
[Samba] Domain Admins and SeDiskOperatorPrivilege


Rowland Penny

Apr 3, 2014, 6:48:45 AM
I am having trouble giving the Domain Admin group the
'SeDiskOperatorPrivilege' privilege on a member server.

Running 'net rpc rights list accounts -UAdministrator'

Results in this:

Enter Administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

But, running 'net rpc rights grant HOME\\Domain\ Admins SeDiskOperatorPrivilege -UAdministrator'

Results in:

Failed to grant privileges for HOME\Domain Admins (NT_STATUS_ACCESS_DENIED)

If I bump up debugging, 'net rpc rights grant HOME\\Domain\ Admins SeDiskOperatorPrivilege -UAdministrator -d3'

Results in:

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.0.25 bcast=192.168.0.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter Administrator's password:
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Failed to grant privileges for HOME\Domain Admins (NT_STATUS_ACCESS_DENIED)
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
return code = -1

The same command works if run on the Samba4 server, but you cannot
change the ACLs on a share on the member server from a Windows machine;
it would seem that the 'Domain Admins' group needs the rights on the
member server.

So, is this a winbind bug, or something else?

Samba 4 AD server, self-compiled version 4.1.4 running on Ubuntu 12.04
Samba 4 client, Debian wheezy with version 4.1.6-Debian from backports

Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Stéphane PURNELLE

Apr 3, 2014, 7:01:06 AM
I know that the "Administrator" from the DC is not an Administrator on a member
server.

To resolve that, there is a workaround.

This workaround is to use a user_map parameter in smb.conf:

username map = path_to_filemap

And in your case the filemap must contain:

!root = HOME\Administrator HOME\administrator

My config uses this workaround and it works.

have a nice day


-----------------------------------
Stéphane PURNELLE, Systems and Network Admin.
IT Department, Corman S.A. Tel: 00 32 (0)87/342467



From: Rowland Penny <rowlan...@googlemail.com>
To: sambalist <sa...@lists.samba.org>,
Date: 03/04/2014 12:49
Subject: [Samba] Domain Admins and SeDiskOperatorPrivilege
Sent by: samba-...@lists.samba.org

Rowland Penny

Apr 3, 2014, 7:12:11 AM
Stephane,
I bow down to superior knowledge, you are a genius, I did have
/etc/samba/smbusers, this contained: 'root = Administrator' and this did
not work, changed it for the line you supplied and 'Yahoo!!' it works.

Thank you very very much

Rowland

PS: could the documentation team please add this to the wiki?

Denis Cardon

Apr 3, 2014, 12:05:26 PM
Hi Rowland,


>> I know that the "Administrator" from the DC is not an Administrator on a member
>> server.
>>
>> To resolve that, there is a workaround.
>>
>> This workaround is to use a user_map parameter in smb.conf:
>>
>> username map = path_to_filemap
>>
>> And in your case the filemap must contain:
>>
>> !root = HOME\Administrator HOME\administrator
>>
>> My config uses this workaround and it works.
>>
>> have a nice day
>>
>>
>> -----------------------------------
>> Stéphane PURNELLE, Systems and Network Admin.
>> IT Department, Corman S.A. Tel: 00 32 (0)87/342467
>>
>>
>>
>> From: Rowland Penny <rowlan...@googlemail.com>
>> To: sambalist <sa...@lists.samba.org>,
>> Date: 03/04/2014 12:49
>> Subject: [Samba] Domain Admins and SeDiskOperatorPrivilege
>> Sent by: samba-...@lists.samba.org
>>
>>
>>
>> I am having trouble giving the Domain Admin group the
>> 'SeDiskOperatorPrivilege' privilege on a member server.
>>
>> Running 'net rpc rights list accounts -UAdministrator'
>>
.....
>>
>> Everyone
>> No privileges assigned
>>
>> But, running 'net rpc rights grant HOME\\Domain\ Admins
>> SeDiskOperatorPrivilege -UAdministrator'
>>
>> Results in:
>>
>> Failed to grant privileges for HOME\Domain Admins
>> (NT_STATUS_ACCESS_DENIED)
>>
>> If I bump up debugging, 'net rpc rights grant HOME\\Domain\ Admins
>> SeDiskOperatorPrivilege -UAdministrator -d3'
>>
...
>>
>> The same command works if run on the Samba4 server, but you cannot
>> change the ACLs on a share on the member server from a Windows machine;
>> it would seem that the 'Domain Admins' group needs the rights on the
>> member server.
>>
>> So, is this a winbind bug, or something else?
>>
>> Samba 4 AD server, self-compiled version 4.1.4 running on Ubuntu 12.04
>> Samba 4 client, Debian wheezy with version 4.1.6-Debian from backports
>>
>> Rowland
> Stephane,
> I bow down to superior knowledge, you are a genius, I did have
> /etc/samba/smbusers, this contained: 'root = Administrator' and this did
> not work, changed it for the line you supplied and 'Yahoo!!' it works.
>
> Thank you very very much
>
> Rowland
>
> PS: could the documentation team please add this to the wiki?

I think the command line you typed is using an old syntax. This is
working for me on 4.1.6:

[ro...@srvfichiers.tranq ~]# net sam rights grant "TRANQUILIT\\domain admins" SeDiskOperatorPrivilege
Granted SeDiskOperatorPrivilege to TRANQUILIT\domain admins

[ro...@srvfichiers.tranq ~]# net rpc rights list accounts -U Administrator
Enter Administrator's password:
....
TRANQUILIT\domain admins
SeDiskOperatorPrivilege

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
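Added example, not code from the thread: a POSIX shell check that parses the output of `net rpc rights list accounts` (one block per account: the account name, then one privilege per line, blocks separated by a blank line) and reports whether a given account actually holds a privilege, so a grant like the one above can be verified on the member server. The sample listing is constructed to mirror the thread's output.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an account really holds
# a privilege by parsing the output of 'net rpc rights list accounts'.

# Constructed sample, shaped like the listing quoted in the thread.
SAMPLE_RIGHTS='Enter password:
BUILTIN\Administrators
SeBackupPrivilege
SeDiskOperatorPrivilege

HOME\domain admins
SeDiskOperatorPrivilege

Everyone
No privileges assigned'

# has_privilege ACCOUNT PRIVILEGE: reads a rights listing on stdin and
# returns 0 if ACCOUNT lists PRIVILEGE, 1 otherwise. The account match is
# case-insensitive (Samba prints "domain admins"); the privilege is exact.
# Values are passed via the environment so awk does not mangle the
# backslash in DOMAIN\account the way a -v assignment would.
has_privilege() {
    ACCT="$1" PRIV="$2" awk '
        BEGIN { want = tolower(ENVIRON["ACCT"]); expect_name = 1 }
        /password:/ { next }                 # interactive prompt, not an account
        /^$/        { expect_name = 1; next } # blank line ends an account block
        expect_name { in_acct = (tolower($0) == want); expect_name = 0; next }
        in_acct && $0 == ENVIRON["PRIV"] { found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# sample_has ACCOUNT PRIVILEGE: run the check against the constructed sample.
sample_has() {
    printf '%s\n' "$SAMPLE_RIGHTS" | has_privilege "$1" "$2"
}

# live_has ACCOUNT PRIVILEGE: run the check against a real member server with
# the listing command from the thread (prompts for Administrator's password).
live_has() {
    net rpc rights list accounts -U Administrator | has_privilege "$1" "$2"
}
```

Usage on a member server: `live_has 'HOME\Domain Admins' SeDiskOperatorPrivilege && echo granted`.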