[Samba] W7 client cannot adjust file permissions via ADUC

L.P.H. van Belle belle at bazuin.nl
Wed Jan 28 02:18:52 MST 2015


Hi Bob,

A few questions.

- Is the client computer a member of the domain?
- Are you logged in as "DOMAIN\Administrator"?
- Is the time on the PC and the server the same?

And, for example, change this one to:

[profiles$]
 path = /home/samba/DT***RM/profiles
 acl_xattr:ignore system acl = yes
 read only = no
 csc policy = disable


Now check that /etc/samba/samba_usermapping
contains "!root = DOMAIN\Administrator DOMAIN\administrator".

Now check the rights: set everything to root:root, with at least
755 (rwx r-x r-x); 775 or 777 are also fine:
/home/samba/DT***RM/profiles


acl_xattr:ignore system acl ignores the Linux rights, but!!
If you change rights on Linux after you have set rights from Windows,
it can get messy, and you need to reset the rights from Windows again!

Now read: https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
starting from "Creating a profiles share and setting permissions",
and stop reading when you see "Profile share with using POSIX ACLs"; skip that part.
Start reading again at "Configuring roaming profiles for a user", skip "In a NT4 domain",
and start again at "Configuring folder redirection".

I think this part of the wiki could be better:

an "NT4 style setup" with only the information needed for that,
and an "AD DC" style setup, so two pages IMO.

And about the same for the other shares.

This is also nicely explained here, with more examples:

http://blogging.dragon.org.uk/administering-ad-dc-via-windows/ 


Have a try and let us know.

Greetz, 

Louis
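
As an added example (not code from this thread, from Louis' scripts or from the Samba project), the following POSIX shell script turns the three checks in the reply above into functions: the "!root = DOMAIN\Administrator" line in the username map, root:root ownership and an at-least-755 mode on the profiles directory, and the clock skew between client and server. The workgroup name EXAMPLE, the 300 s Kerberos skew limit and the fixture files are assumptions; on a real member server you would point check_usermap at /etc/samba/samba_usermapping and check_share_perms at the profiles path, with the default owner root:root.

```shell
#!/bin/sh
# Added example for this thread, not Louis' scripts or Bob's files.
# Assumptions: "EXAMPLE" stands in for the (redacted) workgroup name,
# KRB_MAX_SKEW is the Kerberos default of 300 s, and the fixture in
# run_demo is constructed here so the checks can be exercised offline.

KRB_MAX_SKEW=300

say() { printf '%s\n' "$*"; }   # echo without backslash interpretation

# 1. username map: the reply asks for a line of the form
#      !root = DOMAIN\Administrator DOMAIN\administrator
#    The leading "!" makes Samba stop at the first match. grep -F/-i:
#    fixed string, case-insensitive, so the name needs no regex escaping.
check_usermap() {
    mf=$1; domain=$2
    if [ ! -r "$mf" ]; then
        say "usermap: $mf not readable"; return 1
    fi
    if grep -Fiq "!root = ${domain}\\Administrator" "$mf"; then
        say "usermap: root is mapped from ${domain}\\Administrator"; return 0
    fi
    say "usermap: no '!root = ${domain}\\Administrator' line in $mf"; return 1
}

# 2. share root: expected owner (root:root on the real server) and a mode
#    with owner rwx and group/others at least r-x, i.e. 755 or more open.
check_share_perms() {
    dir=$1; want_owner=${2:-root:root}
    if [ ! -d "$dir" ]; then
        say "perms: $dir is not a directory"; return 1
    fi
    owner=$(stat -c '%U:%G' "$dir" 2>/dev/null || stat -f '%Su:%Sg' "$dir")
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    m=$((0$mode))                 # leading 0: octal in shell arithmetic
    if [ "$owner" != "$want_owner" ]; then
        say "perms: $dir is owned by $owner, expected $want_owner"; return 1
    fi
    # 448 = 0700 (owner rwx), 45 = 0055 (r-x for group and others)
    if [ $((m & 448)) -ne 448 ] || [ $((m & 45)) -ne 45 ]; then
        say "perms: $dir is mode $mode, need at least 755"; return 1
    fi
    say "perms: $dir is $owner mode $mode, ok"; return 0
}

# 3. clock skew: Kerberos rejects tickets when client and server clocks
#    differ by more than KRB_MAX_SKEW seconds. Takes two epoch values so it
#    runs offline; on the real hosts compare "date +%s" from both sides,
#    and run "net ads testjoin" on the member server to confirm the join.
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    if [ "$d" -le "$KRB_MAX_SKEW" ]; then
        say "skew: ${d}s, within ${KRB_MAX_SKEW}s"; return 0
    fi
    say "skew: ${d}s exceeds ${KRB_MAX_SKEW}s"; return 1
}

# Constructed fixture: a good and a bad username map plus a profiles dir.
# Returns 0 only when every good case passes and every bad case fails.
run_demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '!root = EXAMPLE\Administrator EXAMPLE\administrator' > "$tmp/good_map"
    printf '%s\n' 'root = EXAMPLE\Administrator' > "$tmp/bad_map"   # missing "!"
    mkdir "$tmp/profiles" && chmod 755 "$tmp/profiles"
    me="$(id -un):$(id -gn)"      # stand-in for root:root when not run as root
    rc=0
    check_usermap "$tmp/good_map" EXAMPLE        || rc=1
    if check_usermap "$tmp/bad_map" EXAMPLE; then rc=1; fi
    check_share_perms "$tmp/profiles" "$me"      || rc=1
    chmod 700 "$tmp/profiles"
    if check_share_perms "$tmp/profiles" "$me"; then rc=1; fi
    skew_ok 1422436732 1422436800                || rc=1   # 68 s apart
    if skew_ok 1422436732 1422437732; then rc=1; fi        # 1000 s apart
    rm -rf "$tmp"
    return $rc
}

run_demo
```

The mode test uses bit masks rather than a string compare so that 2755 (setgid on the share root) or 775 and 777 pass as the reply allows, while 700 or 750, which would stop domain users from traversing the directory before any Windows ACL is applied, fail.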


>-----Original message-----
>From: bob at donelsontrophy.net
>[mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>Sent: Tuesday 27 January 2015 0:30
>To: SAMBA MailList
>Subject: [Samba] W7 client cannot adjust file permissions via ADUC
>
> 
>
>I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01.
>All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old)
>scripts. (Any Linux client work has gone on hold, for the moment.)
>
>Next step was to adjust the file permissions as instructed in "Setup and
>configure file shares with Windows ACLs". When I access "Computer
>Management" (through ADUC on a W7 client) it informs me that I do not have
>permission to access anything on the member server and I should contact
>my administrator.
>
>As instructed, I have run the "rpc rights grant" string on the member
>server, but still no love!
>
>I also tried a different W7 client and it was denied access in the same
>way. 
>
>I can access both DCs but not the member server from either
>W7 client.
>
>Here is a copy of my member-server smb.conf, which is basically the
>default created via Louis' script:
>
>cat /etc/samba/smb.conf
>[global]
> workgroup = DT***RM
> security = ADS
> realm = DT***RM.LAN
>
> netbios name = dtmember01
> domain master = no
> host msdfs = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> client signing = if_required
>
> ## map IDs from outside the domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 50001-80000
> ## map IDs from the domain itself; the name must be the workgroup
> ## (NetBIOS) name, and the ranges may not overlap!
> idmap config DT***RM:backend = ad
> idmap config DT***RM:schema_mode = rfc2307
> idmap config DT***RM:range = 2000-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
>
> wins server = 192.168.***.54, 192.168.***.55
>
> template shell = /bin/bash
> template homedir = /home/samba/DT***RM/users/%USERNAME%
>
> # user Administrator workaround; without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
>
> # For ACL support on member file server
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Share Setting Globally
> usershare allow guests = no
> unix extensions = no
> wide links = no
> reset on zero vc = yes
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
>[home]
> path = /home/samba/DT***RM/users
> read only = no
>
>[profiles$]
> path = /home/samba/DT***RM/profiles
> read only = no
> admin users = +"DT***RM\Domain Admins"
> profile acls = yes
> csc policy = disable
>
>[data]
> path = /home/samba/DT***RM/companydata
> read only = no
>
>[software]
> path = /home/samba/software
> read only = no 
>
>Help? Thoughts? 
>
>-- 
>
>-------------------------
>
>Bob Wooden of Donelson Trophy
>
>615.885.2846 (main)
>www.donelsontrophy.com [1]
>
>"Everyone deserves an award!!"
> 
>
>Links:
>------
>[1] http://www.donelsontrophy.com
>
>


