[Samba] W7 client cannot adjust file permissions via ADUC
L.P.H. van Belle
belle at bazuin.nl
Fri Jan 30 01:05:10 MST 2015
Hi bob,
Yes, I have corrected the script online.
I replaced the %USERNAME with %U in the old member script,
and please don't give the user DOMAIN\Administrator any uid. Not 0, nothing... no uid.
My best advice, leave Administrator as is and create a new user..
Add that one in "Domain Admins" and that user can have a uid.
For setting the rights.
Use setfacl to set the base rights on the folder structure,
and set "DOMAIN Admins" as group with full access on /home/samba ( and subfolders )
I'll change this in the new member server script.
Greetz,
Louis
>-----Original message-----
>From: bob at donelsontrophy.net
>[mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>Sent: Friday 30 January 2015 3:52
>To: samba at lists.samba.org
>Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>
>
>
>Thursday's emails were erratic due to a server (somewhere in email
>land) that had gone haywire. Here in the midwest United States peaceful
>silence from the samba-list. Then about mid-afternoon, BAM! Emails
>began to arrive in a very erratic manner. Emails from 1300 hours were
>arriving before emails from 0900 hours and I began reading and
>responding and I got confused as I am sure everyone was.
>
>Tranquility has settled, we have all had time to "take a breath" and
>once again it is time to move forward.
>
>Rowland,
>
>Thanks for your help and patience, so far.
>
>Louis,
>
>From what I can understand from your email, there was an error within
>your "4-setup-sernet-samba4-MEMBER-wheezy.sh" script that caused my
>domain\Administrator to create a uidNumber when it should not have had a
>uidNumber (should be "0" for root.) And now you have corrected the
>script so it will not do that again.
>
>The simplest solution for me is this. Revert to my initial Debian
>installation backup (created just prior to my running the uidNumber
>creation script the first time) and re-run the now revised
>"4-setup-sernet-samba4-MEMBER-wheezy.sh".
>
>This is what I am going to do.
>
>Now, Louis, the script has been corrected, yes?
>---
>
>-------------------------
>
>Bob Wooden of Donelson Trophy
>
>615.885.2846 (main)
>www.donelsontrophy.com [1]
>
>"Everyone deserves an award!!"
>
>On 2015-01-29 08:05, L.P.H. van Belle wrote:
>
>> ok, seen it..
>>
>> "administratorSERNAME%"?
>>
>> I'll change that, I did only some tests from windows.
>> and I don't ever set uid/gid to Administrator.
>>
>> -- Changed in the old script.
>>
>> but remember, you should NEVER set UID/GID for administrator, because...
>>
>> Now administrator has uid 50001 ...
>> and this should be 0 ( root )
>> This is why we also use the user mapping !root = "DOMAIN\Administrator" ....
>>
>> Always create a new user and add this one to the group "Domain Admins"
>>
>> Also, I have set profile/uid/gid/nis for the Domain Administrator.
>> And if you set another user for "Domain Administrator",
>> on the member servers also add a line for this user in the usermapping file.
>> since you need root access. or..
>> try set the rights as starter like :
>>
>> something like..
>> setfacl -R -m default:user:Administrator:rwx /home/samba
>> setfacl -R -m "default:group:domain admins:rwx" /home/samba
>>
>> Louis
>> -----Original message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Thursday 29 January 2015 14:24
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>>
>> On 29/01/15 12:54, Bob of Donelson Trophy wrote:
>>
>> Rowland,
>>
>> I have tried your various alteration suggestions and it is a
>> "negative" result.
>>
>> Here is the output from wbinfo -u & wbinfo -g
>>
>> root at dtmbr01:~# wbinfo -u
>> administrator
>> dns-dtdc02
>> dns-dtdc01
>> krbtgt
>> guest
>> root at dtmbr01:~# wbinfo -g
>> allowed rodc password replication group
>> enterprise read-only domain controllers
>> denied rodc password replication group
>> read-only domain controllers
>> group policy creator owners
>> ras and ias servers
>> domain controllers
>> enterprise admins
>> domain computers
>> cert publishers
>> dnsupdateproxy
>> domain admins
>> domain guests
>> schema admins
>> domain users
>> dnsadmins
>> root at dtmbr01:~# getent passwd Administrator
>> administrator:*:50001:50006::/home/samba/DT***RM/users/administratorSERNAME%:/bin/bash
>>
>> Say what, "administratorSERNAME%"?
>>
>> After running the 'generation one' script to create the member
>> server, I have changed nothing except the suggestions that have been
>> made on this mailing list. Attempting to gain access to the member
>> server to re-adjust the file permissions on "profiles" per the
>> instructions on the samba wiki.
>>
>> Please, thoughts?
>> ---
>> -------------------------
>> Bob Wooden of Donelson Trophy
>> 615.885.2846 (main)
>> www.donelsontrophy.com [1]
>> "Everyone deserves an award!!"
>>
>> On 2015-01-28 13:09, Rowland Penny wrote:
>>
>> On 28/01/15 18:55, Bob of Donelson Trophy wrote:
>>
>> No, I did not try the alterations but, Louis had me remove the
>> "domain users" line earlier. Put the line back in and try alterations?
>> (If so, I will not have time until you are asleep, tonight.)
>>
>>> By all means try it, you have nothing to lose :-) I take it that
>>> 'wbinfo -u' shows all the domain users on the member server and
>>> 'wbinfo -g' shows all the domain groups. Also 'getent passwd <domain
>>> user>' shows the user.
>>>
>>> Rowland
>>
>> Links:
>> ------
>> [1] http://www.donelsontrophy.com
>>
>> Louis's script puts this line in smb.conf:
>>
>> template homedir = /home/samba/DT***RM/users/%USERNAME%
>>
>> Perhaps it should be changed to this:
>>
>> template homedir = /home/samba/DT***RM/users/%U
>>
>> I say this because your Administrator's homedir seems to be the above
>> line plus what I am suggesting should be removed. But what is worrying
>> me more, Administrator has the uid of '50001', have you set this in AD?
>>
>> Rowland
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba [2]
>
>Links:
>------
>[1] http://www.donelsontrophy.com
>[2] https://lists.samba.org/mailman/options/samba
>
>
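Added example, not part of the original messages or of the member-server script discussed in them: a small shell model of the two faults diagnosed in this thread, the "%USERNAME%" template that expands to "administratorSERNAME%" and the Administrator passwd entry that carries its own uid. The domain name EXAMPLE, the function names and the sample lines are constructed; the expansion models only %D and %U, the variables smb.conf(5) documents for "template homedir".

```shell
#!/bin/sh
# Added example: model of how winbindd fills in "template homedir".
# Per smb.conf(5), only %D (domain) and %U (user name) are substituted.
# EXAMPLE is a constructed domain name, not the one from the thread.

expand_template_homedir() {  # usage: expand_template_homedir TEMPLATE DOMAIN USER
    printf '%s\n' "$1" | sed -e "s|%D|$2|g" -e "s|%U|$3|g"
}

# Succeeds only if nothing that looks like an unexpanded variable is left.
homedir_template_ok() {      # usage: homedir_template_ok TEMPLATE
    case "$(expand_template_homedir "$1" EXAMPLE testuser)" in
        *%*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Third field of a passwd(5) line is the numeric uid.
passwd_uid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Per the thread: Administrator must not carry its own uidNumber; an entry
# that resolves to anything other than 0 (root) is flagged.
admin_entry_ok() {           # usage: admin_entry_ok "PASSWD LINE or empty"
    [ -z "$1" ] && return 0
    [ "$(passwd_uid "$1")" = "0" ]
}

# Constructed inputs modelled on the output quoted in the thread.
BAD_TEMPLATE='/home/samba/EXAMPLE/users/%USERNAME%'
GOOD_TEMPLATE='/home/samba/EXAMPLE/users/%U'
ADMIN_LINE='administrator:*:50001:50006::/home/samba/EXAMPLE/users/administratorSERNAME%:/bin/bash'

for t in "$BAD_TEMPLATE" "$GOOD_TEMPLATE"; do
    if homedir_template_ok "$t"; then s=ok; else s=BROKEN; fi
    printf '%-45s -> %s (%s)\n' "$t" \
        "$(expand_template_homedir "$t" EXAMPLE administrator)" "$s"
done
if admin_entry_ok "$ADMIN_LINE"; then
    echo "Administrator entry ok"
else
    echo "Administrator has uid $(passwd_uid "$ADMIN_LINE"); remove its uidNumber"
fi
```

On a real member server the two inputs would come from "testparm -s" and "getent passwd Administrator".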