samba - Sep 2017 - Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

We’ve just recently moved over to Samba 4. It looks as if “force directory
security mode” doesn’t work in samba 4. So I’m trying to setup the Windows
ACLs on our groups share.

I’ve been working on this for a few days. I’ve read over the docs, it seems
like all the google links are purple and I’m still stuck. Hopefully someone
here will have an idea.

We’re running Windows 2008R2 for our AD server. We’re running CentOS7 as
our smb server.

People can login to the share using their AD credentials and when I run
getent group "NSD\Domain Admins”, it returns a list of people. So I know
it’s talking to the AD server ok.

The problem is when I run the following command:
net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U
"NSD\Administrator"
It asks me to the domain admin password
Enter NSD\Administrator's password:
I enter the password and I get this in response:
Failed to grant privileges for NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)

I’ve added what I need to, to fstab
UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4
_netdev,user_xattr,acl 0 0

I’ve added this to the global section:
username map = /etc/samba/user.map
enable privileges = yes

Here is the contents of /etc/samba/user.map:

[root at smbgroups ~]# cat /etc/samba/user.map
!root = NSD\Administrator NSD\administrator

I haven’t entered the other information to the global section of the server
yet, because I have people using the server. So I just added it to a test
share.

[Edwards_Public]
path = /iscsi-groups/Edwards_Public
comment = Edwards_Public
guest ok=no
oplocks=yes
read only = no
inherit permissions=no
directory mask=0770
strict locking=auto
create mask=0770
force create mode = 0770
nt acl support = Yes
vfs objects = full_audit
vfs objects = fruit streams_xattr

I’ve restarted the SMB service and even restarted the whole server to no
avail. I keep getting the “Failed to grant privileges for NSD\Domain Admins
(NT_STATUS_NO_SUCH_USER)” Error.

The only “luck” I’ve had was adding someone like the following:
net rpc rights grant “irlbeckt at nsd.newberg.k12.or.us”
SeDiskOperatorPrivilege -U "NSD\Administrator"

Irlbeckt is not a local user on the system, but and AD user.

[root at smbgroups ~]# net rpc rights list privileges SeDiskOperatorPrivilege
-U "NSD\administrator"
Enter NSD\administrator's password:
SeDiskOperatorPrivilege:
  Unix User\mcparlandj
  Unix Group\domain admins
  BUILTIN\Administrators
  Unix User\irlbeckt
  Unix User\conek

Unfortunately it comes back as “Unix User\irlbeckt” and not “NSD\irlbeckt”

So at this point I’m stuck as to how to give the domain admins
SeDiskOperatorPrivilege

I’d love to hear any ideas. Thanks!
Jamie

On Mon, 18 Sep 2017 15:31:03 -0700
Jamie McParland via samba <samba at lists.samba.org> wrote:
> We’ve just recently moved over to Samba 4. It looks as if “force
> directory security mode” doesn’t work in samba 4. So I’m trying to
> setup the Windows ACLs on our groups share.
> 
> I’ve been working on this for a few days. I’ve read over the docs, it
> seems like all the google links are purple and I’m still stuck.
> Hopefully someone here will have an idea.
> 
> We’re running Windows 2008R2 for our AD server. We’re running CentOS7
> as our smb server.
> 
> People can login to the share using their AD credentials and when I
> run getent group "NSD\Domain Admins”, it returns a list of people. So
> I know it’s talking to the AD server ok.
> 
> The problem is when I run the following command:
> net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege
-U
> "NSD\Administrator"
> It asks me to the domain admin password
> Enter NSD\Administrator's password:
> I enter the password and I get this in response:
> Failed to grant privileges for NSD\Domain Admins
> (NT_STATUS_NO_SUCH_USER)
> 
> I’ve added what I need to, to fstab
> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4
> _netdev,user_xattr,acl 0 0
Just as an aside (which has nothing to do with your problem) you don't
need 'user_xattr,acl', they are part of the ext4 defaults.
> 
> I’ve added this to the global section:
> username map = /etc/samba/user.map
> enable privileges = yes
> 
> Here is the contents of /etc/samba/user.map:
> 
> [root at smbgroups ~]# cat /etc/samba/user.map
> !root = NSD\Administrator NSD\administrator
> 
> I haven’t entered the other information to the global section of the
> server yet, because I have people using the server. So I just added
> it to a test share.
> 
> [Edwards_Public]
> path = /iscsi-groups/Edwards_Public
> comment = Edwards_Public
> guest ok=no
> oplocks=yes
> read only = no
> inherit permissions=no
> directory mask=0770
> strict locking=auto
> create mask=0770
> force create mode = 0770
> nt acl support = Yes
> vfs objects = full_audit
> vfs objects = fruit streams_xattr
You mentioned above that you are trying to setup Windows ACLs, so why
are you using lines that only have meaning if you are using POSIX ACLs ?
> 
> I’ve restarted the SMB service and even restarted the whole server to
> no avail. I keep getting the “Failed to grant privileges for
> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error.
> 
> The only “luck” I’ve had was adding someone like the following:
> net rpc rights grant “irlbeckt at nsd.newberg.k12.or.us”
> SeDiskOperatorPrivilege -U "NSD\Administrator"
> 
> Irlbeckt is not a local user on the system, but and AD user.
> 
> [root at smbgroups ~]# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "NSD\administrator"
> Enter NSD\administrator's password:
> SeDiskOperatorPrivilege:
>   Unix User\mcparlandj
>   Unix Group\domain admins
>   BUILTIN\Administrators
>   Unix User\irlbeckt
>   Unix User\conek
> 
> Unfortunately it comes back as “Unix User\irlbeckt” and not
> “NSD\irlbeckt”
> 
> So at this point I’m stuck as to how to give the domain admins
> SeDiskOperatorPrivilege
> 
> I’d love to hear any ideas. Thanks!
> Jamie
Can you post your [global] section of your smb.conf

Rowland