[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Rowland Penny rpenny at samba.org
Tue Sep 19 07:58:37 UTC 2017

On Mon, 18 Sep 2017 15:31:03 -0700
Jamie McParland via samba <samba at lists.samba.org> wrote:

> We’ve just recently moved over to Samba 4. It looks as if “force
> directory security mode” doesn’t work in samba 4. So I’m trying to
> set up the Windows ACLs on our groups share.
> I’ve been working on this for a few days. I’ve read over the docs, it
> seems like all the google links are purple and I’m still stuck.
> Hopefully someone here will have an idea.
> We’re running Windows 2008R2 for our AD server. We’re running CentOS7
> as our smb server.
> People can log in to the share using their AD credentials and when I
> run getent group "NSD\Domain Admins", it returns a list of people. So
> I know it’s talking to the AD server ok.
> The problem is when I run the following command:
> net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U "NSD\Administrator"
> It asks me for the domain admin password
> Enter NSD\Administrator's password:
> I enter the password and I get this in response:
> Failed to grant privileges for NSD\Domain Admins
> I’ve added what I need to, to fstab
> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4 _netdev,user_xattr,acl 0 0

Just as an aside (which has nothing to do with your problem) you don't
need 'user_xattr,acl', they are part of the ext4 defaults.

> I’ve added this to the global section:
> username map = /etc/samba/user.map
> enable privileges = yes
> Here is the contents of /etc/samba/user.map:
> [root@smbgroups ~]# cat /etc/samba/user.map
> !root = NSD\Administrator NSD\administrator
> I haven’t entered the other information to the global section of the
> server yet, because I have people using the server. So I just added
> it to a test share.
> [Edwards_Public]
> path = /iscsi-groups/Edwards_Public
> comment = Edwards_Public
> guest ok=no
> oplocks=yes
> read only = no
> inherit permissions=no
> directory mask=0770
> strict locking=auto
> create mask=0770
> force create mode = 0770
> nt acl support = Yes
> vfs objects = full_audit
> vfs objects = fruit streams_xattr

You mentioned above that you are trying to set up Windows ACLs, so why
are you using lines that only have meaning if you are using POSIX ACLs?

> I’ve restarted the SMB service and even restarted the whole server to
> no avail. I keep getting the “Failed to grant privileges for
> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error.
> The only “luck” I’ve had was adding someone like the following:
> net rpc rights grant “irlbeckt at nsd.newberg.k12.or.us> SeDiskOperatorPrivilege -U "NSD\Administrator"
> Irlbeckt is not a local user on the system, but an AD user.
> [root@smbgroups ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U "NSD\administrator"
> Enter NSD\administrator's password:
> SeDiskOperatorPrivilege:
>   Unix User\mcparlandj
>   Unix Group\domain admins
>   BUILTIN\Administrators
>   Unix User\irlbeckt
>   Unix User\conek
> Unfortunately it comes back as “Unix User\irlbeckt” and not
> “NSD\irlbeckt”
> So at this point I’m stuck as to how to give the domain admins
> SeDiskOperatorPrivilege
> I’d love to hear any ideas. Thanks!
> Jamie

Can you post your [global] section of your smb.conf?

