[Samba] W7 client cannot adjust file permissions via ADUC
Bob of Donelson Trophy
bob at donelsontrophy.net
Mon Jan 26 16:29:54 MST 2015
I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01.
All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old)
scripts. (Any Linux client work has gone on hold, for the moment.)

Next step was to adjust the file permissions as instructed on "Setup and
configure file shares with Windows ACLs". When I access the "Computer
Management" (through ADUC on W7 client) it informs me that I do not have
permission to access anything on the member server and I should contact
my administrator.

As instructed, I have run the "rpc rights grant" string on the member
server but still no love!

I also tried a different W7 client and it was denied access in the same
way.

I can access both DCs but not the member server from either W7 client.

Here is a copy of my member-server smb.conf, which is basically the
default created via Louis' script:

cat /etc/samba/smb.conf
[global]
workgroup = DT***RM
security = ADS
realm = DT***RM.LAN
netbios name = dtmember01
domain master = no
host msdfs = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
client signing = if_required
## map id's outside to domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 50001-80000
## map ids from the domain the range may not overlap !
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 2000-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = yes
wins server = 192.168.***.54, 192.168.***.55
template shell = /bin/bash
template homedir = /home/samba/DT***RM/users/%USERNAME%
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# For ACL support on member file server
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Share Setting Globally
usershare allow guests = no
unix extensions = no
wide links = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[home]
path = /home/samba/DT***RM/users
read only = no
[profiles$]
path = /home/samba/DT***RM/profiles
read only = no
admin users = +"DT***RMDomain Admins"
profile acls = yes
csc policy = disable
[data]
path = /home/samba/DT***RM/companydata
read only = no
[software]
path = /home/samba/software
read only = no
Help? Thoughts?
--
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [1]
"Everyone deserves an award!!"
Links:
------
[1] http://www.donelsontrophy.com