Question regarding FQDN & SeDiskOperatorPrivilege

Sooooooo close. But too tired to continue.

Taken from:

https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

Create a username map as described there, and then enter:

net rpc rights grant "MYDOMAIN\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege -Uadministrator

[root@fileserver ~]# net rpc rights grant "Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege  -Uadministrator
Enter administrator's password:
Successfully granted rights.
[root@fileserver ~]# getent group "Domain Admins"
domain admins@mydomain.com:*:1262600512:administrator@mydomain.com,lms048@mydomain.com,admin@mydomain.com
[root@fileserver ~]# net rpc rights list accounts -Uadministrator
Enter administrator's password:
Unix Group\domain admins@mydomain.com
SeMachineAccountPrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

I can now actually SEE the security settings using Shared Folders and Files on a Windows machine, and actually click checkboxes on the security tab, whereas they were greyed out, but as soon as I click apply, I get access denied.

This is using my own account, which is a member of Domain Admins.

Next I tried MYDOMAIN\administrator as Windows login, and after removing some stuff from my profile share definition, I can now set rights. Still not entirely working, as the owner is root, and that needs to be the local administrators group. Getting close tho.

I’m not that awake anymore tho … to be continued.

TL;DR: username map is your friend.

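An added example, not part of the original post: a small shell audit of the text printed by `net rpc rights list accounts`, showing which accounts hold SeDiskOperatorPrivilege and which other rights the same grant handed out. The function names are hypothetical, the sample listing is constructed from the output in the post plus one made-up account, and the parser assumes every privilege line belongs to the account line above it.

```shell
#!/bin/sh
# Added example: audit `net rpc rights list accounts` output on a Samba member server.
# Real use (prompts for the password, as in the post):
#   net rpc rights list accounts -Uadministrator | holders_of SeDiskOperatorPrivilege

# Constructed sample: the listing from the post plus one account without privileges.
sample_listing() {
cat <<'EOF'
Unix Group\domain admins@mydomain.com
SeMachineAccountPrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

BUILTIN\Administrators
No privileges assigned
EOF
}

# Print every account that holds privilege $1 (listing on stdin).
holders_of() {
    PRIV="$1" awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }      # trim CR and whitespace
        $0 == "" || $0 == "No privileges assigned" { next }  # separators, empty accounts
        /^Se[A-Za-z]+Privilege$/ { if ($0 == ENVIRON["PRIV"]) print acct; next }
        { acct = $0 }                                        # anything else is an account name
    '
}

# Print the privileges account $1 holds besides $2 (least-privilege review).
# Names are passed through the environment so the backslash is not read as an escape.
other_privs() {
    ACCT="$1" KEEP="$2" awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" || $0 == "No privileges assigned" { next }
        /^Se[A-Za-z]+Privilege$/ {
            if (tolower(acct) == tolower(ENVIRON["ACCT"]) && $0 != ENVIRON["KEEP"]) print
            next
        }
        { acct = $0 }
    '
}

echo "Holders of SeDiskOperatorPrivilege:"
sample_listing | holders_of SeDiskOperatorPrivilege
echo "Other rights granted to the same account:"
sample_listing | other_privs 'Unix Group\domain admins@mydomain.com' SeDiskOperatorPrivilege
```
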