On Sun, 9 Jun 2024 16:53:30 +0100 Luis Peromarta via samba <samba at lists.samba.org> wrote:

> Mmm? strange ? Or is this what you were expecting ?

No

>
> root@member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
> Password for [MAD\administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root@member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
> Password for [MAD\administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root@member:/# net rpc rights list privileges SeDiskOperatorPrivilege -UAdministrator
> Password for [MAD\Administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root@member:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\Administrator"
> Password for [MAD\Administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> But then:
>
> root@member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uluis
> Password for [MAD\luis]:
> SeDiskOperatorPrivilege:
>   BUILTIN\Administrators

But that is !!!

Before I say anything else, I would just like to point out two things:

A) I didn't write the initial wikipage
B) Perhaps things didn't work as they should have done when the wikipage was first written.

OK, Windows has the concept of 'nested groups', which means that a group that is a member of another group inherits all the permissions and privileges of the group it is a member of.

Now what does this mean ? As you have proved, by default, BUILTIN\Administrators has the SeDiskOperatorPrivilege and guess what group is a default member of BUILTIN\Administrators, yes, it's Domain Admins. This means you do not have to give Domain Admins the SeDiskOperatorPrivilege, it already gets it from BUILTIN\Administrators.

I will update the wikipage.

Rowland
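The nested-group inheritance described in the reply above, as an added example that is not part of the original thread: it parses a listing in the format `net rpc rights list privileges` prints and walks group nesting to show who effectively holds the right and which direct grants are redundant. The sample listing, the membership map and all function names are constructed for illustration.

```python
import re
from collections import deque

# Constructed sample in the listing format shown in the thread.
SAMPLE_LISTING = """\
SeDiskOperatorPrivilege:
  BUILTIN\\Administrators
  MAD\\Domain Admins
"""

# Assumed membership (principal -> groups it belongs to); constructed.
SAMPLE_MEMBER_OF = {
    "MAD\\Domain Admins": ["BUILTIN\\Administrators"],
    "MAD\\Administrator": ["MAD\\Domain Admins"],
}

def parse_rights_listing(text):
    """Return {privilege: [direct grantees]} from the listing text."""
    grants, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"(Se\w+):", line)
        if header:
            current = header.group(1)
            grants[current] = []
        elif current and "\\" in line:
            grants[current].append(line)
    return grants

def effective_holders(direct, member_of):
    """Map each principal holding the right to its inheritance path."""
    members = {}
    for principal, groups in member_of.items():
        for group in groups:
            members.setdefault(group.lower(), []).append(principal)
    paths, queue = {}, deque([d] for d in direct)
    while queue:
        path = queue.popleft()
        key = path[-1].lower()
        if key in paths:
            continue  # first path found wins; also stops membership loops
        paths[key] = path
        queue.extend(path + [m] for m in members.get(key, []))
    return paths

def redundant_grants(direct, member_of):
    """Direct grantees that already inherit the right from another grantee."""
    return [d for d in direct if d.lower() in effective_holders(
        [o for o in direct if o.lower() != d.lower()], member_of)]
```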
Update: I have revoked the privilege to BUILTIN\Administrators. As before, no root mapping.

root@member:/# net rpc rights revoke "BUILTIN\Administrators" SeDiskOperatorPrivilege -U "MAD\luis"
Password for [MAD\luis]:
Successfully revoked rights.

root@member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uluis
Password for [MAD\luis]:
SeDiskOperatorPrivilege:

Reboot. Or else 'net cache flush && /etc/init.d/winbind restart && /etc/init.d/smbd restart'

I have deleted and re-created the folder for the share (/test), chown luis:"unix admins", and chmod 0770

I still can set up the share from Windows no problem.

LP

On Jun 9, 2024 at 17:13 +0100, Rowland Penny via samba <samba at lists.samba.org>, wrote:

>
> Now what does this mean ? As you have proved, by default,
> BUILTIN\Administrators has the SeDiskOperatorPrivilege and guess what
> group is a default member of BUILTIN\Administrators, yes, it's Domain
> Admins. This means you do not have to give Domain Admins the
> SeDiskOperatorPrivilege, it already gets it from BUILTIN\Administrators.
>
> I will update the wikipage.