John Gardeniers
2017-May-24 03:34 UTC
[Samba] Unable to set SeDiskOperatorPrivilege (again)
There was a thread on this topic back in January and as far as I can see it was never resolved. I'm unable to set SeDiskOperatorPrivilege for the Domain Admins on our primary file server, so I set up a new samba server, following the directions at https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member but still no success. I don't know if it's to do with the fact that we're using sssd or not. Here are my (lack of) results, which are the same on both machines:

# net rpc rights grant SeDiskOperatorPrivilege "MYDOMAIN\Domain Admins" -U "MYDOMAIN\Administrator"
Enter MYDOMAIN\Administrator's password:
Failed to grant privileges for SeDiskOperatorPrivilege (NT_STATUS_NO_SUCH_USER)

# getent group "Domain Admins"
Domain Admins:*:512:Administrator,user1,user2,user3

# id Administrator
uid=10858(Administrator) gid=513(Domain Users) groups=513(Domain Users),512(Domain Admins),10102(Enterprise Admins)

# id "Domain Admins"
id: Domain Admins: No such user

# net rpc rights list accounts -UAdministrator
Enter Administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

As can be seen, only accounts in the BUILTIN OU are listed, despite sssd being configured to look up users and groups from the base OU on up. Can someone shed any light on this?

regards,
John
Rowland Penny
2017-May-24 06:47 UTC
[Samba] Unable to set SeDiskOperatorPrivilege (again)
On Wed, 24 May 2017 13:34:27 +1000
John Gardeniers via samba <samba at lists.samba.org> wrote:

> There was a thread on this topic back in January and as far as I can
> see it was never resolved.

It has always worked for me, even when I used sssd. But there is no need to use sssd on a Unix domain member.

> # getent group "Domain Admins"
> Domain Admins:*:512:Administrator,user1,user2,user3
>
> # id Administrator
> uid=10858(Administrator) gid=513(Domain Users) groups=513(Domain Users),512(Domain Admins),10102(Enterprise Admins)
>
> # id "Domain Admins"
> id: Domain Admins: No such user

You seem to be using very low numbers for 'Domain Users' & 'Domain Admins'.

'Domain Admins' is only a user on a DC (where it is also a group).

'Administrator' shouldn't have a uidNumber, it should be mapped to 'root'.

Can you post your smb.conf and are you willing to try using winbind?

Rowland
John Gardeniers
2017-May-24 21:40 UTC
[Samba] Unable to set SeDiskOperatorPrivilege (again)
Hi Rowland,

Those low numbers you refer to are in fact the standard numbers assigned to those groups, so I fail to see the problem. As for mapping Administrator to root, I believe that's entirely optional, rather than required. Under normal circumstances we don't use the domain Administrator account at all. We have a root account we use instead.

In regard to winbind, we have never used it and there's a concern here that it may clash with our use of sssd, which is working great for all normal purposes. Using multiple authentication mechanisms against the same source can't be a good idea and, as you can see from my question, we have no trouble resolving users or groups normally.

Here's smb.conf from the test machine:

[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.COM.AU
log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 10000-19999

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

regards,
John

On 24/05/17 16:47, Rowland Penny via samba wrote:
> On Wed, 24 May 2017 13:34:27 +1000
> John Gardeniers via samba <samba at lists.samba.org> wrote:
>
>> There was a thread on this topic back in January and as far as I can
>> see it was never resolved.
> It has always worked for me, even when I used sssd.
> But there is no need to use sssd on a Unix domain member.
>
>> # getent group "Domain Admins"
>> Domain Admins:*:512:Administrator,user1,user2,user3
>>
>> # id Administrator
>> uid=10858(Administrator) gid=513(Domain Users) groups=513(Domain Users),512(Domain Admins),10102(Enterprise Admins)
>>
>> # id "Domain Admins"
>> id: Domain Admins: No such user
>
> You seem to be using very low numbers for 'Domain Users' & 'Domain
> Admins'.
>
> 'Domain Admins' is only a user on a DC (where it is also a group).
>
> 'Administrator' shouldn't have a uidNumber, it should be mapped to
> 'root'.
>
> Can you post your smb.conf and are you willing to try using winbind?
>
> Rowland
>
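The script below is an added example; it is not code from the thread, from either poster, or from the Samba project. It automates two checks a practitioner would run against the artifacts this thread shows before retrying the grant: it parses `net rpc rights list accounts` output and reports which accounts hold a given privilege (SeDiskOperatorPrivilege lets a holder manage shares, so knowing who has it is worth auditing on its own), and it parses an smb.conf to check that, besides the default `*` idmap range, there is an `idmap config <WORKGROUP>` entry with its own backend whose range does not overlap the default range, the condition the comment in the posted smb.conf itself calls out and that the Samba wiki's domain member setup requires. The sample texts are constructed to mirror the thread; the `rid` backend and the MYDOMAIN ranges passed to `with_domain()` are assumed illustration values, and the script makes no claim about the cause of the NT_STATUS_NO_SUCH_USER error.

```python
"""Added example for this thread (not code from the thread or from Samba):
parse `net rpc rights list accounts` output to audit who holds a privilege,
and check an smb.conf idmap setup as the Samba wiki's domain member page
requires: an 'idmap config <WORKGROUP>' entry with its own backend and a
range that does not overlap the default '*' range. Sample texts below are
constructed to mirror the thread; the MYDOMAIN ranges are assumed values."""
import re

PRIV_RE = re.compile(r"^Se[A-Za-z]+Privilege$")
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)$", re.IGNORECASE)

# Constructed sample shaped like `net rpc rights list accounts` output.
SAMPLE_RIGHTS = """\
BUILTIN\\Administrators
SeMachineAccountPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

Everyone
No privileges assigned
"""

# Constructed smb.conf fragment with only the default '*' mapping, as in the
# thread; with_domain() appends an assumed rid mapping for MYDOMAIN.
BASE_SMB_CONF = """\
[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.COM.AU
# default mapping for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 10000-19999
"""

def with_domain(lo, hi):
    return BASE_SMB_CONF + ("idmap config MYDOMAIN : backend = rid\n"
                            f"idmap config MYDOMAIN : range = {lo}-{hi}\n")

def parse_rights(text):
    """Return {account: [privileges]}: a Se...Privilege line belongs to the
    most recent account line; 'No privileges assigned' carries no data."""
    accounts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "No privileges assigned":
            continue
        if current is not None and PRIV_RE.match(line):
            accounts[current].append(line)
        else:
            current = line
            accounts.setdefault(current, [])
    return accounts

def holders(accounts, privilege):
    """Sorted accounts that hold `privilege`."""
    return sorted(a for a, privs in accounts.items() if privilege in privs)

def parse_idmap(text):
    """Return (workgroup, {domain: {'backend': str, 'range': (lo, hi)}})."""
    workgroup, idmap = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = IDMAP_RE.match(key)
        if m:
            entry = idmap.setdefault(m.group(1).upper(), {})
            if m.group(2).lower() == "range":
                lo, hi = value.split("-")
                entry["range"] = (int(lo), int(hi))
            else:
                entry[m.group(2).lower()] = value
        elif key.lower() == "workgroup":
            workgroup = value.upper()
    return workgroup, idmap

def check_idmap(text):
    """Return findings as strings; an empty list means the checks passed."""
    workgroup, idmap = parse_idmap(text)
    default, findings = idmap.get("*", {}), []
    if "range" not in default:
        findings.append("missing 'idmap config * : range' (BUILTIN/default mapping)")
    if workgroup is None:
        return findings + ["no 'workgroup' set in [global]"]
    dom = idmap.get(workgroup, {})
    if "backend" not in dom or "range" not in dom:
        return findings + [f"missing or incomplete 'idmap config {workgroup}' "
                           "entry: domain users and groups get no winbind mapping"]
    (a, b), (c, d) = dom["range"], default.get("range", (0, -1))
    if a <= d and c <= b:                                 # intervals intersect
        findings.append(f"'idmap config {workgroup}' range {a}-{b} "
                        f"overlaps the '*' range {c}-{d}")
    return findings

if __name__ == "__main__":
    print(holders(parse_rights(SAMPLE_RIGHTS), "SeDiskOperatorPrivilege"))
    for conf in (BASE_SMB_CONF, with_domain(100000, 199999), with_domain(15000, 25000)):
        print(check_idmap(conf) or "OK")
```

On a real member server, feed `check_idmap()` the contents of /etc/samba/smb.conf and `parse_rights()` the captured output of `net rpc rights list accounts`; the posted smb.conf produces one finding (no `idmap config MYDOMAIN` entry), while a domain entry whose range falls inside 10000-19999 produces an overlap finding instead.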