L.P.H. van Belle
2017-Sep-19 09:39 UTC
[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
Hai, I've just read you howto, and its a very good start point. You may have to correct a few small things there, but imo pretty good yes. This :> chown root."domain admins" /SHAREPATHIs/should not needed. setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH ^^^^^^ you did mean setfacl ? But same, yes it works, and better then above, but you may get other problems later on. For example, can you test the following. ( login as domain admin on a domain joined pc ) Start regedit, now can you connect to remote registry with regedit to a server. ( from within file menu, connect to networkregistry ), search a member server name. And connect, did that work without problems? Imho, The op better use : net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U "NSD\Administrator" NSD\Domain Admins is member of BUILTIN\Administrator by default and imo, this is not sufficent for "Administrators" Setting the correct SePrivileges is imo, very important. The is what i set for "BUILTIN\Administrators" , which i took from my Win2008R2 server. (net rpc rights list accounts -U Administrator ) SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege SeInteractiveLogonRight SeNetworkLogonRight SeRemoteInteractiveLogonRight SeDiskOperatorPrivilege In this post is a more complete output of some Seprivileges https://www.spinics.net/lists/samba/msg144117.html Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Jurie Botha via samba > Verzonden: dinsdag 19 september 2017 11:02 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Can't set SeDiskOperatorPrivilege to > Domain Admins. (NT_STATUS_NO_SUCH_USER) Error. > > Why not set your permissions from the windows server via > security tab on folder properties? > > I set up mine the following way: > > smb.conf allows domain admins and domain users full RWX > access to share (actual access controlled via ACLs) > > share perms on linux box > > chown root."domain admins" /SHAREPATH > > setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH > > I then assigned perms and ownership of folders via Windows. > > See my blog - > http://monklinux.blogspot.com/2017/09/how-to-samba-4-file- > server-as-member.html for how I set it up. > > > > > > > On 19 September 2017 at 00:31, Jamie McParland via samba < > samba at lists.samba.org> wrote: > > > > > “Of course we must fear evil men, but there is another evil that we > > must fear more… and that is the indifference of good men.” -- > > Monsignor > > > >> We’ve just recently moved over to Samba 4. It looks as if “force > >> directory security mode” doesn’t work in samba 4. So I’m trying to > >> setup the Windows ACLs on our groups share. > >> > >> I’ve been working on this for a few days. I’ve read over > the docs, it > >> seems like all the google links are purple and I’m still stuck. > >> Hopefully someone here will have an idea. > >> > >> We’re running Windows 2008R2 for our AD server. We’re > running CentOS7 > >> as our smb server. > >> > >> People can login to the share using their AD credentials > and when I > >> run getent group "NSD\Domain Admins”, it returns a list of > people. So > >> I know it’s talking to the AD server ok. > >> > >> The problem is when I run the following command: > >> net rpc rights grant "NSD\Domain Admins" > SeDiskOperatorPrivilege -U > >> "NSD\Administrator" > >> It asks me to the domain admin password Enter NSD\Administrator's > >> password: > >> I enter the password and I get this in response: > >> Failed to grant privileges for NSD\Domain Admins > >> (NT_STATUS_NO_SUCH_USER) > >> > >> I’ve added what I need to, to fstab > >> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4 > >> _netdev,user_xattr,acl 0 0 > >> > >> I’ve added this to the global section: > >> username map = /etc/samba/user.map > >> enable privileges = yes > >> > >> Here is the contents of /etc/samba/user.map: > >> > >> [root at smbgroups ~]# cat /etc/samba/user.map !root = > NSD\Administrator > >> NSD\administrator > >> > >> I haven’t entered the other information to the global > section of the > >> server yet, because I have people using the server. So I > just added > >> it to a test share. > >> > >> [Edwards_Public] > >> path = /iscsi-groups/Edwards_Public > >> comment = Edwards_Public > >> guest ok=no > >> oplocks=yes > >> read only = no > >> inherit permissions=no > >> directory mask=0770 > >> strict locking=auto > >> create mask=0770 > >> force create mode = 0770 > >> nt acl