[Samba] W7 client cannot adjust file permissions via ADUC

L.P.H. van Belle belle at bazuin.nl
Wed Jan 28 07:57:45 MST 2015

Hi Bob, 

Set the rights like this. 

> /home  775
> /home/samba 775 
> /home/samba/DT***RM  775 
> /home/samba/DT***RM/profiles 777
For the profiles, after you set the rights in Windows, 
user profile folders will be created with the correct rights 
and only accessible by the user. 

And from here you should be able to set the correct rights. 

Can you give it a try? 



>-----Original message-----
>From: bob at donelsontrophy.net 
>[mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>Sent: Wednesday 28 January 2015 15:25
>To: samba at lists.samba.org
>Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>W7 client domain member? yes 
>Logged in as "DOMAIN\Administrator"? yes 
>W7 client and server time set by ntp? yes 
>Adjusted smb.conf as you indicated. 
>Adjusted the file permissions as you indicated. (Was slightly unclear as
>to what the "755 775 775 777" meant?) 
>So, still might be a linux permissions issue? Current file permissions
>are set as: 
> /home drwxr-xr-x (755?) 
> /home/samba drwxr-xr-x (755?) 
> /home/samba/DT***RM drwxr-xr-t ( t?? ) 
> /home/samba/DT***RM/profiles drwxrwxr-x (775?) 
>Have read through the suggestions you posted (yes, I agree, that part of
>the wiki could be better.) 
>I have attached a small *.png image (hope it does not get dropped by
>mailing list.) 
>While logged into the W7 client as "DOMAIN\Administrator" can still
>connect to either of the two DC's but, the member connection is refused
>(see image.) So, at this moment, I cannot proceed with any instructions
>at the wiki regarding "Samba_%26_Windows_Profiles" because I cannot
>access them via the client. 
>What do you need to know, now? 
>Bob Wooden of Donelson Trophy
>615.885.2846 (main)
>www.donelsontrophy.com [1]
>"Everyone deserves an award!!"
>On 2015-01-28 03:18, L.P.H. van Belle wrote: 
>> Hai Bob, 
>> A few questions.
>> - Is the client computer a member of the domain?
>> - Are you logged in as "DOMAIN\Administrator"?
>> - Is the time on PC and server the same? 
>> And for example, change this one to:
>> [profiles$]
>> path = /home/samba/DT***RM/profiles
>> acl_xattr:ignore system acl = yes
>> read only = no
>> csc policy = disable
>> Now check if /etc/samba/samba_usermapping 
>> contains "!root = DOMAIN\Administrator DOMAIN\administrator"
>> Now check the rights.. set all to root:root 
>> at least 
>> rwx rwx rwx x
>> 755 775 775 777
>> /home/samba/DT***RM/profiles
>> acl_xattr:ignore system acl ignores the linux rights, but !! 
>> if you change rights on linux after you set rights on windows, 
>> it can get messy, and you need to reset the rights from windows again. ! 
>> Now read: https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles [3] 
>> as from: "Creating a profiles share and setting permissions" 
>> and stop/skip reading when you see "Profile share with using POSIX ACLs"; skip that part. 
>> Start reading again as of "Configuring roaming profiles for a user" and skip "In a NT4 domain" 
>> and start again at "Configuring folder redirection". 
>> I think this part of the wiki can be better.. 
>> a "NT4 style setup" with only that needed info 
>> and a "AD DC" style setup.. so 2 pages imo. 
>> And about the same for other shares.. 
>> This is also nicely explained here with more examples.. 
>> http://blogging.dragon.org.uk/administering-ad-dc-via-windows/ [4] 
>> Have a try and let us know. 
>> Greetz, 
>> Louis
>>> -----Original message-----
>>> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>>> Sent: Tuesday 27 January 2015 0:30
>>> To: SAMBA MailList
>>> Subject: [Samba] W7 client cannot adjust file permissions via ADUC
>>>
>>> I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01.
>>> All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old)
>>> scripts. (Any linux client work has gone on hold, for the moment.)
>>>
>>> Next step was to adjust the file permissions as instructed on "Setup and
>>> configure file shares with Windows ACLs". When I access the "Computer
>>> Management" (thru ADUC on W7 client) it informs me that I do not have
>>> permission to access anything on the member server and I should contact
>>> my administrator.
>>>
>>> As instructed, I have run the "rpc rights grant" string on the member
>>> server but, still no love! I also tried a different W7 client and it was
>>> denied access in the same way. I can access both DC's but not the member
>>> server from either W7 client.
>>>
>>> Here is a copy of my member-server smb.conf which is basically the
>>> default created via Louis' script;
>>>
>>> cat /etc/samba/smb.conf
>>> [global]
>>> workgroup = DT***RM
>>> security = ADS
>>> realm = DT***RM.LAN
>>> netbios name = dtmember01
>>> domain master = no
>>> host msdfs = no
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> client signing = if_required
>>> ## map id's outside to domain to tdb files.
>>> idmap config *:backend = tdb
>>> idmap config *:range = 50001-80000
>>> ## map ids from the domain the range may not overlap !
>>> idmap config INTERNAL:backend = ad
>>> idmap config INTERNAL:schema_mode = rfc2307
>>> idmap config INTERNAL:range = 2000-40000
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = yes
>>> winbind offline logon = yes
>>> wins server = 192.168.***.54, 192.168.***.55
>>> template shell = /bin/bash
>>> template homedir =  AME%
>>> # user Administrator workaround, without it you are unable to set privileges
>>> username map = /etc/samba/samba_usermapping
>>> # For ACL support on member file server
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>> # Share Setting Globally
>>> usershare allow guests = no
>>> unix extensions = no
>>> wide links = no
>>> reset on zero vc = yes
>>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>> hide unreadable = yes
>>> # disable printing completely
>>> load printers = no
>>> printing = bsd
>>> printcap name = /dev/null
>>> disable spoolss = yes
>>>
>>> [home]
>>> path = /home/samba/DT***RM/users
>>> read only = no
>>>
>>> [profiles$]
>>> path = /home/samba/DT***RM/profiles
>>> read only = no
>>> admin users = +"DT***RM\Domain Admins"
>>> profile acls = yes
>>> csc policy = disable
>>>
>>> [data]
>>> path = /home/samba/DT***RM/companydata
>>> read only = no
>>>
>>> [software]
>>> path = /home/samba/software
>>> read only = no
>>>
>>> Help? Thoughts?
>>> --
>>> -------------------------
>>> Bob Wooden of Donelson Trophy
>>> 615.885.2846 (main)
>>> www.donelsontrophy.com [1]
>>> "Everyone deserves an award!!"
>[1] http://www.donelsontrophy.com
>[2] https://lists.samba.org/mailman/options/samba
>[3] https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>[4] http://blogging.dragon.org.uk/administering-ad-dc-via-windows/
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
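
An added example, not part of the original thread: a shell check that compares each directory in the chain against the modes Louis lists (775, 775, 775, 777), run here on a constructed copy of the layout with the modes Bob reported. The names `check_modes` and `demo_before_fix`, the `PATH:MODE` argument format and the `DOMAIN` stand-in for the redacted directory name are assumptions for this example; it relies on GNU `stat -c %a` as shipped with Debian.

```shell
#!/bin/sh
# Added example: audit a directory chain against expected octal modes.
# Usage: check_modes PATH:MODE [PATH:MODE ...]
# Prints one line per problem; the return status is the number of problems.
check_modes() {
    bad=0
    for spec in "$@"; do
        dir=${spec%:*}      # everything before the last ':'
        want=${spec##*:}    # expected octal mode, e.g. 775
        if [ ! -d "$dir" ]; then
            echo "MISSING  $dir (expected $want)"
            bad=$((bad + 1))
            continue
        fi
        have=$(stat -c %a "$dir")   # GNU stat: prints e.g. 755, or 1755 with sticky bit
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $dir is $have, expected $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed demo: rebuild the thread's layout under a temporary root with
# the modes Bob reported, then audit it against the modes Louis asked for.
demo_before_fix() {
    root=$(mktemp -d)
    dom="$root/home/samba/DOMAIN"   # DOMAIN stands in for the redacted name
    mkdir -p "$dom/profiles"
    chmod 755 "$root/home" "$root/home/samba"   # drwxr-xr-x
    chmod 1755 "$dom"                           # drwxr-xr-t: 755 plus sticky bit
    chmod 775 "$dom/profiles"                   # drwxrwxr-x
    check_modes "$root/home:775" "$root/home/samba:775" \
                "$dom:775" "$dom/profiles:777"
    rc=$?
    rm -rf "$root"
    return "$rc"
}
```

On the real server the call would take the four actual paths with their expected modes; a return status of 0 means every directory matches.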
