samba - Sep 2017 - Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

On Tue, 19 Sep 2017 13:13:45 -0700
Jamie McParland via samba <samba at lists.samba.org> wrote:
> Thanks for everyone chiming in on my problem. I really do appreciate
> it.
> 
> Just to clarify, I’m working on a share called Edwards_Public. I’m
> trying to get it so the members of the AD group called
> do_superintendent are the only people able to read and write any
> files in that directory.
> 
> Here is my global config:
> 
> workgroup = NSD
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> log level = 5
> realm = NSD.NEWBERG.K12.OR.US
> security = ads
> wide links = yes
> unix extensions = no
> obey pam restrictions = yes
> hide files = /$*/
> hide files = /*.tmp
> hide special files = yes
> hide dot files = yes
> veto files = /.DS_Store/
> delete veto files = yes
> 
If that is the full [global] part of your smb.conf, you have a problem,
you don't seem to be using Samba for authentication, are you also using
sssd ?

Rowland

Yes, I’m using sssd.
> On Sep 19, 2017, at 1:33 PM, Rowland Penny <rpenny at samba.org>
wrote:
> 
> On Tue, 19 Sep 2017 13:13:45 -0700
> Jamie McParland via samba <samba at lists.samba.org> wrote:
> 
>> Thanks for everyone chiming in on my problem. I really do appreciate
>> it.
>> 
>> Just to clarify, I’m working on a share called Edwards_Public. I’m
>> trying to get it so the members of the AD group called
>> do_superintendent are the only people able to read and write any
>> files in that directory.
>> 
>> Here is my global config:
>> 
>> workgroup = NSD
>> client signing = yes
>> client use spnego = yes
>> kerberos method = secrets and keytab
>> log file = /var/log/samba/%m.log
>> log level = 5
>> realm = NSD.NEWBERG.K12.OR.US
>> security = ads
>> wide links = yes
>> unix extensions = no
>> obey pam restrictions = yes
>> hide files = /$*/
>> hide files = /*.tmp
>> hide special files = yes
>> hide dot files = yes
>> veto files = /.DS_Store/
>> delete veto files = yes
>> 
> 
> If that is the full [global] part of your smb.conf, you have a problem,
> you don't seem to be using Samba for authentication, are you also using
> sssd ?
> 
> Rowland

On Tue, 19 Sep 2017 14:25:06 -0700
Jamie Mcparland <mcparlandj at newberg.k12.or.us> wrote:
> Yes, I’m using sssd.
> 
Then Samba isn't doing the authentication, so you are asking your
question in the wrong place. Try asking on the sssd-users mailing list.

Either that are change to using winbind instead, you will find the info
on how to do that here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland