On Wed, May 26, 2021 at 2:04 PM Nick Couchman via samba <samba at lists.samba.org> wrote:
> Hello, everyone,
> I'm wondering if it is possible to use the Computer Management MMC in
> modern versions of Windows to view "Sessions" and "Open Files" on a Samba
> server? Currently when I try to access either Sessions or Open Files I get
> the following error messages:
>
> Sessions: You do not have permissions to see the list of sessions from
> Windows clients.
> Open Files: You do not have permissions to see the list of files opened by
> Windows clients.
>
> I've done some Google searching on this issue and found a couple of
> suggestions:
> 1) Grant the user (or group) the SeDiskOperatorPrivilege on the Samba
> server.
> 2) Per a mailing list thread from 2017, create a username map and map the
> users who need this capability to "root" (
> https://lists.samba.org/archive/samba/2017-December/212608.html).
>
> Item 1 seems to have no effect at all - errors are the same - and for item
> 2, when I run "smbstatus" I can see the username and group both set to
> "root", but I still get the error messages.
>
> Any hints or suggestions on what to look at - or if this is even possible?
>
> -Nick

I typically do this sort of thing as follows (assuming no AD) -- caveat,
example is on FreeBSD:

1) create local group
root@:/usr/ports/net/samba # pw groupadd smb_admins

2) create groupmap and get new sid
root@:/usr/ports/net/samba # net groupmap add unixgroup=smb_admins ntgroup=smb_admins
No rid or sid specified, choosing a RID
Got RID 1002
root@:/usr/ports/net/samba # net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
smb_admins (S-1-5-21-3928159180-3161166842-2405926743-1002) -> smb_admins

4) add new sid as a foreign group for BUILTIN\Administrators and verify
root@:/usr/ports/net/samba # net groupmap addmem S-1-5-32-544 S-1-5-21-3928159180-3161166842-2405926743-1002
root@:/usr/ports/net/samba # net groupmap listmem S-1-5-32-544
S-1-5-21-3928159180-3161166842-2405926743-1002

5) add user to the admin group
root@:/usr/ports/net/samba # pw usermod smbuser -G smb_admins
root@:/usr/ports/net/samba # id smbuser
uid=1002(smbuser) gid=1002(smbuser) groups=1002(smbuser),1003(smb_admins)

This sort of strategy allows you to control this access via group
membership for a local Unix group, but the same can be achieved through
`net rpc rights grant <username> <privilege> -U root`.
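
An added audit check for the nesting step above (not part of the original message): it joins saved `net groupmap list` and `net groupmap listmem S-1-5-32-544` output and flags any member of BUILTIN\Administrators that is not an expected Unix group. The sample text is constructed in the format shown in the message; the function names and the allowlist are assumptions.

```shell
#!/bin/sh
# Added example: list what is nested in BUILTIN\Administrators (S-1-5-32-544)
# and flag anything outside an expected set of Unix groups.

# Constructed sample of `net groupmap list` output (format as in the message).
sample_groupmap_list() {
cat <<'EOF'
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
smb_admins (S-1-5-21-3928159180-3161166842-2405926743-1002) -> smb_admins
EOF
}

# Constructed sample of `net groupmap listmem S-1-5-32-544` output.
sample_listmem() {
  echo 'S-1-5-21-3928159180-3161166842-2405926743-1002'
}

# admin_members LIST_FILE MEM_FILE
# Prints "SID<TAB>unix-group" for each member SID; UNMAPPED if no groupmap entry.
admin_members() {
  awk '
    FILENAME == ARGV[1] {
      # Line shape: "NT name (SID) -> unix group"
      if (match($0, /\(S-[0-9-]+\) -> /)) {
        sid = substr($0, RSTART + 1, RLENGTH - 6)
        map[sid] = substr($0, RSTART + RLENGTH)
      }
      next
    }
    /^S-[0-9-]+$/ { printf "%s\t%s\n", $0, (($0 in map) ? map[$0] : "UNMAPPED") }
  ' "$1" "$2"
}

# unexpected_admins LIST_FILE MEM_FILE ALLOWED_UNIX_GROUP...
# Prints members not in the allowlist; returns 1 if any were found.
unexpected_admins() {
  list=$1; mem=$2; shift 2
  allowed=" $* "; rc=0
  while IFS="$(printf '\t')" read -r sid unix; do
    [ -n "$sid" ] || continue
    case "$allowed" in
      *" $unix "*) ;;
      *) printf '%s\t%s\n' "$sid" "$unix"; rc=1 ;;
    esac
  done <<EOF
$(admin_members "$list" "$mem")
EOF
  return $rc
}
```

On a live server, save the output of the two `net groupmap` commands to files and pass them as the first two arguments, followed by the Unix groups that are meant to hold administrator rights.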