[Samba] setting up W7 profiles

Bob of Donelson Trophy bob at donelsontrophy.net
Tue Mar 10 05:48:20 MDT 2015


 

Okay, so I tried a "Bob thing" and it made no difference. So, no comment
on that. However, I am learning. 

This is 'wbinfo -*' from my DC1: 

root at tdc01:~# wbinfo -u
Administrator
Guest
krbtgt
dns-tdc01
dns-TDC02
root at tdc01:~# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
root at tdc01:~# wbinfo -t
checking the trust secret for domain TEST via RPC calls succeeded 

Here is 'wbinfo -*' from my sernet based member server: 

root at mbr01:~# wbinfo -u
administrator
dns-tdc02
dns-tdc01
krbtgt
guest
root at mbr01:~# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
root at mbr01:~# wbinfo -t
checking the trust secret for domain TEST via RPC calls failed
error code was NT_STATUS_BAD_NETWORK_NAME (0xc00000cc)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret 

And here is the 'wbinfo -*' from my Debian backport member server (now
apparently upgraded to Samba 4.1.17) 

root at RPmbr01:~# wbinfo -u
administrator
dns-tdc02
dns-tdc01
krbtgt
guest
root at RPmbr01:~# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
root at RPmbr01:~# wbinfo -t
checking the trust secret for domain TEST via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret 

Which raises the question, what is going on with the 'wbinfo -t' on both
member servers? 

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [2]

"Everyone deserves an award!!"

On 2015-03-09 07:10, Bob of Donelson Trophy wrote: 

> Gentlemen, 
> 
> First, let me point out that sometimes (and sometimes not) the mailing
> list will strip out some backslash marks in cut and paste. So, if there
> is a backslash missing . . . well, ignore that missing mark. 
> 
> Louis, 
> 
> When your script runs it creates the following default permissions: 
> 
> root at mbr01:~# ls -alh /home/samba/TEST/profiles
> total 8.0K
> drwxr-xr-t 2 root root 4.0K Feb 21 18:39 .
> drwxr-xr-t 5 root root 4.0K Feb 21 18:39 .. 
> 
> Then, per your instruction, I ran: 
> 
> root at mbr01:~# chmod 1777 /home/samba/TEST/profiles 
> 
> root at mbr01:~# ls -alh /home/samba/TEST/profiles
> total 12K
> drwxrwxrwt+ 2 root root 4.0K Mar 1 10:21 .
> drwxr-xr-t 5 root root 4.0K Mar 1 10:21 .. 
> 
> Then went into W7 client and adjusted permissions (on my member server)
> as instructed by
> "https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles [1]". That
> changed permissions to: 
> 
> root at mbr01:~# ls -alh /home/samba/TEST/profiles
> total 12K
> drwxrwx--T+ 2 root root 4.0K Mar 1 10:21 .
> drwxr-xr-t 5 root root 4.0K Mar 1 10:21 .. 
> 
> So, Louis, go warm up the oven, you **might** be needing it to soften up
> that shoe . . . 
> 
> However, Rowland mentioned (in one of the emails) that if I couldn't get
> 'getent group domain users' (might be missing a backslash or two) to
> return anything, "I was dead in the water" . . . or something like that.
> 
> Well, in my test environment and on real machines, none of the member
> servers (test environment and/or real) return anything with 'getent
> group domain users'. 
> 
> The DC's return info, member servers do not. 
> 
> As we all pull at our hair, trying to figure this out. It has to be the
> user, me. 
> 
> So, tonight when I have more time, I will return to this and try
> something I remember reading in one of the CentOS tutorials. Something
> about Windows being very finicky about permissions (on a CentOS DC,
> anyway) settings and how W7 users have to delete ALL the permissions and
> re-add them. Something about changing the permissions settings not
> "taking" in the Windows client and that they (permissions) need to be
> purged completely and re-added. 
> 
> Wish me luck . . . 
> ---
> 
> -------------------------
> 
> Bob Wooden of Donelson Trophy
> 
> 615.885.2846 (main)
> www.donelsontrophy.com [2] [2 [2]]
> 
> "Everyone deserves an award!!"
> 
> On 2015-03-09 06:32, L.P.H. van Belle wrote:
> 
>> yes, i know.. but its better if he try the new settings, it save to need of any GID for the group rights. im working on that also to make it more uniform and a set with posix and a set without postix rights. Greetz, Louis -----Oorspronkelijk bericht----- Van: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny Verzonden: maandag 9 maart 2015 12:19 Aan: samba at lists.samba.org Onderwerp: Re: [Samba] setting up W7 profiles On 09/03/15 10:59, L.P.H. van Belle wrote: Bob, to the following.. set the in smb.conf not more not less. On the member server. [profiles$] path = /home/samba/TEST/profiles read only = no acl_xattr:ignore system acl = yes restart samba now type chown root:root /home/samba/TEST/profiles chmod 1777 /home/samba/TEST/profiles Now go to the wiki and set the correct rights for a profile share. and ONLY for AD! ( not the POSIX ) Now go set the share rights from withing windows. then set the rights on the folder from within window
 s. if
this does not work, i'll eat my shoe... and for these: admin users = +"TESTDomain Admins" profile acls = yes csc policy = disable You dont need postix settings on the profiles share imo. But these settings come from y
> 
> our
> member server install script ? Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba [3] [1 [3]]
> 
> Links:
> ------
> [1] https://lists.samba.org/mailman/options/samba [3]
> [2] http://www.donelsontrophy.com [2]
 

Links:
------
[1] https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
[2] http://www.donelsontrophy.com
[3] https://lists.samba.org/mailman/options/samba


More information about the samba mailing list