Bob of Donelson Trophy
2015-Jan-28 17:57 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
That was a cut/paste error.

I've been thinking (danger, danger) when I test kerberos it returns the two DC's are available. Should it be including the member server also? Didn't I see the script setup kerberos on the member server? (Remember this was installed with the gen one scripts, not the newest scripts.)

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com
"Everyone deserves an award!!"

On 2015-01-28 11:02, Rowland Penny wrote:
> On 28/01/15 16:50, Bob of Donelson Trophy wrote:
>> W7 client domain member? yes.
>> Logged in as domainAdministrator? yes.
>> "SeDiskOperatorPrivilege" set? yes
>> Read "/Setup_and_configure_file_shares_with_Windows_ACLs"? yes.
>>
>> On 2015-01-28 10:40, Marcel de Reuver wrote:
>>> 2015-01-27 0:29 GMT+01:00 Bob of Donelson Trophy <bob at donelsontrophy.net>:
>>>> I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01. All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old) scripts. (Any linux client work has gone on hold, for the moment.)
>>>>
>>>> Next step was to adjust the file permissions as instructed on "Setup and configure file shares with Windows ACLs".
>>>>
>>>> When I access the "Computer Management" (thru ADUC on W7 client) it informs me that I do not have permission to access anything on the member server and I should contact my administrator.
>>>
>>> Is your W7 pc a domain member and are you logged in as domain administrator on that Windows client? Has the domain administrator the "SeDiskOperatorPrivilege" set?
>>>
>>> See for the details:
>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#SeDiskOperatorPrivilege
>>>
>>> Regards,
>>> Marcel
>
> OK, you posted this earlier:
>
> [profiles$]
> path = /home/samba/DT***RM/profiles
> read only = no
> admin users = +"DT***RMDomain Admins"
> profile acls = yes
> csc policy = disable
>
> Is the admin users line correct or is a cut and paste error ?
>
> I would have expected it to look like this:
>
> admin users = +"DT***RMDomain Admins"
>
> Having said that, because you have this, in smb.conf:
>
> winbind use default domain = yes
>
> It could also be written like this:
>
> admin users = +domain_admins
>
> If that doesn't work, replace '+' with '@'
>
> Rowland
Rowland Penny
2015-Jan-28 18:34 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
On 28/01/15 17:57, Bob of Donelson Trophy wrote:
> That was a cut/paste error.
>
> I've been thinking (danger, danger) when I test kerberos it returns the
> two DC's are available. Should it be including the member server also?
> Didn't I see the script setup kerberos on the member server? (Remember
> this was installed with the gen one scripts, not the newest scripts.)

The DC's are KDC's, member servers are clients, so your member server will not show up if you run this:

host -t SRV _kerberos._udp.<DOMAIN.NAME.

I take it this was what you meant by testing kerberos.

Did you try the alterations I suggested to your 'admin users' line ?

Rowland
Bob of Donelson Trophy
2015-Jan-28 18:55 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
No, I did not try the alterations, but Louis had me remove the "domain users" line earlier. Put the line back in and try alterations? (If so, I will not have time until you are asleep, tonight.)

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com
"Everyone deserves an award!!"

On 2015-01-28 12:34, Rowland Penny wrote:
> On 28/01/15 17:57, Bob of Donelson Trophy wrote:
>> That was a cut/paste error. I've been thinking (danger, danger) when I test kerberos it returns the two DC's are available. Should it be including the member server also? Didn't I see the script setup kerberos on the member server? (Remember this was installed with the gen one scripts, not the newest scripts.)
>
> The DC's are KDC's, member servers are clients, so your member server will not show up if you run this:
>
> host -t SRV _kerberos._udp.<DOMAIN.NAME.
>
> I take it this was what you meant by testing kerberos.
>
> Did you try the alterations I suggested to your 'admin users' line ?
>
> Rowland
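
As an added example (not code from any poster in this thread): a small Python audit that lists which shares in an smb.conf carry an `admin users` line, which makes the listed accounts perform file operations on that share as root, and decodes each entry's `+`, `@` or `&` prefix as documented in smb.conf(5). The config text is constructed for illustration, `EXAMPLE` is a placeholder domain, and the function names are hypothetical.

```python
import configparser
import shlex

# Constructed smb.conf fragment modelled on the [profiles$] share quoted above.
# EXAMPLE is a placeholder domain name, not the poster's.
SAMPLE = r'''
[global]
winbind use default domain = yes

[profiles$]
path = /home/samba/EXAMPLE/profiles
read only = no
admin users = +"EXAMPLE\Domain Admins", @domain_admins alice

[public]
path = /srv/public
read only = yes
'''

# Name prefixes described in smb.conf(5) under "invalid users".
PREFIXES = {
    "+": "unix group",
    "@": "NIS netgroup, then unix group",
    "&": "NIS netgroup",
}

def split_list(value):
    """Split a Samba list on spaces and commas, honouring double quotes."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace += ","
    lex.whitespace_split = True
    lex.escape = ""  # keep the DOMAIN\name backslash literal
    return list(lex)

def audit_admin_users(text):
    """Return (default_domain, {share: [(name, lookup, domain_qualified)]})."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    # With this set to yes, winbind presents domain names without a prefix.
    default_domain = cp.getboolean(
        "global", "winbind use default domain", fallback=False)
    report = {}
    for share in cp.sections():
        if not cp.has_option(share, "admin users"):
            continue
        rows = []
        for entry in split_list(cp.get(share, "admin users")):
            lookup = PREFIXES.get(entry[0], "user")
            name = entry[1:] if entry[0] in PREFIXES else entry
            rows.append((name, lookup, "\\" in name))
        report[share] = rows
    return default_domain, report
```
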