Jurie Botha
2017-Sep-19 09:01 UTC
[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
Why not set your permissions from the Windows server via security tab on folder properties?

I set up mine the following way:

smb.conf allows domain admins and domain users full RWX access to share (actual access controlled via ACLs)

share perms on linux box

chown root."domain admins" /SHAREPATH
setfacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH

I then assigned perms and ownership of folders via Windows.

See my blog - http://monklinux.blogspot.com/2017/09/how-to-samba-4-file-server-as-member.html for how I set it up.

On 19 September 2017 at 00:31, Jamie McParland via samba <samba at lists.samba.org> wrote:

> “Of course we must fear evil men, but there is another evil that we must
> fear more… and that is the indifference of good men.” -- Monsignor
>
>> We’ve just recently moved over to Samba 4. It looks as if “force directory
>> security mode” doesn’t work in samba 4. So I’m trying to set up the Windows
>> ACLs on our groups share.
>>
>> I’ve been working on this for a few days. I’ve read over the docs, it seems
>> like all the google links are purple and I’m still stuck. Hopefully someone
>> here will have an idea.
>>
>> We’re running Windows 2008R2 for our AD server. We’re running CentOS7 as
>> our smb server.
>>
>> People can login to the share using their AD credentials and when I run
>> getent group "NSD\Domain Admins", it returns a list of people. So I know
>> it’s talking to the AD server ok.
>>
>> The problem is when I run the following command:
>> net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U "NSD\Administrator"
>> It asks me for the domain admin password
>> Enter NSD\Administrator's password:
>> I enter the password and I get this in response:
>> Failed to grant privileges for NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)
>>
>> I’ve added what I need to, to fstab
>> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4 _netdev,user_xattr,acl 0 0
>>
>> I’ve added this to the global section:
>> username map = /etc/samba/user.map
>> enable privileges = yes
>>
>> Here is the contents of /etc/samba/user.map:
>>
>> [root@smbgroups ~]# cat /etc/samba/user.map
>> !root = NSD\Administrator NSD\administrator
>>
>> I haven’t entered the other information to the global section of the server
>> yet, because I have people using the server. So I just added it to a test
>> share.
>>
>> [Edwards_Public]
>> path = /iscsi-groups/Edwards_Public
>> comment = Edwards_Public
>> guest ok=no
>> oplocks=yes
>> read only = no
>> inherit permissions=no
>> directory mask=0770
>> strict locking=auto
>> create mask=0770
>> force create mode = 0770
>> nt acl support = Yes
>> vfs objects = full_audit
>> vfs objects = fruit streams_xattr
>>
>> I’ve restarted the SMB service and even restarted the whole server to no
>> avail. I keep getting the “Failed to grant privileges for NSD\Domain Admins
>> (NT_STATUS_NO_SUCH_USER)” Error.
>>
>> The only “luck” I’ve had was adding someone like the following:
>> net rpc rights grant "irlbeckt@nsd.newberg.k12.or.us" SeDiskOperatorPrivilege -U "NSD\Administrator"
>>
>> Irlbeckt is not a local user on the system, but an AD user.
>>
>> [root@smbgroups ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U "NSD\administrator"
>> Enter NSD\administrator's password:
>> SeDiskOperatorPrivilege:
>> Unix User\mcparlandj
>> Unix Group\domain admins
>> BUILTIN\Administrators
>> Unix User\irlbeckt
>> Unix User\conek
>>
>> Unfortunately it comes back as “Unix User\irlbeckt” and not “NSD\irlbeckt”
>>
>> So at this point I’m stuck as to how to give the domain admins
>> SeDiskOperatorPrivilege
>>
>> I’d love to hear any ideas. Thanks!
>> Jamie
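A holder check for the privilege listing quoted in this message, as an added example that is not part of the original thread: it parses `net rpc rights list privileges` output and reports which holders resolved to Samba's local `Unix User` / `Unix Group` authorities instead of the expected domain group. The function names and report fields are assumptions made for illustration; the sample input is the listing quoted above.

```python
# Constructed sample: the listing quoted in the thread above.
SAMPLE = """\
SeDiskOperatorPrivilege:
  Unix User\\mcparlandj
  Unix Group\\domain admins
  BUILTIN\\Administrators
  Unix User\\irlbeckt
  Unix User\\conek
"""

# Samba shows SIDs under S-1-22-1 / S-1-22-2 with these authority names,
# meaning the name resolved to a local Unix id rather than a domain SID.
UNIX_AUTHORITIES = {"unix user", "unix group"}


def parse_rights(text):
    """Return {privilege: [(authority, name), ...]} from the listing."""
    rights, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("enter "):  # password prompt
            continue
        if line.endswith(":") and "\\" not in line:  # "SeXxxPrivilege:" header
            current = line[:-1]
            rights[current] = []
        elif current is not None:
            authority, _, name = line.rpartition("\\")
            rights[current].append((authority, name))
    return rights


def audit(rights, privilege, expected):
    """Compare the holders of one privilege with the expected principal."""
    holders = rights.get(privilege, [])
    exp_auth, _, exp_name = expected.rpartition("\\")
    seen = {(a.lower(), n.lower()) for a, n in holders}
    unix = [(a, n) for a, n in holders if a.lower() in UNIX_AUTHORITIES]
    rest = [(a, n) for a, n in holders if a.lower() not in UNIX_AUTHORITIES]
    return {
        "expected_present": (exp_auth.lower(), exp_name.lower()) in seen,
        "unix_mapped": [f"{a}\\{n}" for a, n in unix],
        "other_holders": [f"{a}\\{n}" for a, n in rest],
    }


if __name__ == "__main__":
    parsed = parse_rights(SAMPLE)
    report = audit(parsed, "SeDiskOperatorPrivilege", "NSD\\Domain Admins")
    for field, value in report.items():
        print(f"{field}: {value}")
```

Run against the quoted listing, the report shows the domain group absent and four of the five holders mapped to local Unix ids, which is the mismatch the original poster describes.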