[Samba] W7 client cannot adjust file permissions via ADUC
Bob of Donelson Trophy
bob at donelsontrophy.net
Fri Jan 30 05:20:44 MST 2015
BTW, I think (cannot be sure) that when I accessed ADUC under
DomainAdministrator user and set it to store the DomainAdministrator
profile in the default "profiles" folder is when Windows created a
uidNumber for the Administrator. (I think.) As this was one of the first
things I did with ADUC and I "locked myself out" (for lack of a better
term) of permissions adjustment.
See, you (as a person who works with the code daily) understand better
what I did and I didn't even realize I had created my own mess.
Time to study "setfacl".
Let me restore and re-run the revised script and "go" from there.
Bob Wooden of Donelson Trophy
"Everyone deserves an award!!"
On 2015-01-30 02:05, L.P.H. van Belle wrote:
> Hi Bob,
> Yes, I have corrected the script online.
> I replaced the %USERNAME with %U in the old member script,
> and please don't give the user DOMAINAdministrator any uid. Not 0, nothing... no uid.
> My best advice, leave Administrator as is and create a new user.
> Add that one in "Domain Admins" and that user can have a uid.
> For setting the rights:
> Use setfacl to set the base rights on the folder structure,
> and set "DOMAIN Admins" as group with full access on /home/samba (and subfolders).
> I'll change this in the new member server script.
>
> -----Original message-----
> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
> Sent: Friday 30 January 2015 3:52
> To: samba at lists.samba.org
> Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>
> Thursday's emails were erratic due to a server (somewhere in email
> land) that had gone haywire. Here in the midwest United States peaceful
> silence from the samba-list. Then about mid-afternoon, BAM! Emails
> began to arrive in a very erratic manner. Emails from 1300 hours were
> arriving before emails from 0900 hours and I began reading and
> responding and I got confused as I am sure everyone was.
>
> Tranquility has settled, we have all had time to "take a breath" and
> once again it is time to move forward.
>
> Rowland, Thanks for your help and patience, so far.
>
> Louis, From what I can understand from your email, there was an error
> within your "4-setup-sernet-samba4-MEMBER-wheezy.sh" script that caused
> my domainAdministra
> create a uidNumber when it should not have had a uidNumber (should be
> "0" for root.) And now you have corrected the script so it will not do
> that again.
>
> The simplest solution for me is this. Revert to my initial Debian
> installation backup (created just prior to my running the uidNumber
> creation script the first time) and re-run the now revised
> "4-setup-sernet-samba4-MEMBER-wheezy.sh". This is what I am going to do.
>
> Now, Louis, the script has been corrected, yes?
>
> ---
> -------------------------
> Bob Wooden of Donelson Trophy
> 615.885.2846 (main)
> www.donelsontrophy.com
> "Everyone deserves an award!!"
>
> On 2015-01-29 08:05, L.P.H. van Belle wrote:
>
> ok, seen it.. "administratorSERNAME%"?
> I'll change that, I did only some tests from windows,
> and I never set uid/gid to Administrator.
> -- Changed in the old script.
> But remember, you should NEVER set UID/GID for administrator, because...
> Now administrator has uid 50001 ... and this should be 0 ( root )
> This is why we also use mapping !root = "DOMAINAdministrator" ....
> Always create a new user and add this one to the group "Domain Admins"
> Also, I have set profile/uid/gid/nis for the Domain Administrator.
> And if you set another user for "Domain Administrator", on the member
> servers also add a line for this user in the usermapping file, since
> you need root access.
> or.. try to set the rights as a starter, something like:
>
>     setfacl -R -m default:user:Administrator:rwx /home/samba
>     setfacl -R -m "default:group:domain admins:rwx" /home/samba
>
> Louis
>
> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Thursday 29 January 2015 14:24
> To: samba at lists.samba.org
> Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>
> On 29/01/15 12:54, Bob of Donelson Trophy wrote:
>
> Rowland, I have tried your various alteration suggestions and it is a
> "negative" result. Here is the output from wbinfo -u & wbinfo -g
>
>     root at dtmbr01:~# -u
>     administrator
>     dns-dtdc02
>     dns-dtdc01
>     krbtgt
>     guest
>     root at dtmbr01:~# wbinfo -g
>     allowed rodc password replication group
>     enterprise read-only domain controllers
>     denied rodc password replication group
>     read-only domain controllers
>     group policy creator owners
>     ras and ias servers
>     domain controllers
>     enterprise admins
>     domain computers
>     cert publishers
>     dnsupdateproxy
>     domain admins
>     domain guests
>     schema admins
>     domain users
>     dnsadmins
>     root at dtmbr01:~# getent passwd Administrator
>     administrator:*:50001:50006::/home/samba/DT***RM/users/administratorSERNAME%:/bin/bash
>
> Say what, "administratorSERNAME%"? After running the 'generation one'
> script to create the member server, I have changed nothing except the
> suggestions that have been made on this mailing list. Attempting to
> gain access to the member server to re-adjust the file permissions on
> "profiles" per the instructions on the samba wiki. Please, thoughts?
>
> ---
> -------------------------
> Bob Wooden of Donelson Trophy
> 615.885.2846 (main)
> www.donelsontrophy.com
> "Everyone deserves an award!!"
>
> On 2015-01-28 13:09, Rowland Penny wrote:
>
> On 28/01/15 18:55, Bob of Donelson Trophy wrote:
>
> No, I did not try the alterations but, Louis had me remove the "domain
> users" line earlier. Put the line back in and try alterations? (If so,
> I will not have time until you are asleep, tonight.)
>
> By all means try it, you have nothing to lose :-) I take it
> that 'wbinfo -u' shows all the domain users on the member server and
> 'wbinfo -g' shows all the domain groups. Also 'getent passwd <domain
> user>' shows the user.
>
> Louis's script puts this line in smb.conf:
>
>     template homedir = /home/samba/DT***RM/users/%USERNAME%
>
> Perhaps it should be changed to this:
>
>     template homedir = /home/samba/DT***RM/users/%U
>
> I say this because your Administrator's homedir seems to be the above
> line plus what I am suggesting should be removed. But what is worrying
> me more, Administrator has the uid of '50001', have you set this in AD?
>
> Rowland
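
Added example, not part of the original thread and not taken from Louis's script: two shell checks for the symptoms diagnosed above, a "template homedir" that uses a Windows-style %NAME% token and an Administrator entry that has its own uid. The function names, the domain "EXAMPLE" and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the two symptoms diagnosed in this thread.
# Function names and all sample data (domain "EXAMPLE") are constructed.

# Reads smb.conf text on stdin; prints any "template homedir" line that uses
# a Windows-style %NAME% token instead of an smb.conf variable such as %U.
# The thread's getent output (administratorSERNAME%) is consistent with %U
# being expanded and the rest of the %USERNAME% token left in the path.
find_bad_template_homedir() {
    grep -iE '^[[:space:]]*template[[:space:]]+homedir[[:space:]]*=.*%[A-Za-z]{2,}%' || true
}

# Reads passwd(5)-format lines on stdin (e.g. "getent passwd Administrator").
# Flags a home directory that still contains '%', and an Administrator entry
# that carries its own non-zero uid, which the thread advises against.
check_passwd_line() {
    awk -F: '
        $6 ~ /%/ { print "homedir-residue " $1 " " $6 }
        tolower($1) == "administrator" && $3 != 0 { print "administrator-has-uid " $3 }
    '
}

# Constructed samples modelled on the output quoted in the thread.
SAMPLE_CONF='[global]
    template shell = /bin/bash
    template homedir = /home/samba/EXAMPLE/users/%USERNAME%'
SAMPLE_PASSWD='administrator:*:50001:50006::/home/samba/EXAMPLE/users/administratorSERNAME%:/bin/bash'

printf '%s\n' "$SAMPLE_CONF" | find_bad_template_homedir
printf '%s\n' "$SAMPLE_PASSWD" | check_passwd_line

# On a member server the same functions would be fed real data:
#   find_bad_template_homedir < /etc/samba/smb.conf
#   getent passwd Administrator | check_passwd_line
```

Both functions print nothing when the input is clean, so any output is a finding to review before applying ACLs with setfacl.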