[Samba] can't remove groups in AD
herman at aeronetworks.ca
Tue Oct 30 23:48:30 GMT 2007
Martin Hauptmann wrote:
> I set up a samba 3.0.26a as an ads-member of a windows 2003 Small
> Business Server.
> Every windows user in the domain can read and write their files,
> everyone's happy.
> My problem is that I cannot set up security groups in the AD. When I
> try, I do not get an error message, but my changes are being silently
> I cannot set rights exceeding read, write, execute and owner.
> E.g. I cannot remove the group 'everyone' from the file access list.
> When I do and confirm I do not get an error message, but when I review
> the settings, nothing has changed, 'everyone' is still in the list.
> It is the same when I try to set or unset full access to files - no
> error message, but no success.
> I tried different settings concerning heritage, but that did not help.
> There are some other postings in the mailing list that sound quite
> similar, related to versions >3.0.25. Maybe there is a bug in these
> My smb.conf: http://www.pastebin.ca/753491

Did you perhaps change anything in ADS? I have found that one should
NEVER change the spelling of a record, or drag a user or group somewhere
else. Doing so totally screws up winbind.

To fix it, I suggest that you create a new OU with groups and users in
the OU, ensure everything works, then set the security policy of the OU
and finally delete the old dud users and groups. Only delete the users
and groups afterwards, to ensure that the GUIDs won't get re-used for
the new records.

I actually never delete records - I have a special OU called 'trash' and
I drag and drop trashed users and groups there - to prevent GUID re-use
and consequent side effects. I don't know whether that is strictly
necessary, but I was losing a lot of hair at one point so I became
paranoid about never changing *anything* in ADS once created, and it
really seems to work better this way.