On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
> On 19/01/16 19:34, Henry McLaughlin wrote:
>> I have sssd configured and working with my domain member server and I now
>> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
>> group. When I execute the command it appears to disregard the domain name
>> and grant the privileges to the group "Unix Group\domain admins".
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully revoked rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> No privileges assigned
>>
>> Below I have completely removed the domain name from the command and still
>> get the same outcome.
>>
>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>> Successfully granted rights.
>>
>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>> Enter MYDOMAIN\administrator's password:
>>
>> ...
>> Unix Group\domain admins
>> SeDiskOperatorPrivilege
>>
>> Does this behaviour appear correct or am I missing something in my config
>> that identifies the domain name?
>
> I don't know, I cannot see your smb.conf from here.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

cat /etc/samba/smb.conf
[global]
workgroup = MYDOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AD.MYDOMAIN.COM.AU
security = ads

rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
username map = /etc/samba/samba_usermapping

[printers]
path = /var/spool/samba/
printable = yes
printing = CUPS

[Administration]
path = /mnt/disk-2/samba/Administration/
read only = no
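The listing above shows the privilege landing on "Unix Group\domain admins", a name in Samba's built-in Unix Group namespace (SIDs of the form S-1-22-2-<gid>) rather than on the domain group, and the grant is stored against whichever SID the name resolved to at the time. The script below is an added example, not code from the thread or from the Samba project: it parses the output layout that net rpc rights list accounts prints above and flags every privilege held by a Unix User/Group pseudo-account, so a provisioning script can stop before it grants rights to the wrong SID. The sample listing is constructed; the BUILTIN\Administrators entry and the domain-prefixed Domain Admins entry in it are assumptions added for contrast.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Parses the layout `net rpc rights list accounts` printed in the thread
# (account line, then one privilege per line or "No privileges assigned",
# blank line between accounts) and flags privileges held by accounts that
# resolved into Samba's built-in "Unix User\" / "Unix Group\" namespace
# (SIDs S-1-22-1-<uid> / S-1-22-2-<gid>) instead of a domain account.

# Constructed sample listing, modelled on the thread's output.  The
# BUILTIN and MYDOMAIN entries are assumptions added for contrast.
SAMPLE_RIGHTS='BUILTIN\Administrators
SeDiskOperatorPrivilege
SePrintOperatorPrivilege

Unix Group\domain admins
SeDiskOperatorPrivilege

MYDOMAIN\Domain Admins
No privileges assigned
'

# audit_rights: read a rights listing on stdin and print
# "<account><TAB><privilege>" for each privilege held by a Unix User/Group
# pseudo-account.  Exits 1 when anything was flagged, so a provisioning
# script can stop before granting more rights to the wrong SID.
audit_rights() {
    awk '
        /^$/ { account = ""; next }             # blank line ends an account block
        account == "" { account = $0; next }    # first line of a block is the name
        /^No privileges assigned$/ { next }
        index(account, "Unix Group\\") == 1 || index(account, "Unix User\\") == 1 {
            flagged++
            print account "\t" $0
        }
        END { exit (flagged ? 1 : 0) }
    '
}

# count_flagged: number of flagged privilege lines in the constructed sample.
count_flagged() {
    printf '%s' "$SAMPLE_RIGHTS" | audit_rights | wc -l | tr -d ' '
}

# holds_privilege ACCOUNT PRIVILEGE: true when ACCOUNT holds PRIVILEGE in the
# sample.  Values go through the environment, not awk -v, because -v would
# interpret the backslash in "MYDOMAIN\Domain Admins" as an escape sequence.
holds_privilege() {
    printf '%s' "$SAMPLE_RIGHTS" | ACCT="$1" PRIV="$2" awk '
        /^$/ { account = ""; next }
        account == "" { account = $0; next }
        account == ENVIRON["ACCT"] && $0 == ENVIRON["PRIV"] { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Stand-alone run: list the flagged lines, then warn if there were any.
printf '%s' "$SAMPLE_RIGHTS" | audit_rights ||
    echo "WARNING: privileges held by Unix User/Group pseudo-accounts" >&2
```

On a live member server, pipe the real command into the function instead of the sample: net rpc rights list accounts -U'MYDOMAIN\administrator' | audit_rights. Before granting, getent group 'MYDOMAIN\Domain Admins' (and, where winbind is in use, wbinfo -n 'MYDOMAIN\Domain Admins') shows whether the name resolves to a domain SID on that host; if a grant has already landed on a Unix Group\ holder, revoke it and re-grant once the name resolves correctly, because the stored privilege follows the SID, not the name.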
On 19/01/16 20:00, Henry McLaughlin wrote:
> On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
>> On 19/01/16 19:34, Henry McLaughlin wrote:
>>> I have sssd configured and working with my domain member server and I now
>>> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
>>> group. When I execute the command it appears to disregard the domain name
>>> and grant the privileges to the group "Unix Group\domain admins".
>>>
>>> [...]
>>>
>>> Does this behaviour appear correct or am I missing something in my config
>>> that identifies the domain name?
>>
>> I don't know, I cannot see your smb.conf from here.
>>
>> Rowland
>
> cat /etc/samba/smb.conf
> [global]
> workgroup = MYDOMAIN
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> realm = AD.MYDOMAIN.COM.AU
> security = ads
>
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> username map = /etc/samba/samba_usermapping
>
> [printers]
> path = /var/spool/samba/
> printable = yes
> printing = CUPS
>
> [Administration]
> path = /mnt/disk-2/samba/Administration/
> read only = no

OK, I think you need to visit the sssd mailing list. If you were using winbind, you could add this:

winbind use default domain

With this line, you lose the DOMAIN prefix, i.e. Domain Admins instead of DOMAIN\Domain Admins.

Does sssd have a version of the above line?

Rowland
On 20 January 2016 at 07:08, Rowland penny <rpenny at samba.org> wrote:
> On 19/01/16 20:00, Henry McLaughlin wrote:
>> On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
>>> On 19/01/16 19:34, Henry McLaughlin wrote:
>>>> I have sssd configured and working with my domain member server and I now
>>>> wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain Admins"
>>>> group. When I execute the command it appears to disregard the domain name
>>>> and grant the privileges to the group "Unix Group\domain admins".
>>>>
>>>> [...]
>>>>
>>>> Does this behaviour appear correct or am I missing something in my config
>>>> that identifies the domain name?
>>>
>>> I don't know, I cannot see your smb.conf from here.
>>>
>>> Rowland
>>
>> cat /etc/samba/smb.conf
>> [...]
>> [Administration]
>> path = /mnt/disk-2/samba/Administration/
>> read only = no
>
> OK, I think you need to visit the sssd mailing list. If you were using
> winbind, you could add this:
>
> winbind use default domain
>
> With this line, you lose the DOMAIN prefix, i.e. Domain Admins instead of
> DOMAIN\Domain Admins.
>
> Does sssd have a version of the above line?
>
> Rowland

Not sure, I'm checking with the sssd list now. Does Samba care if the
authentication is performed by sssd? Meaning if I can get the authentication
working with sssd, can I still get my samba shares working in Windows using
Windows ACLs as per:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs