[Samba] Permission Issues with GPO

L.P.H. van Belle belle at bazuin.nl
Wed Nov 18 09:13:21 UTC 2015


Hi Mourik Jan/Victor.

> MJ definitely understands the problem I'm facing.... 
Yes, and I do too, but you won't listen...

ALL my client PCs, Windows and Linux computers, don't have any uid/gid assigned.

My client PCs do access the DCs and multiple member servers with shares.

I do distribute settings and files with GPO, and these files are on a member server. Yes, also as "COMPUTER$", so the computer can get its file as is set in the GPO.

And yes, I know your problem, it's all rights you're looking for.
But it can be fixed.

I have a share "public", in which I have a folder Installers.
The share has everybody with full control as right.
For the Security tab rights on public, I have:
Creator owner    special.   Only folders and files on underlying folders.
Creator group    special.   Only folders and files on underlying folders.
Verified users   read+exec  This folder, underlying folders and files
Domain Admins    Full       This folder, underlying folders and files
Domain users     read+exec  This folder, underlying folders and files
Domain computer  read+exec  This folder, underlying folders and files

The subfolders have their own rights as needed.

My "Installers" folder, which the domain computers do access, has:
Root             special.   Only this folder
Verified users   read+exec  This folder, underlying folders and files
Creator owner    special.   Only this folders and files on underlying folders.
Creator group    special.   Only this folders and files on underlying folders.
It-department    Full       Only this folders and files on underlying folders.
Domain Admins    Full       Only this folders and files on underlying folders.


And this is the share in smb.conf:
[public]
    browseable = yes
    path = /home/samba/public
    read only = no

/home/        755  root:root
/home/samba   755  root:root
public:  drwxrwx---+ 12 root root  4096 Oct 15 15:25 public
And a getfacl:

# file: /home/samba/public/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:2004:r-x
group:domain\040users:r-x
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:2004:r-x
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---

Good luck. It's all in the rights...


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Viktor Trojanovic
> Sent: Wednesday 18 November 2015 9:52
> To: mourik jan c heupink
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Permission Issues with GPO
> 
> MJ definitely understands the problem I'm facing. I will report back by
> tmw if the solution works, don't have access to the server at the moment.
> 
> Viktor
> 
> > On 18 Nov 2015, at 09:04, mourik jan c heupink <heupink at merit.unu.edu> wrote:
> >
> > Hi,
> >
> > Well, but do your GPO clients have to access your fileservers (domain
> > member servers), or only the DCs with the actual sysvol?
> >
> > Because in our case: accessing the DCs under the machine accounts works
> > without gid/uid, no problem, but accessing domain member servers does NOT.
> >
> > MJ
> >
> >> On 18-11-2015 8:45, L.P.H. van Belle wrote:
> >> None of my computers have a UID/GID and my GPO works fine.
> >>
> >> Add the line I suggested to the share, and set up your rights
> >>
> >> Gr.
> >>
> >> Louis
> >>
> >>> -----Original message-----
> >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mourik jan c
> >>> heupink
> >>> Sent: Tuesday 17 November 2015 18:55
> >>> To: samba at lists.samba.org
> >>> Subject: Re: [Samba] Permission Issues with GPO
> >>>
> >>> Hi Victor,
> >>>
> >>> I have had similar issues as you describe.
> >>>
> >>> Could it be that your computer account has no gidNumber and uidNumber
> >>> assigned?
> >>>
> >>> MJ
> >>>
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >
> 

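An added example, not part of the original message: a short Python check over the getfacl listing posted above. It decodes the `\040` group names, applies the ACL mask, and reports which groups lack effective read+execute in the access or default ACL. The function names are hypothetical.

```python
import re

# ACL entries copied from the getfacl listing above (header lines omitted).
GETFACL = r"""user::rwx
user:root:rwx
group::---
group:root:---
group:2004:r-x
group:domain\040users:r-x
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:2004:r-x
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---
"""

def parse_acl(text):
    r"""Map (tag, name) -> perms per scope; \040-style octal escapes are decoded."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].strip().split(":")  # drop comments
        if len(fields) >= 3:
            scope = "default" if fields[0] == "default" else "access"
            tag, name, perms = fields[-3:]
            name = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)
            acl[scope][(tag, name)] = perms
    return acl

def effective(entries, tag, name=""):
    """Rights after the mask; only user:: and other:: bypass the mask."""
    perms = entries.get((tag, name))
    if perms is None or tag == "other" or (tag, name) == ("user", ""):
        return perms
    mask = entries.get(("mask", ""), "rwx")
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def lacking_read_exec(acl, groups):
    """(scope, group) pairs that cannot read and traverse the directory."""
    return [(s, g) for s, e in acl.items() for g in groups
            if (effective(e, "group", g) or "---")[::2] != "rx"]
```

A gap in the "default" scope means newly created subfolders will not inherit the group's access, even if the share root itself is readable.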



