[Samba] W7 client cannot adjust file permissions via ADUC

Bob of Donelson Trophy bob at donelsontrophy.net
Wed Jan 28 09:15:26 MST 2015


 

Still no connection. 

If the W7 client cannot connect to the member server because it is being
denied by "Windows security" how is changing the file permissions within
the server on a specific directory going to allow access to the server? 

It appears to me (novice that I am) that the 'member server' is denying
access from the client and not the directory. Client continues to
complain "Logon failure: unknown user name or bad password." Said
directories cannot appear if client cannot connect to server, in this
case member server. 

Suggestions? 

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-28 08:57, L.P.H. van Belle wrote: 

> Hi Bob, 
> 
> Set the rights like this.
> 
>> /home 775
>> /home/samba 775
>> /home/samba/DT***RM 775
>> /home/samba/DT***RM/profiles 777
> 
> for the profiles, after you set the rights in windows, 
> user profiles folders will be created with the correct rights. 
> and only accessible by the user.. 
> 
> and from here you should be able to set the correct rights. 
> 
> Can you give it a try? 
> 
> greetz, 
> 
> Louis
> -----Original message-----
> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
> Sent: Wednesday 28 January 2015 15:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>
>> Answers:
>>
>> W7 client domain member? yes
>> Logged in as "DOMAIN\Administrator"? yes
>> W7 client and server time set by ntp? yes
>>
>> Adjusted smb.conf as you indicated.
>>
>> Adjusted the file permissions as you indicated. (Was slightly unclear as to what the "755 775 775 777" meant?)
>>
>> So, still might be a linux permissions issue? Current file permissions are set as:
>>
>> /home drwxr-xr-x (755?)
>> /home/samba drwxr-xr-x (755?)
>> /home/samba/DT***RM drwxr-xr-t ( t?? )
>> /home/samba/DT***RM/profiles drwxrwxr-x (775?)
>>
>> Have read through the suggestions you posted (yes, I agree, that part of the wiki could be better.)
>>
>> I have attached a small *.png image (hope it does not get dropped by mailing list.) While logged into the W7 client as "DOMAIN\Administrator" can still connect to either of the two DC's but, the member connection is refused (see image.)
>>
>> So, at this moment, I cannot proceed with any instructions at the wiki regarding "Samba_%26_Windows_Profiles" because I cannot access them via the client.
>>
>> What do you need to know, now?
>>
>> ---
>> -------------------------
>> Bob Wooden of Donelson Trophy
>> 615.885.2846 (main)
>> www.donelsontrophy.com [1]
>> "Everyone deserves an award!!"
>>
>> On 2015-01-28 03:18, L.P.H. van Belle wrote:
>>
>>> Hi Bob,
>>>
>>> A few questions.
>>> - is the client computer member of the domain?
>>> - Are you logged in as "DOMAIN\Administrator"?
>>> - is the time on pc and server the same.
>>>
>>> and for example. change this one to
>>>
>>> [profiles$]
>>> path = /home/samba/DT***RM/profiles
>>> acl_xattr:ignore system acl = yes
>>> read only = no
>>> csc policy = disable

>>> now check if /etc/samba/samba_usermapping contains
>>>
>>> !root = DOMAIN\Administrator DOMAIN\administrator
>>>
>>> now check the rights.. set all to root:root at least rwx rwx rwx x 755 775 775 777 /home/samba/DT***RM/profiles
>>>
>>> acl_xattr:ignore system acl ignores the linux rights, but !! if you change rights on linux after you set rights on windows, it can get messy, and you need to reset the rights from windows again. !
>>>
>>> now read:
>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles [3]
>>>
>>> as from: "Creating a profiles share and setting permissions" and stop/skip reading when you see.. "Profile share with using POSIX ACLs", skip that part.
>>>
>>> start reading again as of "Configuring roaming profiles for a user" and skip "In a NT4 domain"
>>>
>>> and start again "Configuring folder redirection"
>>>
>>> I think this part of the wiki can be better.. a "NT4 style setup" with only that needed info and a "AD DC" style setup.. so 2 pages imo. and about the same for other shares..
>>>
>>> this is also nicely explained here with more examples..
>>> http://blogging.dragon.org.uk/administering-ad-dc-via-windows/ [2]
>>>
>>> Have a try and let us know.
>>>
>>> Greetz,
>>>
>>> Louis
> 
>>>> -----Original message-----
>>>> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>>>> Sent: Tuesday 27 January 2015 0:30
>>>> To: SAMBA MailList
>>>> Subject: [Samba] W7 client cannot adjust file permissions via ADUC
>>>>
>>>> I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01. All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old) scripts. (Any linux client work has gone on hold, for the moment.)
>>>>
>>>> Next step was to adjust the file permissions as instructed on "Setup and configure file shares with Windows ACLs". When I access the "Computer Management" (thru ADUC on W7 client) it informs me that I do not have permission to access anything on the member server and I should contact my administrator.
>>>>
>>>> As instructed, I have run the "rpc rights grant" string on the member server but, still no love! I also tried a different W7 client and it was denied access in the same way. I can access both DC's but not the member server from either W7 client.
>>>>
>>>> Here is a copy of my member-server smb.conf which is basically the default created via Louis' script;
>>>>
>>>> cat /etc/samba/smb.conf
>>>>
>>>> [global]
>>>> workgroup = DT***RM
>>>> security = ADS
>>>> realm = DT***RM.LAN
>>>> netbios name = dtmember01
>>>> domain master = no
>>>> host msdfs = no
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>> client signing = if_required
>>>>
>>>> ## map id's outside to domain to tdb files.
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 50001-80000
>>>>
>>>> ## map ids from the domain the range may not overlap !
>>>> idmap config INTERNAL:backend = ad
>>>> idmap config INTERNAL:schema_mode = rfc2307
>>>> idmap config INTERNAL:range = 2000-40000
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind refresh tickets = yes
>>>> winbind offline logon = yes
>>>> wins server = 192.168.***.54, 192.168.***.55
>>>>
>>>> template shell = /bin/bash
>>>> template homedir = /home/samba/DT***RM/users/%USERNAME%
>>>>
>>>> # user Administrator workaround, without it you are unable to set privileges
>>>> username map = /etc/samba/samba_usermapping
>>>>
>>>> # For ACL support on member file server
>>>> vfs objects = acl_xattr
>>>> map acl inherit = yes
>>>> store dos attributes = yes
>>>>
>>>> # Share Setting Globally
>>>> usershare allow guests = no
>>>> unix extensions = no
>>>> wide links = no
>>>> reset on zero vc = yes
>>>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>>> hide unreadable = yes
>>>>
>>>> # disable printing completely
>>>> load printers = no
>>>> printing = bsd
>>>> printcap name = /dev/null
>>>> disable spoolss = yes
>>>>
>>>> [home]
>>>> path = /home/samba/DT***RM/users
>>>> read only = no
>>>>
>>>> [profiles$]
>>>> path = /home/samba/DT***RM/profiles
>>>> read only = no
>>>> admin users = +"DT***RM\Domain Admins"
>>>> profile acls = yes
>>>> csc policy = disable
>>>>
>>>> [data]
>>>> path = /home/samba/DT***RM/companydata
>>>> read only = no
>>>>
>>>> [software]
>>>> path = /home/samba/software
>>>> read only = no
>>>>
>>>> Help? Thoughts?
>>>>
>>>> --
>>>> -------------------------
>>>> Bob Wooden of Donelson Trophy
>>>> 615.885.2846 (main)
>>>> www.donelsontrophy.com [1]
>>>> "Every one deserves an award!!"

Links:
------
[1] http://www.donelsontrophy.com
[2] http://blogging.dragon.org.uk/administering-ad-dc-via-windows/
[3] https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
[4] https://lists.samba.org/mailman/options/samba
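
Added example, not part of the original thread: it decodes the `ls -l` mode strings Bob lists (including the trailing `t`, the sticky bit) into octal and compares them with the modes Louis suggests for the same four directories. The function names `symbolic_to_octal` and `diff_modes` are made up for this example; the paths and modes are copied from the two messages.

```python
# Slots in the 9-character permission field that can carry a special bit.
SPECIAL = {2: ("s", 0o4000), 5: ("s", 0o2000), 8: ("t", 0o1000)}

# Constructed from the thread: modes Bob reports, modes Louis suggests.
CURRENT = {
    "/home": "drwxr-xr-x",
    "/home/samba": "drwxr-xr-x",
    "/home/samba/DT***RM": "drwxr-xr-t",
    "/home/samba/DT***RM/profiles": "drwxrwxr-x",
}
SUGGESTED = {
    "/home": 0o775,
    "/home/samba": 0o775,
    "/home/samba/DT***RM": 0o775,
    "/home/samba/DT***RM/profiles": 0o777,
}


def symbolic_to_octal(mode: str) -> int:
    """Convert a 10-character ls mode such as 'drwxr-xr-t' to an int."""
    if len(mode) != 10:
        raise ValueError(f"expected 10 characters, got {mode!r}")
    value = 0
    for i, ch in enumerate(mode[1:]):      # skip the file-type character
        bit = 0o400 >> i                   # r, w or x bit for this slot
        if ch == "-":
            continue
        if i in SPECIAL and ch.lower() == SPECIAL[i][0]:
            value |= SPECIAL[i][1]         # setuid, setgid or sticky
            if ch.islower():               # lower case also means execute
                value |= bit
        elif ch == "rwx"[i % 3]:
            value |= bit
        else:
            raise ValueError(f"unexpected {ch!r} at position {i + 2}")
    return value


def diff_modes(current: dict, suggested: dict) -> dict:
    """Return {path: (have, want)} as 4-digit octal where they differ."""
    out = {}
    for path, want in suggested.items():
        have = symbolic_to_octal(current[path])
        if have != want:
            out[path] = (f"{have:04o}", f"{want:04o}")
    return out


if __name__ == "__main__":
    for path, (have, want) in diff_modes(CURRENT, SUGGESTED).items():
        print(f"{path}: currently {have}, suggested {want}")
```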

