[Samba] user cannot access shares on new ad-dc

L.P.H. van Belle belle at bazuin.nl
Fri Sep 29 13:57:44 UTC 2017


Now with this email also, you have at least 3 problems. 

1) incorrect hosts file (see my previous post) 
2) incorrect resolv.conf (see my previous post) 
3) you hit the "Group bug" (group 100 should be at least 10000) 
https://bugzilla.samba.org/show_bug.cgi?id=13054

Fix that with 
wbinfo -G 10000
net cache flush

> Then I used ADUC from RSAT to create an OU and a user.
> User can see the shares (and can map them to a drive letter), but is 
> denied to look inside.
> Same for another share which I added.
> Even when administrator grants permission to everybody.

Did you "copy" another user? 
Or did you create a template for your users? 

If you copy from another user, and if you have set the Unix attributes: 
Try this, remove the profile and user folder, go to the ADUC, Profile tab. 
Change something in the user and profile field so Windows sees a change. 
Then click apply. 


For another quick fix. 
You see the 2005 there, make sure that matches your own: 
wbinfo -G 2005
S-1-5-18

wbinfo -Y S-1-5-18


#!/bin/bash
# Usage: ./this-script.sh <username>
# Writes a setfacl -M spec for the profile folder of the given user.

[ -n "$1" ] || { echo "usage: $0 <username>" >&2; exit 1; }

RIGHTSFILE="default-rights-user-profile.acl"
# getfacl/setfacl escape the space in "domain users" as \040
GROUP_WRITE_RIGHTS="domain\040users"
# numeric GID of SYSTEM (S-1-5-18) as mapped by winbind
USER_SYSTEM="$(wbinfo -Y S-1-5-18)"

cat << EOF > "${RIGHTSFILE}"
# file: user.V6/
# owner: user
# group: domain\040users
user::rwx
user:${1}:rwx
group::---
group:${USER_SYSTEM}:rwx
group:${GROUP_WRITE_RIGHTS}:---
mask::rwx
other::---
default:user::rwx
default:user:${1}:rwx
default:group::---
default:group:2005:rwx
default:group:${GROUP_WRITE_RIGHTS}:---
default:mask::rwx
default:other::---
EOF

echo "Run : setfacl -R -b -M $RIGHTSFILE The_Users_Profile_Folder"

As Administrator check the rights on the share. 


Greetz, 

Louis
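
Two quick checks for the symptoms discussed in this reply, as an added example that is not part of Louis's post or of Samba: the first flags passwd entries whose primary GID is below the 10000 the post names (the "Group bug"), the second counts entries in a setfacl -M spec that are not well-formed, which catches unexpanded shell syntax such as a missing brace. The getent lines and the ACL spec are constructed from the quoted output; the user name "ok-user" and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: two quick checks for the
# symptoms discussed above. Sample data is constructed from the quoted
# getent output; the 10000 threshold is the value the post gives.

# Constructed getent passwd lines (the third user is a "good" control entry).
SAMPLE_PASSWD='COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false
COMPANY\ok-user:*:10001:10000::/home/COMPANY/ok-user:/bin/false'

# Constructed ACL spec containing two malformed entries (a missing and a
# wrong closing brace on a shell variable) among well-formed ones.
SAMPLE_ACL='# file: user.V6/
user::rwx
group::---
group:domain\040users:---
group:${GROUP_WRITE_RIGHTS:---
mask::rwx
default:group:${GROUP_WRITE_RIGHTS):---
default:other::---'

# low_gid_users: read passwd-format lines on stdin and print "name gid" for
# every entry whose primary GID is below the threshold given as $1.
low_gid_users() {
    awk -F: -v t="$1" '($4 + 0) < (t + 0) { print $1, $4 }'
}

# count_bad_acl_entries: read a setfacl -M style spec on stdin and print how
# many non-comment, non-blank lines are not of the form
#   [default:](user|group|mask|other):<name>:<rwx->
# A name field containing $, braces or parentheses is rejected, so an
# unexpanded shell variable is reported as malformed.
count_bad_acl_entries() {
    awk '
        /^(#|$)/ { next }
        !/^(default:)?(user|group|mask|other):[^:$(){}]*:[rwx-][rwx-][rwx-]$/ { bad++ }
        END { print bad + 0 }'
}

# Wrappers over the constructed samples, so the results can be checked.
count_low_gid_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | low_gid_users 10000 | wc -l | tr -d ' '
}
count_bad_sample_acl_entries() {
    printf '%s\n' "$SAMPLE_ACL" | count_bad_acl_entries
}

# On a live DC the same checks would be run as:
#   getent passwd | low_gid_users 10000
#   count_bad_acl_entries < default-rights-user-profile.acl
echo "users with primary GID below 10000: $(count_low_gid_users)"
echo "malformed ACL entries in sample:    $(count_bad_sample_acl_entries)"
```

Both functions read stdin so they can be pointed at the real `getent passwd` output or at the generated ACL file without changes; a non-zero count from the second check means setfacl would reject the spec before any rights are applied.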



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Klaus Hartnegg via samba
> Sent: Friday 29 September 2017 15:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] user cannot access shares on new ad-dc
> 
> 
> > On 29.09.2017 14:32 Rowland Penny wrote:
> > I cannot see where it says not to use on a DC
> 
> I misread the first section.
> 
> > What does 'getent passwd username' actually produce ?
> 
> root at dc1:~# getent passwd administrator
> COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
> root at dc1:~# getent passwd klaus
> COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false
> 
> > if PAM isn't set up, then set it up by installing the required 
> > packages and try again
> 
> Ok, I ran "pam-auth-update" and pressed enter twice.
> Have no idea what this does.
> 
> But is PAM really necessary on a DC?
> The Wiki says that winbindd is optional.
> Should not at least sysvol work without it?
> 
> Klaus
> 