support = Yes > >> vfs objects = full_audit > >> vfs objects = fruit streams_xattr > >> > >> I’ve restarted the SMB service and even restarted the > whole server to > >> no avail. I keep getting the “Failed to grant privileges for > >> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error. > >> > >> The only “luck” I’ve had was adding someone like the following: > >> net rpc rights grant “irlbeckt at nsd.newberg.k12.or.us” > >> SeDiskOperatorPrivilege -U "NSD\Administrator" > >> > >> Irlbeckt is not a local user on the system, but and AD user. > >> > >> [root at smbgroups ~]# net rpc rights list privileges > >> SeDiskOperatorPrivilege -U "NSD\administrator" > >> Enter NSD\administrator's password: > >> SeDiskOperatorPrivilege: > >> Unix User\mcparlandj > >> Unix Group\domain admins > >> BUILTIN\Administrators > >> Unix User\irlbeckt > >> Unix User\conek > >> > >> Unfortunately it comes back as “Unix User\irlbeckt” and > not “NSD\irlbeckt” > >> > >> So at this point I’m stuck as to how to give the domain admins > >> SeDiskOperatorPrivilege > >> > >> I’d love to hear any ideas. Thanks! > >> Jamie > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > > -- > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Jamie McParland
2017-Sep-19 20:13 UTC
[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
Thanks for everyone chiming in on my problem. I really do appreciate it. Just to clarify, I’m working on a share called Edwards_Public. I’m trying to get it so the members of the AD group called do_superintendent are the only people able to read and write any files in that directory. Here is my global config: workgroup = NSD client signing = yes client use spnego = yes kerberos method = secrets and keytab log file = /var/log/samba/%m.log log level = 5 realm = NSD.NEWBERG.K12.OR.US security = ads wide links = yes unix extensions = no obey pam restrictions = yes hide files = /$*/ hide files = /*.tmp hide special files = yes hide dot files = yes veto files = /.DS_Store/ delete veto files = yes Based on the recommendations in this thread I’ve done the following: setfacl -m g:"domain admins":rwx,g:"domain users":rx Edwards_Public net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U "NSD\Administrator" Still not having any luck though. Jurie:>>Why not set your permissions from the windows server via security tab onfolder properties? I would like to do that. My account (mcparlandj) is in the domain admin AD group. But when I use the “Computer Management” application on Windows 7, click properties for the share I want to edit the permissions on and click the Security tab, I see this: “You do not have permission to view or edit this object’s permission settings” If I click on the Share Permissions tab, I’m able to add / remove / modify permissions for “Groups or user names”, but they don’t seem to actually work or do anything. For example, I set the do_superintendent group to allow Full Control, Change, Read. When I login to a windows machine as a user that is a member of the do_superintendent group and I click on the share they should have access to, I get a log and password prompt that pops up. I’m not able to get into that share. Also, another weird thing is after awhile I’ll go back to the “Computer Management” application, click on the Share Permissions tab, all the group names have changed into what look like SID numbers and the little person icon has a red question mark next to it. Lastly, I’ve opened an SSH session to the server, changed into the share in question. Then did an su to the user in the do_superintendent group and tried to create a file. I wasn’t able to. This may be expected behavior though as an ssh session doesn’t use SMB, but I’m grasping at straws trying to figure out what’s wrong. Thanks, Jamie McParland Technology Supervisor - Newberg Public Schools Office - 503•554•5026 Visit our blog for how tos and Tech news. http://www.newberg.k12.or.us/tech/ Tech Help Desk 6:30AM to 3:30PM (503) 554-5044 On Tue, Sep 19, 2017 at 2:39 AM, L.P.H. van Belle via samba < samba at lists.samba.org> wrote:> Hai, > > I've just read you howto, and its a very good start point. > You may have to correct a few small things there, but imo pretty good yes. > > This : > > chown root."domain admins" /SHAREPATH > Is/should not needed. > > setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH > ^^^^^^ you did mean setfacl ? > But same, yes it works, and better then above, but you may get other > problems later on. > > For example, can you test the following. ( login as domain admin on a > domain joined pc ) > Start regedit, now can you connect to remote registry with regedit to a > server. > ( from within file menu, connect to networkregistry ), search a member > server name. > And connect, did that work without problems? > > Imho, The op better use : > net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U > "NSD\Administrator" > NSD\Domain Admins is member of BUILTIN\Administrator by default and imo, > this is not sufficent for "Administrators" > > Setting the correct SePrivileges is imo, very important. > The is what i set for "BUILTIN\Administrators" , which i took from my > Win2008R2 server. > (net rpc rights list accounts -U Administrator ) > SeSecurityPrivilege > SeBackupPrivilege > SeRestorePrivilege > SeSystemtimePrivilege > SeShutdownPrivilege > SeRemoteShutdownPrivilege > SeTakeOwnershipPrivilege > SeDebugPrivilege > SeSystemEnvironmentPrivilege > SeSystemProfilePrivilege > SeProfileSingleProcessPrivilege > SeIncreaseBasePriorityPrivilege > SeLoadDriverPrivilege > SeCreatePagefilePrivilege > SeIncreaseQuotaPrivilege > SeChangeNotifyPrivilege > SeUndockPrivilege > SeManageVolumePrivilege > SeImpersonatePrivilege > SeCreateGlobalPrivilege > SeEnableDelegationPrivilege > SeInteractiveLogonRight > SeNetworkLogonRight > SeRemoteInteractiveLogonRight > SeDiskOperatorPrivilege > > In this post is a more complete output of some Seprivileges > https://www.spinics.net/lists/samba/msg144117.html > > > Greetz, > > Louis > > > > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > > Jurie Botha via samba > > Verzonden: dinsdag 19 september 2017 11:02 > > Aan: samba at lists.samba.org > > Onderwerp: Re: [Samba] Can't set SeDiskOperatorPrivilege to > > Domain Admins. (NT_STATUS_NO_SUCH_USER) Error. > > > > Why not set your permissions from the windows server via > > security tab on folder properties? > > > > I set up mine the following way: > > > > smb.conf allows domain admins and domain users full RWX > > access to share (actual access controlled via ACLs) > > > > share perms on linux box > > > > chown root."domain admins" /SHAREPATH > > > > setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH > > > > I then assigned perms and ownership of folders via Windows. > > > > See my blog - > > http://monklinux.blogspot.com/2017/09/how-to-samba-4-file- > > server-as-member.html for how I set it up. > > > > > > > > > > > > > > On 19 September 2017 at 00:31, Jamie McParland via samba < > > samba at lists.samba.org> wrote: > > > > > > > > “Of course we must fear evil men, but there is another evil that we > > > must fear more… and that is the indifference of good men.” -- > > > Monsignor > > > > > >> We’ve just recently moved over to Samba 4. It looks as if “force > > >> directory security mode” doesn’t work in samba 4. So I’m trying to > > >> setup the Windows ACLs on our groups share. > > >> > > >> I’ve been working on this for a few days. I’ve read over > > the docs, it > > >> seems like all the google links are purple and I’m still stuck. > > >> Hopefully someone here will have an idea. > > >> > > >> We’re running Windows 2008R2 for our AD server. We’re > > running CentOS7 > > >> as our smb server. > > >> > > >> People can login to the share using their AD credentials > > and when I > > >> run getent group "NSD\Domain Admins”, it returns a list of > > people. So > > >> I know it’s talking to the AD server ok. > > >> > > >> The problem is when I run the following command: > > >> net rpc rights grant "NSD\Domain Admins" > > SeDiskOperatorPrivilege -U > > >> "NSD\Administrator" > > >> It asks me to the domain admin password Enter NSD\Administrator's > > >> password: > > >> I enter the password and I get this in response: > > >> Failed to grant privileges for NSD\Domain Admins > > >> (NT_STATUS_NO_SUCH_USER) > > >> > > >> I’ve added what I need to, to fstab > > >> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4 > > >> _netdev,user_xattr,acl 0 0 > > >> > > >> I’ve added this to the global section: > > >> username map = /etc/samba/user.map > > >> enable privileges = yes > > >> > > >> Here is the contents of /etc/samba/user.map: > > >> > > >> [root at smbgroups ~]# cat /etc/samba/user.map !root > > NSD\Administrator > > >> NSD\administrator > > >> > > >> I haven’t entered the other information to the global > > section of the > > >> server yet, because I have people using the server. So I > > just added > > >> it to a test share. > > >> > > >> [Edwards_Public] > > >> path = /iscsi-groups/Edwards_Public > > >> comment = Edwards_Public > > >> guest ok=no > > >> oplocks=yes > > >> read only = no > > >> inherit permissions=no > > >> directory mask=0770 > > >> strict locking=auto > > >> create mask=0770 > > >> force create mode = 0770 > > >> nt acl support = Yes > > >> vfs objects = full_audit > > >> vfs objects = fruit streams_xattr > > >> > > >> I’ve restarted the SMB service and even restarted the > > whole server to > > >> no avail. I keep getting the “Failed to grant privileges for > > >> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error. > > >> > > >> The only “luck” I’ve had was adding someone like the following: > > >> net rpc rights grant “irlbeckt at nsd.newberg.k12.or.us” > > >> SeDiskOperatorPrivilege -U "NSD\Administrator" > > >> > > >> Irlbeckt is not a local user on the system, but and AD user. > > >> > > >> [root at smbgroups ~]# net rpc rights list privileges > > >> SeDiskOperatorPrivilege -U "NSD\administrator" > > >> Enter NSD\administrator's password: > > >> SeDiskOperatorPrivilege: > > >> Unix User\mcparlandj > > >> Unix Group\domain admins > > >> BUILTIN\Administrators > > >> Unix User\irlbeckt > > >> Unix User\conek > > >> > > >> Unfortunately it comes back as “Unix User\irlbeckt” and > > not “NSD\irlbeckt” > > >> > > >> So at this point I’m stuck as to how to give the domain admins > > >> SeDiskOperatorPrivilege > > >> > > >> I’d love to hear any ideas. Thanks! > > >> Jamie > > >> -- > > >> To unsubscribe from this list go to the following URL and read the > > >> instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > > > > > > > -- > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland Penny
2017-Sep-19 20:33 UTC
[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
On Tue, 19 Sep 2017 13:13:45 -0700 Jamie McParland via samba <samba at lists.samba.org> wrote:> Thanks for everyone chiming in on my problem. I really do appreciate > it. > > Just to clarify, I’m working on a share called Edwards_Public. I’m > trying to get it so the members of the AD group called > do_superintendent are the only people able to read and write any > files in that directory. > > Here is my global config: > > workgroup = NSD > client signing = yes > client use spnego = yes > kerberos method = secrets and keytab > log file = /var/log/samba/%m.log > log level = 5 > realm = NSD.NEWBERG.K12.OR.US > security = ads > wide links = yes > unix extensions = no > obey pam restrictions = yes > hide files = /$*/ > hide files = /*.tmp > hide special files = yes > hide dot files = yes > veto files = /.DS_Store/ > delete veto files = yes >If that is the full [global] part of your smb.conf, you have a problem, you don't seem to be using Samba for authentication, are you also using sssd ? Rowland
Jurie Botha
2017-Sep-19 21:31 UTC
[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
>From your Global config I see no IDMAP settings. You need that for Linux torecognize your ad users. See my blog top post for example: Monklinux.blogspot.com Try my configuration, should work perfectly. Soz 4 short reply, typing on phone. Lemme know if it works. Note, pay attention to section under installing samba. On Sep 19, 2017 22:19, "Jamie McParland via samba" <samba at lists.samba.org> wrote:> Thanks for everyone chiming in on my problem. I really do appreciate it. > > Just to clarify, I’m working on a share called Edwards_Public. I’m trying > to get it so the members of the AD group called do_superintendent are the > only people able to read and write any files in that directory. > > Here is my global config: > > workgroup = NSD > client signing = yes > client use spnego = yes > kerberos method = secrets and keytab > log file = /var/log/samba/%m.log > log level = 5 > realm = NSD.NEWBERG.K12.OR.US > security = ads > wide links = yes > unix extensions = no > obey pam restrictions = yes > hide files = /$*/ > hide files = /*.tmp > hide special files = yes > hide dot files = yes > veto files = /.DS_Store/ > delete veto files = yes > > Based on the recommendations in this thread I’ve done the following: > > setfacl -m g:"domain admins":rwx,g:"domain users":rx Edwards_Public > > net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U > "NSD\Administrator" > > Still not having any luck though. > > Jurie: > >>Why not set your permissions from the windows server via security tab on > folder properties? > I would like to do that. My account (mcparlandj) is in the domain admin AD > group. But when I use the “Computer Management” application on Windows 