On 15 January 2016 at 21:32, Rowland penny <rpenny at samba.org> wrote:
> On 15/01/16 09:07, Henry McLaughlin wrote:
>> root at aphrodite:/# net rpc rights list accounts -U'DOMAIN\administrator'
>> Enter DOMAIN\administrator's password:
>> BUILTIN\Print Operators
>> No privileges assigned
>>
>> BUILTIN\Account Operators
>> No privileges assigned
>>
>> BUILTIN\Backup Operators
>> No privileges assigned
>>
>> BUILTIN\Server Operators
>> No privileges assigned
>>
>> BUILTIN\Administrators
>> SeMachineAccountPrivilege
>> SeTakeOwnershipPrivilege
>> SeBackupPrivilege
>> SeRestorePrivilege
>> SeRemoteShutdownPrivilege
>> SePrintOperatorPrivilege
>> SeAddUsersPrivilege
>> SeDiskOperatorPrivilege
>> SeSecurityPrivilege
>> SeSystemtimePrivilege
>> SeShutdownPrivilege
>> SeDebugPrivilege
>> SeSystemEnvironmentPrivilege
>> SeSystemProfilePrivilege
>> SeProfileSingleProcessPrivilege
>> SeIncreaseBasePriorityPrivilege
>> SeLoadDriverPrivilege
>> SeCreatePagefilePrivilege
>> SeIncreaseQuotaPrivilege
>> SeChangeNotifyPrivilege
>> SeUndockPrivilege
>> SeManageVolumePrivilege
>> SeImpersonatePrivilege
>> SeCreateGlobalPrivilege
>> SeEnableDelegationPrivilege
>>
>> Everyone
>> No privileges assigned
>>
>> root at aphrodite:/# getent passwd administrator
>> administrator:*:1904600500:1904600513:Administrator:/home/AD.DOMAIN.COM.AU/administrator:
>>
>> root at aphrodite:/# getent group "Domain Admins"
>> domain admins:*:1904600512:administrator
>>
>> root at aphrodite:/# net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'DOMAIN\administrator'
>> Enter DOMAIN\administrator's password:
>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>> root at aphrodite:/#
>
> Have you by any chance given Administrator a uidNumber ?

Yes, 10000

Was that wrong?

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 15/01/16 11:12, Henry McLaughlin wrote:
>> Have you by any chance given Administrator a uidNumber ?
>
> Yes, 10000
>
> Was that wrong?

Well, in my opinion, yes. By giving Administrator a uidNumber, you have, as far as Unix is concerned, turned it into a normal user that doesn't have the rights to do anything.

Is this on a DC? If so, remove the uidNumber and it should start working again. If it is a domain member, again remove the uidNumber and add this line to smb.conf:

username map = /etc/samba/samba_usermapping

Create the file '/etc/samba/samba_usermapping' with this content:

!root = SAMDOM\Administrator SAMDOM\administrator

Replace 'SAMDOM' with your workgroup.

This will map 'Administrator' to the Unix 'root' user.

Rowland
On 15 January 2016 at 23:08, Henry McLaughlin <henry at incred.solutions> wrote:
> On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
>> On 15/01/16 11:12, Henry McLaughlin wrote:
>>> Have you by any chance given Administrator a uidNumber ?
>>>
>>> Yes, 10000
>>>
>>> Was that wrong?
>>
>> Well, in my opinion, yes. [...]
>>
>> Rowland
>
> Thanks Rowland this worked however I am totally confused as to when a
> Windows User/Groups needs to be given a UNIX id in ADUG. Is there a
> reference out there I can read, study & understand?
On 15/01/16 12:08, Henry McLaughlin wrote:
> On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
> [...]
>
> Thanks Rowland this worked however I am totally confused as to when a
> Windows User/Groups needs to be given a UNIX id in ADUG. Is there a
> reference out there I can read, study & understand?

It is fairly simple: on a DC, users are mapped to Unix (via idmap.ldb) automatically. On a domain member, you have a choice of backends, but the two main ones are 'rid' & 'ad'. The 'rid' backend works similarly (from an initial view point) to the DC and maps the users & groups to Unix. The 'ad' backend is different: any user that you want to be visible to Unix must be given a uidNumber attribute, and this number must be inside the range that is set in smb.conf. You must also give Domain Users (at least) a gidNumber attribute, which must also be inside the range set in smb.conf. If you want any other groups to be visible to Unix, these also must be given a gidNumber.

Any user or group that is visible to Unix works just like any other Unix user or group and only has the permissions you assign to them.

Rowland
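An added example (not from the thread and not Samba's own code) that encodes the 'ad' backend rules Rowland lays out: it reads the idmap range from a constructed smb.conf fragment, then reports which constructed user and group records would be visible to Unix and flags the cases the thread warns about (an attribute outside the range, Domain Users without a gidNumber, and Administrator given a uidNumber). The domain name SAMDOM, the range and the account records are assumptions.

```python
# Added example, not from the thread: checker for the 'ad' idmap backend rules
# described above. Domain name, range and records below are constructed.
import re

# Constructed smb.conf fragment for a domain member using the 'ad' backend.
SMB_CONF = """
[global]
    workgroup = SAMDOM
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed directory records in the shape of ldbsearch output.
# Administrator carries a uidNumber on purpose: that is the thread's mistake.
AD_RECORDS = [
    {"sAMAccountName": "Administrator", "objectClass": "user", "uidNumber": 10000},
    {"sAMAccountName": "henry", "objectClass": "user", "uidNumber": 10001},
    {"sAMAccountName": "alice", "objectClass": "user"},
    {"sAMAccountName": "bob", "objectClass": "user", "uidNumber": 5000},
    {"sAMAccountName": "Domain Users", "objectClass": "group", "gidNumber": 10000},
    {"sAMAccountName": "Domain Admins", "objectClass": "group"},
]

def idmap_range(smb_conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = rf"idmap config\s+{re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, smb_conf, re.IGNORECASE)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def check_ad_backend(smb_conf, domain, records):
    """Return (names visible to Unix, warnings) under the 'ad' backend rules."""
    low, high = idmap_range(smb_conf, domain)
    visible, warnings = [], []
    for rec in records:
        name = rec["sAMAccountName"]
        attr = "uidNumber" if rec["objectClass"] == "user" else "gidNumber"
        num = rec.get(attr)
        if num is None:
            if name == "Domain Users":
                warnings.append("Domain Users has no gidNumber: the 'ad' backend needs one")
            continue  # no attribute: simply invisible to Unix, fine for most groups
        if not low <= num <= high:
            warnings.append(f"{name}: {attr} {num} is outside the range {low}-{high}")
            continue
        if name.lower() == "administrator":
            warnings.append("Administrator has a uidNumber: it becomes an ordinary Unix "
                            "user; remove it and use 'username map' to map it to root")
        visible.append(name)
    return visible, warnings
```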
On 15 January 2016 at 23:24, Rowland penny <rpenny at samba.org> wrote:
> On 15/01/16 12:08, Henry McLaughlin wrote:
> [...]
>> Thanks Rowland this worked however I am totally confused as to when a
>> Windows User/Groups needs to be given a UNIX id in ADUG. Is there a
>> reference out there I can read, study & understand?
>
> It is fairly simple, on a DC, users are mapped to (via idmap.ldb) Unix
> automatically. [...]
>
> Rowland

When I now try to set SeDiskOperatorPrivilege to "DOMAIN\Domain Admins" it is set for "Unix Group\domain admins"? Is this correct, as I had expected it to be "DOMAIN\Domain Admins"?

root at aphrodite:~# net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'DOMAIN\administrator'
Enter DOMAIN\administrator's password:
Successfully granted rights.

root at aphrodite:~# net rpc rights list accounts -U'DOMAIN\administrator'
Enter DOMAIN\administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

Unix Group\domain admins
SeDiskOperatorPrivilege

Kind regards,
Henry McLaughlin
0411 444 363 (Mobile)
henry at incred.com.au
PO Box 329 Romsey VIC 3434