[Samba] W7 client cannot adjust file permissions via ADUC
rowlandpenny at googlemail.com
Fri Jan 30 12:28:11 MST 2015
On 30/01/15 19:14, Bob of Donelson Trophy wrote:
> There is no uidNumber or gidNumber specifically listed (there is an
> objectGuid and an objectSid.)
> Did nothing.
> Bob Wooden of Donelson Trophy
> 615.885.2846 (main)
> www.donelsontrophy.com 
> "Everyone deserves an award!!"
> On 2015-01-30 12:58, Rowland Penny wrote:
>> On 30/01/15 18:28, Bob of Donelson Trophy wrote:
>>> After restoring the member server and re-running the improved "4-setup-samba4-MEMBER-wheezy.sh" script I am still having the same issue. W7 client still not allowed to access the member server. Administrator still has a uidNumber:
>>>
>>> getent passwd Administrator
>>> administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash
>>>
>>> I have added a couple of test admin users (must have done it wrong.) Joined them to the 'Domain Admins' group and they cannot access the member server either.
>>>
>>> wbinfo -u output is:
>>> adminrob
>>> administrator
>>> dns-dtdc02
>>> dns-dtdc01
>>> adminnew
>>> krbtgt
>>> guest
>>>
>>> wbinfo -g output is:
>>> allowed rodc password replication group
>>> enterprise read-only domain controllers
>>> denied rodc password replication group
>>> read-only domain controllers
>>> group policy creator owners
>>> ras and ias servers
>>> domain controllers
>>> enterprise admins
>>> domain computers
>>> cert publishers
>>> dnsupdateproxy
>>> domain admins
>>> domain guests
>>> schema admins
>>> domain users
>>> dnsadmins
>>>
>>> How do I remove the uidNumber from domainAdministrator and re-associate domainAdministrator to root '0'?
>> OK, let's check if Administrator has a 'uidNumber', run this on your first DC:
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s sub '(&(objectclass=user)(cn=Administrator))'
>> this should display all the information about the Administrator user, if there is a 'uidNumber' attribute, delete the entire line, same goes for a 'gidNumber' attribute, save and close nano.
>> You should not have any rfc2307 attributes related to Administrator now, so go to your member server, login as a normal user and run this:
>> sudo net cache flush
>> getent passwd administrator
OK, right you posted this part of your smb.conf earlier:
## map id's outside to domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 50001-80000
## map ids from the domain the range may not overlap !
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 2000-40000
and you just posted this:
getent passwd Administrator
Can you see where '50001' is coming from ?
Is 'INTERNAL' actually in your smb.conf ? What I mean is, did you change
it before you posted it ?
If 'INTERNAL' is in your smb.conf, change it to your workgroup name,
flush the net cache and try again.
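
The check described in the message above, as an added example that is not part of the original post or of Samba: a small Python audit that reads the idmap lines from smb.conf text, reports a workgroup with no matching 'idmap config' section or overlapping ranges, and names the section whose range a given ID falls in. The workgroup name EXAMPLE and the function names are assumptions, and a single-domain setup is assumed.

```python
import re

# Constructed sample: the idmap lines quoted in the post, plus an ASSUMED
# workgroup (EXAMPLE); the poster's real workgroup is not shown on the page.
SAMPLE = """\
[global]
workgroup = EXAMPLE
idmap config *:backend = tdb
idmap config *:range = 50001-80000
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 2000-40000
"""
IDMAP = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
WORKGROUP = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse(conf):
    """Return (workgroup, {idmap domain: (low, high)}) from smb.conf text."""
    workgroup, ranges = None, {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        if m := WORKGROUP.match(line):
            workgroup = m.group(1).upper()
        elif m := IDMAP.match(line):
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return workgroup, ranges

def audit(conf):
    """List problems: workgroup without its own idmap section, overlaps."""
    workgroup, ranges = parse(conf)
    problems = []
    if workgroup not in ranges:
        problems.append(f"no 'idmap config {workgroup}:range'; its users get IDs from '*'")
    for dom in ranges:
        if dom not in ("*", workgroup):
            problems.append(f"'idmap config {dom}:' does not match workgroup {workgroup}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for {a} and {b} overlap")
    return problems

def owner_of(conf, xid):
    """Name the idmap section whose range contains this uid/gid, else None."""
    for dom, (low, high) in parse(conf)[1].items():
        if low <= xid <= high:
            return dom
    return None

if __name__ == "__main__":
    print(owner_of(SAMPLE, 50001), audit(SAMPLE))
```

On the sample, uid 50001 lands in the '*' tdb range and the audit reports both the missing workgroup section and the unmatched INTERNAL section; renaming INTERNAL to the workgroup clears both.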