[Samba] W7 client cannot adjust file permissions via ADUC

L.P.H. van Belle belle at bazuin.nl
Fri Jan 30 01:05:10 MST 2015


Hi bob, 

Yes, I have corrected the script online.

I replaced the %USERNAME with %U in the old member script,
and please don't give the user DOMAIN\Administrator any uid. Not 0, nothing... no uid.

My best advice: leave Administrator as is and create a new user.
Add that one to "Domain Admins" and that user can have a uid.

For setting the rights:

Use setfacl to set the base rights on the folder structure,
and set "DOMAIN Admins" as group with full access on /home/samba (and subfolders).
I will change this in the new member server script.

Greetz, 

Louis





>-----Original message-----
>From: bob at donelsontrophy.net 
>[mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>Sent: Friday 30 January 2015 3:52
>To: samba at lists.samba.org
>Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>
> 
>
>Thursday's emails were erratic due to a server (somewhere in email land)
>that had gone haywire. Here in the midwest United States, peaceful
>silence from the samba-list. Then about mid-afternoon, BAM! Emails
>began to arrive in a very erratic manner. Emails from 1300 hours were
>arriving before emails from 0900 hours and I began reading and
>responding and I got confused, as I am sure everyone was. 
>
>Tranquility has settled, we have all had time to "take a breath" and
>once again it is time to move forward. 
>
>Rowland, 
>
>Thanks for your help and patience, so far. 
>
>Louis, 
>
>From what I can understand from your email, there was an error within
>your "4-setup-sernet-samba4-MEMBER-wheezy.sh" script that caused my
>domainAdministrator to create a uidNumber when it should not have had a
>uidNumber (should be "0" for root.) And now you have corrected the
>script so it will not do that again. 
>
>The simplest solution for me is this. Revert to my initial Debian
>installation backup (created just prior to my running the uidNumber
>creation script the first time) and re-run the now revised
>"4-setup-sernet-samba4-MEMBER-wheezy.sh". 
>
>This is what I am going to do. 
>
>Now, Louis, the script has been corrected, yes? 
>---
>
>-------------------------
>
>Bob Wooden of Donelson Trophy
>
>615.885.2846 (main)
>www.donelsontrophy.com [1]
>
>"Everyone deserves an award!!"
>
>On 2015-01-29 08:05, L.P.H. van Belle wrote: 
>
>> ok, seen it.. 
>> 
>> "administratorSERNAME%"? 
>> 
>> I'll change that, I did only some tests from Windows, 
>> and I don't ever set uid/gid for Administrator. 
>> 
>> -- Changed in the old script. 
>> 
>> but remember, you should NEVER set UID/GID for administrator, because... 
>> 
>> Now administrator has uid 50001 ... 
>> and this should be 0 ( root ) 
>> This is why we also use the user mapping !root = "DOMAINAdministrator" .... 
>> 
>> Always create a new user and add this one to the group "Domain Admins" 
>> 
>> Also, I have set profile/uid/gid/nis for the Domain Administrator. 
>> And if you set another user for "Domain Administrator", 
>> on the member servers also add a line for this user in the usermapping file, 
>> since you need root access. or.. 
>> try setting the rights as a starter like: 
>> 
>> something like.. 
>> setfacl -R -m default:user:Administrator:rwx /home/samba 
>> setfacl -R -m "default:group:domain admins:rwx" /home/samba 
>> 
>> Louis
>> -----Original message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Thursday 29 January 2015 14:24
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>>
>> On 29/01/15 12:54, Bob of Donelson Trophy wrote:
>>
>> Rowland,
>>
>> I have tried your various alteration suggestions and it is a "negative" result.
>>
>> Here is the output from wbinfo -u & wbinfo -g
>>
>> root@dtmbr01:~# wbinfo -u
>> administrator
>> dns-dtdc02
>> dns-dtdc01
>> krbtgt
>> guest
>> root@dtmbr01:~# wbinfo -g
>> allowed rodc password replication group
>> enterprise read-only domain controllers
>> denied rodc password replication group
>> read-only domain controllers
>> group policy creator owners
>> ras and ias servers
>> domain controllers
>> enterprise admins
>> domain computers
>> cert publishers
>> dnsupdateproxy
>> domain admins
>> domain guests
>> schema admins
>> domain users
>> dnsadmins
>> root@dtmbr01:~# getent passwd Administrator
>> administrator:*:50001:50006::/home/samba/DT***RM/users/administratorSERNAME%:/bin/bash
>>
>> Say what, "administratorSERNAME%"?
>>
>> After running the 'generation one' script to create the member
>> server, I have changed nothing except the suggestions that
>> have been made on this mailing list.
>>
>> Attempting to gain access to the member server to re-adjust the
>> file permissions on "profiles" per the instructions on the samba wiki.
>>
>> Please, thoughts?
>> ---
>> -------------------------
>> Bob Wooden of Donelson Trophy
>> 615.885.2846 (main)
>> www.donelsontrophy.com [1]
>> "Everyone deserves an award!!"
>>
>> On 2015-01-28 13:09, Rowland Penny wrote:
>> On 28/01/15 18:55, Bob of Donelson Trophy wrote:
>> No, I did not try the alterations but, Louis had me remove
>> the "domain users" line earlier. Put the line back in and try
>> alterations? (If so, I will not have time until you are asleep,
>> tonight.)
>
>>> By all means try it, you have nothing to lose :-) I take it
>>> that 'wbinfo -u' shows all the domain users on
>>> the member server and 'wbinfo -g' shows all the domain groups. Also
>>> 'getent passwd <domain user>' shows the user.
>
>>> Rowland
>> Links:
>> ------
>> [1] http://www.donelsontrophy.com
>
>Louis's script puts this line in smb.conf:
>template homedir = /home/samba/DT***RM/users/%USERNAME%
>Perhaps it should be changed to this:
>template homedir = /home/samba/DT***RM/users/%U
>I say this because your Administrator's homedir seems to be the above
>line plus what I am suggesting should be removed. But what is worrying
>me more, Administrator has the uid of '50001', have you set this in AD ?
>Rowland
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba [2] 
>
>Links:
>------
>[1] http://www.donelsontrophy.com
>[2] https://lists.samba.org/mailman/options/samba
>
>
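
A check for the two faults discussed in this thread (a `template homedir` written with `%USERNAME%` instead of `%U`, and Administrator carrying a uid such as 50001), as an added example that is not part of the original messages or of Louis's script. The function names and the EXAMPLE sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample values below are constructed (EXAMPLE domain).

# Return 1 if "template homedir" holds a Windows-style %NAME% token.
# Samba substitutes %U on its own, so %USERNAME% becomes the user name
# followed by the literal text "SERNAME%", as seen in the thread.
check_homedir_template() {
    value=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*template homedir[[:space:]]*=[[:space:]]*//p' |
        tail -n 1)
    [ -n "$value" ] || { echo "no template homedir set"; return 0; }
    if printf '%s\n' "$value" | grep -Eq '%[A-Za-z_]{2,}%'; then
        echo "BAD template homedir: $value"
        return 1
    fi
    echo "ok template homedir: $value"
}

# Return 1 if a passwd line gives Administrator a non-zero uid or has a
# home directory with a leftover '%' from a failed substitution.
check_passwd_entry() {
    name=$(printf '%s\n' "$1" | cut -d: -f1)
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    rc=0
    case $(printf '%s' "$name" | tr '[:upper:]' '[:lower:]') in
        administrator|*\\administrator)
            if [ "$uid" != 0 ]; then
                echo "BAD $name has uid $uid; the thread's advice is no uidNumber"
                rc=1
            fi ;;
    esac
    case $home in
        *%*) echo "BAD unexpanded variable in home: $home"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed inputs; on a live member server pass "$(testparm -s 2>/dev/null)"
# and "$(getent passwd Administrator)" instead.
SAMPLE_CONF='[global]
    template homedir = /home/samba/EXAMPLE/users/%USERNAME%'
SAMPLE_PASSWD='administrator:*:50001:50006::/home/samba/EXAMPLE/users/administratorSERNAME%:/bin/bash'

check_homedir_template "$SAMPLE_CONF" || true
check_passwd_entry "$SAMPLE_PASSWD" || true
```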


