[Samba] Samba4 DC is not visible in network neighborhood

Andrey Repin anrdaemon at yandex.ru
Sun Nov 22 11:13:49 UTC 2015 

Greetings, Rowland Penny!

>> Err, okay, "windows ACL's", not "native (POSIX)". Was writing in a
>> less-than-sane state of mind.
>>
>>> you should be able to manage access to a share on a domain member from a
>>> windows machine,
>> Should be, that much I've gathered from wiki. But it is already nine months
>> that I'm unable to implement it.
>>
>>> see this page on the wiki:
>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>>> If you follow the various pages on the wiki, you should be able make it
>>> work, if you cannot, you are doing something wrong.
>> So, what I'm doing wrong? I've followed the wiki multiple times to the point.
>> If you have any diagnostics in mind, please suggest, because this is tiring.
>>
>> The smb.conf is attached, the member server do see the users correctly.
>>
>> # wbinfo -i domainuser
>> domainuser:*:10000:513::/home/domainuser:/bin/bash
>>
>> # getent passwd domainuser
>> domainuser:*:10000:513::/home/domainuser:/bin/bash
>>
>>

> Firstly I would remove these lines:

>          idmap config * : schema_mode = rfc2307
>          dns forwarder = 192.168.35.4 (AD DC)
>          idmap_ldb:use rfc2307 = yes

> The first one isn't needed and the other two should only be on a DC

> You do not have a 'username map' line, does 'Domain Admins' have a 
> gidNumber and have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ?

(member server)$ id
uid=1000(anrdaemon) gid=513(domain users) groups=513(domain users),33(www-data),114(lpadmin),512(domain admins)

$ wbinfo --group-info 'TD-ART\Domain Admins'
domain admins:x:512:anrdaemon,administrator

# getent group "Domain Admins"
domain admins:x:512:anrdaemon,administrator

$ net rpc group
Enter anrdaemon's password:
Administrators
Users

$ net rpc rights list accounts
Enter anrdaemon's password:
BUILTIN\Print Operators
No privileges assigned

TD-ART\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

> Rowland






-- 
With best regards,
Andrey Repin
Sunday, November 22, 2015 14:02:02

Sorry for my terrible english...

More information about the samba mailing list