Question regarding FQDN & SeDiskOperatorPrivilege

samba4
dns
v7

(Jeroen Visser) #1

NethServer Version: NethServer release 7.4.1708 (Final)
Module: DNS in combination with SAMBA

Hey all,

I’m trying to wrap my head around the implications for DNS of running SAMBA AD.
During installation, you are required to enter a FQDN.

Let us assume I take SERVER.DOMAIN.LOCAL

Next I install the account provider (after applying all pending updates) and I am required to enter the domain name. At this point, I would want to enter DOMAIN.LOCAL but I am not allowed as this name is already in use.

The proposed name becomes AD.DOMAIN.LOCAL

I accept that and aside from this annoyance, everything works. I proceed to join a member server, installed the same way (SERVER.DOMAIN.LOCAL as FQDN during install). However, when I enter hostname -f:

[root@gr115 ~]# hostname -f
server.domain.local

Hmz … did I not just join a domain?

[root@server ~]# net ads testjoin
Join is OK
[root@server ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.domain.local@AD.DOMAIN.LOCAL
   3 host/server@AD.DOMAIN.LOCAL
   3 host/server.domain.local@AD.DOMAIN.LOCAL
   3 host/server@AD.DOMAIN.LOCAL
   3 host/server.domain.local@AD.DOMAIN.LOCAL
   3 host/server@AD.DOMAIN.LOCAL
   3 host/server.domain.local@AD.DOMAIN.LOCAL
   3 host/server@AD.DOMAIN.LOCAL
   3 host/server.domain.local@AD.DOMAIN.LOCAL
   3 host/server@AD.DOMAIN.LOCAL
   3 server$@AD.DOMAIN.LOCAL
   3 server$@AD.DOMAIN.LOCAL
   3 server$@AD.DOMAIN.LOCAL
   3 server$@AD.DOMAIN.LOCAL
   3 server$@AD.DOMAIN.LOCAL

…it seems I did, but what the #

[root@server~]# hostname -d
domain.local 

That doesn’t seem right. And it causes more issues:

[root@server ~]# getent group "domain admins"
domain admins@domain.local:*:425600512:administrator@domain.local,lms048@domain.local,admin@domain.local

So … my AD is AD.DOMAIN.LOCAL
My server FQDN seems to be server.domain.local
My groups and users are appended with @domain.local

Can someone straighten me out and explain to me why my Windows training is not helping me here? What am I missing?? What do I need to do to get proper FQDNs??


(Dominik) #2

I have done it like this:
during server setup:
server name: server.mydomain.local

during Account Provider setup (SambaAD):
domain name: mydomain.local
NETBIOS name: mydomain

and it is working


(Dominik) #3

I think I understand… I hope.
During server install I have named my server SERVER.MYDOMAIN.LAN
and in Account Provider setup I have set this:

domain name: mydomain.local
NETBIOS name: mydomain

then it should work


(Jeroen Visser) #4

That is almost identical to what I ended up doing. Could you verify that hostname -f yields ‘server.mydomain.local’ and not, as I suspect, ‘server.mydomain.lan’?

Please, only when convenient … I can test in a bit.


(Dominik) #5

My output:

[root@jupiter ~]# hostname -f
jupiter.nwks.local
[root@jupiter ~]# hostname -d
nwks.local
[root@jupiter ~]# net ads testjoin
Join is OK
[root@jupiter ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/jupiter.nwks.local@NWKS.LOCAL
   2 host/JUPITER@NWKS.LOCAL
   2 host/jupiter.nwks.local@NWKS.LOCAL
   2 host/JUPITER@NWKS.LOCAL
   2 host/jupiter.nwks.local@NWKS.LOCAL
   2 host/JUPITER@NWKS.LOCAL
   2 host/jupiter.nwks.local@NWKS.LOCAL
   2 host/JUPITER@NWKS.LOCAL
   2 host/jupiter.nwks.local@NWKS.LOCAL
   2 host/JUPITER@NWKS.LOCAL
   2 JUPITER$@NWKS.LOCAL
   2 JUPITER$@NWKS.LOCAL
   2 JUPITER$@NWKS.LOCAL
   2 JUPITER$@NWKS.LOCAL
   2 JUPITER$@NWKS.LOCAL
[root@jupiter ~]# getent group "domain admins"
domain admins@nwks.local:*:513200512:administrator@nwks.local,admin@nwks.local

But now I have done a test on my test env where the FQDN was SERVER.MYDOMAIN.LOCAL
and setup AD with
domain name: mydomain.local
NETBIOS: mydomain

and it set up properly.


(Jeroen Visser) #6

Well I’ll be …

I will test if that makes a difference. Thanks!


(Markus Neuberger) #7

It’s like the AD is a subdomain of domain.local. In Windows the default is to use the network domain as AD (domain.local). In Nethserver the default is to use a subdomain AD (ad.domain.local). The NetBIOS domain name is DOMAIN in both cases. It irritated me at first so I did it like @des described, but when unbinding/rebinding I forgot to remove the AD, so I decided to get used to it and it never made problems. Both work in DNS to map the server, servername.ad.domain.local and servername.domain.local. But in the end it depends on your needs and your personal network design style.

It’s also possible and recommended on Windows for some scenarios (the public domain is the same as the Windows domain but has an external website…):

https://social.technet.microsoft.com/Forums/en-US/6d8b5084-9e8a-4c8a-a4bf-72990417a469/active-directory-domain-naming-best-practice-com-subdomainmydomaincom-or-local?forum=winserverDS


(Jeroen Visser) #8

I went with best practices and created a sub domain, but it gives mixed results and I suspect my seDiskOperatorPrivilege command fails because of it.

I’m trying (on the member server):

net sam rights grant "Domain Admins" seDiskOperatorPrivilege -U "domain\administrator" 
Or net rpc rights etc.

but it returns either access denied or user can’t be found.


(Jeroen Visser) #9

Funny results …

Step 1: do nothing on the SAMBA AD server nor its Nethserver host. Domain is ad.domain.COM; ‘server name’ in the Nethserver GUI is server.domain.COM

Step 2: unbind memberserver, rename to server.ad.domain.local, rebind to ad.domain.com

After this, the difference between FQDN and group names remains exactly the same. My groups and users show as “domain admins@ad.domain.local” and not the joined ad.domain.COM

getent group "Domain Admins"
returns: domain admins@ad.domain.local:*:3456343:administrator@ad.domain.local,admin@......

So, I know where to find the hostname …

vi /etc/hostname

i, change that local to com, :wq

Reboot later (faster than restarting the services by hand :stuck_out_tongue: ), nothing changed from the AD perspective.
hostname -f now displays .com at the end.

When I do a

net sam rights list seDiskOperatorPrivilege (as root)

I only get ‘BUILTIN\Administrators’

When I do a

net sam rights grant "Domain Admins" (or "DOMAIN\Domain Admins") seDiskOperatorPrivilege (as root)

I get: ‘could not find Domain Admins’ … or whatever variation I try: Domain Admins@ad.domain.local, @ad.domain.com … all the same. Cannot find it.

Am I missing something stupid or just being stupid?

Performing these commands on the AD server itself corrects the displaying of the domain name to ‘test@ad.domain.com’, but setting seDiskOperatorPrivilege doesn’t help.


(Markus Neuberger) #10

Played around a little bit:

[root@server ~]# net rpc rights grant "blah blah" seDiskOperatorPrivilege -U admin
Enter admin's password:
Failed to grant privileges for domain adm (NT_STATUS_NO_SUCH_USER)
[root@server ~]# net rpc rights grant "domain admins" seDiskOperatorPrivilege -U admin
Enter admin's password:
Failed to grant privileges for domain admins (NT_STATUS_ACCESS_DENIED)

but this works:

[root@server ~]# net sam rights grant "Users" seDiskOperatorPrivilege
Granted seDiskOperatorPrivilege to BUILTIN\Users

See groups available:

[root@server ~]# net ads group -U admin
Enter admin's password:
Allowed RODC Password Replication Group
Enterprise Read-Only Domain Controllers
Denied RODC Password Replication Group
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Certificate Service DCOM Access
Network Configuration Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Read-Only Domain Controllers
Group Policy Creator Owners
Performance Monitor Users
Cryptographic Operators
Distributed COM Users
Performance Log Users
Remote Desktop Users
Account Operators
Event Log Readers
RAS and IAS Servers
Backup Operators
Domain Controllers
Server Operators
Enterprise Admins
Print Operators
Administrators
Domain Computers
Cert Publishers
DnsUpdateProxy
Domain Admins
Domain Guests
Schema Admins
Domain Users
Replicator
jabberadmins
IIS_IUSRS
DnsAdmins
Guests
Users

You may set the right on “Administrators” instead of “domain admins”, which is a member of Administrators. It seems to work only with BUILTIN…

[root@server ~]# net sam rights grant "Domain Admins" seDiskOperatorPrivilege
Could not find name Domain Admins
[root@server ~]# net sam rights grant "Enterprise Admins" seDiskOperatorPrivilege
Could not find name Enterprise Admins
[root@server ~]# net sam rights grant "Domain Guests" seDiskOperatorPrivilege
Could not find name Domain Guests
[root@server ~]# net sam rights grant "Domain Users" seDiskOperatorPrivilege
Could not find name Domain Users
[root@server ~]# net sam rights grant "Users" seDiskOperatorPrivilege
Granted seDiskOperatorPrivilege to BUILTIN\Users
[root@server ~]# net sam rights grant Administrators seDiskOperatorPrivilege
Granted seDiskOperatorPrivilege to BUILTIN\Administrators

On Nethserver I have:

[root@server ~]# getent group "Domain Admins"
domain admins@cmb.local:*:1682800512:administrator@cmb.local,admin@cmb.local

and on joined Nethserver I have:

[root@nethvm2 ~]# getent group "domain admins"
domain admins@domain.local:*:1682800512:administrator@domain.local,admin@domain.local

After unbinding AD on my remote nethvm2, setting server name to “nethvm2.cmb.local” instead of “nethvm2.domain.local” and joining AD ad.cmb.local again, it worked:

[root@nethvm2 ~]# getent group "domain admins"
domain admins@cmb.local:*:1682800512:administrator@cmb.local,admin@cmb.local

(Michael Träumner) #11

Hi to all,
I think I don’t have a subdomain or another domain for AD. Can you have a look please?

[root@groupware ~]# hostname -d
jonas.de
[root@groupware ~]# hostname -f
groupware.jonas.de
[root@groupware ~]# net ads testjoin
Join is OK
[root@groupware ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/groupware.jonas.de@JONAS.DE
   3 host/groupware.jonas.de@JONAS.DE
   3 host/groupware.jonas.de@JONAS.DE
   3 host/groupware.jonas.de@JONAS.DE
   3 host/groupware.jonas.de@JONAS.DE
   3 host/GROUPWARE@JONAS.DE
   3 host/GROUPWARE@JONAS.DE
   3 host/GROUPWARE@JONAS.DE
   3 host/GROUPWARE@JONAS.DE
   3 host/GROUPWARE@JONAS.DE
   3 smtp/groupware.jonas.de@JONAS.DE
   3 smtp/groupware.jonas.de@JONAS.DE
   3 smtp/groupware.jonas.de@JONAS.DE
   3 smtp/groupware.jonas.de@JONAS.DE
   3 smtp/groupware.jonas.de@JONAS.DE
   3 smtp/GROUPWARE@JONAS.DE
   3 smtp/GROUPWARE@JONAS.DE
   3 smtp/GROUPWARE@JONAS.DE
   3 smtp/GROUPWARE@JONAS.DE
   3 smtp/GROUPWARE@JONAS.DE
   3 pop/groupware.jonas.de@JONAS.DE
   3 pop/groupware.jonas.de@JONAS.DE
   3 pop/groupware.jonas.de@JONAS.DE
   3 pop/groupware.jonas.de@JONAS.DE
   3 pop/groupware.jonas.de@JONAS.DE
   3 pop/GROUPWARE@JONAS.DE
   3 pop/GROUPWARE@JONAS.DE
   3 pop/GROUPWARE@JONAS.DE
   3 pop/GROUPWARE@JONAS.DE
   3 pop/GROUPWARE@JONAS.DE
   3 imap/groupware.jonas.de@JONAS.DE
   3 imap/groupware.jonas.de@JONAS.DE
   3 imap/groupware.jonas.de@JONAS.DE
   3 imap/groupware.jonas.de@JONAS.DE
   3 imap/groupware.jonas.de@JONAS.DE
   3 imap/GROUPWARE@JONAS.DE
   3 imap/GROUPWARE@JONAS.DE
   3 imap/GROUPWARE@JONAS.DE
   3 imap/GROUPWARE@JONAS.DE
   3 imap/GROUPWARE@JONAS.DE
   3 cifs/groupware.jonas.de@JONAS.DE
   3 cifs/groupware.jonas.de@JONAS.DE
   3 cifs/groupware.jonas.de@JONAS.DE
   3 cifs/groupware.jonas.de@JONAS.DE
   3 cifs/groupware.jonas.de@JONAS.DE
   3 cifs/GROUPWARE@JONAS.DE
   3 cifs/GROUPWARE@JONAS.DE
   3 cifs/GROUPWARE@JONAS.DE
   3 cifs/GROUPWARE@JONAS.DE
   3 cifs/GROUPWARE@JONAS.DE
   3 http/groupware.jonas.de@JONAS.DE
   3 http/groupware.jonas.de@JONAS.DE
   3 http/groupware.jonas.de@JONAS.DE
   3 http/groupware.jonas.de@JONAS.DE
   3 http/groupware.jonas.de@JONAS.DE
   3 http/GROUPWARE@JONAS.DE
   3 http/GROUPWARE@JONAS.DE
   3 http/GROUPWARE@JONAS.DE
   3 http/GROUPWARE@JONAS.DE
   3 http/GROUPWARE@JONAS.DE
   3 GROUPWARE$@JONAS.DE
   3 GROUPWARE$@JONAS.DE
   3 GROUPWARE$@JONAS.DE
   3 GROUPWARE$@JONAS.DE
   3 GROUPWARE$@JONAS.DE
   3 HTTP/groupware.jonas.de@JONAS.DE
   3 HTTP/groupware.jonas.de@JONAS.DE
   3 HTTP/groupware.jonas.de@JONAS.DE
   3 HTTP/groupware.jonas.de@JONAS.DE
   3 HTTP/groupware.jonas.de@JONAS.DE
   3 HTTP/GROUPWARE@JONAS.DE
   3 HTTP/GROUPWARE@JONAS.DE
   3 HTTP/GROUPWARE@JONAS.DE
   3 HTTP/GROUPWARE@JONAS.DE
   3 HTTP/GROUPWARE@JONAS.DE

(Jeroen Visser) #12

So can someone help me out understanding what is what here…?

Nethserver acts as a VM host here. It is silently a member server of the NSDC-.. which runs as a container on it. Correct?

The aforementioned container is what is running the actual Samba4 AD domain.

DNS wise this puts us in a strange place, as I can configure DNS records on Nethserver’s DNS page. These are, however, not propagated to the Samba4 AD server. The Samba4 AD records can be queried by using the Nethserver as DNS server (albeit non-authoritative).

This will work in most situations, but isn’t correct as far as I know, and a direct result of running a container to which the Nethserver is not really joined.

Can someone unravel this a bit for me? What design choice am I not appreciating here?

@m.traeumner … that’s what I am trying to achieve … but when I set the hostname of my to-be-AD-server to domain.com, and then try to create the domain domain.com, I get an error about the realm already being defined in sssd.


(Ralf Jeckel) #13

I set up a quick test VM.
In my case it was no problem to choose “domain.tld” without an “ad” subdomain.

[root@ns7test ~]# hostname -f
ns7test.jeckel.lan
[root@ns7test ~]# hostname -d
jeckel.lan
[root@ns7test ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ns7test.jeckel.lan@JECKEL.LAN
   2 host/NS7TEST@JECKEL.LAN
   2 host/ns7test.jeckel.lan@JECKEL.LAN
   2 host/NS7TEST@JECKEL.LAN
   2 host/ns7test.jeckel.lan@JECKEL.LAN
   2 host/NS7TEST@JECKEL.LAN
   2 host/ns7test.jeckel.lan@JECKEL.LAN
   2 host/NS7TEST@JECKEL.LAN
   2 host/ns7test.jeckel.lan@JECKEL.LAN
   2 host/NS7TEST@JECKEL.LAN
   2 NS7TEST$@JECKEL.LAN
   2 NS7TEST$@JECKEL.LAN
   2 NS7TEST$@JECKEL.LAN
   2 NS7TEST$@JECKEL.LAN
   2 NS7TEST$@JECKEL.LAN
[root@ns7test ~]# net ads testjoin
Join is OK

Maybe this procedure helps:
http://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-dc.html#factory-reset


(Jeroen Visser) #14

I just created a new VM, did not update it before creating the domain, and I can confirm that it works as expected and as you show. I will now proceed to try to reset samba on my dc and see what survives. sigh

I will also try to recreate this issue, as I am sure that I did not do much else besides update all packages before installing AD on the machine with the current issue.

My mistake seems to have been accepting an sssd error when trying to name my domain, and wrongfully deducing it has to be named differently. To be continued …


(Jeroen Visser) #15

So, ran a factory reset, and DO get new packages. So this might have been something that is now resolved. I swear to my sanity (for as far as I got it) that I used to get an sssd error about the realm already existing.

Thanks for the suggestion, it worked wonders … and I feel a bit embarrassed that I just days ago said the fine manual contained more than you would expect … only to be referred to it … sorry for not doing my own homework better.

Anyhow, scratch that irritation off my list … now the real issue:

Let’s rejoin the fileserver to the new domain … but wait … what?? Ah, sanity preserved:

…but by now I’m stubborn, so I just click ‘join’ again:

…whatever … on we go …

[root@fileserver ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/fileserver@MYDOMAIN.COM
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/fileserver@MYDOMAIN.COM
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/fileserver@MYDOMAIN.COM
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/fileserver@MYDOMAIN.COM
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/fileserver@MYDOMAIN.COM
   2 fileserver$@MYDOMAIN.COM
   2 fileserver$@MYDOMAIN.COM
   2 fileserver$@MYDOMAIN.COM
   2 fileserver$@MYDOMAIN.COM
   2 fileserver$@MYDOMAIN.COM
   3 host/fileserver.mydomain.com@MYDOMAIN.COM
   3 host/fileserver@MYDOMAIN.COM
   3 host/fileserver.mydomain.com@MYDOMAIN.COM
   3 host/fileserver@MYDOMAIN.COM
   3 host/fileserver.mydomain.com@MYDOMAIN.COM
   3 host/fileserver@MYDOMAIN.COM
   3 host/fileserver.mydomain.com@MYDOMAIN.COM
   3 host/fileserver@MYDOMAIN.COM
   3 host/fileserver.mydomain.com@MYDOMAIN.COM
   3 host/fileserver@MYDOMAIN.COM
   3 fileserver$@MYDOMAIN.COM
   3 fileserver$@MYDOMAIN.COM
   3 fileserver$@MYDOMAIN.COM
   3 fileserver$@MYDOMAIN.COM
   3 fileserver$@MYDOMAIN.COM

Alas, no luck on setting seDiskOperatorPrivilege yet:

[root@fileserver ~]# hostname -f
fileserver.mydomain.com
[root@fileserver ~]# hostname -d
mydomain.com
[root@fileserver ~]# getent group "domain admins"
domain admins@mydomain.com:*:1262600512:administrator@mydomain.com,admin@mydomain.com
[root@fileserver ~]# net sam rights grant "Domain Admins" seDiskOperatorPrivilege
Could not find name Domain Admins
[root@fileserver ~]# net sam rights grant "mydom\Domain Admins" seDiskOperatorPrivilege
Could not find name mydom\Domain Admins
[root@fileserver ~]# net sam rights grant "mydom\\Domain Admins" seDiskOperatorPrivilege
Could not find name mydom\Domain Admins
[root@fileserver ~]# net sam rights grant "MYDOM\domain admins" seDiskOperatorPrivilege
Could not find name MYDOM\domain admins
[root@fileserver ~]# net sam rights grant "domain admins@mydomain.com" seDiskOperatorPrivilege
Could not find name domain admins@mydomain.com
[root@fileserver ~]# net sam rights list seDiskOperatorPrivilege
BUILTIN\Administrators

I can confirm that we can set rights to BUILTIN groups, but these are server-local and for some reason rights do not propagate correctly. When joining a domain, the domain admins should become members of the local server admins. They are not.

What is worse:

[root@domainserver~]# net sam list groups

…yeah, nothing returned.

However:

[root@domainserver~]# net ads group -Uadministrator
Enter administrator's password:
Allowed RODC Password Replication Group
Enterprise Read-Only Domain Controllers
Denied RODC Password Replication Group
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Certificate Service DCOM Access
Network Configuration Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Read-Only Domain Controllers
Group Policy Creator Owners
Performance Monitor Users
Cryptographic Operators
Distributed COM Users
Performance Log Users
Remote Desktop Users
Account Operators
Event Log Readers
RAS and IAS Servers
Backup Operators
Domain Controllers
Server Operators
Enterprise Admins
Print Operators
Administrators
Domain Computers
Cert Publishers
DnsUpdateProxy
Domain Admins
Domain Guests
Schema Admins
Domain Users
Replicator
IIS_IUSRS
DnsAdmins
Guests
Users
support
[root@domainserver ~]#

So, that might be a clue as to why I cannot use net rpc rights grant on groups it cannot find … my knowledge is lacking though, so I have no clue how samba normally would get these domain groups. I’m still reading up. Thanks so far!


(Jeroen Visser) #16

Any takers on why getent CAN find “Domain Admins” but net sam rights or net rpc group list cannot?

[root@fileserver ~]# getent group "Domain Admins"
domain admins@mydomain.com:*:1262600512:administrator@mydomain.com,lms048@mydomain.com,admin@mydomain.com

[root@fileserver ~]# net rpc group list -Uadministrator   (domain admin password supplied)
Enter administrator's password:
[root@fileserver ~]# net rpc group list -Uadministrator   (fileserver admin password supplied)
Enter administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
[root@fileserver ~]# net rpc group list -UAdministrator   (domain admin password supplied)
Enter Administrator's password:
[root@fileserver ~]#

(Jeroen Visser) #17

I think I just might have had a eureka moment. Currently, only the local Administrators group has any permissions assigned:

[root@fileserver ~]# net rpc rights list accounts -Uadministrator
Enter administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

BUILTIN\Users
No privileges assigned

But this does us no good, as this group has no rights in the domain. They are server-local. I would normally just go to my samba server, and execute the command there first on Domain Admins. But we can’t, as it is a container, and I cannot ssh into it.

I thought I had seen a howto somewhere on ssh-ing into that container. Digging away …

Am I just making stuff up by now, or could this be valid?


(Jeroen Visser) #18

I just posted this in the wrong topic … soz.

Partial success:

[root@adserver ~]# systemd-run -M nsdc -t /bin/bash
bash-4.2# net rpc rights grant "MYDOMAIN\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege  -Uadministrator
Enter administrator's password:
Successfully granted rights.

I still can not execute the command on the fileserver, will now check what it did for me in effect …

edit: sadly, nothing. If I execute the same command in the container, but add -Sfileserver to it, it can not find Domain Admins …

edit2: in the nsdc container, the starting situation was the same as on the member server: only the builtin administrators had any permissions. Will now check what rejoining the domain does.


(Markus Neuberger) #19

Grant rights from server:

[root@server ~]# systemd-run -M nsdc -t /bin/bash -c 'net rpc rights grant "CMB\Domain Admins" SePrintOperatorPrivilege -U "CMB\admin"'
Running as unit run-14591.service.
Press ^] three times within 1s to disconnect TTY.
Enter CMB\admin's password:
Successfully granted rights.

List the privileged users:

[root@server ~]# systemd-run -M nsdc -t /bin/bash -c 'net rpc rights list privileges SePrintOperatorPrivilege -U "CMB\admin"'
Running as unit run-14893.service.
Press ^] three times within 1s to disconnect TTY.
Enter CMB\admin's password:
SePrintOperatorPrivilege:
  CMB\Domain Admins

Do you know how to check the assigned privileges with some other tool?
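An added audit helper (not from any poster in this thread, and not a Samba tool) that parses the `net rpc rights list accounts` output format shown in post #17 and reports which accounts hold a given privilege, which is one way to check assignments as asked above; the sample output embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: parse the output of
# `net rpc rights list accounts` (the format shown in post #17) and report
# which accounts hold a given privilege, so an admin can audit that
# SeDiskOperatorPrivilege is held only by the groups they intend.
# SAMPLE_OUTPUT is constructed for this example; in practice pipe the real
# command output into flatten_rights instead.

SAMPLE_OUTPUT='BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeBackupPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

MYDOMAIN\Domain Admins
SePrintOperatorPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned
'

# flatten_rights: read the "list accounts" format on stdin and emit one
# "account<TAB>privilege" pair per line.  Account names contain spaces and
# backslashes, so the parser keys on blank lines, not on whitespace.
flatten_rights() {
    awk '
        /^$/                           { account = ""; next }   # blank line ends a block
        account == ""                  { account = $0; next }   # first line of a block is the account
        $0 == "No privileges assigned" { next }
                                       { printf "%s\t%s\n", account, $0 }
    '
}

# holders_of PRIV: print the accounts holding PRIV, one per line.
holders_of() {
    printf '%s' "$SAMPLE_OUTPUT" | flatten_rights |
        awk -F '\t' -v p="$1" '$2 == p { print $1 }'
}

# count_holders PRIV: number of accounts holding PRIV.
count_holders() {
    holders_of "$1" | wc -l | tr -d ' '
}

# audit_privilege PRIV EXPECTED...: succeed only if every holder of PRIV is
# in the EXPECTED list; otherwise name the unexpected holder and fail.
audit_privilege() {
    priv=$1
    shift
    holders_of "$priv" | while IFS= read -r acct; do
        ok=0
        for e in "$@"; do
            [ "$acct" = "$e" ] && ok=1
        done
        if [ "$ok" -ne 1 ]; then
            printf 'unexpected holder of %s: %s\n' "$priv" "$acct"
            exit 1
        fi
    done
}

# Stand-alone run: show who holds SeDiskOperatorPrivilege in the sample.
holders_of SeDiskOperatorPrivilege
```

To audit a live member server or the nsdc container, replace the `printf '%s' "$SAMPLE_OUTPUT"` stage with the real `net rpc rights list accounts -U ...` invocation.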


(Jeroen Visser) #20

Sadly, that will grant rights in the AD container, unless you add -Sserver, and then you won’t have rights :frowning:

I just checked with Computer Manager on a Win7 client, connected to the member server, and cannot edit security settings. Connected to the container, I can edit the security settings.

Good news: after it works, it works. Bad news, no clue how to set the permission on the member server.