Re: [Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
- Date: Tue, 19 Sep 2017 11:39:17 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
I've just read your howto, and it's a very good starting point.
You may have to correct a few small things there, but imo pretty good yes.
> chown root."domain admins" /SHAREPATH
Is/should not be needed.
> setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
  ^^^^^^ you did mean setfacl?
But same, yes it works, and better than above, but you may get other problems later on.
For example, can you test the following. ( login as domain admin on a domain joined pc )
Start regedit, now can you connect to remote registry with regedit to a server.
( from within file menu, connect to network registry ), search a member server name.
And connect, did that work without problems?
Imho, the OP better use:
net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U "NSD\Administrator"
NSD\Domain Admins is a member of BUILTIN\Administrator by default and imo, this is not sufficient for "Administrators".
Setting the correct SePrivileges is imo, very important.
This is what I set for "BUILTIN\Administrators", which I took from my Win2008R2 server.
(net rpc rights list accounts -U Administrator )
In this post is a more complete output of some Seprivileges
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Jurie Botha via samba
> Sent: Tuesday 19 September 2017 11:02
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Can't set SeDiskOperatorPrivilege to
> Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
> Why not set your permissions from the windows server via
> security tab on folder properties?
> I set up mine the following way:
> smb.conf allows domain admins and domain users full RWX
> access to share (actual access controlled via ACLs)
> share perms on linux box
> chown root."domain admins" /SHAREPATH
> setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
> I then assigned perms and ownership of folders via Windows.
> See my blog -
> server-as-member.html for how I set it up.
> On 19 September 2017 at 00:31, Jamie McParland via samba <
> samba@xxxxxxxxxxxxxxx> wrote:
> > “Of course we must fear evil men, but there is another evil that we
> > must fear more… and that is the indifference of good men.” --
> > Monsignor
> >> We’ve just recently moved over to Samba 4. It looks as if “force
> >> directory security mode” doesn’t work in samba 4. So I’m trying to
> >> setup the Windows ACLs on our groups share.
> >> I’ve been working on this for a few days. I’ve read over the docs, it
> >> seems like all the google links are purple and I’m still stuck.
> >> Hopefully someone here will have an idea.
> >> We’re running Windows 2008R2 for our AD server. We’re running CentOS7
> >> as our smb server.
> >> People can login to the share using their AD credentials and when I
> >> run getent group "NSD\Domain Admins", it returns a list of people. So
> >> I know it’s talking to the AD server ok.
> >> The problem is when I run the following command:
> >> net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U "NSD\Administrator"
> >> It asks me for the domain admin password:
> >> Enter NSD\Administrator's password:
> >> I enter the password and I get this in response:
> >> Failed to grant privileges for NSD\Domain Admins
> >> (NT_STATUS_NO_SUCH_USER)
> >> I’ve added what I need to, to fstab
> >> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4 _netdev,user_xattr,acl 0 0
> >> I’ve added this to the global section:
> >> username map = /etc/samba/user.map
> >> enable privileges = yes
> >> Here is the contents of /etc/samba/user.map:
> >> [root@smbgroups ~]# cat /etc/samba/user.map
> >> !root = NSD\administrator
> >> I haven’t entered the other information to the global section of the
> >> server yet, because I have people using the server. So I just added
> >> it to a test share.
> >> [Edwards_Public]
> >> path = /iscsi-groups/Edwards_Public
> >> comment = Edwards_Public
> >> guest ok=no
> >> oplocks=yes
> >> read only = no
> >> inherit permissions=no
> >> directory mask=0770
> >> strict locking=auto
> >> create mask=0770
> >> force create mode = 0770
> >> nt acl support = Yes
> >> vfs objects = full_audit
> >> vfs objects = fruit streams_xattr
> >> I’ve restarted the SMB service and even restarted the whole server to
> >> no avail. I keep getting the “Failed to grant privileges for
> >> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error.
> >> The only “luck” I’ve had was adding someone like the following:
> >> net rpc rights grant "irlbeckt@xxxxxxxxxxxxxxxxxxxxx" SeDiskOperatorPrivilege -U "NSD\Administrator"
> >> Irlbeckt is not a local user on the system, but an AD user.
> >> [root@smbgroups ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U "NSD\administrator"
> >> Enter NSD\administrator's password:
> >> SeDiskOperatorPrivilege:
> >> Unix User\mcparlandj
> >> Unix Group\domain admins
> >> BUILTIN\Administrators
> >> Unix User\irlbeckt
> >> Unix User\conek
> >> Unfortunately it comes back as “Unix User\irlbeckt” and not “NSD\irlbeckt”
> >> So at this point I’m stuck as to how to give the domain admins
> >> SeDiskOperatorPrivilege
> >> I’d love to hear any ideas. Thanks!
> >> Jamie
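
The listing quoted in this thread shows holders under `Unix User\` and `Unix Group\` rather than `NSD\`. As an added example (not part of the original posts, and not Samba's own code), this shell check classifies the holders in `net rpc rights list privileges` output by namespace, so a review can see where each grant landed. The function names are hypothetical and the sample listing is copied from the quoted output.

```shell
#!/bin/sh
# Added example (not from the thread): classify the accounts that hold a
# privilege in `net rpc rights list privileges <priv>` output.

# Sample listing copied from the output quoted in this thread.
sample_output() {
cat <<'EOF'
SeDiskOperatorPrivilege:
Unix User\mcparlandj
Unix Group\domain admins
BUILTIN\Administrators
Unix User\irlbeckt
Unix User\conek
EOF
}

# Reads a listing on stdin, prints "<class><TAB><account>" per holder.
#   unix    = "Unix User\" or "Unix Group\" namespace
#   builtin = BUILTIN\ alias
#   domain  = any other NAMESPACE\name
classify_holders() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim
        $0 == "" || /^Enter .*password:$/ { next }     # blanks, prompt
        { n = index($0, "\\") }                        # namespace separator
        n == 0 && /:$/ { next }                        # "SeXxxPrivilege:" header
        n == 0 { print "unknown\t" $0; next }
        { ns = substr($0, 1, n - 1) }
        ns == "Unix User" || ns == "Unix Group" { print "unix\t" $0; next }
        ns == "BUILTIN" { print "builtin\t" $0; next }
        { print "domain\t" $0 }
    '
}

# count_class CLASS: number of holders in that class (listing on stdin).
count_class() {
    classify_holders | awk -F'\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# has_holder ACCOUNT: exit 0 if ACCOUNT is listed exactly (listing on stdin).
has_holder() {
    classify_holders | cut -f2 | grep -Fxq -- "$1"
}

sample_output | classify_holders
```

On a member server, pipe the real command's output into `classify_holders` in place of `sample_output`.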