Rowland Penny
2015-Jan-30 19:28 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
On 30/01/15 19:14, Bob of Donelson Trophy wrote:
> There is no uidNumber or gidNumber specifically listed (there is an objectGuid and an objectSid.)
>
> Did nothing.
>
> Now?
>
> ---
> -------------------------
> Bob Wooden of Donelson Trophy
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
> "Everyone deserves an award!!"
>
> On 2015-01-30 12:58, Rowland Penny wrote:
>> On 30/01/15 18:28, Bob of Donelson Trophy wrote:
>>> After restoring the member server and re-running the improved "4-setup-samba4-MEMBER-wheezy.sh" script I am still having the same issue. W7 client still not allowed to access the member server. Administrator still has a uidNumber:
>>>
>>> getent passwd Administrator
>>> administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash
>>>
>>> I have added a couple of test admin users (must have done it wrong.) Joined them to the 'Domain Admins' group and they cannot access the member server either.
>>>
>>> wbinfo -u output is:
>>> adminrob
>>> administrator
>>> dns-dtdc02
>>> dns-dtdc01
>>> adminnew
>>> krbtgt
>>> guest
>>>
>>> wbinfo -g output is:
>>> allowed rodc password replication group
>>> enterprise read-only domain controllers
>>> denied rodc password replication group
>>> read-only domain controllers
>>> group policy creator owners
>>> ras and ias servers
>>> domain controllers
>>> enterprise admins
>>> domain computers
>>> cert publishers
>>> dnsupdateproxy
>>> domain admins
>>> domain guests
>>> schema admins
>>> domain users
>>> dnsadmins
>>>
>>> How do I remove the uidNumber from the domain Administrator and re-associate domain Administrator to root '0'?
>>
>> OK, let's check if Administrator has a 'uidNumber', run this on your first DC:
>>
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s sub '(&(objectclass=user)(cn=Administrator))'
>>
>> this should display all the information about the Administrator user, if there is a 'uidNumber' attribute, delete the entire line, same goes for a 'gidNumber' attribute, save and close nano.
>>
>> You should not have any rfc2307 attributes related to Administrator now, so go to your member server, login as a normal user and run this:
>>
>> sudo net cache flush
>>
>> then:
>>
>> getent passwd administrator
>>
>> Rowland
>
> Links:
> ------
> [1] http://www.donelsontrophy.com

OK, right you posted this part of your smb.conf earlier:

## map id's outside to domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 50001-80000
## map ids from the domain the range may not overlap !
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 2000-40000

and you just posted this:

getent passwd Administrator
administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash

Can you see where '50001' is coming from? Is 'INTERNAL' actually in your smb.conf? What I mean is, did you change it before you posted it? If 'INTERNAL' is in your smb.conf, change it to your workgroup name, flush the net cache and try again.

Rowland
Bob of Donelson Trophy
2015-Jan-30 19:42 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
Yes, "INTERNAL" was the actual. Generated by script, I presume. Now changed to my workgroup name. Restarted member server.

Now 'getent passwd Administrator' returns nothing but, W7 client still cannot connect.

(As I have restored and re-run script this morning doesn't that mean it has to be coming over from DC's somehow?)

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [1]
"Everyone deserves an award!!"

On 2015-01-30 13:28, Rowland Penny wrote:
> OK, right you posted this part of your smb.conf earlier:
>
> ## map id's outside to domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 50001-80000
> ## map ids from the domain the range may not overlap !
> idmap config INTERNAL:backend = ad
> idmap config INTERNAL:schema_mode = rfc2307
> idmap config INTERNAL:range = 2000-40000
>
> and you just posted this:
>
> getent passwd Administrator
> administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash
>
> Can you see where '50001' is coming from? Is 'INTERNAL' actually in your smb.conf? What I mean is, did you change it before you posted it? If 'INTERNAL' is in your smb.conf, change it to your workgroup name, flush the net cache and try again.
>
> Rowland

Links:
------
[1] http://www.donelsontrophy.com
Rowland Penny
2015-Jan-30 19:54 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
On 30/01/15 19:42, Bob of Donelson Trophy wrote:
> Yes, "INTERNAL" was the actual. Generated by script, I presume. Now changed to my workgroup name. Restarted member server.
>
> Now 'getent passwd Administrator' returns nothing but, W7 client still cannot connect.
>
> (As I have restored and re-run script this morning doesn't that mean it has to be coming over from DC's somehow?)
>

OK, we are getting somewhere (not sure where though ;-) )

I don't get anything when I try to get Administrator's info either, so don't worry about it.

So, you have a user in AD that does have a 'uidNumber'; does Domain Users have a 'gidNumber'? If not, give the group one. After that, does 'getent passwd <username>' return anything? If not, check that the 'uidNumber' & 'gidNumber' are both inside '2000-40000'.

Is the W7 client joined to the Domain? Try leaving the domain and rejoining.

Rowland
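The two checks Rowland walks Bob through above (first, that the domain label in the 'idmap config' lines is the real workgroup rather than the script's INTERNAL placeholder, so that a uid like 50001 is not quietly allocated from the catch-all '*' tdb range; second, that a user's rfc2307 uidNumber and gidNumber both fall inside the domain's own range) can be scripted. The following is an added example and is not code from the thread or from the Samba project: it parses the idmap section of an smb.conf, reports which backend a given id came from, and audits the layout. The workgroup name EXAMPLE is a placeholder for the real (masked) workgroup, and the smb.conf snippet is reconstructed from the lines posted in the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the idmap lines as posted, with the domain label still set to
# the placeholder INTERNAL left by the setup script. EXAMPLE stands in for the real
# workgroup name, which is masked in the thread.
SMB_CONF_AS_POSTED = """
[global]
   workgroup = EXAMPLE
   ## map id's outside to domain to tdb files.
   idmap config *:backend = tdb
   idmap config *:range = 50001-80000
   ## map ids from the domain the range may not overlap !
   idmap config INTERNAL:backend = ad
   idmap config INTERNAL:schema_mode = rfc2307
   idmap config INTERNAL:range = 2000-40000
"""

# The same file after following Rowland's advice: INTERNAL replaced by the workgroup.
SMB_CONF_FIXED = SMB_CONF_AS_POSTED.replace("INTERNAL", "EXAMPLE")

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)


def parse_smb_conf(text: str) -> Tuple[Optional[str], Dict[str, Dict[str, str]]]:
    """Return (workgroup, {DOMAIN: {key: value}}) from the 'idmap config' lines."""
    workgroup: Optional[str] = None
    idmap: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":   # smb.conf comments
            continue
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(domain, {})[key] = value
    return workgroup, idmap


def range_of(idmap: Dict[str, Dict[str, str]], domain: str) -> Optional[Tuple[int, int]]:
    cfg = idmap.get(domain.upper())
    if not cfg or "range" not in cfg:
        return None
    lo, hi = cfg["range"].replace(" ", "").split("-")
    return int(lo), int(hi)


def source_of_id(conf: str, xid: int) -> Optional[str]:
    """Name the idmap domain whose range contains xid; '*' is the catch-all tdb backend."""
    _, idmap = parse_smb_conf(conf)
    for domain in idmap:
        rng = range_of(idmap, domain)
        if rng and rng[0] <= xid <= rng[1]:
            return domain
    return None


def audit_idmap(conf: str) -> List[str]:
    """Findings that would make domain users land in the wrong backend or range."""
    workgroup, idmap = parse_smb_conf(conf)
    findings: List[str] = []
    if workgroup is None:
        findings.append("no 'workgroup' set in [global]")
    elif workgroup not in idmap:
        findings.append(f"no 'idmap config {workgroup}:...' lines: domain users fall back to the '*' backend")
    elif idmap[workgroup].get("backend", "").lower() != "ad":
        findings.append(f"'{workgroup}' does not use the ad backend, so rfc2307 uidNumber/gidNumber are ignored")
    ranged = [d for d in idmap if range_of(idmap, d)]
    for i, a in enumerate(ranged):            # the comment in smb.conf says it: ranges may not overlap
        for b in ranged[i + 1:]:
            ra, rb = range_of(idmap, a), range_of(idmap, b)
            if ra[0] <= rb[1] and rb[0] <= ra[1]:
                findings.append(f"ranges of '{a}' and '{b}' overlap")
    return findings


def rfc2307_ids_in_domain_range(conf: str, uid_number: int, gid_number: int) -> bool:
    """Rowland's last check: both ids must sit inside the domain's own idmap range."""
    workgroup, idmap = parse_smb_conf(conf)
    rng = range_of(idmap, workgroup) if workgroup else None
    if rng is None:
        return False
    return rng[0] <= uid_number <= rng[1] and rng[0] <= gid_number <= rng[1]


if __name__ == "__main__":
    print("as posted:", audit_idmap(SMB_CONF_AS_POSTED))
    print("uid 50001 was allocated by:", source_of_id(SMB_CONF_AS_POSTED, 50001))
    print("after fix:", audit_idmap(SMB_CONF_FIXED))
    print("uid 2001 / gid 2000 usable:", rfc2307_ids_in_domain_range(SMB_CONF_FIXED, 2001, 2000))
```

Run against the as-posted configuration the audit reports that EXAMPLE has no idmap entry of its own, and source_of_id places 50001 in the '*' tdb range, which is exactly why 'getent passwd Administrator' showed a uid the DC never assigned; after the rename the audit is clean and only ids inside 2000-40000 pass the final check.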