[Samba] W7 client cannot adjust file permissions via ADUC

Bob of Donelson Trophy bob at donelsontrophy.net
Fri Jan 30 12:42:09 MST 2015


 

Yes, "INTERNAL" was the actual. Generated by script, I presume. Now
changed to my workgroup name. Restarted member server. 

Now 'getent passwd Administrator' returns nothing, but W7 client still
cannot connect. 

(As I have restored and re-run script this morning, doesn't that mean it
has to be coming over from DC's somehow?) 

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-30 13:28, Rowland Penny wrote: 

> On 30/01/15 19:14, Bob of Donelson Trophy wrote:
>> There is no uidNumber or gidNumber specifically listed (there is an
>> objectGuid and an objectSid.) Did nothing. Now?
>>
>> On 2015-01-30 12:58, Rowland Penny wrote:
>>> On 30/01/15 18:28, Bob of Donelson Trophy wrote:
>>>> After restoring the member server and re-running the improved
>>>> "4-setup-samba4-MEMBER-wheezy.sh" script I am still having the
>>>> same issue. W7 client still not allowed to access the member server.
>>>>
>>>> Administrator still has a uidNumber:
>>>>
>>>> getent passwd Administrator
>>>> administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash
>>>>
>>>> I have added a couple of test admin users (must have done it wrong.)
>>>> Joined them to the 'Domain Admins' group and they cannot access the
>>>> member server either.
>>>>
>>>> wbinfo -u output is:
>>>>
>>>> adminrob
>>>> administrator
>>>> dns-dtdc02
>>>> dns-dtdc01
>>>> adminnew
>>>> krbtgt
>>>> guest
>>>>
>>>> wbinfo -g output is:
>>>>
>>>> allowed rodc password replication group
>>>> enterprise read-only domain controllers
>>>> denied rodc password replication group
>>>> read-only domain controllers
>>>> group policy creator owners
>>>> ras and ias servers
>>>> domain controllers
>>>> enterprise admins
>>>> domain computers
>>>> cert publishers
>>>> dnsupdateproxy
>>>> domain admins
>>>> domain guests
>>>> schema admins
>>>> domain users
>>>> dnsadmins
>>>>
>>>> How do I remove the uidNumber from the domainAdministrator and
>>>> re-associate domainAdministrator to root '0'?
>>>
>>> OK, let's check if Administrator has a 'uidNumber', run this on your
>>> first DC:
>>>
>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s sub '(&(objectclass=user)(cn=Administrator))'
>>>
>>> this should display all the information about the Administrator user,
>>> if there is a 'uidNumber' attribute, delete the entire line, same goes
>>> for a 'gidNumber' attribute, save and close nano.
>>>
>>> You should not have any rfc2307 attributes related to Administrator
>>> now, so go to your member server, login as a normal user and run this:
>>>
>>> sudo net cache flush
>>>
>>> then:
>>>
>>> getent passwd administrator
>>>
>>> Rowland

OK, right you posted this part of your smb.conf earlier:

## map id's outside to domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 50001-80000
## map ids from the domain the range may not overlap !
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 2000-40000

and you just posted this:

getent passwd Administrator
administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash

Can you see where '50001' is coming from ?

Is 'INTERNAL' actually in your smb.conf ? What I mean is, did you change
it before you posted it ?
If 'INTERNAL' is in your smb.conf, change it to your workgroup name,
flush the net cache and try again.

Rowland

 

Links:
------
[1] http://www.donelsontrophy.com
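
The check Rowland walks through in the quoted reply (which idmap range a uid falls in, and whether the per-domain idmap section is named after the workgroup), as an added example that is not part of the original thread. The idmap lines are the ones quoted above; the workgroup name EXAMPLE is a placeholder and the function names are hypothetical.

```python
import re

# Constructed sample: the idmap lines quoted in the thread plus an assumed
# workgroup line (EXAMPLE is a placeholder, not the poster's real workgroup).
SMB_CONF = """\
workgroup = EXAMPLE
idmap config *:backend = tdb
idmap config *:range = 50001-80000
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 2000-40000
"""

# Both patterns anchor on the parameter name, so '#' and ';' comment lines never match.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse(conf):
    """Return (workgroup, {idmap domain: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for line in conf.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return workgroup, domains

def owner_of(uid, domains):
    """Name the idmap domain whose configured range contains uid, or None."""
    for dom, opts in domains.items():
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            if low <= uid <= high:
                return dom
    return None

def check(conf, uid):
    """Report which range covers uid and any idmap domain not named after the workgroup."""
    workgroup, domains = parse(conf)
    findings = [f"uid {uid} is in the range of idmap domain {owner_of(uid, domains)!r}"]
    for dom in domains:
        if dom not in ("*", workgroup):
            findings.append(f"idmap config {dom!r} does not match workgroup {workgroup!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SMB_CONF, 50001)))
```
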

