From: Adam Nielsen on
> Use 'net sam' to add the user in question to the BUILTIN\Administrators
> group on your Samba host.
>>
>> # /usr/local/samba/bin/net rpc rights grant testpc1
>> SePrintOperatorPrivilege -U testpc1
>> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

Oh, so does 'net rpc' in this case connect to the local machine? i.e.
it has nothing to do with Active Directory?

I was under the impression that it modified the permissions on the
Active Directory object, not what the local Samba instance would allow
or deny - my apologies!

Cheers,
Adam.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Gerald Carter on
Hey Adam,

>> Use 'net sam' to add the user in question to the BUILTIN\Administrators
>> group on your Samba host.
>>> # /usr/local/samba/bin/net rpc rights grant testpc1
>>> SePrintOperatorPrivilege -U testpc1
>>> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
>
> Oh, so does 'net rpc' in this case connect to the local machine? i.e.
> it has nothing to do with Active Directory?

Correct. It connects over RPC to the Samba host. I think there
is a 'net sam rights' which will do the same operation without
using RPC. I.e. just operate on the account policy db.

cheers, jerry
--
=====================================================================
http://www.plainjoe.org/
"What man is a man who does not make the world better?" --Balian

From: Ryan Suarez on
Adam Nielsen wrote:
>> Use 'net sam' to add the user in question to the BUILTIN\Administrators
>> group on your Samba host.
>>
>>> # /usr/local/samba/bin/net rpc rights grant testpc1
>>> SePrintOperatorPrivilege -U testpc1
>>> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
>>>
>
> Oh, so does 'net rpc' in this case connect to the local machine? i.e.
> it has nothing to do with Active Directory?
>
> I was under the impression that it modified the permissions on the
> Active Directory object, not what the local Samba instance would allow
> or deny - my apologies!
>

Well, I wasn't actually able to run the net rpc rights grant. I was
still getting the access denied errors. Instead, I just added testpc1
as a member of the local Builtin/Administrators group which has all the
rpc rights by default.

So it's still a valid question. Does net rpc rights grant for the user
edit the Active Directory object?
From: Adam Nielsen on
> Well, I wasn't actually able to run the net rpc rights grant. I was
> still getting the access denied errors. Instead, I just added testpc1
> as a member of the local Builtin/Administrators group which has all the
> rpc rights by default.

Well, now that testpc1 is an admin you should be able to run the command again
and it should work. Since you're not actually using Active Directory
you could presumably also use "-U machine_name/root" or whatever the
name is of the local Samba root/admin account, instead of the testpc1 user.

> So it's still a valid question. Does net rpc rights grant for the user
> edit the Active Directory object?

I think the permission you're trying to access is set at the local
machine level - think of it like a firewall. When the request comes
through, Samba decides whether to allow or deny it based on the privilege
you're trying to set. So it will apply whether or not you're using
Active Directory. That's my understanding of it anyway!

Cheers,
Adam.