[Samba] W7 client cannot adjust file permissions via ADUC

L.P.H. van Belle belle at bazuin.nl
Thu Jan 29 07:05:37 MST 2015

ok, seen it.. 


I'll change that, i did only some tests from windows. 
and i dont never set uid/gid to Administrator. 

-- Changed in the old script. 

but remember, you should NEVER set UID/GID for adminstrator, because... 

Now administrator has uid 50001 ... 
and this should be 0 ( root ) 
This is why we also use the user mapping !root = "DOMAIN\Administrator" .... 

Always create a new user and add this one to the group "Domain Admins" 

Also, i have set profile/uid/gid/nis for the Domain Administrator. 
And if you set a other user for "Domain Administrator, 
on the member servers also add a line for this user in the usermapping file. 
since you need root access. or.. 
try set the rights as starter like : 

something like.. 
setfacl -R -m default:user:Administrator:rwx /home/samba 
setfacl -R -m default:group:domain\ admins:rwx /home/samba 


>-----Oorspronkelijk bericht-----
>Van: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>Verzonden: donderdag 29 januari 2015 14:24
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] W7 client cannot adjust file 
>permissions via ADUC
>On 29/01/15 12:54, Bob of Donelson Trophy wrote:
>> Rowland,
>> I have tried your various alteration suggestions and it is a 
>> result.
>> Here is the output from wbinfo -u & wbinfo -g
>> root at dtmbr01:~# wbinfo -u
>> administrator
>> dns-dtdc02
>> dns-dtdc01
>> krbtgt
>> guest
>> root at dtmbr01:~# wbinfo -g
>> allowed rodc password replication group
>> enterprise read-only domain controllers
>> denied rodc password replication group
>> read-only domain controllers
>> group policy creator owners
>> ras and ias servers
>> domain controllers
>> enterprise admins
>> domain computers
>> cert publishers
>> dnsupdateproxy
>> domain admins
>> domain guests
>> schema admins
>> domain users
>> dnsadmins
>> root at dtmbr01:~# getent passwd Administrator
>> Say what, "administratorSERNAME%"?
>> After running the 'generation one' script to create the 
>member server, I
>> have changed nothing except the suggestions that have been 
>made on this
>> mailing list. Attempting to gain access to the member server to
>> re-adjust the file permissions on "profiles" per the 
>instructions on the
>> samba wiki.
>> Please, thoughts?
>> ---
>> -------------------------
>> Bob Wooden of Donelson Trophy
>> 615.885.2846 (main)
>> www.donelsontrophy.com [1]
>> "Everyone deserves an award!!"
>> On 2015-01-28 13:09, Rowland Penny wrote:
>>> On 28/01/15 18:55, Bob of Donelson Trophy wrote:
>>>> No, I did not try the alterations but, Louis had me remove 
>the "domain users" line earlier. Put the line back in and try 
>alterations? (If so, I will not have time until you are 
>asleep, tonight.)
>>> By all means try it, you have nothing to lose :-)
>>> I take it that 'wbinfo -u' shows all the domain users on 
>the member server and 'wbinfo -g' shows all the domain groups. 
>Also 'getent passwd <domain user> shows the user.
>>> Rowland
>> Links:
>> ------
>> [1] http://www.donelsontrophy.com
>Louis's script puts this line in smb.conf:
>template homedir = /home/samba/DT***RM/users/%USERNAME%
>Perhaps it should be changed to this:
>template homedir = /home/samba/DT***RM/users/%U
>I say this because your Administrators homedir seems to be the above 
>line plus what I am suggesting should be removed.
>But what is worrying me more, Administrator has the uid of 
>'50001', have 
>you set this in AD ?
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list