Question regarding FQDN & SeDiskOperatorPrivilege

It’s like the AD is a subdomain of domain.local. In Windows the default is to use the network domain as AD (domain.local). In Nethserver it’s default to use a subdomain AD (ad.domain.local). Both NetBIOS domain names are DOMAIN in both cases. It irritated me at first so I did it like @des described but when unbinding/rebinding I forgot to remove the AD so I decided to get used to it and it never made problems. Both are working in DNS to map the server, servername.ad.domain.local and servername.domain.local. But in the end it depends on your needs and your personal network design style.

It’s also possible and recommended on Windows for some scenarios (public domain is the same as the Windows domain but having an external website…):

https://social.technet.microsoft.com/Forums/en-US/6d8b5084-9e8a-4c8a-a4bf-72990417a469/active-directory-domain-naming-best-practice-com-subdomainmydomaincom-or-local?forum=winserverDS

I went with best practices and created a subdomain, but it gives mixed results and I suspect my seDiskOperatorPrivilege command fails because of it.

I’m trying: (on the member server)

net sam rights grant "Domain Admins" seDiskOperatorPrivilege -U "domain\administrator" 
Or net rpc rights etc.

but it returns either access denied or user can’t be found.

Funny results …

Step 1: do nothing on the SAMBA AD server nor its Nethserver host. Domain is ad.domain.COM; ‘server name’ in the Nethserver GUI is server.domain.COM

Step 2: unbind memberserver, rename to server.ad.domain.local, rebind to ad.domain.com

After this, the difference between FQDN and group names remains exactly the same. My groups and users show as “domain admins@ad.domain.local” and not the joined ad.domain.COM

getent group "Domain Admins"
returns: domain admins@ad.domain.local:*:3456343:administrator@ad.domain.local,admin@......

So, I know where to find the hostname …

vi /etc/hostname

i, change that local to com, :wq

reboot later (faster than restarting the services by hand :stuck_out_tongue: ), nothing changed from ad perspective.
hostname -f now displays .com at the end.

When I do a

net sam rights list seDiskOperatorPrivilege (as root)

I only get ‘BUILTIN\Administrators’

When I do a

net sam rights grant "Domain Admins" (or "DOMAIN\Domain Admins") seDiskOperatorPrivilege (as root)

I get: ‘could not find Domain Admins’ … or whatever variation I try: Domain Admins@ad.domain.local @ad.domain.com … all the same. Can not find it.

Am I missing something stupid or just being stupid ?

Performing these commands on the AD server itself corrects the display of the domain name to ‘test@ad.domain.com’, but setting seDiskOperatorPrivilege doesn’t help.

Played around a little bit:

[root@server ~]# net rpc rights grant "blah blah" seDiskOperatorPrivilege -U admin
Enter admin's password:
Failed to grant privileges for domain adm (NT_STATUS_NO_SUCH_USER)
[root@server ~]# net rpc rights grant "domain admins" seDiskOperatorPrivilege -U admin
Enter admin's password:
Failed to grant privileges for domain admins (NT_STATUS_ACCESS_DENIED)

but this works:

[root@server ~]# net sam rights grant "Users" seDiskOperatorPrivilege
Granted seDiskOperatorPrivilege to BUILTIN\Users

See groups available:

[root@server ~]# net ads group -U admin
Enter admin's password:
Allowed RODC Password Replication Group
Enterprise Read-Only Domain Controllers
Denied RODC Password Replication Group
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Certificate Service DCOM Access
Network Configuration Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Read-Only Domain Controllers
Group Policy Creator Owners
Performance Monitor Users
Cryptographic Operators
Distributed COM Users
Performance Log Users
Remote Desktop Users
Account Operators
Event Log Readers
RAS and IAS Servers
Backup Operators
Domain Controllers
Server Operators
Enterprise Admins
Print Operators
Administrators
Domain Computers
Cert Publishers
DnsUpdateProxy
Domain Admins
Domain Guests
Schema Admins
Domain Users
Replicator
jabberadmins
IIS_IUSRS
DnsAdmins
Guests
Users

You may set the right to “Administrators” instead of “domain admins”, which are members of Administrators. It seems to work only with BUILTIN…

[root@server ~]# net sam rights grant "Domain Admins" seDiskOperatorPrivilege
Could not find name Domain Admins
[root@server ~]# net sam rights grant "Enterprise Admins" seDiskOperatorPrivilege
Could not find name Enterprise Admins
[root@server ~]# net sam rights grant "Domain Guests" seDiskOperatorPrivilege
Could not find name Domain Guests
[root@server ~]# net sam rights grant "Domain Users" seDiskOperatorPrivilege
Could not find name Domain Users
[root@server ~]# net sam rights grant "Users" seDiskOperatorPrivilege
Granted seDiskOperatorPrivilege to BUILTIN\Users
[root@server ~]# net sam rights grant Administrators seDiskOperatorPrivilege
Granted seDiskOperatorPrivilege to BUILTIN\Administrators

On Nethserver I have:

[root@server ~]# getent group "Domain Admins"
domain admins@cmb.local:*:1682800512:administrator@cmb.local,admin@cmb.local

and on joined Nethserver I have:

[root@nethvm2 ~]# getent group "domain admins"
domain admins@domain.local:*:1682800512:administrator@domain.local,admin@domain.local

After unbinding AD on my remote nethvm2, setting server name to “nethvm2.cmb.local” instead of “nethvm2.domain.local” and joining AD ad.cmb.local again, it worked:

[root@nethvm2 ~]# getent group "domain admins"
domain admins@cmb.local:*:1682800512:administrator@cmb.local,admin@cmb.local

Hi to all,
I think I don’t have a subdomain or another domain for AD. Can you have a look please?

[root@groupware ~]# hostname -d
jonas.de
[root@groupware ~]# hostname -f
groupware.jonas.de
[root@groupware ~]# net ads testjoin
Join is OK
[root@groupware ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/groupware.jonas.de@JONAS.DE
   3 host/groupware.jonas.de@JONAS.DE
   3 host/groupware.jonas.de@JONAS.DE
   3 host/groupware.jonas.de@JONAS.DE
   3 host/groupware.jonas.de@JONAS.DE
   3 host/GROUPWARE@JONAS.DE
   3 host/GROUPWARE@JONAS.DE
   3 host/GROUPWARE@JONAS.DE
   3 host/GROUPWARE@JONAS.DE
   3 host/GROUPWARE@JONAS.DE
   3 smtp/groupware.jonas.de@JONAS.DE
   3 smtp/groupware.jonas.de@JONAS.DE
   3 smtp/groupware.jonas.de@JONAS.DE
   3 smtp/groupware.jonas.de@JONAS.DE
   3 smtp/groupware.jonas.de@JONAS.DE
   3 smtp/GROUPWARE@JONAS.DE
   3 smtp/GROUPWARE@JONAS.DE
   3 smtp/GROUPWARE@JONAS.DE
   3 smtp/GROUPWARE@JONAS.DE
   3 smtp/GROUPWARE@JONAS.DE
   3 pop/groupware.jonas.de@JONAS.DE
   3 pop/groupware.jonas.de@JONAS.DE
   3 pop/groupware.jonas.de@JONAS.DE
   3 pop/groupware.jonas.de@JONAS.DE
   3 pop/groupware.jonas.de@JONAS.DE
   3 pop/GROUPWARE@JONAS.DE
   3 pop/GROUPWARE@JONAS.DE
   3 pop/GROUPWARE@JONAS.DE
   3 pop/GROUPWARE@JONAS.DE
   3 pop/GROUPWARE@JONAS.DE
   3 imap/groupware.jonas.de@JONAS.DE
   3 imap/groupware.jonas.de@JONAS.DE
   3 imap/groupware.jonas.de@JONAS.DE
   3 imap/groupware.jonas.de@JONAS.DE
   3 imap/groupware.jonas.de@JONAS.DE
   3 imap/GROUPWARE@JONAS.DE
   3 imap/GROUPWARE@JONAS.DE
   3 imap/GROUPWARE@JONAS.DE
   3 imap/GROUPWARE@JONAS.DE
   3 imap/GROUPWARE@JONAS.DE
   3 cifs/groupware.jonas.de@JONAS.DE
   3 cifs/groupware.jonas.de@JONAS.DE
   3 cifs/groupware.jonas.de@JONAS.DE
   3 cifs/groupware.jonas.de@JONAS.DE
   3 cifs/groupware.jonas.de@JONAS.DE
   3 cifs/GROUPWARE@JONAS.DE
   3 cifs/GROUPWARE@JONAS.DE
   3 cifs/GROUPWARE@JONAS.DE
   3 cifs/GROUPWARE@JONAS.DE
   3 cifs/GROUPWARE@JONAS.DE
   3 http/groupware.jonas.de@JONAS.DE
   3 http/groupware.jonas.de@JONAS.DE
   3 http/groupware.jonas.de@JONAS.DE
   3 http/groupware.jonas.de@JONAS.DE
   3 http/groupware.jonas.de@JONAS.DE
   3 http/GROUPWARE@JONAS.DE
   3 http/GROUPWARE@JONAS.DE
   3 http/GROUPWARE@JONAS.DE
   3 http/GROUPWARE@JONAS.DE
   3 http/GROUPWARE@JONAS.DE
   3 GROUPWARE$@JONAS.DE
   3 GROUPWARE$@JONAS.DE
   3 GROUPWARE$@JONAS.DE
   3 GROUPWARE$@JONAS.DE
   3 GROUPWARE$@JONAS.DE
   3 HTTP/groupware.jonas.de@JONAS.DE
   3 HTTP/groupware.jonas.de@JONAS.DE
   3 HTTP/groupware.jonas.de@JONAS.DE
   3 HTTP/groupware.jonas.de@JONAS.DE
   3 HTTP/groupware.jonas.de@JONAS.DE
   3 HTTP/GROUPWARE@JONAS.DE
   3 HTTP/GROUPWARE@JONAS.DE
   3 HTTP/GROUPWARE@JONAS.DE
   3 HTTP/GROUPWARE@JONAS.DE
   3 HTTP/GROUPWARE@JONAS.DE

So can someone help me out understanding what is what here … ?

Nethserver acts as a VM host here. It is silently a member server of the NSDC-.. which runs as a container on it. Correct?

The aforementioned container is what is running the actual Samba4 AD domain.

DNS-wise this puts us in a strange place, as I can configure DNS records on Nethserver’s DNS page. These are, however, not propagated to the Samba4 AD server. The Samba4 AD records can be queried by using the Nethserver as DNS server (albeit non-authoritative).

This will work in most situations, but isn’t correct as far as I know, and is a direct result of running a container to which the Nethserver is not really joined.

Can someone unravel this a bit for me ? What design choice am I not appreciating here ?

@m.traeumner … that’s what I am trying to achieve … but when I set the hostname of my to-be-AD-server to domain.com, and then try to create the domain domain.com, I get an error about the realm already being defined in sssd.

I set up a quick test VM.
In my case no problem to choose “domain.tld” without “ad” / subdomain

[root@ns7test ~]# hostname -f
ns7test.jeckel.lan
[root@ns7test ~]# hostname -d
jeckel.lan
[root@ns7test ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ns7test.jeckel.lan@JECKEL.LAN
   2 host/NS7TEST@JECKEL.LAN
   2 host/ns7test.jeckel.lan@JECKEL.LAN
   2 host/NS7TEST@JECKEL.LAN
   2 host/ns7test.jeckel.lan@JECKEL.LAN
   2 host/NS7TEST@JECKEL.LAN
   2 host/ns7test.jeckel.lan@JECKEL.LAN
   2 host/NS7TEST@JECKEL.LAN
   2 host/ns7test.jeckel.lan@JECKEL.LAN
   2 host/NS7TEST@JECKEL.LAN
   2 NS7TEST$@JECKEL.LAN
   2 NS7TEST$@JECKEL.LAN
   2 NS7TEST$@JECKEL.LAN
   2 NS7TEST$@JECKEL.LAN
   2 NS7TEST$@JECKEL.LAN
[root@ns7test ~]# net ads testjoin
Join is OK

Maybe this procedure helps
http://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-dc.html#factory-reset


I just created a new VM, did not update it before creating the domain, and I can confirm that it works as expected and as you show. I will now proceed to try to reset samba on my dc and see what survives. sigh

I will also try to recreate this issue, as I am sure that I did not do much else besides update all packages before installing AD on the machine with the current issue.

My mistake seems to have been accepting an sssd error when trying to name my domain, and wrongfully deducing it has to be named differently. To be continued …


So, ran a factory reset, and DO get new packages. So this might have been something that is now resolved. I swear to my sanity (for as far as I got it) that I used to get an sssd error about the realm already existing.

Thanks for the suggestion, it worked wonders … and I feel a bit embarrassed that I just days ago said the fine manual contained more than you would expect … only to be referred to it … sorry for not doing my own homework better.

Anyhow, scratch that irritation off my list … now the real issue:

Let’s rejoin the fileserver to the new domain … but wait … what ?? Ah, sanity preserved:

…but by now I’m stubborn, so I just click ‘join’ again:

…whatever … on we go …

[root@fileserver ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/fileserver@MYDOMAIN.COM
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/fileserver@MYDOMAIN.COM
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/fileserver@MYDOMAIN.COM
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/fileserver@MYDOMAIN.COM
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/fileserver@MYDOMAIN.COM
   2 fileserver$@MYDOMAIN.COM
   2 fileserver$@MYDOMAIN.COM
   2 fileserver$@MYDOMAIN.COM
   2 fileserver$@MYDOMAIN.COM
   2 fileserver$@MYDOMAIN.COM
   3 host/fileserver.mydomain.com@MYDOMAIN.COM
   3 host/fileserver@MYDOMAIN.COM
   3 host/fileserver.mydomain.com@MYDOMAIN.COM
   3 host/fileserver@MYDOMAIN.COM
   3 host/fileserver.mydomain.com@MYDOMAIN.COM
   3 host/fileserver@MYDOMAIN.COM
   3 host/fileserver.mydomain.com@MYDOMAIN.COM
   3 host/fileserver@MYDOMAIN.COM
   3 host/fileserver.mydomain.com@MYDOMAIN.COM
   3 host/fileserver@MYDOMAIN.COM
   3 fileserver$@MYDOMAIN.COM
   3 fileserver$@MYDOMAIN.COM
   3 fileserver$@MYDOMAIN.COM
   3 fileserver$@MYDOMAIN.COM
   3 fileserver$@MYDOMAIN.COM

Alas, no luck on setting seDiskOperatorPrivilege yet

[root@fileserver ~]# hostname -f
fileserver.mydomain.com
[root@fileserver ~]# hostname -d
mydomain.com
[root@fileserver ~]# getent group "domain admins"
domain admins@mydomain.com:*:1262600512:administrator@mydomain.com,admin@mydomain.com
[root@fileserver ~]# net sam rights grant "Domain Admins" seDiskOperatorPrivilege
Could not find name Domain Admins
[root@fileserver ~]# net sam rights grant "mydom\Domain Admins" seDiskOperatorPrivilege
Could not find name mydom\Domain Admins
[root@fileserver ~]# net sam rights grant "mydom\\Domain Admins" seDiskOperatorPrivilege
Could not find name mydom\Domain Admins
[root@fileserver ~]# net sam rights grant "MYDOM\domain admins" seDiskOperatorPrivilege
Could not find name MYDOM\domain admins
[root@fileserver ~]# net sam rights grant "domain admins@mydomain.com" seDiskOperatorPrivilege
Could not find name domain admins@mydomain.com
[root@fileserver ~]# net sam rights list seDiskOperatorPrivilege
BUILTIN\Administrators

I can confirm that we can set rights on BUILTIN groups, but these are server-local and for some reason rights do not propagate correctly. When joining a domain, the domain admins should become members of the local server admins. They are not.

What is worse:

[root@domainserver~]# net sam list groups

…yeah, nothing returned.

However:

[root@domainserver~]# net ads group -Uadministrator
Enter administrator's password:
Allowed RODC Password Replication Group
Enterprise Read-Only Domain Controllers
Denied RODC Password Replication Group
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Certificate Service DCOM Access
Network Configuration Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Read-Only Domain Controllers
Group Policy Creator Owners
Performance Monitor Users
Cryptographic Operators
Distributed COM Users
Performance Log Users
Remote Desktop Users
Account Operators
Event Log Readers
RAS and IAS Servers
Backup Operators
Domain Controllers
Server Operators
Enterprise Admins
Print Operators
Administrators
Domain Computers
Cert Publishers
DnsUpdateProxy
Domain Admins
Domain Guests
Schema Admins
Domain Users
Replicator
IIS_IUSRS
DnsAdmins
Guests
Users
support
[root@domainserver ~]#

So, that might be a clue as to why I can not use net rpc rights grant on groups it can not find … my knowledge is lacking tho, so I have no clue how samba normally would get these domain groups. I’m still reading up. Thanks so far!

Any takers on why getent CAN find “Domain Admins” but net sam rights or net rpc group list can not ?

[root@fileserver ~]# getent group "Domain Admins"
domain admins@mydomain.com:*:1262600512:administrator@mydomain.com,lms048@mydomain.com,admin@mydomain.com

[root@fileserver ~]# net rpc group list -Uadministrator   (domain admin password supplied)
Enter administrator's password:
[root@fileserver ~]# net rpc group list -Uadministrator   (fileserver admin password supplied)
Enter administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
[root@fileserver ~]# net rpc group list -UAdministrator   (domain admin password supplied)
Enter Administrator's password:
[root@fileserver ~]#

I think I just might have had a eureka moment. Currently, only the local Administrators group has any permissions assigned:

[root@fileserver ~]# net rpc rights list accounts -Uadministrator
Enter administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

BUILTIN\Users
No privileges assigned

But this does us no good, as this group has no rights in the domain. They are server-local. I would normally just go to my samba server, and execute the command there first on Domain Admins. But we can’t, as it is a container, and I can not ssh into it.

I thought I had seen a howto somewhere on ssh-ing into that container. Digging away …

Am I just making stuff up by now or could this be valid?

I just posted this in the wrong topic … soz.

Partial success:

[root@adserver ~]# systemd-run -M nsdc -t /bin/bash
bash-4.2# net rpc rights grant "MYDOMAIN\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege  -Uadministrator
Enter administrator's password:
Successfully granted rights.

I still can not execute the command on the fileserver, will now check what it did for me in effect …

edit: sadly, nothing. If I execute the same command in the container, but add -Sfileserver to it, it can not find Domain Admins …

edit2: in the nsdc container, the starting situation was the same as on the member server: only the builtin administrators had any permissions. Will now check what rejoining the domain does.


Grant rights from server:

[root@server ~]# systemd-run -M nsdc -t /bin/bash -c 'net rpc rights grant "CMB\Domain Admins" SePrintOperatorPrivilege -U "CMB\admin"'
Running as unit run-14591.service.
Press ^] three times within 1s to disconnect TTY.
Enter CMB\admin's password:
Successfully granted rights.

List the privileged users:

[root@server ~]# systemd-run -M nsdc -t /bin/bash -c 'net rpc rights list privileges SePrintOperatorPrivilege -U "CMB\admin"'
Running as unit run-14893.service.
Press ^] three times within 1s to disconnect TTY.
Enter CMB\admin's password:
SePrintOperatorPrivilege:
  CMB\Domain Admins

Do you know how to check the assigned privileges with some other tool?


Sadly, that will grant rights in the AD container, unless you add -Sserver, and then you won’t have rights :frowning:

I just checked with Computer Management on a Win7 client, connected to the member server, and can not edit security settings. Connected to the container, I can edit the security settings.

Good news: after it works, it works. Bad news, no clue how to set the permission on the member server.

Sooooooo close. But too tired to continue.

Taken from:

https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

Create a username map as described there, and then enter:

net rpc rights grant "MYDOMAIN\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege -Uadministrator

[root@fileserver ~]# net rpc rights grant "Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege  -Uadministrator
Enter administrator's password:
Successfully granted rights.
[root@fileserver ~]# getent group "Domain Admins"
domain admins@mydomain.com:*:1262600512:administrator@mydomain.com,lms048@mydomain.com,admin@mydomain.com
[root@fileserver ~]# net rpc rights list accounts -Uadministrator
Enter administrator's password:
Unix Group\domain admins@mydomain.com
SeMachineAccountPrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

I can now actually SEE the security settings using Shared Folders and Files on a Windows machine, and actually click checkboxes on the security tab, whereas they were greyed out before, but as soon as I click apply, I get access denied.

This is using my own account which is member from domain admins.

Next I tried MYDOMAIN\administrator as Windows login, and after removing some stuff from my profile share definition, I can now set rights. Still not entirely working, as the owner is root, and that needs to be the local administrators group. Getting close tho.

I’m not that awake anymore tho … to be continued.

TL;DR: username map is your friend.


Thanks @des, @mrmarkuz, @m.traeumner, @flatspin and earlier @stephdl for thinking along during this adventure. And special thanks to @alefattorini for getting their attention in another topic regarding this issue a while ago. You all rock!

I do think this needs to be added to Nethserver once this is figured out … I grew a couple of extra grey hairs during this.

It is not at all obvious to the casual Linux admin how this works, and while we are replacing Microsoft, being able to set rights as we were used to really will help adoption. Linux rights, to Windows admins, are alien.

It would be greatly appreciated to have a checkbox while creating a share, turn on advanced sharing, and be able to create an ibay with the following content in smb.conf:

[windows acls enabled share]
comment = Profiles directory
browsable = yes
path = /var/lib/nethserver/profiles
read only = no
store dos attributes = Yes
csc policy = disable

This, and SeDiskOperatorPrivilege (and possibly some more privileges) are needed to be able to set security settings from within windows, as if it is windows. I need to test if there are limits, and what they are, but for now I really really call it quits.

P.S.

Content of /etc/samba/user.map
[root@fileserver ~]# cat /etc/samba/user.map
!root = MYDOMAIN\Administrator MYDOMAIN\administrator

And you need to add username map = /etc/samba/user.map to the [global] section of smb.conf


I decided to use this thread, as it is the technical one.
First I’d like to thank you for your incredible work and it would be great to be able to set network share rights via Windows.
I tried to set it up with custom templates and the NethServer shared folder profile to have specific shares as Windows-ACLed ones and leave other shares as they are:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-samba.html#shared-folder-profile

Created /etc/samba/user.map as it is no template

!root = CMB\Administrator CMB\administrator

Created custom template /etc/e-smith/templates-custom/etc/samba/smb.conf/11usermap:

#
# 11usermap - username map
#
username map = /etc/samba/user.map

Set the new profile for the specific shared folder:

db accounts setprop SHAREDFOLDER SmbProfileType winacls

Created shared folder profile named winacls (ibay-winacls). This shared folder profile dir has to be in templates dir, it doesn’t work in templates-custom.

mkdir -p /etc/e-smith/templates/etc/samba/smb.conf/ibay-winacls
cp /etc/e-smith/templates/etc/samba/smb.conf/ibay-default/* /etc/e-smith/templates/etc/samba/smb.conf/ibay-winacls

Browseable setting for specific folder may be changed via web UI or with

db accounts setprop SHAREDFOLDER SmbShareBrowseable enabled

but it seems to be enabled by default as not shown by samba testparm.

Then I changed /etc/e-smith/templates/etc/samba/smb.conf/ibay-winacls/20profile_default and uncommented the lines like you described and added csc policy setting at the end.

# 20profile_default:
read only            = no
#inherit permissions  = yes
; Add group write bit to default create mask, remove DOS archive bit (see below$
#create mask          = 0664
#inherit owner        = yes
; Use extended attribute to store DOS attributes (see man page)
store dos attributes = yes
#map archive          = no
#map readonly         = no
#inherit acls         = yes
#map acl inherit      = yes
#guest ok             = { ($ibay{SmbGuestAccessType} || 'none') =~ /^rw?$/ ? 'y$
browseable           = { ($ibay{SmbShareBrowseable} || 'enabled') eq 'enabled' $
# IMPORTANT! only value to add:
csc policy = disable

Apply changes:

signal-event nethserver-samba-update

Check if it worked and smb.conf has the new entries:

[root@server ~]# testparm -s
...
username map = /etc/samba/user.map
...
[SHAREDFOLDER]
        comment = Samba share
        path = /var/lib/nethserver/ibay/test
        store dos attributes = Yes
        csc policy = disable
        read only = No
        vfs objects = full_audit

Check shared folder settings:

Set rights as you described:

net rpc rights grant "Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege -Uadministrator

I am able to change shared folder network rights via computer management - this seems to work :+1:.
I noticed that after these changes the root folder appears when browsing \\myserver.
Maybe you have some different smb.conf global settings I am missing?

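The two posts above end up with the same checklist for a member server: `username map` in `[global]`, the share stanza with `store dos attributes`, `csc policy = disable` and `read only = no`, and the domain admins group holding SeDiskOperatorPrivilege. Below is an added verification script (not from the thread, NethServer or Samba) that parses the text output of `testparm -s` and `net rpc rights list accounts` and reports the first missing piece; the two sample outputs are constructed to mirror the thread so it runs offline, and the share name `profiles` is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a Samba member server is set
# up for Windows-side ACL editing as described in the posts above. It parses
# the text output of `testparm -s` and `net rpc rights list accounts`; the two
# samples below are constructed to mirror the thread so the script runs
# offline. On a real server, replace them with the output of
#   testparm -s 2>/dev/null
#   net rpc rights list accounts -Uadministrator

SAMPLE_TESTPARM='[global]
        realm = MYDOMAIN.COM
        security = ADS
        username map = /etc/samba/user.map

[profiles]
        comment = Profiles directory
        path = /var/lib/nethserver/profiles
        store dos attributes = Yes
        csc policy = disable
        read only = No
        vfs objects = full_audit'

SAMPLE_RIGHTS='Unix Group\domain admins@mydomain.com
SeMachineAccountPrivilege
SeDiskOperatorPrivilege

BUILTIN\Administrators
SeDiskOperatorPrivilege
SeSecurityPrivilege

Everyone
No privileges assigned'

# section_has CONFIG SECTION KEY VALUE
# Succeeds when [SECTION] contains "KEY = VALUE" (key and value compared
# case-insensitively, surrounding whitespace ignored), as testparm prints it.
section_has() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" -v val="$4" '
        /^\[/ { insec = ($0 == sec); next }
        insec {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key) && tolower(v) == tolower(val)) found = 1
        }
        END { exit !found }'
}

# account_has_privilege RIGHTS ACCOUNT PRIVILEGE
# Succeeds when the account whose name contains ACCOUNT (case-insensitive
# substring, so no "DOMAIN\..." backslashes have to pass through awk -v)
# lists PRIVILEGE. Blocks are separated by blank lines; the first line of a
# block is the account name and the following lines are its privileges.
account_has_privilege() {
    printf '%s\n' "$1" | awk -v acct="$2" -v priv="$3" '
        /^[ \t]*$/ { cur = ""; next }
        cur == "" { cur = tolower($0); next }
        index(cur, tolower(acct)) && $0 == priv { found = 1 }
        END { exit !found }'
}

# verify_share CONFIG RIGHTS SHARE ACCOUNT
# Runs every check the thread settles on and names the first missing piece.
verify_share() {
    section_has "$1" global "username map" /etc/samba/user.map ||
        { echo "missing: username map in [global]"; return 1; }
    section_has "$1" "$3" "store dos attributes" yes ||
        { echo "missing: store dos attributes = yes in [$3]"; return 1; }
    section_has "$1" "$3" "csc policy" disable ||
        { echo "missing: csc policy = disable in [$3]"; return 1; }
    section_has "$1" "$3" "read only" no ||
        { echo "missing: read only = no in [$3]"; return 1; }
    account_has_privilege "$2" "$4" SeDiskOperatorPrivilege ||
        { echo "missing: SeDiskOperatorPrivilege for $4"; return 1; }
    echo "ok: [$3] is ready for Windows ACL editing by $4"
}

verify_share "$SAMPLE_TESTPARM" "$SAMPLE_RIGHTS" profiles "domain admins"
```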

You could set browseable to disabled … the regular $ after the share name doesn’t impress Samba :stuck_out_tongue:


Yes @planet_jeroen did a great contribution here!

Please continue this discussion under the Feature category thread
