I have sssd configured and working with my domain member server and I now
wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
group. When I execute the command it appears to disregard the domain name
and grant the privileges to the group "Unix Group\domain admins"

net rpc rights list accounts -U'MYDOMAIN\administrator'
Enter MYDOMAIN\administrator's password:

...
Unix Group\domain admins
No privileges assigned

net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
Enter MYDOMAIN\administrator's password:
Successfully granted rights.

net rpc rights list accounts -U'MYDOMAIN\administrator'
Enter MYDOMAIN\administrator's password:

...
Unix Group\domain admins
SeDiskOperatorPrivilege

net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
Enter MYDOMAIN\administrator's password:
Successfully revoked rights.

net rpc rights list accounts -U'MYDOMAIN\administrator'
Enter MYDOMAIN\administrator's password:

...
Unix Group\domain admins
No privileges assigned

Below I have completely removed the domain name from the command and still
get the same outcome.

net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
Enter MYDOMAIN\administrator's password:
Successfully granted rights.

net rpc rights list accounts -U'MYDOMAIN\administrator'
Enter MYDOMAIN\administrator's password:

...
Unix Group\domain admins
SeDiskOperatorPrivilege

Does this behaviour appear correct or am I missing something in my config
that identifies the domain name?

On 19/01/16 19:34, Henry McLaughlin wrote:
> I have sssd configured and working with my domain member server and I now
> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
> group. When I execute the command it appears to disregard the domain name
> and grant the privileges to the group "Unix Group\domain admins"
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> No privileges assigned
>
> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
> Successfully granted rights.
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> SeDiskOperatorPrivilege
>
> net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
> Successfully revoked rights.
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> No privileges assigned
>
> Below I have completely removed the domain name from the command and still
> get the same outcome.
>
> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
> Successfully granted rights.
>
> net rpc rights list accounts -U'MYDOMAIN\administrator'
> Enter MYDOMAIN\administrator's password:
>
> ...
> Unix Group\domain admins
> SeDiskOperatorPrivilege
>
> Does this behaviour appear correct or am I missing something in my config
> that identifies the domain name?

I don't know, I cannot see your smb.conf from here.

Rowland

On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
> On 19/01/16 19:34, Henry McLaughlin wrote:
>
>> I have sssd configured and working with my domain member server and I now
>> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
>> group. When I execute the command it appears to disregard the domain name
>> and grant the privileges to the group "Unix Group\domain admins"
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully revoked rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>> Below I have completely removed the domain name from the command and still
>> get the same outcome.
>>
>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> Does this behaviour appear correct or am I missing something in my config
>> that identifies the domain name?
>
> I don't know, I cannot see your smb.conf from here.
>
> Rowland

cat /etc/samba/smb.conf
[global]
workgroup = MYDOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AD.MYDOMAIN.COM.AU
security = ads
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
username map = /etc/samba/samba_usermapping

[printers]
path = /var/spool/samba/
printable = yes
printing = CUPS

[Administration]
path = /mnt/disk-2/samba/Administration/
read only = no
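
An added example, not part of the original thread: a shell check that parses `net rpc rights list accounts` output and reports whether a right is listed under the account name that was requested, which is the mismatch described in the first message. The function names and the sample listing are constructed for illustration, and the block layout (account line, rights lines, blank separator) is assumed from the output quoted above.

```shell
#!/bin/sh
# Added example: audit `net rpc rights list accounts` output (read on stdin).
# Assumed layout, as quoted in the thread: one account name line, then one line
# per right (or "No privileges assigned"), with a blank line between accounts.

# holders PRIVILEGE -> prints every account name that holds PRIVILEGE.
holders() {
    awk -v want="$1" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # trim CR and blanks
        $0 == ""   { acct = ""; next }                   # blank line ends a block
        acct == "" { acct = $0; next }                   # first line is the account
        $0 == want { print acct }                        # later lines are rights
    '
}

# granted_to ACCOUNT PRIVILEGE -> exit 0 only if ACCOUNT itself is a holder.
# grep -F keeps the backslash in DOMAIN\name literal; -x whole line; -i any case.
granted_to() {
    holders "$2" | grep -qixF -- "$1"
}

# Constructed sample listing (not captured from a real server).
sample_listing() {
    cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeTakeOwnershipPrivilege
SeDiskOperatorPrivilege

Unix Group\domain admins
SeDiskOperatorPrivilege
EOF
}

# Stand-alone run: show the holders, then test the name that was requested.
sample_listing | holders SeDiskOperatorPrivilege
if sample_listing | granted_to 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege; then
    echo "right is held by the requested account"
else
    echo "MISMATCH: right is not listed under the requested account name"
fi
```

Against a live member server, pipe the real listing into `granted_to` in place of `sample_listing`, so a grant that reports success but lands on a different account name is caught right away.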