Web lists-archives.com

Re: [Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.




From your Global config I see no IDMAP settings. You need that for Linux to
recognize your ad users.

See my blog top post for example: Monklinux.blogspot.com

Try my configuration, should work perfectly. Soz 4 short reply, typing on
phone.

Lemme know if it works. Note, pay attention to section under installing
samba.

On Sep 19, 2017 22:19, "Jamie McParland via samba" <samba@xxxxxxxxxxxxxxx>
wrote:

> Thanks for everyone chiming in on my problem. I really do appreciate it.
>
> Just to clarify, I’m working on a share called Edwards_Public. I’m trying
> to get it so the members of the AD group called do_superintendent are the
> only people able to read and write any files in that directory.
>
> Here is my global config:
>
> workgroup = NSD
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> log level = 5
> realm = NSD.NEWBERG.K12.OR.US
> security = ads
> wide links = yes
> unix extensions = no
> obey pam restrictions = yes
> hide files = /$*/
> hide files = /*.tmp
> hide special files = yes
> hide dot files = yes
> veto files = /.DS_Store/
> delete veto files = yes
>
> Based on the recommendations in this thread I’ve done the following:
>
> setfacl -m g:"domain admins":rwx,g:"domain users":rx Edwards_Public
>
> net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U
> "NSD\Administrator"
>
> Still not having any luck though.
>
> Jurie:
> >>Why not set your permissions from the windows server via security tab on
> folder properties?
> I would like to do that. My account (mcparlandj) is in the domain admin AD
> group. But when I use the “Computer Management” application on Windows 7,
> click properties for the share I want to edit the permissions on and click
> the Security tab, I see this:
>
> “You do not have permission to view or edit this object’s permission
> settings”
>
> If I click on the Share Permissions tab, I’m able to add / remove / modify
> permissions for “Groups or user names”, but they don’t seem to actually
> work or do anything. For example, I set the do_superintendent group to
> allow Full Control, Change, Read. When I login to a windows machine as a
> user that is a member of the do_superintendent group and I click on the
> share they should have access to, I get a log and password prompt that pops
> up. I’m not able to get into that share.
>
> Also, another weird thing is after awhile I’ll go back to the “Computer
> Management” application, click on the Share Permissions tab, all the group
> names have changed into what look like SID numbers and the little person
> icon has a red question mark next to it.
>
> Lastly, I’ve opened an SSH session to the server, changed into the share in
> question. Then did an su to the user in the do_superintendent group and
> tried to create a file. I wasn’t able to. This may be expected behavior
> though as an ssh session doesn’t use SMB, but I’m grasping at straws trying
> to figure out what’s wrong.
>
>
>
>
>
> Thanks,
> Jamie McParland
> Technology Supervisor - Newberg Public Schools
> Office - 503•554•5026
>
> Visit our blog for how tos and Tech news.
> http://www.newberg.k12.or.us/tech/
>
> Tech Help Desk 6:30AM to 3:30PM (503) 554-5044
>
>
>
>
>
> On Tue, Sep 19, 2017 at 2:39 AM, L.P.H. van Belle via samba <
> samba@xxxxxxxxxxxxxxx> wrote:
>
> > Hai,
> >
> > I've just read you howto, and its a very good start point.
> > You may have to correct a few small things there, but imo pretty good
> yes.
> >
> > This :
> > > chown root."domain admins" /SHAREPATH
> > Is/should not needed.
> >
> > setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
> > ^^^^^^ you did mean setfacl ?
> > But same, yes it works, and better then above, but you may get other
> > problems later on.
> >
> > For example, can you test the following. ( login as domain admin on a
> > domain joined pc )
> > Start regedit, now can you connect to remote registry with regedit to a
> > server.
> > ( from within file menu, connect to networkregistry ), search a member
> > server name.
> > And connect, did that work without problems?
> >
> > Imho, The op better use :
> > net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U
> > "NSD\Administrator"
> > NSD\Domain Admins is member of BUILTIN\Administrator by default and imo,
> > this is not sufficent for "Administrators"
> >
> > Setting the correct SePrivileges is imo, very important.
> > The is what i set for "BUILTIN\Administrators" , which i took from my
> > Win2008R2 server.
> > (net rpc rights list accounts -U Administrator )
> > SeSecurityPrivilege
> > SeBackupPrivilege
> > SeRestorePrivilege
> > SeSystemtimePrivilege
> > SeShutdownPrivilege
> > SeRemoteShutdownPrivilege
> > SeTakeOwnershipPrivilege
> > SeDebugPrivilege
> > SeSystemEnvironmentPrivilege
> > SeSystemProfilePrivilege
> > SeProfileSingleProcessPrivilege
> > SeIncreaseBasePriorityPrivilege
> > SeLoadDriverPrivilege
> > SeCreatePagefilePrivilege
> > SeIncreaseQuotaPrivilege
> > SeChangeNotifyPrivilege
> > SeUndockPrivilege
> > SeManageVolumePrivilege
> > SeImpersonatePrivilege
> > SeCreateGlobalPrivilege
> > SeEnableDelegationPrivilege
> > SeInteractiveLogonRight
> > SeNetworkLogonRight
