Sebastian Gabbert
2014-Jun-12 18:26 UTC
[Samba] samba4.1 as domain member in a domain where I'm not admin
Hi,

I bet this question was asked several times, but I'm honestly not able to find a solution.

My samba4.1 (running on FreeBSD10) is part of a larger network/AD where I only have very restricted rights. Our network consists of a "toplevel" AD domain (top.foo.bar) and several "subdomains" (in my case: sub1.top.foo.bar), which have their own domain controllers (MS Windows Server 2008R2). I only have rights to add domain members to sub1.top.foo.bar. All user accounts are top.foo.bar\users.

I followed this tutorial ( https://wiki.samba.org/index.php/Samba4/Domain_Member ), which worked perfectly for adding the server to the domain and retrieving users/groups and so on (via wbinfo). My samba server was added to my AD subtree.

Now I wanted to add a share and followed this tutorial: https://wiki.samba.org/index.php/Setup_and_configure_file_shares

I tried to grant the SeDiskOperatorPrivilege to my domain user TOP\myUser. First net rpc tried to connect to 127.0.0.1, so I added -Smy-pdc.sub1.top.foo.bar, which resulted in:

    net rpc rights grant 'TOP\myUser' SeDiskOperatorPrivilege -U'TOP\myUser' -Smy-pdc.sub1.top.foo.bar
    Failed to grant privileges for 'TOP\myUser' (NT_STATUS_ACCESS_DENIED)

Then I stumbled across
http://samba.2283325.n4.nabble.com/Using-Local-Groups-with-AD-Domain-Users-for-Samba-Shares-td4639133.html
https://groups.google.com/forum/#!topic/linux.samba/g0HfGnA_vns
which suggested adding a local group, adding my domain user to that, and granting this group the privileges. I tried this in several ways: I added a custom group and added my domain user; I added a domain group my user is a member of; I added this group and my user to BUILTIN\Administrators; I granted Administrators, the domain group and my domain user all the privileges via net sam, which seemed to work. I still get a permission denied in my Windows computer management.

I would be very happy for a hint in the right direction.
Getting started with samba4 seems to be a little bit more complicated than I first thought :)

Thanks and best regards
Sebastian

P.S. here is my smb.conf

    [global]
        netbiosname = marx-new
        workgroup = SUB1
        security = ADS
        realm = TOP.FOO.BAR
        encrypt passwords = yes
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config FAK6:backend = ad
        idmap config FAK6:schema_mode = rfc2307
        idmap config FAK6:range = 500-40000
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        nsupdate command = /usr/local/bin/samba-nsupdate -g
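As an added example (not from the post or from the Samba project), a small Python checker for the idmap part of a domain member's smb.conf like the one above: it parses the "idmap config DOMAIN:option" lines, verifies that every domain has a backend and a non-overlapping range, and flags idmap domain names that are neither "*" nor the workgroup, because a domain with no stanza of its own is mapped through the "*" backend instead. The sample config is the post's [global] section reformatted; "wbinfo -m" is the real command that lists the domains winbind sees.

```python
"""Added check: parse the idmap stanzas of an smb.conf and flag inconsistencies."""
import re

# Constructed sample: the [global] section from the post, one parameter per line.
SMB_CONF = """[global]
netbiosname = marx-new
workgroup = SUB1
security = ADS
realm = TOP.FOO.BAR
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config FAK6:backend = ad
idmap config FAK6:schema_mode = rfc2307
idmap config FAK6:range = 500-40000
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

def parse_global(conf):
    """Return ({param: value}, {DOMAIN: {option: value}}) from the config text."""
    params, idmap = {}, {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif "=" in line and not line.lstrip().startswith(("[", "#", ";")):
            key, value = line.split("=", 1)
            params[key.strip().lower().replace(" ", "")] = value.strip()  # Samba ignores case/spaces
    return params, idmap

def check_idmap(conf):
    """Return a list of findings; an empty list means the idmap config looks consistent."""
    params, idmap = parse_global(conf)
    workgroup = params.get("workgroup", "").upper()
    findings, ranges = [], []
    for dom, cfg in idmap.items():
        if "backend" not in cfg:
            findings.append(f"{dom}: no backend configured")
        if "range" not in cfg:
            findings.append(f"{dom}: no range configured")
            continue
        lo, hi = (int(x) for x in re.split(r"\s*-\s*", cfg["range"]))
        ranges.append((dom, lo, hi))
        if dom not in ("*", workgroup):  # a trusted domain's NetBIOS name, or a typo
            findings.append(f"{dom}: neither '*' nor workgroup {workgroup}; compare with wbinfo -m")
    prev_hi = -1
    for dom, lo, hi in sorted(ranges, key=lambda r: r[1]):  # ascending by low end
        if lo <= prev_hi:
            findings.append(f"{dom}: range {lo}-{hi} overlaps another idmap range")
        prev_hi = max(prev_hi, hi)
    if workgroup and workgroup not in idmap:
        findings.append(f"no 'idmap config {workgroup}:*' stanza; {workgroup} falls back to the '*' backend")
    return findings
```

Run against the sample it reports two findings: FAK6 matches neither "*" nor the workgroup SUB1, and SUB1 itself has no idmap stanza.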