Web lists-archives.com

Re: [Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.




Hai, 

I've just read you howto, and its a very good start point.
You may have to correct a few small things there, but imo pretty good yes.

This : 
> chown root."domain admins" /SHAREPATH 
Is/should not needed.

setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
^^^^^^ you did mean setfacl ? 
But same, yes it works, and better then above, but you may get other problems later on. 

For example, can you test the following. ( login as domain admin on a domain joined pc ) 
Start regedit, now can you connect to remote registry with regedit to a server. 
( from within file menu, connect to networkregistry ), search a member server name. 
And connect, did that work without problems? 

Imho, The op better use : 
net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U "NSD\Administrator"
NSD\Domain Admins is member of BUILTIN\Administrator by default and imo, this is not sufficent for "Administrators" 

Setting the correct SePrivileges is imo, very important. 
The is what i set for "BUILTIN\Administrators" , which i took from my Win2008R2 server. 
(net rpc rights list accounts -U Administrator ) 
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeRemoteInteractiveLogonRight
SeDiskOperatorPrivilege

In this post is a more complete output of some Seprivileges
https://www.spinics.net/lists/samba/msg144117.html


Greetz, 

Louis





> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Jurie Botha via samba
> Verzonden: dinsdag 19 september 2017 11:02
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] Can't set SeDiskOperatorPrivilege to 
> Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
> 
> Why not set your permissions from the windows server via 
> security tab on folder properties?
> 
> I set up mine the following way:
> 
> smb.conf allows domain admins and domain users full RWX 
> access to share (actual access controlled via ACLs)
> 
> share perms on linux box
> 
> chown root."domain admins" /SHAREPATH
> 
> setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
> 
> I then assigned perms and ownership of folders via Windows.
> 
> See my blog - 
> http://monklinux.blogspot.com/2017/09/how-to-samba-4-file-
> server-as-member.html for how I set it up.
> 
> 
> 
> 
> 
> 
> On 19 September 2017 at 00:31, Jamie McParland via samba < 
> samba@xxxxxxxxxxxxxxx> wrote:
> 
> >
> > “Of course we must fear evil men, but there is another evil that we 
> > must fear more… and that is the indifference of good men.” -- 
> > Monsignor
> >
> >> We’ve just recently moved over to Samba 4. It looks as if “force 
> >> directory security mode” doesn’t work in samba 4. So I’m trying to 
> >> setup the Windows ACLs on our groups share.
> >>
> >> I’ve been working on this for a few days. I’ve read over 
> the docs, it 
> >> seems like all the google links are purple and I’m still stuck. 
> >> Hopefully someone here will have an idea.
> >>
> >> We’re running Windows 2008R2 for our AD server. We’re 
> running CentOS7 
> >> as our smb server.
> >>
> >> People can login to the share using their AD credentials 
> and when I 
> >> run getent group "NSD\Domain Admins”, it returns a list of 
> people. So 
> >> I know it’s talking to the AD server ok.
> >>
> >> The problem is when I run the following command:
> >> net rpc rights grant "NSD\Domain Admins" 
> SeDiskOperatorPrivilege -U 
> >> "NSD\Administrator"
> >> It asks me to the domain admin password Enter NSD\Administrator's 
> >> password:
> >> I enter the password and I get this in response:
> >> Failed to grant privileges for NSD\Domain Admins 
> >> (NT_STATUS_NO_SUCH_USER)
> >>
> >> I’ve added what I need to, to fstab
> >> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4 
> >> _netdev,user_xattr,acl 0 0
> >>
> >> I’ve added this to the global section:
> >> username map = /etc/samba/user.map
> >> enable privileges = yes
> >>
> >> Here is the contents of /etc/samba/user.map:
> >>
> >> [root@smbgroups ~]# cat /etc/samba/user.map !root = 
> NSD\Administrator 
> >> NSD\administrator
> >>
> >> I haven’t entered the other information to the global 
> section of the 
> >> server yet, because I have people using the server. So I 
> just added 
> >> it to a test share.
> >>
> >> [Edwards_Public]
> >> path = /iscsi-groups/Edwards_Public
> >> comment = Edwards_Public
> >> guest ok=no
> >> oplocks=yes
> >> read only = no
> >> inherit permissions=no
> >> directory mask=0770
> >> strict locking=auto
> >> create mask=0770
> >> force create mode = 0770
> >> nt acl support = Yes
> >> vfs objects = full_audit
> >> vfs objects = fruit streams_xattr
> >>
> >> I’ve restarted the SMB service and even restarted the 
> whole server to 
> >> no avail. I keep getting the “Failed to grant privileges for 
> >> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error.
> >>
> >> The only “luck” I’ve had was adding someone like the following:
> >> net rpc rights grant “irlbeckt@xxxxxxxxxxxxxxxxxxxxx”
> >> SeDiskOperatorPrivilege -U "NSD\Administrator"
> >>
> >> Irlbeckt is not a local user on the system, but and AD user.
> >>
> >> [root@smbgroups ~]# net rpc rights list privileges 
> >> SeDiskOperatorPrivilege -U "NSD\administrator"
> >> Enter NSD\administrator's password:
> >> SeDiskOperatorPrivilege:
> >>   Unix User\mcparlandj
> >>   Unix Group\domain admins
> >>   BUILTIN\Administrators
> >>   Unix User\irlbeckt
> >>   Unix User\conek
> >>
> >> Unfortunately it comes back as “Unix User\irlbeckt” and 
> not “NSD\irlbeckt”
> >>
> >> So at this point I’m stuck as to how to give the domain admins 
> >> SeDiskOperatorPrivilege
> >>
> >> I’d love to hear any ideas. Thanks!
> >> Jamie
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> >
> >
> > --
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba