
[Samba] SeDiskOperatorPrivilege and 2012 R2 domain


Tom Söderlund
Mar 23, 2015, 4:40:04 PM
Giving a domain user group privilege SeDiskOperatorPrivilege fails with
NT_STATUS_NO_SUCH_PRIVILEGE.

The domain is controlled by a MS 2012 R2 DC. Has this privilege been
renamed or replaced with some other privilege? How to give the domain user
group necessary rights for defining file share permission settings from MS
environment?

The RHEL 7 file server is running Samba 4.1.1-38 and the ID management is
done by SSSD 1.12.2.

Thanks for any ideas,
-Tom
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Marc Muehlfeld
Mar 23, 2015, 6:10:04 PM
Hello Tom,

On 23.03.2015 at 21:31, Tom Söderlund wrote:
> Giving a domain user group privilege SeDiskOperatorPrivilege fails with
> NT_STATUS_NO_SUCH_PRIVILEGE.
>
> The domain is controlled by a MS 2012 R2 DC. Has this privilege been
> renamed or replaced with some other privilege? How to give the domain user
> group necessary rights for defining file share permission settings from MS
> environment?
>
> The RHEL 7 file server is running Samba 4.1.1-38 and the id management is
> done by SSSD 1.12.2.


The grant is done on the member server. So the privilege is something on
the member server and not on the DC.

Have you ensured that "enable privileges" is not turned off somewhere in
your smb.conf? If it's not there, then it's enabled - that's the default.


What is the output of
# net rpc rights list accounts -U'SAMDOM\administrator'

To grant the privilege to the Domain Admins group, for example, run:
# net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'


Regards,
Marc

Tom Söderlund
Mar 24, 2015, 4:00:05 AM
(Re-posting to list also.. Sorry forgot Cc. -Tom)

Marc,

Thanks for your help and clarifications. I was indeed addressing the domain
controller (2012 R2) due to my misunderstanding. Addressing the request to
the file server (Samba 4) fails too, but with different errors. Rights list
succeeds.

$ net rpc rights list accounts -UDOMAIN\\Administrator
Enter DOMAIN\Administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

$ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

$ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
Enter DOMAIN\Administrator's password:
Could not connect to server 127.0.0.1

Thanks for any info,
-Tom


On Mon, Mar 23, 2015 at 11:59 PM, Marc Muehlfeld <mmueh...@samba.org>
wrote:
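The listing Tom posted is the raw material for a privilege audit on the member server, and Marc's grant command is the one you would put in a provisioning script. The script below is an added example, not code from the thread or from the Samba project. It assumes the placeholders SERVER and ADMIN (defaulting to the server.domain.local and DOMAIN\Administrator names used in the thread) for the live functions, and runs its parser over a constructed sample listing in the same shape as Tom's output; the DOMAIN\Share-admins record in that sample is invented for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from the Samba project.
# Audits who holds which privilege on a Samba member server from the output
# of `net rpc rights list accounts`, and grants a privilege only when it is
# not already held.
# Assumptions (placeholders, override via the environment): the member
# server is reachable as SERVER and ADMIN can authenticate to it.
set -euo pipefail

SERVER=${SERVER:-server.domain.local}
ADMIN=${ADMIN:-'DOMAIN\Administrator'}

# Privileges that bypass or rewrite file ACLs on the member server. Any
# account holding one of these can read, overwrite, re-own or re-ACL the
# data the server exports regardless of share and NTFS ACLs.
SENSITIVE_PRIVS="SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege"

# holders_of PRIV  (listing on stdin)
# Records in the listing are blank-line separated: the first line is the
# account, the rest are privilege names or "No privileges assigned".
# A leftover "Enter ...'s password:" prompt line is dropped first.
# Prints one holder per line.
holders_of() {
    sed '/password:$/d' | awk -v priv="$1" '
        BEGIN { RS = ""; FS = "\n" }
        {
            for (i = 2; i <= NF; i++)
                if ($i == priv) { print $1; break }
        }'
}

# audit_sensitive  (listing on stdin) -> "PRIV holder" lines
audit_sensitive() {
    local listing priv
    listing=$(cat)
    for priv in $SENSITIVE_PRIVS; do
        printf '%s\n' "$listing" | holders_of "$priv" | sed "s/^/$priv /"
    done
}

# Preconditions Marc asked about: is the group resolvable on the member
# server, and is "enable privileges" / "interfaces" set as expected?
# Runs real tools; only meaningful on the file server itself.
check_preconditions() {   # check_preconditions 'DOMAIN\Domain Admins'
    getent group "$1"
    testparm -sv 2>/dev/null | grep -iE '^[[:space:]]*(enable privileges|interfaces|bind interfaces only) ='
}

# grant_if_missing GROUP PRIV  -- runs net(8) against $SERVER; idempotent,
# so a provisioning script can be re-run without redundant grants.
grant_if_missing() {
    local group=$1 priv=$2 current
    current=$(net rpc rights list accounts -S "$SERVER" -U "$ADMIN")
    if printf '%s\n' "$current" | holders_of "$priv" | grep -xF "$group" >/dev/null; then
        echo "$group already holds $priv on $SERVER"
        return 0
    fi
    net rpc rights grant "$group" "$priv" -S "$SERVER" -U "$ADMIN"
}

# Constructed sample in the shape of the listing from the thread (trimmed;
# the DOMAIN\Share-admins record is invented for this example).
SAMPLE_LISTING='BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

DOMAIN\Share-admins
SeDiskOperatorPrivilege

Everyone
No privileges assigned'

printf '%s\n' "$SAMPLE_LISTING" | audit_sensitive
```

Run as-is it only audits the embedded sample; on the file server, `grant_if_missing 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege` does the grant from the thread and `check_preconditions` covers Marc's two questions. The audit matters because SeDiskOperatorPrivilege is what lets a group manage shares and share ACLs from the Windows side, while SeBackupPrivilege and SeRestorePrivilege let a holder read or write any file the server exports regardless of ACLs, so every group in that output is effectively an administrator of the data.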

Marc Muehlfeld
Mar 24, 2015, 12:20:04 PM
Hello Tom,

On 24.03.2015 at 08:49, Tom Söderlund wrote:
> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege
> -UDOMAIN\\Administrator
> Enter DOMAIN\Administrator's password:
> Failed to grant privileges for DOMAIN\Domain Admins
> (NT_STATUS_ACCESS_DENIED)
>
> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege
> -UDOMAIN\\Administrator
> Enter DOMAIN\Administrator's password:
> Could not connect to server 127.0.0.1


* Is the group "DOMAIN\Domain Admins" local available? Check with
# getent group "DOMAIN\Domain Admins"

* Is Samba listening on localhost? Check "interfaces" parameter
in your smb.conf. Or add "-S servername" to your "net" command.

* Can you post the [global] section of your smb.conf, please?

Tom Söderlund
Mar 24, 2015, 1:40:05 PM
Marc,

Below xxx.yyy. is my network prefix.

[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = Server %v
security = ADS
client signing = auto
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
log level = 3
max log size = 50
load printers = No
printcap name = /dev/null
idmap config * : backend = tdb
hosts allow = 127., xxx.yyy.
cups options = raw
vfs objects = acl_xattr
inherit acls = Yes
map acl inherit = Yes
store dos attributes = Yes
browseable = Yes

Some trials below. getent for the group succeeds and mostly everything is
running fine: I can even log in with domain accounts and set file
permissions that include domain groups and accounts, and with valid file
rights MS terminals can see shares on this server. But granting this
privilege fails with somewhat random results.

[me@server]$ getent group "DOMAIN\Domain Admins"
domain admins:*:978600512:me.user,administrator

[me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
Enter DOMAIN\Administrator's password:
Could not connect to server server
Connection failed: NT_STATUS_LOCK_NOT_GRANTED

[me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

[me@server]$ sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
[sudo] password for me:
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

-Tom

On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmueh...@samba.org>
wrote:

> Hello Tom,

Tim
Mar 24, 2015, 1:50:03 PM
Hi Tom,

have a look at this:
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

I think this could resolve your problem by using a username mapping on your member server.

Regards
Tim

Tom Söderlund
Mar 25, 2015, 9:50:05 AM
Tim,

Thanks for the hint. Usermap for root applied; locally made requests now fail
systematically with
"Could not connect to server <server address>
Connection failed: NT_STATUS_LOCK_NOT_GRANTED"

It is kind of an improvement :) Random things scare me.

-Tom

Tim
Mar 25, 2015, 3:50:03 PM
Don't be scared and take the challenge! :-)

Reduce your smb.conf to the minimum as seen in the member server wiki and try it again. It should work then.

Rowland Penny
Mar 25, 2015, 4:10:03 PM

Possibly not. I think the OP is using sssd; it might help if we could
see the exact command the OP is running and if he is running it as 'root'.

Rowland

Tom Söderlund
Mar 28, 2015, 1:10:04 PM
Got it sorted out; it was an SELinux problem. Had to put it into permissive
mode as it caused other problems as well that were too nasty to fix with
it. Now the SeDiskOperatorPrivilege permission was possible to grant. I
still had that root user map in place and the actual command was:

sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -U "DOMAIN\Administrator"

Big thanks to you all of you who tried to help. Your work is really
valuable to the community.

Regards,
-Tom
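The fix that closed the thread was a global `setenforce 0`, which also switches off enforcement for every other confined service on the host. The script below is an added example, not code from the thread or from the Samba project, showing the narrower route: summarise the denials smbd is actually getting, make only the smbd_t domain permissive while collecting them, and then correct labels or booleans so enforcing mode can come back. The two AVC lines embedded in it are constructed for the example and are not taken from Tom's server; the live functions assume root on a RHEL 7 file server with the policycoreutils and audit tools installed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from the Samba project. Instead of
# a global `setenforce 0`, read the denials smbd gets, make only the smbd
# domain permissive while collecting them, and fix labels or booleans.
# The AVC lines in AVC_SAMPLE are constructed for this example.
set -euo pipefail

# avc_summary  (audit.log / ausearch output on stdin)
# Reduces each AVC denial to "comm denied perm on class (target type)".
avc_summary() {
    awk '/avc: *denied/ {
        perm = ""; comm = ""; ttype = ""; tclass = ""
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        printf "%s denied %s on %s (%s)\n", comm, perm, tclass, ttype
    }'
}

# The functions below run the real SELinux tools and need root on the file
# server; they are not invoked when this file is run as-is.

# Recent denials for smbd, deduplicated, plus the samba booleans in effect.
triage_smbd() {
    ausearch -m AVC -c smbd -ts recent | avc_summary | sort | uniq -c
    getsebool -a | grep -E '^(samba_|use_samba)'
}

# Make only smbd_t permissive (denials are logged, not blocked) instead of
# `setenforce 0` for every domain on the host; revert when done.
smbd_permissive_on()  { semanage permissive -a smbd_t; }
smbd_permissive_off() { semanage permissive -d smbd_t; }

# Label an exported directory so smbd may serve it under enforcing mode.
label_share() {   # label_share /srv/share
    semanage fcontext -a -t samba_share_t "$1(/.*)?"
    restorecon -Rv "$1"
}

# Write (but do not load) a local policy module from the smbd denials so
# each remaining rule can be reviewed before `semodule -i smbd_local.pp`.
draft_policy() {
    ausearch -m AVC -c smbd -ts recent | audit2allow -M smbd_local
}

# Constructed sample denials in the kernel's AVC record format.
AVC_SAMPLE='type=AVC msg=audit(1427200000.101:201): avc:  denied  { write } for  pid=2211 comm="smbd" name="lock" dev="dm-0" ino=41 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1427200000.102:202): avc:  denied  { read } for  pid=2211 comm="smbd" name="file.txt" dev="dm-0" ino=42 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

Run as-is it only summarises the embedded sample. On the server, `triage_smbd` after a failed `net rpc rights grant` shows whether smbd was denied something (and on which target type) at the moment the connection failed, which is the evidence a per-domain permissive setting or a relabel should be based on; a host-wide permissive mode hides that evidence for every other service too.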
