Re: [Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
- Date: Tue, 19 Sep 2017 11:01:56 +0200
- From: Jurie Botha via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
Why not set your permissions from the Windows server via security tab on
I set up mine the following way:
smb.conf allows domain admins and domain users full RWX access to share
(actual access controlled via ACLs)
Share perms on Linux box:
chown root:"domain admins" /SHAREPATH
setfacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
I then assigned perms and ownership of folders via Windows.
See my blog - http://monklinux.blogspot.com/2017/09/how-to-samba-4-file-server-as-member.html
for how I set it up.
On 19 September 2017 at 00:31, Jamie McParland via samba <
> “Of course we must fear evil men, but there is another evil that we must
> fear more… and that is the indifference of good men.” -- Monsignor
>> We’ve just recently moved over to Samba 4. It looks as if “force directory
>> security mode” doesn’t work in Samba 4. So I’m trying to set up the Windows
>> ACLs on our groups share.
>> I’ve been working on this for a few days. I’ve read over the docs, it
>> like all the google links are purple and I’m still stuck. Hopefully
>> here will have an idea.
>> We’re running Windows 2008R2 for our AD server. We’re running CentOS7 as
>> our smb server.
>> People can log in to the share using their AD credentials and when I run
>> getent group "NSD\Domain Admins", it returns a list of people. So I know
>> it’s talking to the AD server ok.
>> The problem is when I run the following command:
>> net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U
>> It asks me for the domain admin password
>> Enter NSD\Administrator's password:
>> I enter the password and I get this in response:
>> Failed to grant privileges for NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)
>> I’ve added what I need to, to fstab
>> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4
>> _netdev,user_xattr,acl 0 0
>> I’ve added this to the global section:
>> username map = /etc/samba/user.map
>> enable privileges = yes
>> Here is the contents of /etc/samba/user.map:
>> [root@smbgroups ~]# cat /etc/samba/user.map
>> !root = NSD\Administrator NSD\administrator
>> I haven’t entered the other information to the global section of the
>> yet, because I have people using the server. So I just added it to a test
>> path = /iscsi-groups/Edwards_Public
>> comment = Edwards_Public
>> guest ok=no
>> read only = no
>> inherit permissions=no
>> directory mask=0770
>> strict locking=auto
>> create mask=0770
>> force create mode = 0770
>> nt acl support = Yes
>> vfs objects = full_audit
>> vfs objects = fruit streams_xattr
>> I’ve restarted the SMB service and even restarted the whole server to no
>> avail. I keep getting the “Failed to grant privileges for NSD\Domain
>> (NT_STATUS_NO_SUCH_USER)” Error.
>> The only “luck” I’ve had was adding someone like the following:
>> net rpc rights grant "irlbeckt@xxxxxxxxxxxxxxxxxxxxx"
>> SeDiskOperatorPrivilege -U "NSD\Administrator"
>> Irlbeckt is not a local user on the system, but an AD user.
>> [root@smbgroups ~]# net rpc rights list privileges
>> -U "NSD\administrator"
>> Enter NSD\administrator's password:
>> Unix User\mcparlandj
>> Unix Group\domain admins
>> Unix User\irlbeckt
>> Unix User\conek
>> Unfortunately it comes back as “Unix User\irlbeckt” and not “NSD\irlbeckt”
>> So at this point I’m stuck as to how to give the domain admins
>> I’d love to hear any ideas. Thanks!
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
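The share definition quoted above sets `vfs objects` twice; smb.conf keeps only the last value of a parameter repeated within a section, so `full_audit` is not loaded for that share. The check below is an added example, not part of the original thread: the section name `[test]` and the function names are assumptions, and the sample text is constructed from the quoted parameters.

```python
import re

# Constructed sample: share parameters quoted in the thread, placed under an
# assumed section name "[test]" (the post does not show the section header).
SAMPLE_SMB_CONF = """\
[test]
    path = /iscsi-groups/Edwards_Public
    nt acl support = Yes
    vfs objects = full_audit
    vfs objects = fruit streams_xattr
"""

def normalize(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse(conf_text):
    """Return (effective, dropped) keyed by (section, parameter)."""
    section, effective, dropped = "global", {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = normalize(header.group(1))
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        key = (section, normalize(name))
        if key in effective:                 # a later line replaces this value
            dropped.append((section, key[1], effective[key]))
        effective[key] = value.strip()
    return effective, dropped

def lost_vfs_modules(conf_text):
    """Map section -> modules set on an earlier 'vfs objects' line but not the last."""
    effective, dropped = parse(conf_text)
    lost = {}
    for section, name, old_value in dropped:
        active = re.split(r"[\s,]+", effective[(section, name)])
        missing = [m for m in re.split(r"[\s,]+", old_value) if m and m not in active]
        if name == "vfsobjects" and missing:
            lost.setdefault(section, []).extend(missing)
    return lost

if __name__ == "__main__":
    print(lost_vfs_modules(SAMPLE_SMB_CONF))
```

On a live server, `testparm -s` prints the configuration Samba actually loads and can be used to confirm the result.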