From: John H Terpstra on
On 01/27/2010 08:29 PM, Daniel R. Gore wrote:
> Because of the extremely restrictive security environment we work under,
> our Windows Admins have disabled the administrator account on our Domain
> and created a new account with administrator rights. The result is that
> the common RID of 500 which maps to the Linux UID and GID of 500 is no
> longer valid. This means that when the Windows Domain controller, via
> the Domain Administrator (which has another name and RID) tries to make
> an account on the samba share where the profiles are intended for, it
> fails because Samba expects this to come from the well known RID of
> 500.
>
> Is there any way to specify in Samba what RID number to expect and use
> for Domain Administration management?
>
> Thanks.
>
> Dan

Dan,

You can assign suitable rights and privileges using the "net" utility as
follows:

net rpc grant rights "DOMAIN\Group Name" SeMachineAccountPrivilege
SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
SeDiskOperatorPrivilege -Uadministrator%password

When correctly processed for domain group "Whatchamacallit" you will get
something that looks like this:

net rpc rights list accounts -Uwinadmin%n3v3rgessit
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned
URDOMAIN\Whatchamacallit
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege


Yell if you need more help.

Cheers,
John T.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
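
An added example, not part of the original post: a small audit of the "net rpc rights list accounts" output shown above, reporting which accounts hold any privilege and are not on an expected list. The function names and the embedded listing are constructed for illustration; the parser keys on the SeXxxPrivilege lines, so it copes with the missing blank line before URDOMAIN\Whatchamacallit in the listing.

```shell
#!/bin/sh
# Added example: audit "net rpc rights list accounts" output.
# Function names and sample data are constructed for illustration.

# rights_pairs: read a listing on stdin, print "account<TAB>privilege"
# for every privilege that is actually granted.
rights_pairs() {
    awk '
        { sub(/\r$/, "") }                          # tolerate CRLF input
        /^[[:space:]]*$/           { next }         # blank separator
        /^No privileges assigned$/ { next }         # account holds nothing
        /^Se[A-Za-z]+Privilege$/   { if (acct != "") print acct "\t" $0; next }
        { acct = $0 }                               # anything else is an account name
    '
}

# unexpected_holders: print accounts that hold at least one privilege
# and are not named in the allowlist ($1, one account per line).
unexpected_holders() {
    rights_pairs | cut -f1 | sort -u | grep -vxF -e "$1" || true
}

# Constructed sample in the format shown in the post (shortened).
sample_listing() {
    cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned
URDOMAIN\Whatchamacallit
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
EOF
}

# Only BUILTIN\Administrators is expected here, so the domain group is reported.
sample_listing | unexpected_holders 'BUILTIN\Administrators'
```

Against a live server, pipe the real listing into unexpected_holders instead of sample_listing.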
From: Robert Steinmetz AIA on
I just tried that on my network.
I think the correct command is "net rpc rights grant",
which seemed to work on the DC.
But although getent and wbinfo work, I didn't get any of the domain users
with this command. Shouldn't they be listed?

John H Terpstra wrote:
> On 01/27/2010 08:29 PM, Daniel R. Gore wrote:
>
>> Because of the extremely restrictive security environment we work under,
>> our Windows Admins have disabled the administrator account on our Domain
>> and created a new account with administrator rights. The result is that
>> the common RID of 500 which maps to the Linux UID and GID of 500 is no
>> longer valid. This means that when the Windows Domain controller, via
>> the Domain Administrator (which has another name and RID) tries to make
>> an account on the samba share where the profiles are intended for, it
>> fails because Samba expects this to come from the well known RID of
>> 500.
>>
>> Is there any way to specify in Samba what RID number to expect and use
>> for Domain Administration management?
>>
>> Thanks.
>>
>> Dan
>>
> Dan,
>
> You can assign suitable rights and privileges using the "net" utility as
> follows:
>
> net rpc grant rights "DOMAIN\Group Name" SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
> SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
> SeDiskOperatorPrivilege -Uadministrator%password
>
> When correctly processed for domain group "Whatchamacallit" you will get
> something that looks like this:
>
> net rpc rights list accounts -Uwinadmin%n3v3rgessit
> BUILTIN\Print Operators
> No privileges assigned
>
> BUILTIN\Account Operators
> No privileges assigned
>
> BUILTIN\Backup Operators
> No privileges assigned
>
> BUILTIN\Server Operators
> No privileges assigned
>
> BUILTIN\Administrators
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
>
> Everyone
> No privileges assigned
> URDOMAIN\Whatchamacallit
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
>
>
> Yell if you need more help.
>
> Cheers,
> John T.
>


--
Robert Steinmetz, AIA
Principal
Steinmetz & Associates
From: Daniel R. Gore on
Thanks John,

I will give that a try today.

Dan


On Wed, 2010-01-27 at 21:27 -0600, John H Terpstra wrote:
> On 01/27/2010 08:29 PM, Daniel R. Gore wrote:
> > Because of the extremely restrictive security environment we work under,
> > our Windows Admins have disabled the administrator account on our Domain
> > and created a new account with administrator rights. The result is that
> > the common RID of 500 which maps to the Linux UID and GID of 500 is no
> > longer valid. This means that when the Windows Domain controller, via
> > the Domain Administrator (which has another name and RID) tries to make
> > an account on the samba share where the profiles are intended for, it
> > fails because Samba expects this to come from the well known RID of
> > 500.
> >
> > Is there any way to specify in Samba what RID number to expect and use
> > for Domain Administration management?
> >
> > Thanks.
> >
> > Dan
>
> Dan,
>
> You can assign suitable rights and privileges using the "net" utility as
> follows:
>
> net rpc grant rights "DOMAIN\Group Name" SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
> SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
> SeDiskOperatorPrivilege -Uadministrator%password
>
> When correctly processed for domain group "Whatchamacallit" you will get
> something that looks like this:
>
> net rpc rights list accounts -Uwinadmin%n3v3rgessit
> BUILTIN\Print Operators
> No privileges assigned
>
> BUILTIN\Account Operators
> No privileges assigned
>
> BUILTIN\Backup Operators
> No privileges assigned
>
> BUILTIN\Server Operators
> No privileges assigned
>
> BUILTIN\Administrators
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
>
> Everyone
> No privileges assigned
> URDOMAIN\Whatchamacallit
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
>
>
> Yell if you need more help.
>
> Cheers,
> John T.
> _________________________________
> This email has been ClamScanned !
> www.clamav.net

