' -I<AD-host> > > does not list the SeDiskOperatorPrivilege. > > > > Why this is missing? > > > > Nevertheless creating directories and granting access to these to > > other AD accounts works well. > > > > The global section of my smb.conf is as follows: > > > > [global] > > workgroup = DKDB > > server string = Samba Test > > security = ads > > realm = DKDB.KN > > winbind use default domain = yes > > winbind refresh tickets = yes > > max protocol = SMB2 > > hide unreadable = yes > > idmap config * : backend = rid > > idmap config * : range = 10000-20000 > > #syslog only = yes > > disable netbios = yes > > log file = /var/log/samba/log.%m > > log level = 3 > > max log size = 50 > > vfs objects = acl_xattr > > map acl inherit = Yes > > store dos attributes = Yes > > > > Thanks > > > > Steffen > >> > > > > I don't know if this is your problem, but you seem to have incorrect > > 'idmap config' lines, I would expect to see something like this: > > > > idmap config * : backend = tdb > > idmap config * : range = 2000-9999 > > idmap config DKDB : backend = rid > > idmap config DKDB : range = 10000-20000 > > > > Rowland > > > > > > Hi, > > I changed the global section to > > idmap config * : backend = tdb > idmap config * : range = 2000-9999 > idmap config DKDB : backend = rid > idmap config DKDB : range = 10000-20000 > > and restartet samba (smbd, sinbind). But that did not change anything. > Is the samba version I use (3.6.25) relevant for this? > > Regards > > Steffen > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2 > > iEYEARECAAYFAlYNK9IACgkQCrEAdFsLhMeJnwCg30N9EO3mQQWQ8OnELVxlljCR > epEAoOymVJzBBK/bnTHTDyCUccve53VW > =kcIg > -----END PGP SIGNATURE----- > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Steffen Weißgerber
2015-Oct-01 13:32 UTC
[Samba] SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hmm why, the guy at https://raymii.org/s/tutorials/SAMBA_Share_with_Active_Directory_Login_o n_Ubuntu_12.04.html does exactly this. Also the manpage e.g. for smb.conf describes the config for a connection to an AD. And after granting file rights to the share via setfacl -m g:domänen-admins:rwx /var/samba/test I can mkdir and granting rights to other users/groups from the security tab on a windows client. Maybe version 3.6 is not as full featured as the 4.x versions, but AD integration should work. Is there a way to monitor/log the net rpc call to check the availabilty of the SeDiskOperatorPrivilege on AD side? Regards Steffen Am 01.10.2015 um 15:07 schrieb mathias dufresne:> As far as I understood this privilege is available only for domains which> are Active Directory domains. > As you are using Samba 3.6 you shouldn't have AD domain but NT4 domain.> > 2015-10-01 14:49 GMT+02:00 Steffen Weißgerber <steffen at weiszgerber.de>:> > Am 28.09.2015 um 13:22 schrieb Rowland Penny: >>>> On 28/09/15 11:30, Steffen Weißgerber wrote: >>>> Hello, >>>> >>>> after configuring kerberos and winbind for authentication against an A> D >>>> (Window 2008 R2) and succesful launching getent passwd I followed the>>>> instructions https://wiki.samba.org/index.php/Shares_with_Windows_ACLs>>>> for granting the SeDiskOperatorPrivilege. >>>> But I get a failure with a NT_STATUS_NO_SUCH_PRIVILEGE error. >>>> >>>> net rpc rights list accounts -U'<Domain>\Administrator' -I<AD-host> >>>> does not list the SeDiskOperatorPrivilege. >>>> >>>> Why this is missing? >>>> >>>> Nevertheless creating directories and granting access to these to >>>> other AD accounts works well. >>>> >>>> The global section of my smb.conf is as follows: >>>> >>>> [global] >>>> workgroup = DKDB >>>> server string = Samba Test >>>> security = ads >>>> realm = DKDB.KN >>>> winbind use default domain = yes >>>> winbind refresh tickets = yes >>>> max protocol = SMB2 >>>> hide unreadable = yes >>>> idmap config * : backend = rid >>>> idmap config * : range = 10000-20000 >>>> #syslog only = yes >>>> disable netbios = yes >>>> log file = /var/log/samba/log.%m >>>> log level = 3 >>>> max log size = 50 >>>> vfs objects = acl_xattr >>>> map acl inherit = Yes >>>> store dos attributes = Yes >>>> >>>> Thanks >>>> >>>> Steffen >>>>> >>>> >>>> I don't know if this is your problem, but you seem to have incorrect>>>> 'idmap config' lines, I would expect to see something like this: >>>> >>>> idmap config * : backend = tdb >>>> idmap config * : range = 2000-9999 >>>> idmap config DKDB : backend = rid >>>> idmap config DKDB : range = 10000-20000 >>>> >>>> Rowland >>>> >>>> > > Hi, > > I changed the global section to > > idmap config * : backend = tdb > idmap config * : range = 2000-9999 > idmap config DKDB : backend = rid > idmap config DKDB : range = 10000-20000 > > and restartet samba (smbd, sinbind). But that did not change anything. > Is the samba version I use (3.6.25) relevant for this? > > Regards > > Steffen >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>-----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlYNNdQACgkQCrEAdFsLhMeM+QCgqWiI8Q2SRmkIYWk7ZQRmdqis xCMAoPG1Inpewz9kavEqAHbN+mc5E/2z =sHsG -----END PGP SIGNATURE-----
Apparently Analagous Threads
- SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE
- SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE
- SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE
- Using SeMachineAccountPrivilege returns NT_STATUS_NO_SUCH_PRIVILEGE
- SeDiskOperatorPrivilege and 2012 R2 domain