Jamie McParland
2017-Sep-18 22:31 UTC
[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
We’ve just recently moved over to Samba 4. It looks as if “force directory security mode” doesn’t work in Samba 4. So I’m trying to set up the Windows ACLs on our groups share.

I’ve been working on this for a few days. I’ve read over the docs, it seems like all the google links are purple and I’m still stuck. Hopefully someone here will have an idea.

We’re running Windows 2008R2 for our AD server. We’re running CentOS7 as our smb server.

People can login to the share using their AD credentials and when I run getent group "NSD\Domain Admins", it returns a list of people. So I know it’s talking to the AD server ok.

The problem is when I run the following command:
net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U "NSD\Administrator"
It asks me for the domain admin password
Enter NSD\Administrator's password:
I enter the password and I get this in response:
Failed to grant privileges for NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)

I’ve added what I need to, to fstab
UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4 _netdev,user_xattr,acl 0 0

I’ve added this to the global section:
username map = /etc/samba/user.map
enable privileges = yes

Here is the contents of /etc/samba/user.map:

[root@smbgroups ~]# cat /etc/samba/user.map
!root = NSD\Administrator NSD\administrator

I haven’t entered the other information to the global section of the server yet, because I have people using the server. So I just added it to a test share.

[Edwards_Public]
path = /iscsi-groups/Edwards_Public
comment = Edwards_Public
guest ok=no
oplocks=yes
read only = no
inherit permissions=no
directory mask=0770
strict locking=auto
create mask=0770
force create mode = 0770
nt acl support = Yes
vfs objects = full_audit
vfs objects = fruit streams_xattr

I’ve restarted the SMB service and even restarted the whole server to no avail. I keep getting the “Failed to grant privileges for NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error.

The only “luck” I’ve had was adding someone like the following:
net rpc rights grant "irlbeckt@nsd.newberg.k12.or.us" SeDiskOperatorPrivilege -U "NSD\Administrator"

Irlbeckt is not a local user on the system, but an AD user.

[root@smbgroups ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U "NSD\administrator"
Enter NSD\administrator's password:
SeDiskOperatorPrivilege:
  Unix User\mcparlandj
  Unix Group\domain admins
  BUILTIN\Administrators
  Unix User\irlbeckt
  Unix User\conek

Unfortunately it comes back as “Unix User\irlbeckt” and not “NSD\irlbeckt”

So at this point I’m stuck as to how to give the domain admins SeDiskOperatorPrivilege

I’d love to hear any ideas. Thanks!
Jamie
Rowland Penny
2017-Sep-19 07:58 UTC
[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
On Mon, 18 Sep 2017 15:31:03 -0700 Jamie McParland via samba <samba at lists.samba.org> wrote:

> We’ve just recently moved over to Samba 4. It looks as if “force
> directory security mode” doesn’t work in Samba 4. So I’m trying to
> set up the Windows ACLs on our groups share.
>
> I’ve been working on this for a few days. I’ve read over the docs, it
> seems like all the google links are purple and I’m still stuck.
> Hopefully someone here will have an idea.
>
> We’re running Windows 2008R2 for our AD server. We’re running CentOS7
> as our smb server.
>
> People can login to the share using their AD credentials and when I
> run getent group "NSD\Domain Admins", it returns a list of people. So
> I know it’s talking to the AD server ok.
>
> The problem is when I run the following command:
> net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U
> "NSD\Administrator"
> It asks me for the domain admin password
> Enter NSD\Administrator's password:
> I enter the password and I get this in response:
> Failed to grant privileges for NSD\Domain Admins
> (NT_STATUS_NO_SUCH_USER)
>
> I’ve added what I need to, to fstab
> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4
> _netdev,user_xattr,acl 0 0

Just as an aside (which has nothing to do with your problem) you don't need 'user_xattr,acl', they are part of the ext4 defaults.

>
> I’ve added this to the global section:
> username map = /etc/samba/user.map
> enable privileges = yes
>
> Here is the contents of /etc/samba/user.map:
>
> [root@smbgroups ~]# cat /etc/samba/user.map
> !root = NSD\Administrator NSD\administrator
>
> I haven’t entered the other information to the global section of the
> server yet, because I have people using the server. So I just added
> it to a test share.
>
> [Edwards_Public]
> path = /iscsi-groups/Edwards_Public
> comment = Edwards_Public
> guest ok=no
> oplocks=yes
> read only = no
> inherit permissions=no
> directory mask=0770
> strict locking=auto
> create mask=0770
> force create mode = 0770
> nt acl support = Yes
> vfs objects = full_audit
> vfs objects = fruit streams_xattr

You mentioned above that you are trying to set up Windows ACLs, so why are you using lines that only have meaning if you are using POSIX ACLs?

>
> I’ve restarted the SMB service and even restarted the whole server to
> no avail. I keep getting the “Failed to grant privileges for
> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error.
>
> The only “luck” I’ve had was adding someone like the following:
> net rpc rights grant "irlbeckt@nsd.newberg.k12.or.us"
> SeDiskOperatorPrivilege -U "NSD\Administrator"
>
> Irlbeckt is not a local user on the system, but an AD user.
>
> [root@smbgroups ~]# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "NSD\administrator"
> Enter NSD\administrator's password:
> SeDiskOperatorPrivilege:
>   Unix User\mcparlandj
>   Unix Group\domain admins
>   BUILTIN\Administrators
>   Unix User\irlbeckt
>   Unix User\conek
>
> Unfortunately it comes back as “Unix User\irlbeckt” and not
> “NSD\irlbeckt”
>
> So at this point I’m stuck as to how to give the domain admins
> SeDiskOperatorPrivilege
>
> I’d love to hear any ideas. Thanks!
> Jamie

Can you post the [global] section of your smb.conf?

Rowland
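
An added example, not part of either post: a small Python check over the share definition quoted in this thread, reporting parameters that are set twice (smb.conf keeps only the last value, so the posted share loads fruit and streams_xattr but not full_audit) and POSIX mode-mask parameters. Which parameters count as POSIX-only is an assumption made here; the reply above does not name them.

```python
import re

# Constructed sample: the test share as posted in the thread.
SAMPLE = """\
[Edwards_Public]
path = /iscsi-groups/Edwards_Public
comment = Edwards_Public
guest ok=no
oplocks=yes
read only = no
inherit permissions=no
directory mask=0770
strict locking=auto
create mask=0770
force create mode = 0770
nt acl support = Yes
vfs objects = full_audit
vfs objects = fruit streams_xattr
"""

# Assumption: treated here as POSIX mode settings to review on a Windows-ACL share.
MODE_PARAMS = {"create mask", "directory mask", "force create mode", "force directory mode"}

def parse_shares(text):
    """Return {section: [(param, value), ...]}, keeping duplicates in file order."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = shares.setdefault(m.group(1).strip(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Parameter names are case- and whitespace-insensitive in smb.conf.
            current.append((" ".join(key.lower().split()), value.strip()))
    return shares

def lint_share(params):
    """Return (effective settings, findings) for one share's parameter list."""
    effective, findings = {}, []
    for key, value in params:
        if key in effective:  # an earlier value is silently replaced by this one
            findings.append(("overridden", key, effective[key]))
        effective[key] = value
    for key in sorted(MODE_PARAMS & effective.keys()):
        findings.append(("posix-mode", key, effective[key]))
    return effective, findings
```
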