[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Jamie McParland mcparlandj at newberg.k12.or.us
Mon Sep 18 22:31:03 UTC 2017 

We’ve just recently moved over to Samba 4. It looks as if “force directory
security mode” doesn’t work in samba 4. So I’m trying to setup the Windows
ACLs on our groups share.

I’ve been working on this for a few days. I’ve read over the docs, it seems
like all the google links are purple and I’m still stuck. Hopefully someone
here will have an idea.

We’re running Windows 2008R2 for our AD server. We’re running CentOS7 as
our smb server.

People can login to the share using their AD credentials and when I run
getent group "NSD\Domain Admins”, it returns a list of people. So I know
it’s talking to the AD server ok.

The problem is when I run the following command:
net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U
"NSD\Administrator"
It asks me to the domain admin password
Enter NSD\Administrator's password:
I enter the password and I get this in response:
Failed to grant privileges for NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)

I’ve added what I need to, to fstab
UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4
_netdev,user_xattr,acl 0 0

I’ve added this to the global section:
username map = /etc/samba/user.map
enable privileges = yes

Here is the contents of /etc/samba/user.map:

[root at smbgroups ~]# cat /etc/samba/user.map
!root = NSD\Administrator NSD\administrator

I haven’t entered the other information to the global section of the server
yet, because I have people using the server. So I just added it to a test
share.

[Edwards_Public]
path = /iscsi-groups/Edwards_Public
comment = Edwards_Public
guest ok=no
oplocks=yes
read only = no
inherit permissions=no
directory mask=0770
strict locking=auto
create mask=0770
force create mode = 0770
nt acl support = Yes
vfs objects = full_audit
vfs objects = fruit streams_xattr

I’ve restarted the SMB service and even restarted the whole server to no
avail. I keep getting the “Failed to grant privileges for NSD\Domain Admins
(NT_STATUS_NO_SUCH_USER)” Error.

The only “luck” I’ve had was adding someone like the following:
net rpc rights grant “irlbeckt at nsd.newberg.k12.or.us”
SeDiskOperatorPrivilege -U "NSD\Administrator"

Irlbeckt is not a local user on the system, but and AD user.

[root at smbgroups ~]# net rpc rights list privileges SeDiskOperatorPrivilege
-U "NSD\administrator"
Enter NSD\administrator's password:
SeDiskOperatorPrivilege:
  Unix User\mcparlandj
  Unix Group\domain admins
  BUILTIN\Administrators
  Unix User\irlbeckt
  Unix User\conek

Unfortunately it comes back as “Unix User\irlbeckt” and not “NSD\irlbeckt”

So at this point I’m stuck as to how to give the domain admins
SeDiskOperatorPrivilege

I’d love to hear any ideas. Thanks!
Jamie

More information about the samba mailing list