
Re: [Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.




Why not set your permissions from the windows server via security tab on
folder properties?

I set up mine the following way:

smb.conf allows domain admins and domain users full RWX access to share
(actual access controlled via ACLs)

share perms on linux box

chown root."domain admins" /SHAREPATH

setfacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH

I then assigned perms and ownership of folders via Windows.

See my blog - http://monklinux.blogspot.com/2017/09/how-to-samba-4-file-server-as-member.html
for how I set it up.






On 19 September 2017 at 00:31, Jamie McParland via samba <
samba@xxxxxxxxxxxxxxx> wrote:

>
> “Of course we must fear evil men, but there is another evil that we must
> fear more… and that is the indifference of good men.” -- Monsignor
>
>> We’ve just recently moved over to Samba 4. It looks as if “force directory
>> security mode” doesn’t work in samba 4. So I’m trying to setup the Windows
>> ACLs on our groups share.
>>
>> I’ve been working on this for a few days. I’ve read over the docs, it
>> seems like all the google links are purple and I’m still stuck. Hopefully
>> someone here will have an idea.
>>
>> We’re running Windows 2008R2 for our AD server. We’re running CentOS7 as
>> our smb server.
>>
>> People can login to the share using their AD credentials and when I run
>> getent group "NSD\Domain Admins”, it returns a list of people. So I know
>> it’s talking to the AD server ok.
>>
>> The problem is when I run the following command:
>> net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U "NSD\Administrator"
>> It asks me for the domain admin password
>> Enter NSD\Administrator's password:
>> I enter the password and I get this in response:
>> Failed to grant privileges for NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)
>>
>> I’ve added what I need to, to fstab
>> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4 _netdev,user_xattr,acl 0 0
>>
>> I’ve added this to the global section:
>> username map = /etc/samba/user.map
>> enable privileges = yes
>>
>> Here is the contents of /etc/samba/user.map:
>>
>> [root@smbgroups ~]# cat /etc/samba/user.map
>> !root = NSD\Administrator NSD\administrator
>>
>> I haven’t entered the other information to the global section of the
>> server yet, because I have people using the server. So I just added it
>> to a test share.
>>
>> [Edwards_Public]
>> path = /iscsi-groups/Edwards_Public
>> comment = Edwards_Public
>> guest ok=no
>> oplocks=yes
>> read only = no
>> inherit permissions=no
>> directory mask=0770
>> strict locking=auto
>> create mask=0770
>> force create mode = 0770
>> nt acl support = Yes
>> vfs objects = full_audit
>> vfs objects = fruit streams_xattr
>>
>> I’ve restarted the SMB service and even restarted the whole server to no
>> avail. I keep getting the “Failed to grant privileges for NSD\Domain
>> Admins (NT_STATUS_NO_SUCH_USER)” Error.
>>
>> The only “luck” I’ve had was adding someone like the following:
>> net rpc rights grant “irlbeckt@xxxxxxxxxxxxxxxxxxxxx” SeDiskOperatorPrivilege -U "NSD\Administrator"
>>
>> Irlbeckt is not a local user on the system, but an AD user.
>>
>> [root@smbgroups ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U "NSD\administrator"
>> Enter NSD\administrator's password:
>> SeDiskOperatorPrivilege:
>>   Unix User\mcparlandj
>>   Unix Group\domain admins
>>   BUILTIN\Administrators
>>   Unix User\irlbeckt
>>   Unix User\conek
>>
>> Unfortunately it comes back as “Unix User\irlbeckt” and not “NSD\irlbeckt”
>>
>> So at this point I’m stuck as to how to give the domain admins
>> SeDiskOperatorPrivilege
>>
>> I’d love to hear any ideas. Thanks!
>> Jamie
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
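
A check for the `net rpc rights list privileges` listing quoted in the thread, as an added example that is not part of either poster's message: it parses the listing and reports which holders appear under `Unix User` / `Unix Group` (the names Samba shows for SIDs mapped from a local uid/gid rather than a domain account) and whether the intended domain group holds the privilege. The function names are hypothetical, and the sample input is the listing quoted above.

```python
"""Audit who holds a Samba privilege, from `net rpc rights list privileges` output."""

# Listing quoted in the thread above (holders of SeDiskOperatorPrivilege).
SAMPLE = r"""SeDiskOperatorPrivilege:
  Unix User\mcparlandj
  Unix Group\domain admins
  BUILTIN\Administrators
  Unix User\irlbeckt
  Unix User\conek
"""

# Authorities Samba uses for SIDs mapped from a local uid/gid.
UNIX_AUTHORITIES = {"unix user", "unix group"}


def parse_rights(text):
    """Return {privilege: [(authority, name), ...]} from the listing."""
    holders = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and line.endswith(":"):
            # Unindented "Name:" line starts a new privilege block.
            current = line[:-1]
            holders.setdefault(current, [])
        elif current and "\\" in line:
            # Indented "AUTHORITY\name" line is one holder of that privilege.
            authority, name = line.split("\\", 1)
            holders[current].append((authority, name))
    return holders


def audit(text, privilege, domain, expected):
    """Report Unix-mapped holders and whether DOMAIN\\expected holds the privilege."""
    entries = parse_rights(text).get(privilege, [])
    unix_mapped = [f"{a}\\{n}" for a, n in entries if a.lower() in UNIX_AUTHORITIES]
    granted = any(a.lower() == domain.lower() and n.lower() == expected.lower()
                  for a, n in entries)
    return {"unix_mapped": unix_mapped, "expected_granted": granted}


if __name__ == "__main__":
    report = audit(SAMPLE, "SeDiskOperatorPrivilege", "NSD", "Domain Admins")
    for holder in report["unix_mapped"]:
        print("mapped from a local uid/gid, not a domain account:", holder)
    print("NSD\\Domain Admins granted:", report["expected_granted"])
```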