Kind regards,

Henry McLaughlin
0411 444 363 (Mobile)
henry at incred.com.au
PO Box 329
Romsey VIC 3434

On 15 January 2016 at 23:24, Rowland penny <rpenny at samba.org> wrote:

> On 15/01/16 12:08, Henry McLaughlin wrote:
>>
>> On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
>>
>>> On 15/01/16 11:12, Henry McLaughlin wrote:
>>>
>>>>> Have you by any chance given Administrator a uidNumber ?
>>>>
>>>> Yes, 10000
>>>>
>>>> Was that wrong?
>>>
>>> Well, in my opinion, yes. By giving Administrator a uidNumber, you
>>> have, as far as Unix is concerned, turned it into a normal user
>>> that doesn't have the rights to do anything.
>>>
>>> Is this on a DC ? if so, remove the uidNumber and it should start
>>> working again, if it is a domain member, again remove the
>>> uidNumber and add this line to smb.conf
>>>
>>> username map = /etc/samba/samba_usermapping
>>>
>>> Create the file '/etc/samba/samba_usermapping' with this content:
>>>
>>> !root = SAMDOM\Administrator SAMDOM\administrator
>>>
>>> Replace 'SAMDOM' with your workgroup
>>>
>>> This will map 'Administrator' to the Unix 'root' user
>>>
>>> Rowland
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>> Thanks Rowland this worked however I am totally confused as to when a
>> Windows User/Groups needs to be given a UNIX id in ADUG. Is there a
>> reference out there I can read, study & understand?
>
> It is fairly simple, on a DC, users are mapped to (via idmap.ldb) Unix
> automatically. On a domain member, you have a choice of backends, but the
> two main ones are 'rid' & 'ad'. The 'rid' backend works similar (from an
> initial view point) to the DC and maps the users & groups to Unix.
> The 'ad' backend is different, any user that you want to be visible to
> Unix must be given a uidNumber attribute, this number must be inside the
> range that is set in smb.conf, you must also give Domain Users (at least)
> a gidNumber attribute, this must also be inside the range set in
> smb.conf, if you want any other groups to be visible to Unix, these also
> must be given a gidNumber.
>
> Any user or group that is visible to Unix, works just like any other Unix
> user or group and only has the permissions you assign to them.
>
> Rowland

When I now try to set SeDiskOperatorPrivilege to "DOMAIN\Domain Admins" it
is set for "Unix Group\domain admins"? Is this correct as I had expected it
to be "DOMAIN\Domain Admins"?

root at aphrodite:~# net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'DOMAIN\administrator'
Enter DOMAIN\administrator's password:
Successfully granted rights.

root at aphrodite:~# net rpc rights list accounts -U'DOMAIN\administrator'
Enter DOMAIN\administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

Unix Group\domain admins
SeDiskOperatorPrivilege
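The idmap rules Rowland sets out in the quoted reply above (a uidNumber inside the smb.conf range for every user that should be visible to Unix, a gidNumber in that range for Domain Users, and no uidNumber on Administrator, which the username map sends to root instead) can be checked offline before a member server is joined. The following is an added example, not code from this thread or from the Samba project: the smb.conf fragment, the username map file content and the directory records are all constructed, and SAMDOM is the placeholder workgroup used in the thread.

```python
# Added example (not from the thread or the Samba project): offline check of the
# 'ad' idmap backend prerequisites described in the thread, run over
# constructed records rather than a live directory.
import re

# Constructed smb.conf for a domain member using the 'ad' backend.
SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   username map = /etc/samba/samba_usermapping
"""

# Constructed content of /etc/samba/samba_usermapping, as given in the thread.
USERNAME_MAP = "!root = SAMDOM\\Administrator SAMDOM\\administrator\n"

# Constructed records standing in for the Unix attributes set in ADUC.
RECORDS = [
    {"name": "Administrator", "kind": "user", "uidNumber": 10000},  # the mistake from the thread
    {"name": "henry", "kind": "user", "uidNumber": 10001},
    {"name": "bob", "kind": "user", "uidNumber": 20},                # below the configured range
    {"name": "Domain Users", "kind": "group"},                        # no gidNumber at all
    {"name": "Domain Admins", "kind": "group", "gidNumber": 10002},
]


def idmap_range(smb_conf, domain):
    """Return (low, high) from the 'idmap config <domain> : range = low-high' line."""
    pat = re.compile(r"idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
                     % re.escape(domain), re.IGNORECASE)
    m = pat.search(smb_conf)
    if m is None:
        raise ValueError("no idmap range configured for %s" % domain)
    return int(m.group(1)), int(m.group(2))


def maps_administrator_to_root(username_map, domain):
    """True if a 'root = ...' (or '!root = ...') line lists DOMAIN\\Administrator."""
    wanted = ("%s\\administrator" % domain).lower()
    for line in username_map.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        unix_user, _, win_names = line.partition("=")
        if unix_user.strip().lstrip("!") != "root":
            continue
        if wanted in {n.lower() for n in win_names.split()}:
            return True
    return False


def check_idmap_ad(records, smb_conf, username_map, domain):
    """Return a list of findings; an empty list means the setup follows the
    rules from the thread."""
    low, high = idmap_range(smb_conf, domain)
    findings = []
    for r in records:
        name, kind = r["name"], r["kind"]
        if kind == "user":
            uid = r.get("uidNumber")
            if name.lower() == "administrator":
                if uid is not None:
                    findings.append("%s has uidNumber %d: remove it so the account is "
                                    "mapped to root by 'username map' instead" % (name, uid))
                elif not maps_administrator_to_root(username_map, domain):
                    findings.append("%s is not mapped to root in the username map" % name)
            elif uid is not None and not low <= uid <= high:
                findings.append("%s: uidNumber %d is outside the idmap range %d-%d, so the "
                                "user will not be visible to Unix" % (name, uid, low, high))
        else:
            gid = r.get("gidNumber")
            if gid is None and name.lower() == "domain users":
                findings.append("Domain Users has no gidNumber: 'ad'-mapped users get no "
                                "primary group")
            elif gid is not None and not low <= gid <= high:
                findings.append("%s: gidNumber %d is outside the idmap range %d-%d"
                                % (name, gid, low, high))
    return findings


if __name__ == "__main__":
    for finding in check_idmap_ad(RECORDS, SMB_CONF, USERNAME_MAP, "SAMDOM"):
        print(finding)
```

Run against the constructed records it reports three problems (Administrator carrying a uidNumber, bob's uidNumber below the range, and Domain Users lacking a gidNumber); a real run would feed it the attributes read from the directory and the live smb.conf instead.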
On 16/01/16 13:26, Henry McLaughlin wrote:
>
> Kind regards,
>
> Henry McLaughlin
> 0411 444 363 (Mobile)
> henry at incred.com.au
> PO Box 329
> Romsey VIC 3434
>
> On 15 January 2016 at 23:24, Rowland penny <rpenny at samba.org> wrote:
>
>> On 15/01/16 12:08, Henry McLaughlin wrote:
>>>
>>> On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
>>>
>>>> On 15/01/16 11:12, Henry McLaughlin wrote:
>>>>
>>>>>> Have you by any chance given Administrator a uidNumber ?
>>>>>
>>>>> Yes, 10000
>>>>>
>>>>> Was that wrong?
>>>>
>>>> Well, in my opinion, yes. By giving Administrator a uidNumber, you
>>>> have, as far as Unix is concerned, turned it into a normal user
>>>> that doesn't have the rights to do anything.
>>>>
>>>> Is this on a DC ? if so, remove the uidNumber and it should start
>>>> working again, if it is a domain member, again remove the
>>>> uidNumber and add this line to smb.conf
>>>>
>>>> username map = /etc/samba/samba_usermapping
>>>>
>>>> Create the file '/etc/samba/samba_usermapping' with this content:
>>>>
>>>> !root = SAMDOM\Administrator SAMDOM\administrator
>>>>
>>>> Replace 'SAMDOM' with your workgroup
>>>>
>>>> This will map 'Administrator' to the Unix 'root' user
>>>>
>>>> Rowland
>>>
>>> Thanks Rowland this worked however I am totally confused as to when a
>>> Windows User/Groups needs to be given a UNIX id in ADUG. Is there a
>>> reference out there I can read, study & understand?
>>
>> It is fairly simple, on a DC, users are mapped to (via idmap.ldb) Unix
>> automatically. On a domain member, you have a choice of backends, but
>> the two main ones are 'rid' & 'ad'. The 'rid' backend works similar
>> (from an initial view point) to the DC and maps the users & groups to
>> Unix. The 'ad' backend is different, any user that you want to be
>> visible to Unix must be given a uidNumber attribute, this number must be
>> inside the range that is set in smb.conf, you must also give Domain
>> Users (at least) a gidNumber attribute, this must also be inside the
>> range set in smb.conf, if you want any other groups to be visible to
>> Unix, these also must be given a gidNumber.
>>
>> Any user or group that is visible to Unix, works just like any other
>> Unix user or group and only has the permissions you assign to them.
>>
>> Rowland
>
> When I now try to set SeDiskOperatorPrivilege to "DOMAIN\Domain Admins"
> it is set for "Unix Group\domain admins"? Is this correct as I had
> expected it to be "DOMAIN\Domain Admins"?
>
> root at aphrodite:~# net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'DOMAIN\administrator'
> Enter DOMAIN\administrator's password:
> Successfully granted rights.
>
> root at aphrodite:~# net rpc rights list accounts -U'DOMAIN\administrator'
> Enter DOMAIN\administrator's password:
> BUILTIN\Print Operators
> No privileges assigned
>
> BUILTIN\Account Operators
> No privileges assigned
>
> BUILTIN\Backup Operators
> No privileges assigned
>
> BUILTIN\Server Operators
> No privileges assigned
>
> BUILTIN\Administrators
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
> SeSecurityPrivilege
> SeSystemtimePrivilege
> SeShutdownPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege
> SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege
> SeLoadDriverPrivilege
> SeCreatePagefilePrivilege
> SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> SeUndockPrivilege
> SeManageVolumePrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
>
> Everyone
> No privileges assigned
>
> Unix Group\domain admins
> SeDiskOperatorPrivilege

Does Domain Admins have a gidNumber ?
It doesn't really matter what net shows for Domain Admins as long as it
works, have you tried it ?

It works for me, but I get this on a domain member:

net rpc rights list accounts -Uadministrator
Enter administrator's password:
~~~~~~~~~~~~
S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-512
SeDiskOperatorPrivilege

whilst on a DC, I get this:
~~~~~~~~~~~~
SAMDOM\Domain Admins
SeDiskOperatorPrivilege

Rowland
On 17 January 2016 at 00:50, Rowland penny <rpenny at samba.org> wrote:

> On 16/01/16 13:26, Henry McLaughlin wrote:
>>
>> On 15 January 2016 at 23:24, Rowland penny <rpenny at samba.org> wrote:
>>
>>> On 15/01/16 12:08, Henry McLaughlin wrote:
>>>>
>>>> On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
>>>>
>>>>> On 15/01/16 11:12, Henry McLaughlin wrote:
>>>>>
>>>>>>> Have you by any chance given Administrator a uidNumber ?
>>>>>>
>>>>>> Yes, 10000
>>>>>>
>>>>>> Was that wrong?
>>>>>
>>>>> Well, in my opinion, yes. By giving Administrator a uidNumber, you
>>>>> have, as far as Unix is concerned, turned it into a normal user
>>>>> that doesn't have the rights to do anything.
>>>>>
>>>>> Is this on a DC ? if so, remove the uidNumber and it should start
>>>>> working again, if it is a domain member, again remove the
>>>>> uidNumber and add this line to smb.conf
>>>>>
>>>>> username map = /etc/samba/samba_usermapping
>>>>>
>>>>> Create the file '/etc/samba/samba_usermapping' with this content:
>>>>>
>>>>> !root = SAMDOM\Administrator SAMDOM\administrator
>>>>>
>>>>> Replace 'SAMDOM' with your workgroup
>>>>>
>>>>> This will map 'Administrator' to the Unix 'root' user
>>>>>
>>>>> Rowland
>>>>
>>>> Thanks Rowland this worked however I am totally confused as to when a
>>>> Windows User/Groups needs to be given a UNIX id in ADUG. Is there a
>>>> reference out there I can read, study & understand?
>>>
>>> It is fairly simple, on a DC, users are mapped to (via idmap.ldb) Unix
>>> automatically. On a domain member, you have a choice of backends, but
>>> the two main ones are 'rid' & 'ad'. The 'rid' backend works similar
>>> (from an initial view point) to the DC and maps the users & groups to
>>> Unix. The 'ad' backend is different, any user that you want to be
>>> visible to Unix must be given a uidNumber attribute, this number must
>>> be inside the range that is set in smb.conf, you must also give Domain
>>> Users (at least) a gidNumber attribute, this must also be inside the
>>> range set in smb.conf, if you want any other groups to be visible to
>>> Unix, these also must be given a gidNumber.
>>>
>>> Any user or group that is visible to Unix, works just like any other
>>> Unix user or group and only has the permissions you assign to them.
>>>
>>> Rowland
>>
>> When I now try to set SeDiskOperatorPrivilege to "DOMAIN\Domain Admins"
>> it is set for "Unix Group\domain admins"? Is this correct as I had
>> expected it to be "DOMAIN\Domain Admins"?
>>
>> root at aphrodite:~# net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'DOMAIN\administrator'
>> Enter DOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> root at aphrodite:~# net rpc rights list accounts -U'DOMAIN\administrator'
>> Enter DOMAIN\administrator's password:
>> BUILTIN\Print Operators
>> No privileges assigned
>>
>> BUILTIN\Account Operators
>> No privileges assigned
>>
>> BUILTIN\Backup Operators
>> No privileges assigned
>>
>> BUILTIN\Server Operators
>> No privileges assigned
>>
>> BUILTIN\Administrators
>> SeMachineAccountPrivilege
>> SeTakeOwnershipPrivilege
>> SeBackupPrivilege
>> SeRestorePrivilege
>> SeRemoteShutdownPrivilege
>> SePrintOperatorPrivilege
>> SeAddUsersPrivilege
>> SeDiskOperatorPrivilege
>> SeSecurityPrivilege
>> SeSystemtimePrivilege
>> SeShutdownPrivilege
>> SeDebugPrivilege
>> SeSystemEnvironmentPrivilege
>> SeSystemProfilePrivilege
>> SeProfileSingleProcessPrivilege
>> SeIncreaseBasePriorityPrivilege
>> SeLoadDriverPrivilege
>> SeCreatePagefilePrivilege
>> SeIncreaseQuotaPrivilege
>> SeChangeNotifyPrivilege
>> SeUndockPrivilege
>> SeManageVolumePrivilege
>> SeImpersonatePrivilege
>> SeCreateGlobalPrivilege
>> SeEnableDelegationPrivilege
>>
>> Everyone
>> No privileges assigned
>>
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>
> Does Domain Admins have a gidNumber ?
> It doesn't really matter what net shows for Domain Admins as long as it
> works, have you tried it ?
>
> It works for me, but I get this on a domain member:
>
> net rpc rights list accounts -Uadministrator
> Enter administrator's password:
> ~~~~~~~~~~~~
> S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-512
> SeDiskOperatorPrivilege
>
> whilst on a DC, I get this:
> ~~~~~~~~~~~~
> SAMDOM\Domain Admins
> SeDiskOperatorPrivilege
>
> Rowland

Domain Admins is the only AD User/Group I have assigned a Unix ID to. (Can
this be verified?)

After the following on the member server:

net rpc rights revoke 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'DOMAIN\administrator'
Enter DOMAIN\administrator's password:
Successfully revoked rights.

net rpc rights list accounts -Uadministrator
Enter administrator's password:
...
Unix Group\domain admins
No privileges assigned

After the following on the member server:

net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'DOMAIN\administrator'
Enter DOMAIN\administrator's password:
Successfully granted rights.

net rpc rights list accounts -Uadministrator
Enter administrator's password:
...
Unix Group\domain admins
SeDiskOperatorPrivilege

There is no mention of the Domain Admins group when I run "net rpc rights
list accounts -Uadministrator" on the DC.
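Across this thread the same group shows up in `net rpc rights list accounts` output under three names: `DOMAIN\Domain Admins` on a DC, and either `Unix Group\domain admins` or the raw SID ending in the Domain Admins RID (-512) on a member server. That makes it awkward to audit by eye which accounts actually hold SeDiskOperatorPrivilege, which is the right that lets an account manage shares. The following added example, which is not code from this thread or from the Samba project, parses that output and reports any holder of the privilege other than BUILTIN\Administrators and Domain Admins; the sample output is constructed from the shapes seen in the thread, and the `helpdesk` group and the digits in the SID are made up.

```python
# Added example (not from the thread or the Samba project): parse the text that
# 'net rpc rights list accounts' prints and audit who holds
# SeDiskOperatorPrivilege, accepting the three spellings of Domain Admins
# seen in the thread.  The sample output below is constructed.
import re

SAMPLE_OUTPUT = """Enter DOMAIN\\administrator's password:
BUILTIN\\Print Operators
No privileges assigned

BUILTIN\\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned

Unix Group\\domain admins
SeDiskOperatorPrivilege

~~~~~~~~~~~~
S-1-5-21-1111111111-2222222222-3333333333-512
SeDiskOperatorPrivilege

Unix Group\\helpdesk
SeDiskOperatorPrivilege
"""

DOMAIN_ADMINS_RID = 512  # well-known RID of the Domain Admins group


def parse_rights(text):
    """Map each account header to the list of privileges printed under it."""
    rights = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Enter ") or set(line) == {"~"}:
            continue                        # blank, password prompt or separator
        if current is None and not_account_header(line):
            continue                        # stray privilege line before any header
        if line == "No privileges assigned":
            rights.setdefault(current, [])
        elif re.fullmatch(r"Se\w+Privilege", line):
            rights.setdefault(current, []).append(line)
        else:
            current = line                  # a new account header
            rights.setdefault(current, [])
    return rights


def not_account_header(line):
    """True for the two kinds of line that only make sense under a header."""
    return line == "No privileges assigned" or re.fullmatch(r"Se\w+Privilege", line) is not None


def is_domain_admins(account, domain):
    """Recognise DOMAIN\\Domain Admins, the 'Unix Group\\domain admins' form a
    member server prints, or the raw SID ending in the Domain Admins RID."""
    a = account.lower()
    if a in ("%s\\domain admins" % domain.lower(), "unix group\\domain admins"):
        return True
    return re.fullmatch(r"s-1-5-21-\d+-\d+-\d+-%d" % DOMAIN_ADMINS_RID, a) is not None


def holders_of(privilege, rights):
    """Accounts listed with the given privilege, in output order."""
    return [acct for acct, privs in rights.items() if privilege in privs]


def unexpected_disk_operators(rights, domain):
    """Holders of SeDiskOperatorPrivilege other than BUILTIN\\Administrators
    and Domain Admins, the two that are expected to have it."""
    return [a for a in holders_of("SeDiskOperatorPrivilege", rights)
            if a.lower() != "builtin\\administrators" and not is_domain_admins(a, domain)]


if __name__ == "__main__":
    parsed = parse_rights(SAMPLE_OUTPUT)
    for acct in holders_of("SeDiskOperatorPrivilege", parsed):
        tag = "ok" if acct not in unexpected_disk_operators(parsed, "DOMAIN") else "UNEXPECTED"
        print("%-50s %s" % (acct, tag))
```

On the constructed sample only `Unix Group\helpdesk` is flagged; the DC-style name, the member-server `Unix Group\` form and the bare SID are all recognised as the same Domain Admins group. In practice the text would come from `net rpc rights list accounts -U...` run on each server, as in the thread.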