[Samba] W7 client cannot adjust file permissions via ADUC

Bob of Donelson Trophy bob at donelsontrophy.net
Mon Jan 26 16:29:54 MST 2015


 

I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01.
All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old)
scripts. (Any Linux client work has gone on hold, for the moment.)

Next step was to adjust the file permissions as instructed on "Setup and
configure file shares with Windows ACLs". When I access the "Computer
Management" (through ADUC on a W7 client), it informs me that I do not have
permission to access anything on the member server and I should contact
my administrator.

As instructed, I have run the "rpc rights grant" string on the member
server, but still no love!

I also tried a different W7 client and it was denied access in the same
way. 

I can access both DCs but not the member server from either W7 client.

Here is a copy of my member-server smb.conf, which is basically the
default created via Louis' script:

cat /etc/samba/smb.conf
[global]
 workgroup = DT***RM
 security = ADS
 realm = DT***RM.LAN

 netbios name = dtmember01
 domain master = no
 host msdfs = no

 dedicated keytab file = /etc/krb5.keytab
 kerberos method = secrets and keytab
 client signing = if_required

 ## map id's outside to domain to tdb files.
 idmap config *:backend = tdb
 idmap config *:range = 50001-80000
 ## map ids from the domain the range may not overlap !
 idmap config INTERNAL:backend = ad
 idmap config INTERNAL:schema_mode = rfc2307
 idmap config INTERNAL:range = 2000-40000

 winbind nss info = rfc2307
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
 winbind refresh tickets = yes
 winbind offline logon = yes

 wins server = 192.168.***.54, 192.168.***.55

 template shell = /bin/bash
 template homedir = /home/samba/DT***RM/users/%USERNAME%

 # user Administrator workaround, without it you are unable to set privileges
 username map = /etc/samba/samba_usermapping

 # For ACL support on member file server
 vfs objects = acl_xattr
 map acl inherit = yes
 store dos attributes = yes

 # Share Setting Globally
 usershare allow guests = no
 unix extensions = no
 wide links = no
 reset on zero vc = yes
 veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
 hide unreadable = yes

 # disable printing completely
 load printers = no
 printing = bsd
 printcap name = /dev/null
 disable spoolss = yes

[home]
 path = /home/samba/DT***RM/users
 read only = no

[profiles$]
 path = /home/samba/DT***RM/profiles
 read only = no
 admin users = +"DT***RMDomain Admins"
 profile acls = yes
 csc policy = disable

[data]
 path = /home/samba/DT***RM/companydata
 read only = no

[software]
 path = /home/samba/software
 read only = no 

Help? Thoughts? 

-- 

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com

"Everyone deserves an award!!"