[Samba] Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Jamie McParland mcparlandj at newberg.k12.or.us
Tue Sep 19 20:13:45 UTC 2017


Thanks for everyone chiming in on my problem. I really do appreciate it.

Just to clarify, I’m working on a share called Edwards_Public. I’m trying
to get it so the members of the AD group called do_superintendent are the
only people able to read and write any files in that directory.

Here is my global config:

workgroup = NSD
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
log level = 5
realm = NSD.NEWBERG.K12.OR.US
security = ads
wide links = yes
unix extensions = no
obey pam restrictions = yes
hide files = /$*/
hide files = /*.tmp
hide special files = yes
hide dot files = yes
veto files = /.DS_Store/
delete veto files = yes

Based on the recommendations in this thread I’ve done the following:

setfacl -m g:"domain admins":rwx,g:"domain users":rx Edwards_Public

net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U
"NSD\Administrator"

Still not having any luck though.

Jurie:
>> Why not set your permissions from the windows server via security tab on
>> folder properties?
I would like to do that. My account (mcparlandj) is in the domain admin AD
group. But when I use the “Computer Management” application on Windows 7,
click properties for the share I want to edit the permissions on and click
the Security tab, I see this:

“You do not have permission to view or edit this object’s permission
settings”

If I click on the Share Permissions tab, I’m able to add / remove / modify
permissions for “Groups or user names”, but they don’t seem to actually
work or do anything. For example, I set the do_superintendent group to
allow Full Control, Change, Read. When I login to a windows machine as a
user that is a member of the do_superintendent group and I click on the
share they should have access to, I get a login and password prompt that pops
up. I’m not able to get into that share.

Also, another weird thing is after a while I’ll go back to the “Computer
Management” application, click on the Share Permissions tab, all the group
names have changed into what look like SID numbers and the little person
icon has a red question mark next to it.

Lastly, I’ve opened an SSH session to the server, changed into the share in
question. Then did an su to the user in the do_superintendent group and
tried to create a file. I wasn’t able to. This may be expected behavior
though as an ssh session doesn’t use SMB, but I’m grasping at straws trying
to figure out what’s wrong.
Thanks,
Jamie McParland
Technology Supervisor - Newberg Public Schools
Office - 503•554•5026

Visit our blog for how-tos and Tech news.
http://www.newberg.k12.or.us/tech/

Tech Help Desk 6:30AM to 3:30PM (503) 554-5044
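Two offline checks for the configuration and command output posted in this thread, written here as an added example (not code from the thread, from Jamie, or from the Samba project). The first reads an smb.conf and reports parameters set more than once inside one section: Samba keeps the last occurrence, so in the posted share `vfs objects = full_audit` is overridden by `vfs objects = fruit streams_xattr`, and in [global] the first `hide files` line is overridden by the second. The second parses the output of `net rpc rights list privileges <privilege>` and reports which holders sit in the `Unix User` / `Unix Group` pseudo-domains (the S-1-22-1 and S-1-22-2 SIDs Samba uses for Unix uids and gids that were not resolved to a domain SID), which is the symptom Jamie describes for irlbeckt. The sample config and listing are constructed from the snippets in the thread; the function names `smbconf_duplicates`, `privilege_holders` and `has_privilege` are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Two offline
# checks for the situation discussed above; the samples below are
# constructed from the snippets posted in the thread.

# Constructed sample smb.conf, built from the [global] and
# [Edwards_Public] fragments posted in the thread.
SAMPLE_SMBCONF='[global]
workgroup = NSD
security = ads
hide files = /$*/
hide files = /*.tmp
enable privileges = yes

[Edwards_Public]
path = /iscsi-groups/Edwards_Public
read only = no
vfs objects = full_audit
vfs objects = fruit streams_xattr
'

# Constructed sample of "net rpc rights list privileges
# SeDiskOperatorPrivilege" output, as posted in the thread.
SAMPLE_RIGHTS='SeDiskOperatorPrivilege:
  Unix User\mcparlandj
  Unix Group\domain admins
  BUILTIN\Administrators
  Unix User\irlbeckt
  Unix User\conek
'

# smbconf_duplicates: read an smb.conf on stdin and print, for every
# parameter set more than once inside one section,
#   <section>:<parameter> last value wins: <value>
# Samba keeps only the last occurrence, so earlier values (here the
# full_audit VFS module and the first hide files pattern) are silently lost.
smbconf_duplicates() {
    awk '
        /^[[:space:]]*\[/ {                       # section header
            section = $0
            sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }   # comments, blanks
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            key = tolower(key); gsub(/[[:space:]]+/, " ", key)   # "VFS  Objects" == "vfs objects"
            id = section ":" key
            count[id]++; last[id] = val
        }
        END {
            for (id in count)
                if (count[id] > 1) printf "%s last value wins: %s\n", id, last[id]
        }
    ' | sort
}

# privilege_holders [unix]: read "net rpc rights list privileges <priv>"
# output on stdin and print one holder per line. With the argument "unix",
# print only holders in the Unix User / Unix Group pseudo-domains, i.e. the
# S-1-22-1 (uid) and S-1-22-2 (gid) SIDs Samba uses when an account was not
# resolved to a domain SID; in the thread those are the entries that were
# expected to read NSD\<name>.
privilege_holders() {
    MODE="${1:-}" awk '
        /^[^[:space:]].*:$/ { next }              # "SeDiskOperatorPrivilege:" header
        /^[[:space:]]+[^[:space:]]/ {
            name = $0; sub(/^[[:space:]]+/, "", name)
            if (ENVIRON["MODE"] != "unix" || name ~ /^Unix (User|Group)\\/) print name
        }
    '
}

# has_privilege NAME: succeed if NAME (compared case-insensitively) is listed
# as a holder in the listing on stdin, fail otherwise. NAME is passed through
# the environment so backslashes in DOMAIN\name survive untouched.
has_privilege() {
    privilege_holders | WANT="$1" awk '
        BEGIN { want = tolower(ENVIRON["WANT"]) }
        tolower($0) == want { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Stand-alone run over the constructed samples.
printf '%s' "$SAMPLE_SMBCONF" | smbconf_duplicates
printf '%s' "$SAMPLE_RIGHTS" | privilege_holders unix
if printf '%s' "$SAMPLE_RIGHTS" | has_privilege 'NSD\Domain Admins'; then
    printf '%s\n' 'NSD\Domain Admins holds SeDiskOperatorPrivilege'
else
    printf '%s\n' 'NSD\Domain Admins does NOT hold SeDiskOperatorPrivilege'
fi
```

On a real member server the same functions take live input, e.g. `smbconf_duplicates < /etc/samba/smb.conf` and `net rpc rights list privileges SeDiskOperatorPrivilege -U 'NSD\Administrator' | privilege_holders unix`; `testparm` also collapses duplicates to the effective value, so comparing its output with the raw file shows which lines were dropped.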
On Tue, Sep 19, 2017 at 2:39 AM, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

> Hai,
>
> I've just read your howto, and it's a very good starting point.
> You may have to correct a few small things there, but imo pretty good yes.
>
> This :
> > chown root."domain admins" /SHAREPATH
> Is/should not be needed.
>
> setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
> ^^^^^^ you did mean setfacl ?
> But same, yes it works, and better than above, but you may get other
> problems later on.
>
> For example, can you test the following. ( login as domain admin on a
> domain joined pc )
> Start regedit, now can you connect to remote registry with regedit to a
> server.
> ( from within file menu, connect to networkregistry ), search a member
> server name.
> And connect, did that work without problems?
>
> Imho, the OP had better use:
> net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U
> "NSD\Administrator"
> NSD\Domain Admins is a member of BUILTIN\Administrators by default and imo,
> this is not sufficient for "Administrators"
>
> Setting the correct SePrivileges is imo, very important.
> This is what I set for "BUILTIN\Administrators", which I took from my
> Win2008R2 server.
> (net rpc rights list accounts -U Administrator )
> SeSecurityPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeSystemtimePrivilege
> SeShutdownPrivilege
> SeRemoteShutdownPrivilege
> SeTakeOwnershipPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege
> SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege
> SeLoadDriverPrivilege
> SeCreatePagefilePrivilege
> SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> SeUndockPrivilege
> SeManageVolumePrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
> SeInteractiveLogonRight
> SeNetworkLogonRight
> SeRemoteInteractiveLogonRight
> SeDiskOperatorPrivilege
>
> In this post is a more complete output of some Seprivileges
> https://www.spinics.net/lists/samba/msg144117.html
>
>
> Greetz,
>
> Louis
>
>
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Jurie Botha via samba
> > Sent: Tuesday 19 September 2017 11:02
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Can't set SeDiskOperatorPrivilege to
> > Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
> >
> > Why not set your permissions from the windows server via
> > security tab on folder properties?
> >
> > I set up mine the following way:
> >
> > smb.conf allows domain admins and domain users full RWX
> > access to share (actual access controlled via ACLs)
> >
> > share perms on linux box
> >
> > chown root."domain admins" /SHAREPATH
> >
> > setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
> >
> > I then assigned perms and ownership of folders via Windows.
> >
> > See my blog -
> > http://monklinux.blogspot.com/2017/09/how-to-samba-4-file-
> > server-as-member.html for how I set it up.
> >
> >
> >
> >
> >
> >
> > On 19 September 2017 at 00:31, Jamie McParland via samba <
> > samba at lists.samba.org> wrote:
> >
> > >
> > > “Of course we must fear evil men, but there is another evil that we
> > > must fear more… and that is the indifference of good men.” --
> > > Monsignor
> > >
> > >> We’ve just recently moved over to Samba 4. It looks as if “force
> > >> directory security mode” doesn’t work in samba 4. So I’m trying to
> > >> setup the Windows ACLs on our groups share.
> > >>
> > >> I’ve been working on this for a few days. I’ve read over the docs, it
> > >> seems like all the google links are purple and I’m still stuck.
> > >> Hopefully someone here will have an idea.
> > >>
> > >> We’re running Windows 2008R2 for our AD server. We’re running CentOS7
> > >> as our smb server.
> > >>
> > >> People can login to the share using their AD credentials and when I
> > >> run getent group "NSD\Domain Admins", it returns a list of people. So
> > >> I know it’s talking to the AD server ok.
> > >>
> > >> The problem is when I run the following command:
> > >> net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U
> > >> "NSD\Administrator"
> > >> It asks me for the domain admin password:
> > >> Enter NSD\Administrator's password:
> > >> I enter the password and I get this in response:
> > >> Failed to grant privileges for NSD\Domain Admins
> > >> (NT_STATUS_NO_SUCH_USER)
> > >>
> > >> I’ve added what I need to, to fstab
> > >> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4
> > >> _netdev,user_xattr,acl 0 0
> > >>
> > >> I’ve added this to the global section:
> > >> username map = /etc/samba/user.map
> > >> enable privileges = yes
> > >>
> > >> Here are the contents of /etc/samba/user.map:
> > >>
> > >> [root at smbgroups ~]# cat /etc/samba/user.map
> > >> !root = NSD\Administrator NSD\administrator
> > >>
> > >> I haven’t entered the other information to the global section of the
> > >> server yet, because I have people using the server. So I just added
> > >> it to a test share.
> > >>
> > >> [Edwards_Public]
> > >> path = /iscsi-groups/Edwards_Public
> > >> comment = Edwards_Public
> > >> guest ok=no
> > >> oplocks=yes
> > >> read only = no
> > >> inherit permissions=no
> > >> directory mask=0770
> > >> strict locking=auto
> > >> create mask=0770
> > >> force create mode = 0770
> > >> nt acl support = Yes
> > >> vfs objects = full_audit
> > >> vfs objects = fruit streams_xattr
> > >>
> > >> I’ve restarted the SMB service and even restarted the whole server to
> > >> no avail. I keep getting the “Failed to grant privileges for
> > >> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” error.
> > >>
> > >> The only “luck” I’ve had was adding someone like the following:
> > >> net rpc rights grant "irlbeckt at nsd.newberg.k12.or.us"
> > >> SeDiskOperatorPrivilege -U "NSD\Administrator"
> > >>
> > >> Irlbeckt is not a local user on the system, but an AD user.
> > >>
> > >> [root at smbgroups ~]# net rpc rights list privileges
> > >> SeDiskOperatorPrivilege -U "NSD\administrator"
> > >> Enter NSD\administrator's password:
> > >> SeDiskOperatorPrivilege:
> > >>   Unix User\mcparlandj
> > >>   Unix Group\domain admins
> > >>   BUILTIN\Administrators
> > >>   Unix User\irlbeckt
> > >>   Unix User\conek
> > >>
> > >> Unfortunately it comes back as “Unix User\irlbeckt” and not “NSD\irlbeckt”
> > >>
> > >> So at this point I’m stuck as to how to give the domain admins
> > >> SeDiskOperatorPrivilege
> > >>
> > >> I’d love to hear any ideas. Thanks!
> > >> Jamie
> > >> --
> > >> To unsubscribe from this list go to the following URL and read the
> > >> instructions:  https://lists.samba.org/mailman/options/samba