I'm running Debian/Jessie (stable) on an AMD64 machine, with Samba Version 4.1.17-Debian. This is the domain controller, DNS server, Time server and File server for the local network.

The problem I'm having is that Windows machines sometimes can't open files for editing. Other files in the same directory don't have that problem.

When I look at the Unix permissions, the files causing problems have a windows user number as the owner while the ones that don't cause problems are owned by nobody. In both cases the Unix permissions are everyone has read-write-execute access to the files. Changing the Unix permission had no impact.

Where I hit the snag however was trying to change the ACLs so that Domain Users should have read/write/execute permissions. I can't log in with the domain administrator account on any of the Windows machines. I get an error message saying user name or password is incorrect.

I've used smb-tool on the DC to change the password so I know it is correct. And Domain Admins are in the local Administrators group on the Windows machines.

Any tips on tracking down the problem?
On 24/10/15 01:26, Gary Dale wrote:
> I'm running Debian/Jessie (stable) on an AMD64 machine, with Samba
> Version 4.1.17-Debian. This is the domain controller, DNS server, Time
> server and File server for the local network.
>
> The problem I'm having is that Windows machines sometimes can't open
> files for editing. Other files in the same directory don't have that
> problem.
>
> When I look at the Unix permissions, the files causing problems have a
> windows user number as the owner while the ones that don't cause
> problems are owned by nobody. In both cases the Unix permissions are
> everyone has read-write-execute access to the files. Changing the Unix
> permission had no impact.
>
> Where I hit the snag however was trying to change the ACLs so that
> Domain Users should have read/write/execute permissions. I can't log
> in with the domain administrator account on any of the Windows
> machines. I get an error message saying user name or password is
> incorrect.
>
> I've used smb-tool on the DC to change the password so I know it is
> correct. And Domain Admins are in the local Administrators group on
> the Windows machines.
>
> Any tips on tracking down the problem?
>

If you are getting files that belong to numbers instead of names, this usually means that Unix doesn't know who the users are, do your windows users have a uidNumber? Also does 'Domain Users' have a gidNumber?

To test your Administrator password, you could try to obtain a kerberos ticket on the Samba4 DC:

kinit Administrator

You should get asked for the password and then the command should return without error to the prompt i.e. there should be no output.

Are the windows machines joined to the domain? and are you trying to log into the windows machines as DOMAIN\Administrator? local Administrator != domain Administrator.

Rowland
On 24/10/15 04:41 AM, Rowland Penny wrote:
> On 24/10/15 01:26, Gary Dale wrote:
>> I'm running Debian/Jessie (stable) on an AMD64 machine, with Samba
>> Version 4.1.17-Debian. This is the domain controller, DNS server,
>> Time server and File server for the local network.
>>
>> The problem I'm having is that Windows machines sometimes can't open
>> files for editing. Other files in the same directory don't have that
>> problem.
>>
>> When I look at the Unix permissions, the files causing problems have
>> a windows user number as the owner while the ones that don't cause
>> problems are owned by nobody. In both cases the Unix permissions are
>> everyone has read-write-execute access to the files. Changing the
>> Unix permission had no impact.
>>
>> Where I hit the snag however was trying to change the ACLs so that
>> Domain Users should have read/write/execute permissions. I can't log
>> in with the domain administrator account on any of the Windows
>> machines. I get an error message saying user name or password is
>> incorrect.
>>
>> I've used smb-tool on the DC to change the password so I know it is
>> correct. And Domain Admins are in the local Administrators group on
>> the Windows machines.
>>
>> Any tips on tracking down the problem?
>>
>
> If you are getting files that belong to numbers instead of names, this
> usually means that Unix doesn't know who the users are, do your
> windows users have a uidNumber? Also does 'Domain Users' have a
> gidNumber?
>
> To test your Administrator password, you could try to obtain a
> kerberos ticket on the Samba4 DC:
>
> kinit Administrator
>
> You should get asked for the password and then the command should
> return without error to the prompt i.e. there should be no output.
>
> Are the windows machines joined to the domain? and are you trying to
> log into the windows machines as DOMAIN\Administrator? local
> Administrator != domain Administrator.
>
> Rowland
>

kinit returns

Configuration file does not specify default realm when parsing name Administrator

And I hoped I was being clear that I was trying to log in as a Domain Admin, not a local one. All the machines are joined to domain and the users are logging with domain accounts.
On 24/10/15 04:41 AM, Rowland Penny wrote:
> On 24/10/15 01:26, Gary Dale wrote:
>> I'm running Debian/Jessie (stable) on an AMD64 machine, with Samba
>> Version 4.1.17-Debian. This is the domain controller, DNS server,
>> Time server and File server for the local network.
>>
>> The problem I'm having is that Windows machines sometimes can't open
>> files for editing. Other files in the same directory don't have that
>> problem.
>>
>> When I look at the Unix permissions, the files causing problems have
>> a windows user number as the owner while the ones that don't cause
>> problems are owned by nobody. In both cases the Unix permissions are
>> everyone has read-write-execute access to the files. Changing the
>> Unix permission had no impact.
>>
>> Where I hit the snag however was trying to change the ACLs so that
>> Domain Users should have read/write/execute permissions. I can't log
>> in with the domain administrator account on any of the Windows
>> machines. I get an error message saying user name or password is
>> incorrect.
>>
>> I've used smb-tool on the DC to change the password so I know it is
>> correct. And Domain Admins are in the local Administrators group on
>> the Windows machines.
>>
>> Any tips on tracking down the problem?
>>
>
> If you are getting files that belong to numbers instead of names, this
> usually means that Unix doesn't know who the users are, do your
> windows users have a uidNumber? Also does 'Domain Users' have a
> gidNumber?
>
> To test your Administrator password, you could try to obtain a
> kerberos ticket on the Samba4 DC:
>
> kinit Administrator
>
> You should get asked for the password and then the command should
> return without error to the prompt i.e. there should be no output.
>
> Are the windows machines joined to the domain? and are you trying to
> log into the windows machines as DOMAIN\Administrator? local
> Administrator != domain Administrator.
>
> Rowland
>

OK, got it.
The /etc/krb5.conf link was pointing to a non-existent file.
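
A check for the failure found in this thread, as an added example that is not part of the original messages: it tells a dangling /etc/krb5.conf symlink apart from a file that exists but has no default_realm in [libdefaults], the two conditions that produce the kinit error quoted above. The function name check_krb5_conf and its return codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Classify the state of a Kerberos
# client configuration file before running kinit against the DC.
# Prints one of: dangling-symlink, missing, unreadable,
#                no-default-realm, ok:<REALM>
# Returns 0 only for the "ok" case.
check_krb5_conf() {
    conf=${1:-/etc/krb5.conf}

    # A symlink whose target does not exist: -L is true, -e is false.
    if [ -L "$conf" ] && [ ! -e "$conf" ]; then
        echo "dangling-symlink"
        return 2
    fi
    if [ ! -e "$conf" ]; then
        echo "missing"
        return 3
    fi
    if [ ! -r "$conf" ]; then
        echo "unreadable"
        return 4
    fi

    # Pull default_realm out of the [libdefaults] section only,
    # skipping comment lines (which start with # or ;).
    realm=$(awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }' "$conf")

    if [ -z "$realm" ]; then
        echo "no-default-realm"
        return 5
    fi
    echo "ok:$realm"
}
```

Run `check_krb5_conf` with no argument on the DC to test /etc/krb5.conf; anything other than an `ok:` line means kinit cannot determine the realm.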