On 20 January 2016 at 07:08, Rowland penny <rpenny at samba.org> wrote:

> On 19/01/16 20:00, Henry McLaughlin wrote:
>
>> On 20 January 2016 at 06:43, Rowland penny <rpenny at samba.org> wrote:
>>
>>> On 19/01/16 19:34, Henry McLaughlin wrote:
>>>
>>>> I have sssd configured and working with my domain member server and I
>>>> now wish to grant the SeDiskOperatorPrivilege to the "MYDOMAIN\Domain
>>>> Admins" group. When I execute the command it appears to disregard the
>>>> domain name and grant the privileges to the group "Unix Group\domain
>>>> admins".
>>>>
>>>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>>>> Enter MYDOMAIN\administrator's password:
>>>>
>>>> ...
>>>> Unix Group\domain admins
>>>> No privileges assigned
>>>>
>>>> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>>>> Enter MYDOMAIN\administrator's password:
>>>> Successfully granted rights.
>>>>
>>>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>>>> Enter MYDOMAIN\administrator's password:
>>>>
>>>> ...
>>>> Unix Group\domain admins
>>>> SeDiskOperatorPrivilege
>>>>
>>>> net rpc rights revoke 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>>>> Enter MYDOMAIN\administrator's password:
>>>> Successfully revoked rights.
>>>>
>>>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>>>> Enter MYDOMAIN\administrator's password:
>>>>
>>>> ...
>>>> Unix Group\domain admins
>>>> No privileges assigned
>>>>
>>>> Below I have completely removed the domain name from the command and
>>>> still get the same outcome.
>>>>
>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -U'MYDOMAIN\administrator'
>>>> Enter MYDOMAIN\administrator's password:
>>>> Successfully granted rights.
>>>>
>>>> net rpc rights list accounts -U'MYDOMAIN\administrator'
>>>> Enter MYDOMAIN\administrator's password:
>>>>
>>>> ...
>>>> Unix Group\domain admins
>>>> SeDiskOperatorPrivilege
>>>>
>>>> Does this behaviour appear correct or am I missing something in my
>>>> config that identifies the domain name?
>>>
>>> I don't know, I cannot see your smb.conf from here.
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>> cat /etc/samba/smb.conf
>> [global]
>>         workgroup = MYDOMAIN
>>         client signing = yes
>>         client use spnego = yes
>>         kerberos method = secrets and keytab
>>         realm = AD.MYDOMAIN.COM.AU
>>         security = ads
>>
>>         rpc_server:spoolss = external
>>         rpc_daemon:spoolssd = fork
>>         username map = /etc/samba/samba_usermapping
>>
>> [printers]
>>         path = /var/spool/samba/
>>         printable = yes
>>         printing = CUPS
>>
>> [Administration]
>>         path = /mnt/disk-2/samba/Administration/
>>         read only = no
>
> OK, I think you need to visit the sssd mailing list, if you were using
> winbind, you could add this:
>
> winbind use default domain
>
> With this line, you lose the DOMAIN prefix i.e. Domain Admins instead of
> DOMAIN\Domain Admins.
>
> Does sssd have a version of the above line?
>
> Rowland

Not sure, I'm checking with the sssd list now.

Does Samba care if the authentication is performed by sssd? Meaning if I
can get the authentication working with sssd can I still get my samba
shares working in Windows using Windows ACLs as per:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
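The `net rpc rights` exchange quoted above shows the privilege being bound to "Unix Group\domain admins" rather than to the domain group. Samba represents a Unix gid that has no SID mapping as a SID under the "Unix Group" authority, S-1-22-2-<gid> (Unix users get S-1-22-1-<uid>), so the privilege in that output is attached to a different principal than MYDOMAIN\Domain Admins (S-1-5-21-<domain>-512). The script below is an added example, not code from the thread or from the Samba project: it audits `net rpc rights list accounts` output for privileges that landed on Unix User/Unix Group principals, and classifies SIDs by prefix. The sample output it carries is constructed to match the shape shown in the thread; the account names, SID values and gid 10513 are illustrative.

```shell
#!/bin/sh
# Added example: flag privileges bound to Unix-mapped principals instead of
# domain SIDs. Run against a live server with
#   net rpc rights list accounts -U'MYDOMAIN\administrator' | misbound_privileges

# Print "account<TAB>privilege" for every privilege held by a "Unix User\"
# or "Unix Group\" principal. Input format (stdin): an account line, then one
# privilege per line (or "No privileges assigned"), then a blank line.
misbound_privileges() {
    awk '
        /^$/                           { account = ""; next }
        account == ""                  { account = $0; next }
        $0 == "No privileges assigned" { next }
        index(account, "Unix Group\\") == 1 || index(account, "Unix User\\") == 1 {
            printf "%s\t%s\n", account, $0
        }
    '
}

# Classify a SID by its authority / first sub-authority.
sid_kind() {
    case "$1" in
        S-1-22-1-*) echo unix-user ;;
        S-1-22-2-*) echo unix-group ;;
        S-1-5-21-*) echo domain ;;
        S-1-5-32-*) echo builtin ;;
        *)          echo other ;;
    esac
}

# The SID Samba synthesises for a Unix gid that has no domain mapping.
unix_group_sid() {
    echo "S-1-22-2-$1"
}

# Constructed sample in the shape of `net rpc rights list accounts`
# (not real output; the svc-backup account is made up for illustration).
sample_rights_output() {
    printf '%s\n' \
        'BUILTIN\Administrators' \
        'SeDiskOperatorPrivilege' \
        'SeMachineAccountPrivilege' \
        '' \
        'Unix Group\domain admins' \
        'SeDiskOperatorPrivilege' \
        '' \
        'MYDOMAIN\svc-backup' \
        'No privileges assigned' \
        ''
}

main() {
    findings=$(sample_rights_output | misbound_privileges)
    if [ -n "$findings" ]; then
        echo "privileges bound to Unix-mapped principals, not domain SIDs:"
        echo "$findings"
        echo "expected domain SID kind for Domain Admins: $(sid_kind S-1-5-21-1111-2222-3333-512)"
        echo "what 'Unix Group\\domain admins' with gid 10513 resolves to: $(unix_group_sid 10513)"
    else
        echo "no privileges bound to Unix User/Unix Group principals"
    fi
}

main
```

The practical consequence is that a grant which shows up under "Unix Group\" has not been applied to the domain group's SID; whether members of Domain Admins actually receive the privilege then depends on how the member server builds the user's token, so an audit that only checks "was the grant reported successful" is not enough.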
On 19/01/16 20:48, Henry McLaughlin wrote:
> On 20 January 2016 at 07:08, Rowland penny <rpenny at samba.org> wrote:
>
> [...]
>
>> OK, I think you need to visit the sssd mailing list, if you were
>> using winbind, you could add this:
>>
>> winbind use default domain
>>
>> With this line, you lose the DOMAIN prefix i.e. Domain Admins
>> instead of DOMAIN\Domain Admins.
>>
>> Does sssd have a version of the above line?
>>
>> Rowland
>
> Not sure, I'm checking with the sssd list now.
>
> Does Samba care if the authentication is performed by sssd? Meaning if
> I can get the authentication working with sssd can I still get my
> samba shares working in Windows using Windows ACLs as per:
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Samba really needs winbind for some of its internal workings but will
work with sssd especially if you are using a late enough version that
includes its own version of libwbclient.

Rowland
On 20 January 2016 at 08:25, Rowland penny <rpenny at samba.org> wrote:

> On 19/01/16 20:48, Henry McLaughlin wrote:
>
> [...]
>
>> Does Samba care if the authentication is performed by sssd? Meaning if I
>> can get the authentication working with sssd can I still get my samba
>> shares working in Windows using Windows ACLs as per:
>>
>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> Samba really needs winbind for some of its internal workings but will work
> with sssd especially if you are using a late enough version that includes
> its own version of libwbclient.
>
> Rowland

Sounds like sssd is getting too difficult and I need to get this working
today. I just googled and found the package version I have, being 1.11.5,
has problems with Samba:

https://lists.samba.org/archive/samba/2015-January/188338.html

I am looking at a single domain with a single AD DC and a single member
server. So back to square 1... I'll implement:

https://wiki.samba.org/index.php/Idmap_config_ad

And just to be clear... I will assign UIDs & GIDs in ADUC to all users I
want to be visible to Linux except administrator :)
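The thread ends with a move to winbind and the "ad" idmap backend, where uidNumber/gidNumber are read from AD. The block below is an added example, not the thread's configuration and not the Samba wiki's text: a winbind-based member-server [global] section of the kind that replaces the sssd setup quoted earlier, plus a check a practitioner wants before joining, that the idmap ranges are disjoint and that the gidNumber assigned in AD actually falls inside the domain's range. Overlapping or mis-sized ranges make winbind hand out ambiguous or missing uid/gid mappings, which shows up as wrong file ownership and ACL entries on shares. The domain name, realm, range bounds and the gid 10513 are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example: winbind + "idmap config ... : backend = ad" member-server
# settings, with a range sanity check run over the embedded config.

# Illustrative [global] section (values are placeholders, not the thread's).
smb_conf_global() {
    cat <<'EOF'
[global]
        workgroup = MYDOMAIN
        realm = AD.MYDOMAIN.COM.AU
        security = ads
        kerberos method = secrets and keytab

        # Catch-all backend for SIDs no domain-specific block covers
        # (BUILTIN, well-known SIDs, trusted domains without their own config).
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        # Map MYDOMAIN objects from their uidNumber/gidNumber in AD; objects
        # without those attributes stay invisible to Linux.
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : range = 10000-999999
        winbind nss info = rfc2307

        winbind use default domain = yes
        winbind refresh tickets = yes

        # Windows ACLs stored in extended attributes on the share.
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
EOF
}

# Print "name<TAB>low<TAB>high" for every "idmap config NAME : range" line
# in the config read on stdin.
idmap_ranges() {
    awk -F'=' '
        /^[[:space:]]*idmap config .*:[[:space:]]*range[[:space:]]*=/ {
            split($1, lhs, ":")
            name = lhs[1]
            sub(/^[[:space:]]*idmap config[[:space:]]*/, "", name)
            sub(/[[:space:]]*$/, "", name)
            range = $2; gsub(/[[:space:]]/, "", range)
            split(range, r, "-")
            printf "%s\t%s\t%s\n", name, r[1], r[2]
        }
    '
}

# Exit 0 if every range is well-formed and no two ranges overlap; otherwise
# report the offending pairs and exit 1. Reads the config on stdin.
idmap_ranges_disjoint() {
    idmap_ranges | awk -F'\t' '
        { name[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            for (i = 1; i <= NR; i++) {
                if (lo[i] > hi[i]) { printf "bad range for %s\n", name[i]; bad = 1 }
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n",
                               name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
            }
            exit bad
        }
    '
}

# id_in_domain_range DOMAIN ID < smb.conf: exit 0 if ID (a uidNumber or
# gidNumber set in AD) lies inside DOMAIN's idmap range.
id_in_domain_range() {
    idmap_ranges | awk -F'\t' -v dom="$1" -v id="$2" '
        $1 == dom { found = 1; if (id + 0 >= $2 + 0 && id + 0 <= $3 + 0) ok = 1 }
        END { if (found && ok) exit 0; exit 1 }
    '
}

main() {
    if smb_conf_global | idmap_ranges_disjoint; then
        echo "idmap ranges are disjoint"
    else
        echo "fix the idmap ranges before joining" >&2
        return 1
    fi
    # gidNumber 10513 stands in for the value set on Domain Admins in ADUC.
    if smb_conf_global | id_in_domain_range MYDOMAIN 10513; then
        echo "gidNumber 10513 is inside the MYDOMAIN range"
    fi
}

main
```

On a joined server the same two checks can be run against the live file (`idmap_ranges_disjoint < /etc/samba/smb.conf`) with the gid taken from `getent group 'Domain Admins'`; a gid outside the domain range means winbind will not map that group at all, and a gid inside the `*` range means it will be served from the local tdb rather than from AD.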