Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.


Samba - General mailing list
We’ve just recently moved over to Samba 4. It looks as if “force directory
security mode” doesn’t work in samba 4. So I’m trying to setup the Windows
ACLs on our groups share.

I’ve been working on this for a few days. I’ve read over the docs, it seems
like all the google links are purple and I’m still stuck. Hopefully someone
here will have an idea.

We’re running Windows 2008R2 for our AD server. We’re running CentOS7 as
our smb server.

People can login to the share using their AD credentials and when I run
getent group "NSD\Domain Admins", it returns a list of people. So I know
it’s talking to the AD server ok.

The problem is when I run the following command:
net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U "NSD\Administrator"
It asks me for the domain admin password
Enter NSD\Administrator's password:
I enter the password and I get this in response:
Failed to grant privileges for NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)

I’ve added what I need to, to fstab
UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4
_netdev,user_xattr,acl 0 0

I’ve added this to the global section:
username map = /etc/samba/user.map
enable privileges = yes

Here is the contents of /etc/samba/user.map:

[root@smbgroups ~]# cat /etc/samba/user.map
!root = NSD\Administrator NSD\administrator

I haven’t entered the other information to the global section of the server
yet, because I have people using the server. So I just added it to a test
share.

[Edwards_Public]
path = /iscsi-groups/Edwards_Public
comment = Edwards_Public
guest ok=no
oplocks=yes
read only = no
inherit permissions=no
directory mask=0770
strict locking=auto
create mask=0770
force create mode = 0770
nt acl support = Yes
vfs objects = full_audit
vfs objects = fruit streams_xattr

I’ve restarted the SMB service and even restarted the whole server to no
avail. I keep getting the “Failed to grant privileges for NSD\Domain Admins
(NT_STATUS_NO_SUCH_USER)” Error.

The only “luck” I’ve had was adding someone like the following:
net rpc rights grant “[hidden email]
SeDiskOperatorPrivilege -U "NSD\Administrator"

Irlbeckt is not a local user on the system, but an AD user.

[root@smbgroups ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U "NSD\administrator"
Enter NSD\administrator's password:
SeDiskOperatorPrivilege:
  Unix User\mcparlandj
  Unix Group\domain admins
  BUILTIN\Administrators
  Unix User\irlbeckt
  Unix User\conek

Unfortunately it comes back as “Unix User\irlbeckt” and not “NSD\irlbeckt”

So at this point I’m stuck as to how to give the domain admins
SeDiskOperatorPrivilege

I’d love to hear any ideas. Thanks!
Jamie
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Samba - General mailing list
On Mon, 18 Sep 2017 15:31:03 -0700
Jamie McParland via samba <[hidden email]> wrote:

> We’ve just recently moved over to Samba 4. It looks as if “force
> directory security mode” doesn’t work in samba 4. So I’m trying to
> setup the Windows ACLs on our groups share.
>
> I’ve been working on this for a few days. I’ve read over the docs, it
> seems like all the google links are purple and I’m still stuck.
> Hopefully someone here will have an idea.
>
> We’re running Windows 2008R2 for our AD server. We’re running CentOS7
> as our smb server.
>
> People can login to the share using their AD credentials and when I
> run getent group "NSD\Domain Admins”, it returns a list of people. So
> I know it’s talking to the AD server ok.
>
> The problem is when I run the following command:
> net rpc rights grant "NSD\Domain Admins" SeDiskOperatorPrivilege -U
> "NSD\Administrator"
> It asks me to the domain admin password
> Enter NSD\Administrator's password:
> I enter the password and I get this in response:
> Failed to grant privileges for NSD\Domain Admins
> (NT_STATUS_NO_SUCH_USER)
>
> I’ve added what I need to, to fstab
> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4
> _netdev,user_xattr,acl 0 0

Just as an aside (which has nothing to do with your problem) you don't
need 'user_xattr,acl', they are part of the ext4 defaults.

>
> I’ve added this to the global section:
> username map = /etc/samba/user.map
> enable privileges = yes
>
> Here is the contents of /etc/samba/user.map:
>
> [root@smbgroups ~]# cat /etc/samba/user.map
> !root = NSD\Administrator NSD\administrator
>
> I haven’t entered the other information to the global section of the
> server yet, because I have people using the server. So I just added
> it to a test share.
>
> [Edwards_Public]
> path = /iscsi-groups/Edwards_Public
> comment = Edwards_Public
> guest ok=no
> oplocks=yes
> read only = no
> inherit permissions=no
> directory mask=0770
> strict locking=auto
> create mask=0770
> force create mode = 0770
> nt acl support = Yes
> vfs objects = full_audit
> vfs objects = fruit streams_xattr

You mentioned above that you are trying to setup Windows ACLs, so why
are you using lines that only have meaning if you are using POSIX ACLs?

>
> I’ve restarted the SMB service and even restarted the whole server to
> no avail. I keep getting the “Failed to grant privileges for
> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error.
>
> The only “luck” I’ve had was adding someone like the following:
> net rpc rights grant “[hidden email]
> SeDiskOperatorPrivilege -U "NSD\Administrator"
>
> Irlbeckt is not a local user on the system, but and AD user.
>
> [root@smbgroups ~]# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "NSD\administrator"
> Enter NSD\administrator's password:
> SeDiskOperatorPrivilege:
>   Unix User\mcparlandj
>   Unix Group\domain admins
>   BUILTIN\Administrators
>   Unix User\irlbeckt
>   Unix User\conek
>
> Unfortunately it comes back as “Unix User\irlbeckt” and not
> “NSD\irlbeckt”
>
> So at this point I’m stuck as to how to give the domain admins
> SeDiskOperatorPrivilege
>
> I’d love to hear any ideas. Thanks!
> Jamie

Can you post the [global] section of your smb.conf?

Rowland


Re: Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Samba - General mailing list
Why not set your permissions from the windows server via security tab on
folder properties?

I set up mine the following way:

smb.conf allows domain admins and domain users full RWX access to share
(actual access controlled via ACLs)

share perms on linux box

chown root."domain admins" /SHAREPATH

setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH

I then assigned perms and ownership of folders via Windows.

See my blog - http://monklinux.blogspot.com/2017/09/how-to-samba-4-file-server-as-member.html for how I set it up.






On 19 September 2017 at 00:31, Jamie McParland via samba <
[hidden email]> wrote:


Re: Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Samba - General mailing list
Hai,

I've just read your howto, and it's a very good starting point.
You may have to correct a few small things there, but imo pretty good, yes.

This:
> chown root."domain admins" /SHAREPATH
Is/should not be needed.

setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
^^^^^^ you did mean setfacl?
But same, yes it works, and better than above, but you may get other problems later on.

For example, can you test the following (login as domain admin on a domain-joined PC):
Start regedit; now can you connect with regedit to the remote registry of a server
(from within the File menu, Connect Network Registry), search for a member server name
and connect. Did that work without problems?

Imho, the OP had better use:
net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U "NSD\Administrator"
NSD\Domain Admins is a member of BUILTIN\Administrators by default and imo this is not sufficient for "Administrators".

Setting the correct SePrivileges is imo very important.
This is what I set for "BUILTIN\Administrators", which I took from my Win2008R2 server
(net rpc rights list accounts -U Administrator):
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeRemoteInteractiveLogonRight
SeDiskOperatorPrivilege

In this post is a more complete output of some Seprivileges
https://www.spinics.net/lists/samba/msg144117.html


Greetz,

Louis





> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Jurie Botha via samba
> Sent: Tuesday 19 September 2017 11:02
> To: [hidden email]
> Subject: Re: [Samba] Can't set SeDiskOperatorPrivilege to
> Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Re: Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Samba - General mailing list
Thanks for everyone chiming in on my problem. I really do appreciate it.

Just to clarify, I’m working on a share called Edwards_Public. I’m trying
to get it so the members of the AD group called do_superintendent are the
only people able to read and write any files in that directory.

Here is my global config:

workgroup = NSD
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
log level = 5
realm = NSD.NEWBERG.K12.OR.US
security = ads
wide links = yes
unix extensions = no
obey pam restrictions = yes
hide files = /$*/
hide files = /*.tmp
hide special files = yes
hide dot files = yes
veto files = /.DS_Store/
delete veto files = yes

Based on the recommendations in this thread I’ve done the following:

setfacl -m g:"domain admins":rwx,g:"domain users":rx Edwards_Public

net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U
"NSD\Administrator"

Still not having any luck though.

Jurie:
> Why not set your permissions from the windows server via security tab on
> folder properties?
I would like to do that. My account (mcparlandj) is in the domain admin AD
group. But when I use the “Computer Management” application on Windows 7,
click properties for the share I want to edit the permissions on and click
the Security tab, I see this:

“You do not have permission to view or edit this object’s permission
settings”

If I click on the Share Permissions tab, I’m able to add / remove / modify
permissions for “Groups or user names”, but they don’t seem to actually
work or do anything. For example, I set the do_superintendent group to
allow Full Control, Change, Read. When I login to a windows machine as a
user that is a member of the do_superintendent group and I click on the
share they should have access to, I get a login and password prompt that pops
up. I’m not able to get into that share.

Also, another weird thing is after a while I’ll go back to the “Computer
Management” application, click on the Share Permissions tab, all the group
names have changed into what look like SID numbers and the little person
icon has a red question mark next to it.

Lastly, I’ve opened an SSH session to the server, changed into the share in
question. Then did an su to the user in the do_superintendent group and
tried to create a file. I wasn’t able to. This may be expected behavior
though as an ssh session doesn’t use SMB, but I’m grasping at straws trying
to figure out what’s wrong.





Thanks,
Jamie McParland
Technology Supervisor - Newberg Public Schools
Office - 503•554•5026

Visit our blog for how tos and Tech news.
http://www.newberg.k12.or.us/tech/

Tech Help Desk 6:30AM to 3:30PM (503) 554-5044





On Tue, Sep 19, 2017 at 2:39 AM, L.P.H. van Belle via samba <
[hidden email]> wrote:


Re: Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Samba - General mailing list
On Tue, 19 Sep 2017 13:13:45 -0700
Jamie McParland via samba <[hidden email]> wrote:

> Thanks for everyone chiming in on my problem. I really do appreciate
> it.
>
> Just to clarify, I’m working on a share called Edwards_Public. I’m
> trying to get it so the members of the AD group called
> do_superintendent are the only people able to read and write any
> files in that directory.
>
> Here is my global config:
>
> workgroup = NSD
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> log level = 5
> realm = NSD.NEWBERG.K12.OR.US
> security = ads
> wide links = yes
> unix extensions = no
> obey pam restrictions = yes
> hide files = /$*/
> hide files = /*.tmp
> hide special files = yes
> hide dot files = yes
> veto files = /.DS_Store/
> delete veto files = yes
>

If that is the full [global] part of your smb.conf, you have a problem:
you don't seem to be using Samba for authentication. Are you also using
sssd?

Rowland


Re: Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Samba - General mailing list
Yes, I’m using sssd.

> On Sep 19, 2017, at 1:33 PM, Rowland Penny <[hidden email]> wrote:

Re: Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Samba - General mailing list
From your Global config I see no IDMAP settings. You need that for Linux to
recognize your AD users.

See my blog top post for example: Monklinux.blogspot.com

Try my configuration, should work perfectly. Soz 4 short reply, typing on
phone.

Lemme know if it works. Note, pay attention to section under installing
samba.

On Sep 19, 2017 22:19, "Jamie McParland via samba" <[hidden email]>
wrote:

> Thanks for everyone chiming in on my problem. I really do appreciate it.
>
> Just to clarify, I’m working on a share called Edwards_Public. I’m trying
> to get it so the members of the AD group called do_superintendent are the
> only people able to read and write any files in that directory.
>
> Here is my global config:
>
> workgroup = NSD
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> log level = 5
> realm = NSD.NEWBERG.K12.OR.US
> security = ads
> wide links = yes
> unix extensions = no
> obey pam restrictions = yes
> hide files = /$*/
> hide files = /*.tmp
> hide special files = yes
> hide dot files = yes
> veto files = /.DS_Store/
> delete veto files = yes
>
> Based on the recommendations in this thread I’ve done the following:
>
> setfacl -m g:"domain admins":rwx,g:"domain users":rx Edwards_Public
>
> net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U
> "NSD\Administrator"
>
> Still not having any luck though.
>
> Jurie:
> >>Why not set your permissions from the windows server via security tab on
> folder properties?
> I would like to do that. My account (mcparlandj) is in the domain admin AD
> group. But when I use the “Computer Management” application on Windows 7,
> click properties for the share I want to edit the permissions on and click
> the Security tab, I see this:
>
> “You do not have permission to view or edit this object’s permission
> settings”
>
> If I click on the Share Permissions tab, I’m able to add / remove / modify
> permissions for “Groups or user names”, but they don’t seem to actually
> work or do anything. For example, I set the do_superintendent group to
> allow Full Control, Change, Read. When I login to a windows machine as a
> user that is a member of the do_superintendent group and I click on the
> share they should have access to, I get a login and password prompt that pops
> up. I’m not able to get into that share.
>
> Also, another weird thing is after a while I’ll go back to the “Computer
> Management” application, click on the Share Permissions tab, all the group
> names have changed into what look like SID numbers and the little person
> icon has a red question mark next to it.
>
> Lastly, I’ve opened an SSH session to the server, changed into the share in
> question. Then did an su to the user in the do_superintendent group and
> tried to create a file. I wasn’t able to. This may be expected behavior
> though as an ssh session doesn’t use SMB, but I’m grasping at straws trying
> to figure out what’s wrong.
>
>
>
>
>
> Thanks,
> Jamie McParland
> Technology Supervisor - Newberg Public Schools
> Office - 503•554•5026
>
> Visit our blog for how tos and Tech news.
> http://www.newberg.k12.or.us/tech/
>
> Tech Help Desk 6:30AM to 3:30PM (503) 554-5044
>
>
>
>
>
> On Tue, Sep 19, 2017 at 2:39 AM, L.P.H. van Belle via samba <
> [hidden email]> wrote:
>
> > Hai,
> >
> > I've just read your howto, and it's a very good starting point.
> > You may have to correct a few small things there, but imo pretty good yes.
> >
> > This :
> > > chown root."domain admins" /SHAREPATH
> > Is not / should not be needed.
> >
> > setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
> > ^^^^^^ you did mean setfacl ?
> > But same, yes it works, and better than above, but you may get other
> > problems later on.
> >
> > For example, can you test the following. ( login as domain admin on a
> > domain joined pc )
> > Start regedit, now can you connect to remote registry with regedit to a
> > server.
> > ( from within file menu, connect to networkregistry ), search a member
> > server name.
> > And connect, did that work without problems?
> >
> > Imho, The op better use :
> > net rpc rights grant "BUILTIN\Administrators" SeDiskOperatorPrivilege -U
> > "NSD\Administrator"
> > NSD\Domain Admins is a member of BUILTIN\Administrators by default and imo,
> > this is not sufficient for "Administrators"
> >
> > Setting the correct SePrivileges is imo, very important.
> > This is what I set for "BUILTIN\Administrators", which I took from my
> > Win2008R2 server.
> > (net rpc rights list accounts -U Administrator )
> > SeSecurityPrivilege
> > SeBackupPrivilege
> > SeRestorePrivilege
> > SeSystemtimePrivilege
> > SeShutdownPrivilege
> > SeRemoteShutdownPrivilege
> > SeTakeOwnershipPrivilege
> > SeDebugPrivilege
> > SeSystemEnvironmentPrivilege
> > SeSystemProfilePrivilege
> > SeProfileSingleProcessPrivilege
> > SeIncreaseBasePriorityPrivilege
> > SeLoadDriverPrivilege
> > SeCreatePagefilePrivilege
> > SeIncreaseQuotaPrivilege
> > SeChangeNotifyPrivilege
> > SeUndockPrivilege
> > SeManageVolumePrivilege
> > SeImpersonatePrivilege
> > SeCreateGlobalPrivilege
> > SeEnableDelegationPrivilege
> > SeInteractiveLogonRight
> > SeNetworkLogonRight
> > SeRemoteInteractiveLogonRight
> > SeDiskOperatorPrivilege
> >
> > In this post is a more complete output of some Seprivileges
> > https://www.spinics.net/lists/samba/msg144117.html
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: samba [mailto:[hidden email]] On behalf of
> > > Jurie Botha via samba
> > > Sent: Tuesday 19 September 2017 11:02
> > > To: [hidden email]
> > > Subject: Re: [Samba] Can't set SeDiskOperatorPrivilege to
> > > Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
> > >
> > > Why not set your permissions from the windows server via
> > > security tab on folder properties?
> > >
> > > I set up mine the following way:
> > >
> > > smb.conf allows domain admins and domain users full RWX
> > > access to share (actual access controlled via ACLs)
> > >
> > > share perms on linux box
> > >
> > > chown root."domain admins" /SHAREPATH
> > >
> > > setacl -m g:"domain admins":rwx,g:"domain users":rx /SHARELOCALPATH
> > >
> > > I then assigned perms and ownership of folders via Windows.
> > >
> > > See my blog -
> > > http://monklinux.blogspot.com/2017/09/how-to-samba-4-file-
> > > server-as-member.html for how I set it up.
> > >
> > >
> > >
> > >
> > >
> > >
> > > On 19 September 2017 at 00:31, Jamie McParland via samba <
> > > [hidden email]> wrote:
> > >
> > > >
> > > > “Of course we must fear evil men, but there is another evil that we
> > > > must fear more… and that is the indifference of good men.” --
> > > > Monsignor
> > > >
> > > >> We’ve just recently moved over to Samba 4. It looks as if “force
> > > >> directory security mode” doesn’t work in samba 4. So I’m trying to
> > > >> setup the Windows ACLs on our groups share.
> > > >>
> > > >> I’ve been working on this for a few days. I’ve read over
> > > the docs, it
> > > >> seems like all the google links are purple and I’m still stuck.
> > > >> Hopefully someone here will have an idea.
> > > >>
> > > >> We’re running Windows 2008R2 for our AD server. We’re
> > > running CentOS7
> > > >> as our smb server.
> > > >>
> > > >> People can login to the share using their AD credentials
> > > and when I
> > > >> run getent group "NSD\Domain Admins”, it returns a list of
> > > people. So
> > > >> I know it’s talking to the AD server ok.
> > > >>
> > > >> The problem is when I run the following command:
> > > >> net rpc rights grant "NSD\Domain Admins"
> > > SeDiskOperatorPrivilege -U
> > > >> "NSD\Administrator"
> > > >> It asks me for the domain admin password:
> > > >> Enter NSD\Administrator's password:
> > > >> I enter the password and I get this in response:
> > > >> Failed to grant privileges for NSD\Domain Admins
> > > >> (NT_STATUS_NO_SUCH_USER)
> > > >>
> > > >> I’ve added what I need to, to fstab
> > > >> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups ext4
> > > >> _netdev,user_xattr,acl 0 0
> > > >>
> > > >> I’ve added this to the global section:
> > > >> username map = /etc/samba/user.map
> > > >> enable privileges = yes
> > > >>
> > > >> Here is the contents of /etc/samba/user.map:
> > > >>
> > > >> [root@smbgroups ~]# cat /etc/samba/user.map
> > > >> !root = NSD\Administrator NSD\administrator
> > > >>
> > > >> I haven’t entered the other information to the global
> > > section of the
> > > >> server yet, because I have people using the server. So I
> > > just added
> > > >> it to a test share.
> > > >>
> > > >> [Edwards_Public]
> > > >> path = /iscsi-groups/Edwards_Public
> > > >> comment = Edwards_Public
> > > >> guest ok=no
> > > >> oplocks=yes
> > > >> read only = no
> > > >> inherit permissions=no
> > > >> directory mask=0770
> > > >> strict locking=auto
> > > >> create mask=0770
> > > >> force create mode = 0770
> > > >> nt acl support = Yes
> > > >> vfs objects = full_audit
> > > >> vfs objects = fruit streams_xattr
> > > >>
> > > >> I’ve restarted the SMB service and even restarted the
> > > whole server to
> > > >> no avail. I keep getting the “Failed to grant privileges for
> > > >> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error.
> > > >>
> > > >> The only “luck” I’ve had was adding someone like the following:
> > > >> net rpc rights grant “[hidden email]
> > > >> SeDiskOperatorPrivilege -U "NSD\Administrator"
> > > >>
> > > >> Irlbeckt is not a local user on the system, but an AD user.
> > > >>
> > > >> [root@smbgroups ~]# net rpc rights list privileges
> > > >> SeDiskOperatorPrivilege -U "NSD\administrator"
> > > >> Enter NSD\administrator's password:
> > > >> SeDiskOperatorPrivilege:
> > > >>   Unix User\mcparlandj
> > > >>   Unix Group\domain admins
> > > >>   BUILTIN\Administrators
> > > >>   Unix User\irlbeckt
> > > >>   Unix User\conek
> > > >>
> > > >> Unfortunately it comes back as “Unix User\irlbeckt” and
> > > not “NSD\irlbeckt”
> > > >>
> > > >> So at this point I’m stuck as to how to give the domain admins
> > > >> SeDiskOperatorPrivilege
> > > >>
> > > >> I’d love to hear any ideas. Thanks!
> > > >> Jamie

Re: Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Tue, 19 Sep 2017 14:25:06 -0700
Jamie Mcparland <[hidden email]> wrote:

> Yes, I’m using sssd.
>

Then Samba isn't doing the authentication, so you are asking your
question in the wrong place. Try asking on the sssd-users mailing list.

Either that or change to using winbind instead, you will find the info
on how to do that here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
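The tell-tale sign in this thread is that `net rpc rights list privileges SeDiskOperatorPrivilege` shows holders as `Unix User\irlbeckt` or `Unix Group\domain admins` instead of `NSD\irlbeckt`: the name was resolved by local NSS (here fed by sssd) rather than mapped to a domain SID by winbind. The script below is an added diagnostic, not code from the thread or from the Samba project. It parses the output format exactly as quoted above, reports every holder that went through the local `Unix User` / `Unix Group` authority, and checks that the expected holder (`BUILTIN\Administrators` by default) is present. The sample output is constructed from the thread; the function names and the `domain` argument are my own.

```python
"""Check holders of a Samba privilege for local-vs-domain name resolution.

Added example. Parses the output of:
    net rpc rights list privileges SeDiskOperatorPrivilege -U "NSD\\administrator"
which looks like (as quoted in the thread):

    SeDiskOperatorPrivilege:
      Unix User\\mcparlandj
      Unix Group\\domain admins
      BUILTIN\\Administrators

A holder under the "Unix User" / "Unix Group" authority was matched
against the local passdb/NSS instead of being mapped to a domain SID
by winbind, which is the misconfiguration discussed in the thread.
"""
from typing import Dict, List, Tuple

# Constructed sample, copied from the output quoted earlier in the thread.
SAMPLE_OUTPUT = """\
Enter NSD\\administrator's password:
SeDiskOperatorPrivilege:
  Unix User\\mcparlandj
  Unix Group\\domain admins
  BUILTIN\\Administrators
  Unix User\\irlbeckt
  Unix User\\conek
"""

# Authorities that indicate a local (non-domain) mapping.
LOCAL_AUTHORITIES = ("Unix User", "Unix Group")


def parse_rights_list(output: str) -> Dict[str, List[str]]:
    """Map each privilege name to the list of accounts that hold it."""
    rights: Dict[str, List[str]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Enter "):
            continue  # blank line or the interactive password prompt
        if not raw.startswith(" ") and line.endswith(":"):
            current = line[:-1]          # "SeDiskOperatorPrivilege:"
            rights[current] = []
        elif current is not None:
            rights[current].append(line.strip())  # indented holder line
    return rights


def split_account(account: str) -> Tuple[str, str]:
    """Split 'AUTHORITY\\name' into (authority, name)."""
    authority, _, name = account.partition("\\")
    return authority, name


def check_privilege(rights: Dict[str, List[str]], privilege: str, domain: str,
                    expected_groups=("BUILTIN\\Administrators",)) -> List[str]:
    """Return human-readable findings for one privilege (empty list = OK)."""
    findings: List[str] = []
    holders = rights.get(privilege, [])
    for acct in holders:
        authority, name = split_account(acct)
        if authority in LOCAL_AUTHORITIES:
            findings.append(
                f"{privilege}: '{acct}' resolved as a local {authority}, "
                f"not as {domain}\\{name}; winbind is not mapping this name")
    for grp in expected_groups:
        if grp not in holders:
            findings.append(f"{privilege}: expected holder '{grp}' is missing")
    return findings


if __name__ == "__main__":
    parsed = parse_rights_list(SAMPLE_OUTPUT)
    for finding in check_privilege(parsed, "SeDiskOperatorPrivilege", "NSD"):
        print(finding)
```

To run it against a live server, save the command's output to a file and pass its contents to `parse_rights_list`; once winbind (rather than sssd) is resolving names, the same holders should appear as `NSD\...` and the local-authority findings disappear.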


Re: Can't set SeDiskOperatorPrivilege to Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Tue, 19 Sep 2017 23:31:51 +0200
Jurie Botha via samba <[hidden email]> wrote:

> From your Global config I see no IDMAP settings. You need that for
> Linux to recognize your ad users.
>
> See my blog top post for example: Monklinux.blogspot.com
>
> Try my configuration, should work perfectly. Soz 4 short reply,
> typing on phone.

Sorry, but it isn't perfect, it is mostly correct, but there are
several errors. Also Samba has its own documentation, so you should
point users to that.

Rowland



How to use AD authentication for normal Samba file sharing

Samba - General mailing list
In reply to this post by Samba - General mailing list
I have a Linux host used for file sharing. Although I have a Samba4 AD/DC configured in the
LAN, this file-sharing host is not currently a domain member. Right now, the smb.conf set up on
this server does not require any ID or passwords from Windows client workstations. The current
smb.conf is shown below, only one of the shares is listed.

I would like to have this file-sharing host authenticate using Active Directory
authentication. That is, when the Windows user maps the shared drive, I would like it to
authenticate with the domain credentials and not require the user to enter ID/PW on the Map
Network Drive dialog.

Is this possible?

If so, I know how to make the Linux file-sharing host a domain member. What would I have to do
to get Samba to authenticate the user's domain credentials?

My smb.conf:

[global]
netbios name = OHPRSSTORAGE
   workgroup = WORKGROUP
   server string = HPRS NAS server

domain master = no
prefered master = no

   security = user
   map to guest = Bad User

   hosts allow = 192.168.0. 127.

load printers = no
printcap name = /dev/null
printing = bsd
disable spoolss = yes

guest account = nevermind

   log file = /var/log/samba.%m
   max log size = 50

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   dns proxy = no

[public]
path = /mnt/RAID/public

hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/

veto oplock files = /OfficeCalendar.pst/
locking = yes
public = yes
guest ok = yes
guest only = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771


Re: How to use AD authentication for normal Samba file sharing

Samba - General mailing list
With help from kjhambrick at linuxquestions.org I did figure out how to authenticate from a
Windows domain member to a samba share using AD credentials.  My smb.conf is listed below.  I
was able to map the share from Windows using domain credentials and create a file on the share.

Here's my next challenge: All the UID.GIDs on the share (287G and +105K files) are currently
the non-AD values of 1001.301.  For the time being, I'd like to keep all files, and all newly
created files with this UID.GID.

How can I do this? On the "classic" samba share (not AD authentication) this was accomplished
by:

   guest account = ohprso # where ohprso's UID = 1001

I've seen the smb.conf setting:

   !<server user> = <client user>

but I'm not sure that's appropriate in this case.

Is there such a mechanism for AD authenticated clients?

Thanks --Mark

my AD Authenticating smb.conf:

[global]
netbios name = OHPRSSTORAGE

   server string = HPRS NAS server

domain master = no
prefered master = no

realm = HPRS.LOCAL
workgroup = HPRS
usershare allow guests = Yes     # Do I need this?
usershare max shares = 10
security = ADS
template shell = /bin/bash

max log size = 10000
   
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099

winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes

[public]
path = /mnt/RAID/public

hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/

veto oplock files = /OfficeCalendar.pst/

inherit acls = yes
valid users = @"domain users"

locking = yes
public = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771

Re: How to use AD authentication for normal Samba file sharing

Samba - General mailing list
I guess I'm answering my own questions on this thread!

I believe I've found the answer to my last issue on this. To my smb.conf (message below), add:

force user ohprso
force group ohprs

I've tested it and the Domain user 10001.10001 was able to create a file on the samba share as
1001.103.

If that seems wrong to anyone on this list, please advise. Even if it looks right, perhaps post
a "Yes, that looks right", so I know these messages are making it to the list!

--Mark


Re: How to use AD authentication for normal Samba file sharing

Samba - General mailing list


See inline comments:

On Tue, 28 Nov 2017 00:08:42 -0500
Mark Foley via samba <[hidden email]> wrote:

> I guess I'm answering my own questions on this thread!
>
> I believe I've found the answer to my last issue on this. To my
> smb.conf (message below), add:
>
> force user ohprso
> force group ohprs
>
> I've tested it and the Domain user 10001.10001 was able to create a
> file on the samba share as 1001.103.

Of course this works, you are forcing everybody and every group to be
just one user and just one group.

>
> If that seems wrong to anyone on this list, please advise. Even if it
> looks right, perhaps post a "Yes, that looks right", so I know these
> messages are making it to the list!
>
> --Mark
>
> -----Original Message-----
> Date: Mon, 27 Nov 2017 18:22:47 -0500
> Organization: Ohio Highway Patrol Retirement System
> To: [hidden email]
> Subject: Re: [Samba] How to use AD authentication for normal Samba
> file sharing
> From: Mark Foley via samba <[hidden email]>
>
> With help from kjhambrick at linuxquestions.org I did figure out how
> to authenticate from a Windows domain member to a samba share using AD
> credentials.  My smb.conf is listed below.  I was able to map the
> share from Windows using domain credentials and create a file on the
> share.
>
> Here's my next challenge: All the UID.GIDs on the share (287G and
> +105K files) are currently the non-AD values of 1001.301.  For the
> time being, I'd like to keep all files, and all newly created files
> with this UID.GID.
>
> How can I do this? On the "classic" samba share (not AD
> authentication) this was accomplished by:
>
>    guest account = ohprso # where ohprso's UID = 1001
>
> I've seen the smb.conf setting:
>
>    !<server user> = <client user>

I have never seen such lines in smb.conf, it is a line from a
user.map, e.g. !root = Administrator

>
> but I'm not sure that's appropriate in this case.
>
> Is there such a mechanism for AD authenticated clients?
>
> Thanks --Mark
>
> my AD Authenticating smb.conf:
>
> [global]
> netbios name = OHPRSSTORAGE
>
>    server string = HPRS NAS server
>
> domain master = no
> prefered master = no
>
> realm = HPRS.LOCAL
> workgroup = HPRS
> usershare allow guests = Yes     # Do I need this?

Do you use usershares ?

> usershare max shares = 10
> security = ADS
> template shell = /bin/bash
>
> max log size = 10000
>    
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-10099
>
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
>
> [public]
> path = /mnt/RAID/public
>
> hide dot files = yes
> map hidden = yes
> hide files = /Outlook/outlook/~*/
>
> veto oplock files = /OfficeCalendar.pst/
>
> inherit acls = yes
> valid users = @"domain users"
>
> locking = yes
> public = yes
> writeable = yes
> browseable= yes
> printable = no
> create mask = 0660
> force create mode = 0660
> directory mask = 0771

Nice Unix domain member smb.conf you have got there, you might as well
go the whole hog now and run 'net ads join -U Administrator' and have
all the benefits of being a domain member, because what you have now
is, for all intents and purposes, a Unix domain member.
 
Rowland
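Two points raised in this thread can be checked mechanically before restarting smbd: Jurie's remark that a domain member needs idmap settings, and Rowland's remark that `force user` / `force group` collapse every connecting domain user onto one Unix identity. The script below is an added example, not code from the thread or from the Samba project. It parses an smb.conf with Python's configparser and reports a missing realm or domain idmap backend when `security = ads` is set, a missing `*` range (needed for BUILTIN and well-known SIDs) or overlapping idmap ranges (winbind requires them to be disjoint), and any share that forces a single user or group. The sample smb.conf is constructed from the one posted above; the `force user` lines are written as `name = value`, which is the form smb.conf requires, and the trailing `# Do I need this?` comment is stripped by this parser, whereas smb.conf itself only treats `#` at the start of a line as a comment. The function names are my own.

```python
"""Offline sanity check of idmap and ownership settings in an smb.conf.

Added example. Uses only the standard library so it can run on the file
server or anywhere a copy of smb.conf is available.
"""
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample based on the domain-member smb.conf posted in the
# thread, with the follow-up `force user` / `force group` lines added.
SAMPLE_SMB_CONF = """\
[global]
netbios name = OHPRSSTORAGE
server string = HPRS NAS server
realm = HPRS.LOCAL
workgroup = HPRS
security = ADS
usershare allow guests = Yes     # Do I need this?
log file = /var/log/samba.%m
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099
winbind use default domain = Yes

[public]
path = /mnt/RAID/public
inherit acls = yes
valid users = @"domain users"
force user = ohprso
force group = ohprs
"""

RANGE_KEY = re.compile(r"^idmap config (.+):range$")


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text.  ':' must not be a delimiter (idmap keys use
    it), '%' must not be interpolated (%m, %U macros), and strict=False
    tolerates duplicate keys, which Samba accepts (last one wins)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   inline_comment_prefixes=("#", ";"),
                                   strict=False)
    cp.optionxform = str  # keep the case of domain names in idmap keys
    cp.read_string(text)
    return cp


def section(cp: configparser.ConfigParser, name: str) -> Dict[str, str]:
    """Return a section's parameters with normalised (lower-case) keys."""
    for sec in cp.sections():
        if sec.lower() == name.lower():
            return {re.sub(r"\s*:\s*", ":", k.lower()): v.strip()
                    for k, v in cp[sec].items()}
    return {}


def idmap_ranges(glob: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Collect 'idmap config DOM:range = lo-hi' as {DOM: (lo, hi)}."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, val in glob.items():
        m = RANGE_KEY.match(key)
        if m:
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", val))
            ranges[m.group(1).strip().upper()] = (lo, hi)
    return ranges


def check_global(cp: configparser.ConfigParser) -> List[str]:
    """Findings about authentication and idmap settings in [global]."""
    findings: List[str] = []
    g = section(cp, "global")
    if g.get("security", "").lower() == "ads":
        if "realm" not in g:
            findings.append("security = ads requires a realm")
        dom = g.get("workgroup", "").lower()
        if f"idmap config {dom}:backend" not in g:
            findings.append(f"no idmap backend configured for domain {dom.upper()}")
    ranges = idmap_ranges(g)
    if "*" not in ranges:
        findings.append("no 'idmap config * : range' (needed for BUILTIN and well-known SIDs)")
    names = sorted(ranges)
    for i, a in enumerate(names):
        alo, ahi = ranges[a]
        if alo > ahi:
            findings.append(f"idmap range for {a} is inverted: {alo}-{ahi}")
        for b in names[i + 1:]:
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"idmap ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    return findings


def check_shares(cp: configparser.ConfigParser) -> List[str]:
    """Report shares that map every client onto one Unix user/group."""
    findings: List[str] = []
    for sec in cp.sections():
        if sec.lower() == "global":
            continue
        s = section(cp, sec)
        for p in ("force user", "force group"):
            if p in s:
                findings.append(f"[{sec}] {p} = {s[p]}: every connecting "
                                f"user acts as this identity on disk")
    return findings


def audit(text: str) -> List[str]:
    """Run all checks over one smb.conf text and return the findings."""
    cp = load_smb_conf(text)
    return check_global(cp) + check_shares(cp)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print(finding)
```

Run `audit(open("/etc/samba/smb.conf").read())` on the server; an empty list means the idmap layout is consistent and nothing is forced, while a `force user` finding is not an error but a reminder that per-user ownership and ACLs on that share are meaningless, which is the trade-off Rowland points out.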