7, > click properties for the share I want to edit the permissions on and click > the Security tab, I see this: > > “You do not have permission to view or edit this object’s permission > settings” > > If I click on the Share Permissions tab, I’m able to add / remove / modify > permissions for “Groups or user names”, but they don’t seem to actually > work or do anything. For example, I set the do_superintendent group to > allow Full Control, Change, Read. When I login to a windows machine as a > user that is a member of the do_superintendent group and I click on the > share they should have access to, I get a log and password prompt that pops > up. I’m not able to get into that share. > > Also, another weird thing is after awhile I’ll go back to the “Computer > Management” application, click on the Share Permissions tab, all the group > names have changed into what look like SID numbers and the little person > icon has a red question mark next to it. > > Lastly, I’ve opened an SSH session to the server, changed into the share in > question. Then did an su to the user in the do_superintendent group and > tried to create a file. I wasn’t able to. This may be expected behavior > though as an ssh session doesn’t use SMB, but I’m grasping at straws trying > to figure out what’s wrong. > > > > > > Thanks, > Jamie McParland > Technology Supervisor - Newberg Public Schools > Office - 503•554•5026 > > Visit our blog for how tos and Tech news. > http://www.newberg.k12.or.us/tech/ > > Tech Help Desk 6:30AM to 3:30PM (503) 554-5044 > > > > > > On Tue, Sep 19, 2017 at 2:39 AM, L.P.H. van Belle via samba < > samba at lists.samba.org> wrote: > > > Hai, > > > > I've just read you howto, and its a very good start point. > > You may have to correct a few small things there, but imo pretty good > yes. > > > > This : > > > chown root."domain admins" /SHAREPATH > > Is/should not needed. > > > > setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH > > ^^^^^^ you did mean setfacl ? > > But same, yes it works, and better then above, but you may get other > > problems later on. > > > > For example, can you test the following. ( login as domain admin on a > > domain joined pc ) > > Start regedit, now can you connect to remote registry with regedit to a > > server. > > ( from within file menu, connect to networkregistry ), search a member > > server name. > > And connect, did that work without problems? > > > > Imho, The op better use : > > net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U > > "NSD\Administrator" > > NSD\Domain Admins is member of BUILTIN\Administrator by default and imo, > > this is not sufficent for "Administrators" > > > > Setting the correct SePrivileges is imo, very important. > > The is what i set for "BUILTIN\Administrators" , which i took from my > > Win2008R2 server. > > (net rpc rights list accounts -U Administrator ) > > SeSecurityPrivilege > > SeBackupPrivilege > > SeRestorePrivilege > > SeSystemtimePrivilege > > SeShutdownPrivilege > > SeRemoteShutdownPrivilege > > SeTakeOwnershipPrivilege > > SeDebugPrivilege > > SeSystemEnvironmentPrivilege > > SeSystemProfilePrivilege > > SeProfileSingleProcessPrivilege > > SeIncreaseBasePriorityPrivilege > > SeLoadDriverPrivilege > > SeCreatePagefilePrivilege > > SeIncreaseQuotaPrivilege > > SeChangeNotifyPrivilege > > SeUndockPrivilege > > SeManageVolumePrivilege > > SeImpersonatePrivilege > > SeCreateGlobalPrivilege > > SeEnableDelegationPrivilege > > SeInteractiveLogonRight > > SeNetworkLogonRight > > SeRemoteInteractiveLogonRight > > SeDiskOperatorPrivilege > > > > In this post is a more complete output of some Seprivileges > > https://www.spinics.net/lists/samba/msg144117.html > > > > > > Greetz, > > > > Louis > > > > > > > > > > > > > -----Oorspronkelijk bericht----- > > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > > > Jurie Botha via samba > > > Verzonden: dinsdag 19 september 2017 11:02 > > > Aan: samba at lists.samba.org > > > Onderwerp: Re: [Samba] Can't set SeDiskOperatorPrivilege to > > > Domain Admins. (NT_STATUS_NO_SUCH_USER) Error. > > > > > > Why not set your permissions from the windows server via > > > security tab on folder properties? > > > > > > I set up mine the following way: > > > > > > smb.conf allows domain admins and domain users full RWX > > > access to share (actual access controlled via ACLs) > > > > > > share perms on linux box > > > > > > chown root."domain admins" /SHAREPATH > > > > > > setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH > > > > > > I then assigned perms and ownership of folders via Windows. > > > > > > See my blog - > > > http://monklinux.blogspot.com/2017/09/how-to-samba-4-file- > > > server-as-member.html for how I set it up. > > > > > > > > > > > > > > > > > > > > > On 19 September 2017 at 00:31, Jamie McParland via samba < > > > samba at lists.samba.org> wrote: > > > > > > > > > > > “Of course we must fear evil men, but there is another evil that we > > > > must fear more… and that is the indifference of good men.” -- > > > > Monsignor > > > > > > > >> We’ve just recently moved over to Samba 4. It looks as if “force > > > >> directory security mode” doesn’t work in samba 4. So I’m trying to > > > >> setup the Windows ACLs on our groups share. > > > >> > > > >> I’ve been working on this for a few days. I’ve read over > > > the docs, it > > > >> seems like all the google links are purple and I’m still stuck. > > > >> Hopefully someone here will have an idea. > > > >> > > > >> We’re running Windows 2008R2 for our AD server. We’re > > > running CentOS7 > > > >> as our smb server. > > > >> > > > >> People can login to the share using their AD credentials > > > and when I > > > >> run getent group "NSD\Domain Admins”, it returns a list of > > > people. So > > > >> I know it’s talking to the AD server ok. > > > >> > > > >> The problem is when I run the following command: > > > >> net rpc rights grant "NSD\Domain Admins" > > > SeDiskOperatorPrivilege -U > > > >> "NSD\Administrator" > > > >> It asks me to the domain admin password Enter NSD\Administrator's > > > >> password: > > > >> I enter the password and I get this in response: > > > >> Failed to grant privileges for NSD\Domain Admins > > > >> (NT_STATUS_NO_SUCH_USER) > > > >> > > > >> I’ve added what I need to, to fstab > > > >> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4 > > > >> _netdev,user_xattr,acl 0 0 > > > >> > > > >> I’ve added this to the global section: > > > >> username map = /etc/samba/user.map > > > >> enable privileges = yes > > > >> > > > >> Here is the contents of /etc/samba/user.map: > > > >> > > > >> [root at smbgroups ~]# cat /etc/samba/user.map !root > > > NSD\Administrator > > > >> NSD\administrator > > > >> > > > >> I haven’t entered the other information to the global > > > section of the > > > >> server yet, because I have people using the server. So I > > > just added > > > >> it to a test share. > > > >> > > > >> [Edwards_Public] > > > >> path = /iscsi-groups/Edwards_Public > > > >> comment = Edwards_Public > > > >> guest ok=no > > > >> oplocks=yes > > > >> read only = no > > > >> inherit permissions=no > > > >> directory mask=0770 > > > >> strict locking=auto > > > >> create mask=0770 > > > >> force create mode = 0770 > > > >> nt acl support = Yes > > > >> vfs objects = full_audit > > > >> vfs objects = fruit streams_xattr > > > >> > > > >> I’ve restarted the SMB service and even restarted the > > > whole server to > > > >> no avail. I keep getting the “Failed to grant privileges for > > > >> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error. > > > >> > > > >> The only “luck” I’ve had was adding someone like the following: > > > >> net rpc rights grant “irlbeckt at nsd.newberg.k12.or.us” > > > >> SeDiskOperatorPrivilege -U "NSD\Administrator" > > > >> > > > >> Irlbeckt is not a local user on the system, but and AD user. > > > >> > > > >> [root at smbgroups ~]# net rpc rights list privileges > > > >> SeDiskOperatorPrivilege -U "NSD\administrator" > > > >> Enter NSD\administrator's password: > > > >> SeDiskOperatorPrivilege: > > > >> Unix User\mcparlandj > > > >> Unix Group\domain admins > > > >> BUILTIN\Administrators > > > >> Unix User\irlbeckt > > > >> Unix User\conek > > > >> > > > >> Unfortunately it comes back as “Unix User\irlbeckt” and > > > not “NSD\irlbeckt” > > > >> > > > >> So at this point I’m stuck as to how to give the domain admins > > > >> SeDiskOperatorPrivilege > > > >> > > > >> I’d love to hear any ideas. Thanks! > > > >> Jamie > > > >> -- > > > >> To unsubscribe from this list go to the following URL and read the > > > >> instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > > > > > > > > > > > > -- > > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Maybe Matching Threads
- Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
- Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
- Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
- Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
- Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.