> > SeRemoteInteractiveLogonRight
> > SeDiskOperatorPrivilege
> >
> > In this post is a more complete output of some Seprivileges
> > https://www.spinics.net/lists/samba/msg144117.html
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> >
> > > -----Oorspronkelijk bericht-----
> > > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
> > > Jurie Botha via samba
> > > Verzonden: dinsdag 19 september 2017 11:02
> > > Aan: samba@xxxxxxxxxxxxxxx
> > > Onderwerp: Re: [Samba] Can't set SeDiskOperatorPrivilege to
> > > Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
> > >
> > > Why not set your permissions from the windows server via
> > > security tab on folder properties?
> > >
> > > I set up mine the following way:
> > >
> > > smb.conf allows domain admins and domain users full RWX
> > > access to share (actual access controlled via ACLs)
> > >
> > > share perms on linux box
> > >
> > > chown root."domain admins" /SHAREPATH
> > >
> > > setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
> > >
> > > I then assigned perms and ownership of folders via Windows.
> > >
> > > See my blog -
> > > http://monklinux.blogspot.com/2017/09/how-to-samba-4-file-
> > > server-as-member.html for how I set it up.
> > >
> > >
> > >
> > >
> > >
> > >
> > > On 19 September 2017 at 00:31, Jamie McParland via samba <
> > > samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > > >
> > > > “Of course we must fear evil men, but there is another evil that we
> > > > must fear more… and that is the indifference of good men.” --
> > > > Monsignor
> > > >
> > > >> We’ve just recently moved over to Samba 4. It looks as if “force
> > > >> directory security mode” doesn’t work in samba 4. So I’m trying to
> > > >> setup the Windows ACLs on our groups share.
> > > >>
> > > >> I’ve been working on this for a few days. I’ve read over
> > > the docs, it
> > > >> seems like all the google links are purple and I’m still stuck.
> > > >> Hopefully someone here will have an idea.
> > > >>
> > > >> We’re running Windows 2008R2 for our AD server. We’re
> > > running CentOS7
> > > >> as our smb server.
> > > >>
> > > >> People can login to the share using their AD credentials
> > > and when I
> > > >> run getent group "NSD\Domain Admins”, it returns a list of
> > > people. So
> > > >> I know it’s talking to the AD server ok.
> > > >>
> > > >> The problem is when I run the following command:
> > > >> net rpc rights grant "NSD\Domain Admins"
> > > SeDiskOperatorPrivilege -U
> > > >> "NSD\Administrator"
> > > >> It asks me to the domain admin password Enter NSD\Administrator's
> > > >> password:
> > > >> I enter the password and I get this in response:
> > > >> Failed to grant privileges for NSD\Domain Admins
> > > >> (NT_STATUS_NO_SUCH_USER)
> > > >>
> > > >> I’ve added what I need to, to fstab
> > > >> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4
> > > >> _netdev,user_xattr,acl 0 0
> > > >>
> > > >> I’ve added this to the global section:
> > > >> username map = /etc/samba/user.map
> > > >> enable privileges = yes
> > > >>
> > > >> Here is the contents of /etc/samba/user.map:
> > > >>
> > > >> [root@smbgroups ~]# cat /etc/samba/user.map !root =
> > > NSD\Administrator
> > > >> NSD\administrator
> > > >>
> > > >> I haven’t entered the other information to the global
> > > section of the
> > > >> server yet, because I have people using the server. So I
> > > just added
> > > >> it to a test share.
> > > >>
> > > >> [Edwards_Public]
> > > >> path = /iscsi-groups/Edwards_Public
> > > >> comment = Edwards_Public
> > > >> guest ok=no
> > > >> oplocks=yes
> > > >> read only = no
> > > >> inherit permissions=no
> > > >> directory mask=0770
> > > >> strict locking=auto
> > > >> create mask=0770
> > > >> force create mode = 0770
> > > >> nt acl support = Yes
> > > >> vfs objects = full_audit
> > > >> vfs objects = fruit streams_xattr
> > > >>
> > > >> I’ve restarted the SMB service and even restarted the
> > > whole server to
> > > >> no avail. I keep getting the “Failed to grant privileges for
> > > >> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error.
> > > >>
> > > >> The only “luck” I’ve had was adding someone like the following:
> > > >> net rpc rights grant “irlbeckt@xxxxxxxxxxxxxxxxxxxxx”
> > > >> SeDiskOperatorPrivilege -U "NSD\Administrator"
> > > >>
> > > >> Irlbeckt is not a local user on the system, but and AD user.
> > > >>
> > > >> [root@smbgroups ~]# net rpc rights list privileges
> > > >> SeDiskOperatorPrivilege -U "NSD\administrator"
> > > >> Enter NSD\administrator's password:
> > > >> SeDiskOperatorPrivilege:
> > > >>   Unix User\mcparlandj
> > > >>   Unix Group\domain admins
> > > >>   BUILTIN\Administrators
> > > >>   Unix User\irlbeckt
> > > >>   Unix User\conek
> > > >>
> > > >> Unfortunately it comes back as “Unix User\irlbeckt” and
> > > not “NSD\irlbeckt”
> > > >>
> > > >> So at this point I’m stuck as to how to give the domain admins
> > > >> SeDiskOperatorPrivilege
> > > >>
> > > >> I’d love to hear any ideas. Thanks!
> > > >> Jamie
> > > >> --
> > > >> To unsubscribe from this list go to the following URL and read the
> > > >> instructions:  https://lists.samba.org/mailman/options/samba
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba