[Samba] W7 client cannot adjust file permissions via ADUC

Bob of Donelson Trophy bob at donelsontrophy.net
Fri Jan 30 11:28:37 MST 2015


 

After restoring the member server and re-running the improved
"4-setup-samba4-MEMBER-wheezy.sh" script I am still having the same
issue. W7 client still not allowed to access the member server. 

Administrator still has a uidNumber: 

 getent passwd Administrator
administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash


I have added a couple of test admin users (must have done it wrong.)
Joined them to the 'Domain Admins' group and they cannot access the
member server either. 

 wbinfo -u output is:
adminrob
administrator
dns-dtdc02 
dns-dtdc01
adminnew
krbtgt
guest 

 wbinfo -g output is:
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins 

How do I remove the uidNumber from the domainAdministrator and
re-associate domainAdministrator to root '0'? 

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-30 02:05, L.P.H. van Belle wrote: 

> Hi bob, 
> 
> Yes, I have corrected the script online.
> 
> I replaced the %USERNAME with %U in the old member script,
> and please don't give the user DOMAINAdministrator any uid. Not 0, nothing... no uid.
> 
> My best advice, leave Administrator as is and create a new user.. 
> Add that one in "Domain Admins" and that user can have a uid. 
> 
> For setting the rights. 
> 
> Use setfacl to set the base rights on the folder structure, 
> and set "DOMAIN Admins" as group with full access on /home/samba ( and subfolders ) 
> I'll change this in the new member server script. 
> 
> Greetz, 
> 
> Louis
> -----Original message-----
> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
> Sent: Friday 30 January 2015 3:52
> To: samba at lists.samba.org
> Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>
> Thursday's emails were erratic due to a server (somewhere in email land) that had gone haywire. Here in the midwest United States peaceful silence from the samba-list. Then about mid-afternoon, BAM! Emails began to arrive in a very erratic manner. Emails from 1300 hours were arriving before emails from 0900 hours and I began reading and responding and I got confused as I am sure everyone was.
>
> Tranquility has settled, we have all had time to "take a breath" and once again it is time to move forward.
>
> Rowland, Thanks for your help and patience, so far.
>
> Louis, From what I can understand from your email, there was an error within your "4-setup-sernet-samba4-MEMBER-wheezy.sh" script that caused my domainAdministrator to create a uidNumber when it should not have had a uidNumber (should be "0" for root.) And now you have corrected the script so it will not do that again.
>
> The simplest solution for me is this. Revert to my initial Debian installation backup (created just prior to my running the uidNumber creation script the first time) and re-run the now revised "4-setup-sernet-samba4-MEMBER-wheezy.sh". This is what I am going to do.
>
> Now, Louis, the script has been corrected, yes?
>
> On 2015-01-29 08:05, L.P.H. van Belle wrote:
>
> ok, seen it.. "administratorSERNAME%"? I'll change that, I did only some tests from windows, and I never set uid/gid to Administrator.
> -- Changed in the old script.
>
> but remember, you should NEVER set UID/GID for administrator, because...
> Now administrator has uid 50001 ... and this should be 0 ( root )
> This is why we also use the user mapping !root = "DOMAINAdministrator" ....
>
> Always create a new user and add this one to the group "Domain Admins"
> Also, I have set profile/uid/gid/nis for the Domain Administrator.
> And if you set another user for "Domain Administrator", on the member servers also add a line for this user in the usermapping file, since you need root access.
>
> or.. try to set the rights as a starter, something like..
>
>   setfacl -R -m default:user:Administrator:rwx /home/samba
>   setfacl -R -m "default:group:domain admins:rwx" /home/samba
>
> Louis
>
> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Thursday 29 January 2015 14:24
> To: samba at lists.samba.org
> Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>
> On 29/01/15 12:54, Bob of Donelson Trophy wrote:
>
> Rowland, I have tried your various alteration suggestions and it is a "negative" result.
>
> Here is the output from wbinfo -u & wbinfo -g
>
> root at dtmbr01:~# wbinfo -u
> administrator
> dns-dtdc02
> dns-dtdc01
> krbtgt
> guest
>
> root at dtmbr01:~# wbinfo -g
> allowed rodc password replication group
> enterprise read-only domain controllers
> denied rodc password replication group
> read-only domain controllers
> group policy creator owners
> ras and ias servers
> domain controllers
> enterprise admins
> domain computers
> cert publishers
> dnsupdateproxy
> domain admins
> domain guests
> schema admins
> domain users
> dnsadmins
>
> root at dtmbr01:~# getent passwd Administrator
> administrator:*:50001:50006::/home/samba/DT***RM/users/administratorSERNAME%:/bin/bash
>
> Say what, "administratorSERNAME%"?
>
> After running the 'generation one' script to create the member server, I have changed nothing except the suggestions that have been made on this mailing list.
>
> Attempting to gain access to the member server to re-adjust the file permissions on "profiles" per the instructions on the samba wiki.
>
> Please, thoughts?
>
> On 2015-01-28 13:09, Rowland Penny wrote:
>
> On 28/01/15 18:55, Bob of Donelson Trophy wrote:
>
> No, I did not try the alterations but, Louis had me remove the "domain users" line earlier. Put the line back in and try alterations? (If so, I will not have time until you are asleep, tonight.)
>
> By all means try it, you have nothing to lose :-)
>
> I take it that 'wbinfo -u' shows all the domain users on the member server and 'wbinfo -g' shows all the domain groups. Also 'getent passwd <domain user>' shows the user.
>
> Rowland
>
> Louis's script puts this line in smb.conf:
>
>   template homedir = /home/samba/DT***RM/users/%USERNAME%
>
> Perhaps it should be changed to this:
>
>   template homedir = /home/samba/DT***RM/users/%U
>
> I say this because your Administrators homedir seems to be the above line plus what I am suggesting should be removed. But what is worrying me more, Administrator has the uid of '50001', have you set this in AD ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba [2]

Links:
------
[1] http://www.donelsontrophy.com
[2] https://lists.samba.org/mailman/options/samba
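
The two symptoms discussed in this thread (Administrator resolving to a non-zero uid on the member server, and a home directory carrying unexpanded %USERNAME% residue) can be checked mechanically, along with the "!root = ..." username mapping. The following is an added example, not part of the original thread or of Louis's scripts; the function names and the EXAMPLE domain are hypothetical, and the sample lines are constructed to resemble the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# audit_passwd_line LINE
# LINE is one line of `getent passwd` output. Prints one finding per line,
# or nothing if neither symptom from the thread is present.
audit_passwd_line() {
    # passwd(5) fields: name:password:uid:gid:gecos:home:shell
    name=$(printf '%s\n' "$1" | cut -d: -f1 | tr '[:upper:]' '[:lower:]')
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)

    # Strip an optional "DOMAIN\" prefix so both winbind name styles match.
    short=${name##*\\}

    if [ "$short" = "administrator" ] && [ "$uid" != "0" ]; then
        echo "UID: administrator resolves to uid $uid; per the thread it should carry no uidNumber and be mapped to root"
    fi

    # A literal '%' in the home directory means a template variable was not
    # expanded, e.g. %USERNAME% where smb.conf expects %U.
    case $home in
        *%*) echo "HOME: unexpanded template variable in '$home'" ;;
    esac
    return 0
}

# has_root_mapping: reads a username map on stdin and succeeds if it
# contains a "root = ...Administrator" or "!root = ...Administrator" line.
has_root_mapping() {
    grep -Eiq '^[[:space:]]*!?root[[:space:]]*=.*administrator'
}

# Constructed sample input, modelled on the getent output quoted in the thread.
sample='administrator:*:50001:50006::/home/samba/EXAMPLE/users/administratorSERNAME%:/bin/bash'
audit_passwd_line "$sample"

# Constructed username map content, following the mapping Louis describes.
printf '!root = EXAMPLE\\Administrator\n' | has_root_mapping \
    && echo "MAP: root mapping for Administrator present"
```

On a live member server the input would come from `getent passwd Administrator` and from the file that the smb.conf "username map" parameter points to.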

