[Samba] Viewing Open Files with Computer Management

Andrew Walker walker.aj325 at gmail.com
Wed May 26 18:33:31 UTC 2021


On Wed, May 26, 2021 at 2:04 PM Nick Couchman via samba <samba at lists.samba.org> wrote:

> Hello, everyone,
> I'm wondering if it is possible to use the Computer Management MMC in
> modern versions of Windows to view "Sessions" and "Open Files" on a Samba
> server? Currently when I try to access either Sessions or Open Files I get
> the following error messages:
>
> Sessions: You do not have permissions to see the list of sessions from
> Windows clients.
> Open Files: You do not have permissions to see the list of files opened by
> Windows clients.
>
> I've done some Google searching on this issue and found a couple of
> suggestions:
> 1) Grant the user (or group) the SeDiskOperatorPrivilege on the Samba
> server.
> 2) Per a mailing list thread from 2017, create a username map and map the
> users who need this capability to "root" (
> https://lists.samba.org/archive/samba/2017-December/212608.html).
>
> Item 1 seems to have no effect at all - errors are the same - and for item
> 2, when I run "smbstatus" I can see the username and group both set to
> "root", but I still get the error messages.
>
> Any hints or suggestions on what to look at - or if this is even possible?
>
> -Nick


I typically do this sort of thing as follows (assuming no AD) -- caveat,
example is on FreeBSD:
1) create local group
root@:/usr/ports/net/samba # pw groupadd smb_admins

2) create groupmap and get new sid
root@:/usr/ports/net/samba # net groupmap add unixgroup=smb_admins ntgroup=smb_admins
No rid or sid specified, choosing a RID
Got RID 1002

root@:/usr/ports/net/samba # net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
smb_admins (S-1-5-21-3928159180-3161166842-2405926743-1002) -> smb_admins

4) add new sid as a foreign group for BUILTIN\Administrators and verify
root@:/usr/ports/net/samba # net groupmap addmem S-1-5-32-544 S-1-5-21-3928159180-3161166842-2405926743-1002
root@:/usr/ports/net/samba # net groupmap listmem S-1-5-32-544
S-1-5-21-3928159180-3161166842-2405926743-1002

5) add user to the admin group
root@:/usr/ports/net/samba # pw usermod smbuser -G smb_admins
root@:/usr/ports/net/samba # id smbuser
uid=1002(smbuser) gid=1002(smbuser) groups=1002(smbuser),1003(smb_admins)

This sort of strategy allows you to control this access via group
membership for a local Unix group, but the same can be achieved through
`net rpc rights grant <username> <privilege> -U root`.
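
Because this setup makes Unix group membership the access control, it helps to check periodically which mapped groups are nested in BUILTIN\Administrators. The script below is an added example, not part of the original message or of Samba: it resolves the SIDs printed by `net groupmap listmem` against `net groupmap list` and reports any member that is not on an expected list. The function names and the allowlist argument are assumptions of this example; the sample output is the one shown in the message.

```sh
#!/bin/sh
# Added example: audit the groups nested in BUILTIN\Administrators.
# Function names are this example's own, not Samba's.

# Output copied from the message above.
SAMPLE_LIST='Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
smb_admins (S-1-5-21-3928159180-3161166842-2405926743-1002) -> smb_admins'
SAMPLE_MEMBERS='S-1-5-21-3928159180-3161166842-2405926743-1002'

# resolve_admin_members LIST LISTMEM
# Prints "SID<TAB>unixgroup" per member; "UNMAPPED" if no groupmap entry exists.
resolve_admin_members() {
    printf '%s\n' "$2" | while IFS= read -r sid; do
        sid=$(printf '%s' "$sid" | tr -d '[:space:]')
        [ -n "$sid" ] || continue
        grp=$(printf '%s\n' "$1" | awk -v sid="$sid" '
            # line form: NTNAME (SID) -> unixgroup
            index($0, "(" sid ") -> ") { sub(/^.*\) -> /, ""); print; exit }')
        printf '%s\t%s\n' "$sid" "${grp:-UNMAPPED}"
    done
}

# audit_admin_members LIST LISTMEM ALLOWED
# ALLOWED: space-separated Unix groups expected to hold admin rights.
# Prints unexpected members and returns 1 if any are found, else returns 0.
audit_admin_members() {
    unexpected=$(resolve_admin_members "$1" "$2" |
        while IFS="$(printf '\t')" read -r sid grp; do
            case " $3 " in
                *" $grp "*) ;;                          # expected group
                *) printf '%s\t%s\n' "$sid" "$grp" ;;   # unexpected or unmapped
            esac
        done)
    if [ -z "$unexpected" ]; then
        return 0
    fi
    printf '%s\n' "$unexpected"
    return 1
}

# Live use (as root on the Samba server):
#   audit_admin_members "$(net groupmap list)" \
#       "$(net groupmap listmem S-1-5-32-544)" "smb_admins"
resolve_admin_members "$SAMPLE_LIST" "$SAMPLE_MEMBERS"
```

For each group it reports, `getent group <name>` lists the Unix accounts that inherit the access.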

