[Samba] W7 client cannot adjust file permissions via ADUC

Bob of Donelson Trophy bob at donelsontrophy.net
Wed Jan 28 07:25:00 MST 2015



W7 client domain member? yes 

Logged in as "DOMAINAdministrator? yes 

W7client and server time set by ntp? yes 

Adjusted smb.conf as you indicated. 

Adjusted the file permissions as you indicated. (Was slightly unclear as
to what the "755 775 775 777" meant?) 

So, still might be a linux permissions issue? Current file permissions
is set as: 

 /home drwxr-xr-x (755?) 

 /home/samba drwxr-xr-x (755?) 

 /home/samba/DT***RM drwxr-xr-t ( t?? ) 

 /home/samba/DT***RM/profiles drwxrwxr-x (775?) 

Have read through the suggestions you posted (yes, I agree, that part of
the wiki could be better.) 

I have attached a small *.png image (hope it does not get dropped by
mailing list.) 

While logged into the W7 client as "DOMAINAdministrator" can still
connect to either of the two DC's but, the member connection is refused
(see image.) So, at this moment, I cannot proceed with any instructions
at the wiki regarding "Samba_%26_Windows_Profiles" because I cannot
access them via the client. 

What do you need to know, now? 


Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-28 03:18, L.P.H. van Belle wrote: 

> Hai Bob, 
> A few questions.
> - is the client computer member of the domain?
> - Are you logged in as "DOMAINAdministrator" ?
> - it the time on pc and server the same. 
> and for example. change this one to
>> [profiles$] path = /home/samba/DT***RM/profiles acl_xattr:ignore system acl = yes read only = no csc policy = disable
> now check if : /etc/samba/samba_usermapping 
> contains "!root = DOMAINAdministrator DOMAINadministrator
> now check the rights.. set all to root:root 
> at least 
> rwx rwx rwx x
> 755 775 775 777
> /home/samba/DT***RM/profiles
> acl_xattr:ignore system acl ignores the linux rights, but !! 
> if you change rights on linux after you set rights on windows, 
> it can get messie, and you need to reset the rights from windows again. ! 
> now read : https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles [3] 
> as from : Creating a profiles share and setting permissions 
> and stop/skip reading when you see.. "Profile share with using POSIX ACLs " skip that part. 
> start reading again as of "Configuring roaming profiles for a user " and skip "In a NT4 domain" 
> and start again "Configuring folder redirection " 
> I think this part of the wiki can be better.. 
> a "NT4 style setup" with only that needed info 
> and a "AD DC" style setup.. so 2 pages imo. 
> and about the same for other shares.. 
> this is also nice explained here with more examples.. 
> http://blogging.dragon.org.uk/administering-ad-dc-via-windows/ [4] 
> Have a try and let us know. 
> Greetz, 
> Louis
>> -----Oorspronkelijk bericht----- Van: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] Namens Bob of Donelson Trophy Verzonden: dinsdag 27 januari 2015 0:30 Aan: SAMBA MailList Onderwerp: [Samba] W7 client cannot adjust file permissions via ADUC I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01. All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old) scripts. (Any linux client work has gone on hold, for the moment.) Next step was to adjust the file permissions as instructed on "Setup and configure file shares with Windows ACLs". When I access the "Computer Management" (thru ADUC on W7 client) it informs me that I do not have permission to access anything on the member server and I should contact my administrator. As instructed, I have run the "rpc rights grant" string on the member server but, still no love! I also tried a different W7 client and it was denied access in the same way. I can access both DC's but not the member 
from either W7 client. Here is a copy of my member-server smb.conf which is basically the default created via Louis' script; cat /etc/samba/smb.conf [global] workgroup = DT***RM security = ADS realm = DT***RM.LAN netbios name = dtmember01 domain master = no host msdfs = no dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab client signing = if_required ## map id's outside to domain to tdb files. idmap config *:backend = tdb idmap config *:range = 50001-80000 ## map ids from the domain the range may not overlap ! idmap config INTERNAL:backend = ad idmap config INTERNAL:schema_mode = rfc2307 idmap config INTERNAL:range = 2000-40000 winbind nss info = rfc2307 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind refresh tickets = yes winbind offline logon = yes wins server = 192.168.***.54, 192.168.***.55 template shell = /bin/bash template homedir = /home/samba/DT***RM/users/%USERN
 AME% #
user Administrator workaround, without it you are unable to set privileges username map = /etc/samba/samba_usermapping # For ACL support on member file server vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes # Share Setting Globally usershare allow guests = no unix extensions = no wide links = no reset on zero vc = yes veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/ hide unreadable = yes # disable printing completely load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes [home] path = /home/samba/DT***RM/users read only = no [profiles$] path = /home/samba/DT***RM/profiles read only = no admin users = +"DT***RMDomain Admins" profile acls = yes csc policy = disable [data] path = /home/samba/DT***RM/companydata read only = no [software] path = /home/samba/software read only = no Help? Thoughts? -- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] [1 [1]] "Every
deserves an award!!" Links: ------ [1] http://www.donelsontrophy.com [1] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba [2]

[1] http://www.donelsontrophy.com
[2] https://lists.samba.org/mailman/options/samba
[3] https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
[4] http://blogging.dragon.org.uk/administering-ad-dc-via-windows/

More information about the samba mailing list