[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
- Date: Mon, 18 Sep 2017 15:31:03 -0700
- From: Jamie McParland via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
We’ve just recently moved over to Samba 4. It looks as if “force directory
security mode” doesn’t work in Samba 4. So I’m trying to set up the Windows
ACLs on our groups share.
I’ve been working on this for a few days. I’ve read over the docs, it seems
like all the google links are purple and I’m still stuck. Hopefully someone
here will have an idea.
We’re running Windows 2008R2 for our AD server. We’re running CentOS7 as
our smb server.
People can login to the share using their AD credentials and when I run
getent group "NSD\Domain Admins", it returns a list of people. So I know
it’s talking to the AD server ok.
The problem is when I run the following command:
net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U
It asks me for the domain admin password
Enter NSD\Administrator's password:
I enter the password and I get this in response:
Failed to grant privileges for NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)
I’ve added what I need to, to fstab
UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4 _netdev,user_xattr,acl 0 0
I’ve added this to the global section:
username map = /etc/samba/user.map
enable privileges = yes
Here is the contents of /etc/samba/user.map:
[root@smbgroups ~]# cat /etc/samba/user.map
!root = NSD\Administrator NSD\administrator
I haven’t entered the other information to the global section of the server
yet, because I have people using the server. So I just added it to a test
path = /iscsi-groups/Edwards_Public
comment = Edwards_Public
read only = no
force create mode = 0770
nt acl support = Yes
vfs objects = full_audit
vfs objects = fruit streams_xattr
I’ve restarted the SMB service and even restarted the whole server to no
avail. I keep getting the “Failed to grant privileges for NSD\Domain Admins
The only “luck” I’ve had was adding someone like the following:
net rpc rights grant "irlbeckt@xxxxxxxxxxxxxxxxxxxxx" SeDiskOperatorPrivilege -U "NSD\Administrator"
Irlbeckt is not a local user on the system, but an AD user.
[root@smbgroups ~]# net rpc rights list privileges SeDiskOperatorPrivilege
Enter NSD\administrator's password:
Unix Group\domain admins
Unfortunately it comes back as “Unix User\irlbeckt” and not “NSD\irlbeckt”
So at this point I’m stuck as to how to give the domain admins
I’d love to hear any ideas. Thanks!
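
Added example, not part of the original message and separate from the privilege error it asks about: the share settings quoted above assign "vfs objects" twice, and when smb.conf sets a parameter more than once in a section the last assignment is the one in effect, so full_audit would not be loaded. The check below reports such dropped modules; the sample text and the section name [test] are constructed placeholders.

```python
import re

# Constructed sample modelled on the share settings quoted in the message.
# The section name [test] is a placeholder; the message does not show one.
SAMPLE = """\
[test]
    path = /iscsi-groups/Edwards_Public
    vfs objects = full_audit
    ; the assignment below replaces the one above
    VFS Objects = fruit streams_xattr
"""

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def assignments(text):
    """Return {section: {param: [values in file order]}}."""
    seen = {}
    section, pending = "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif "=" in line:
            key, value = line.split("=", 1)
            seen.setdefault(section, {}).setdefault(_norm(key), []).append(value.strip())
    return seen

def dropped_vfs_modules(text):
    """Return {section: [modules set earlier but absent from the last assignment]}."""
    result = {}
    for section, params in assignments(text).items():
        values = params.get("vfsobjects", [""])
        effective = values[-1].split()
        lost = [m for v in values[:-1] for m in v.split() if m not in effective]
        if lost:
            result[section] = lost
    return result

if __name__ == "__main__":
    for section, lost in dropped_vfs_modules(SAMPLE).items():
        print(f"[{section}] vfs objects assigned more than once; not loaded: {', '.join(lost)}")
```

Listing every module on a single "vfs objects" line makes the check return nothing for that section.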