Steffen Weißgerber
2015-Oct-01 13:32 UTC
[Samba] SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE
Hmm why,

the guy at
https://raymii.org/s/tutorials/SAMBA_Share_with_Active_Directory_Login_on_Ubuntu_12.04.html
does exactly this.

Also the manpage e.g. for smb.conf describes the config for a connection
to an AD.

And after granting file rights to the share via

setfacl -m g:domänen-admins:rwx /var/samba/test

I can mkdir and grant rights to other users/groups from the security
tab on a Windows client.

Maybe version 3.6 is not as full featured as the 4.x versions, but AD
integration should work.

Is there a way to monitor/log the net rpc call to check the availability
of the SeDiskOperatorPrivilege on AD side?

Regards

Steffen

On 01.10.2015 at 15:07, mathias dufresne wrote:
> As far as I understood this privilege is available only for domains which
> are Active Directory domains.
> As you are using Samba 3.6 you shouldn't have AD domain but NT4 domain.
>
> 2015-10-01 14:49 GMT+02:00 Steffen Weißgerber <steffen at weiszgerber.de>:
>
> On 28.09.2015 at 13:22, Rowland Penny wrote:
>>>> On 28/09/15 11:30, Steffen Weißgerber wrote:
>>>> Hello,
>>>>
>>>> after configuring kerberos and winbind for authentication against an AD
>>>> (Windows 2008 R2) and successful launching getent passwd I followed the
>>>> instructions https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>>>> for granting the SeDiskOperatorPrivilege.
>>>> But I get a failure with a NT_STATUS_NO_SUCH_PRIVILEGE error.
>>>>
>>>> net rpc rights list accounts -U'<Domain>\Administrator' -I<AD-host>
>>>> does not list the SeDiskOperatorPrivilege.
>>>>
>>>> Why is this missing?
>>>>
>>>> Nevertheless creating directories and granting access to these to
>>>> other AD accounts works well.
>>>>
>>>> The global section of my smb.conf is as follows:
>>>>
>>>> [global]
>>>> workgroup = DKDB
>>>> server string = Samba Test
>>>> security = ads
>>>> realm = DKDB.KN
>>>> winbind use default domain = yes
>>>> winbind refresh tickets = yes
>>>> max protocol = SMB2
>>>> hide unreadable = yes
>>>> idmap config * : backend = rid
>>>> idmap config * : range = 10000-20000
>>>> #syslog only = yes
>>>> disable netbios = yes
>>>> log file = /var/log/samba/log.%m
>>>> log level = 3
>>>> max log size = 50
>>>> vfs objects = acl_xattr
>>>> map acl inherit = Yes
>>>> store dos attributes = Yes
>>>>
>>>> Thanks
>>>>
>>>> Steffen
>>>>
>>>> I don't know if this is your problem, but you seem to have incorrect
>>>> 'idmap config' lines, I would expect to see something like this:
>>>>
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-9999
>>>> idmap config DKDB : backend = rid
>>>> idmap config DKDB : range = 10000-20000
>>>>
>>>> Rowland
>>>>
>
> Hi,
>
> I changed the global section to
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config DKDB : backend = rid
> idmap config DKDB : range = 10000-20000
>
> and restarted samba (smbd, winbind). But that did not change anything.
> Is the samba version I use (3.6.25) relevant for this?
>
> Regards
>
> Steffen
Rowland Penny
2015-Oct-01 13:59 UTC
[Samba] SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE
On 01/10/15 14:32, Steffen Weißgerber wrote:
> Hmm why,
>
> the guy at
> https://raymii.org/s/tutorials/SAMBA_Share_with_Active_Directory_Login_on_Ubuntu_12.04.html
> does exactly this.
>
> Also the manpage e.g. for smb.conf describes the config for a connection
> to an AD.
>
> And after granting file rights to the share via
>
> setfacl -m g:domänen-admins:rwx /var/samba/test
>
> I can mkdir and grant rights to other users/groups from the security
> tab on a Windows client.
>
> Maybe version 3.6 is not as full featured as the 4.x versions, but AD
> integration should work.
>
> Is there a way to monitor/log the net rpc call to check the availability
> of the SeDiskOperatorPrivilege on AD side?
>

Your best bet would be to install the last freely available Sernet Samba
packages, this would get you version 4.2.4. Samba 3.6 is EOL (as is
4.0), so if you are hitting a bug (note: I am not saying you are) then
you stand a chance of getting it fixed. If you don't want to do that,
you could always upgrade to 14.04 and this would get you 4.1.6.

Unless something very strange is going on, the SeDiskOperatorPrivilege
should be available.

Rowland
Steffen Weißgerber
2015-Oct-02 12:36 UTC
[Samba] SeDiskOperatorPrivilege - NT_STATUS_NO_SUCH_PRIVILEGE
I got it.

Sorry, my fault. When calling 'net rpc ...' I addressed a server from the
AD with the -I switch. Without this the privileges are listed correctly and
the SeDiskOperatorPrivilege can be granted.

Regards

Steffen

On 01.10.2015 at 15:59, Rowland Penny wrote:
> On 01/10/15 14:32, Steffen Weißgerber wrote:
>> Hmm why,
>>
>> the guy at
>> https://raymii.org/s/tutorials/SAMBA_Share_with_Active_Directory_Login_on_Ubuntu_12.04.html
>> does exactly this.
>>
>> Also the manpage e.g. for smb.conf describes the config for a connection
>> to an AD.
>>
>> And after granting file rights to the share via
>>
>> setfacl -m g:domänen-admins:rwx /var/samba/test
>>
>> I can mkdir and grant rights to other users/groups from the security
>> tab on a Windows client.
>>
>> Maybe version 3.6 is not as full featured as the 4.x versions, but AD
>> integration should work.
>>
>> Is there a way to monitor/log the net rpc call to check the availability
>> of the SeDiskOperatorPrivilege on AD side?
>>
>
> Your best bet would be to install the last freely available Sernet Samba
> packages, this would get you version 4.2.4. Samba 3.6 is EOL (as is
> 4.0), so if you are hitting a bug (note: I am not saying you are) then
> you stand a chance of getting it fixed. If you don't want to do that,
> you could always upgrade to 14.04 and this would get you 4.1.6.
>
> Unless something very strange is going on, the SeDiskOperatorPrivilege
> should be available.
>
> Rowland
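
Added example, not part of the thread and not Samba project code: a least-privilege check over saved output of `net rpc rights list accounts`, which separates "privilege absent from the listing" (what the thread saw when `-I` pointed at an AD host) from "held by an account that is not on the allow-list". The listing layout, the sample data, the account names and the function names `holders` and `audit` are assumptions made for this illustration.

```shell
#!/bin/sh
# Assumed layout: an account line, its privileges one per line, then a blank line.

# holders PRIVILEGE  (listing on stdin) -> accounts holding it, one per line
holders() {
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n" }      # paragraph mode: one record per account
        {
            for (i = 2; i <= NF; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", $i)
                if ($i == want) { print $1; break }
            }
        }'
}

# audit PRIVILEGE ALLOWED  (listing on stdin; ALLOWED is newline-separated)
# returns 0 = only allowed holders, 1 = privilege not in listing, 2 = extra holder
audit() {
    priv=$1 allowed=$2
    found=$(holders "$priv")
    if [ -z "$found" ]; then
        printf 'MISSING: %s not in listing; check which host answered\n' "$priv"
        return 1
    fi
    extra=$(printf '%s\n' "$found" | grep -Fxv -- "$allowed" || true)
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/UNEXPECTED holder: /'
        return 2
    fi
    printf 'OK: %s held only by allowed accounts\n' "$priv"
}

# Constructed sample listings (hypothetical accounts, not captured output).
SAMPLE_MEMBER='BUILTIN\Administrators
SeMachineAccountPrivilege
SeDiskOperatorPrivilege

DKDB\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Print Operators
No privileges assigned'
SAMPLE_OTHER='BUILTIN\Administrators
SeBackupPrivilege'
ALLOWED='BUILTIN\Administrators
DKDB\Domain Admins'

printf '%s\n' "$SAMPLE_MEMBER" | audit SeDiskOperatorPrivilege "$ALLOWED" || true
printf '%s\n' "$SAMPLE_OTHER"  | audit SeDiskOperatorPrivilege "$ALLOWED" || true
```

To use it on a real system, pipe the output of the `net rpc rights list accounts` call from the thread into `audit` in place of the constructed samples.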