Bob of Donelson Trophy
2015-Jan-26 23:29 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01. All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old) scripts. (Any linux client work has gone on hold, for the moment.)

Next step was to adjust the file permissions as instructed on "Setup and configure file shares with Windows ACLs". When I access the "Computer Management" (thru ADUC on W7 client) it informs me that I do not have permission to access anything on the member server and I should contact my administrator.

As instructed, I have run the "rpc rights grant" string on the member server but, still no love!

I also tried a different W7 client and it was denied access in the same way.

I can access both DC's but not the member server from either W7 client.

Here is a copy of my member-server smb.conf which is basically the default created via Louis' script;

cat /etc/samba/smb.conf
[global]
        workgroup = DT***RM
        security = ADS
        realm = DT***RM.LAN

        netbios name = dtmember01
        domain master = no
        host msdfs = no

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        client signing = if_required

        ## map id's outside to domain to tdb files.
        idmap config *:backend = tdb
        idmap config *:range = 50001-80000
        ## map ids from the domain the range may not overlap !
        idmap config INTERNAL:backend = ad
        idmap config INTERNAL:schema_mode = rfc2307
        idmap config INTERNAL:range = 2000-40000

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind offline logon = yes

        wins server = 192.168.***.54, 192.168.***.55

        template shell = /bin/bash
        template homedir = /home/samba/DT***RM/users/%USERNAME%

        # user Administrator workaround, without it you are unable to set privileges
        username map = /etc/samba/samba_usermapping

        # For ACL support on member file server
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        # Share Setting Globally
        usershare allow guests = no
        unix extensions = no
        wide links = no
        reset on zero vc = yes
        veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
        hide unreadable = yes

        # disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[home]
        path = /home/samba/DT***RM/users
        read only = no

[profiles$]
        path = /home/samba/DT***RM/profiles
        read only = no
        admin users = +"DT***RM\Domain Admins"
        profile acls = yes
        csc policy = disable

[data]
        path = /home/samba/DT***RM/companydata
        read only = no

[software]
        path = /home/samba/software
        read only = no

Help? Thoughts?

--
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com
"Everyone deserves an award!!"
L.P.H. van Belle
2015-Jan-28 09:18 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
Hai Bob,

A few questions.

- is the client computer member of the domain?
- Are you logged in as "DOMAIN\Administrator" ?
- is the time on pc and server the same.

and for example. change this one to

> [profiles$]
>         path = /home/samba/DT***RM/profiles
>         acl_xattr:ignore system acl = yes
>         read only = no
>         csc policy = disable

now check if : /etc/samba/samba_usermapping
contains "!root = DOMAIN\Administrator DOMAIN\administrator

now check the rights.. set all to root:root
at least
rwx rwx rwx x
755 775 775 777
/home/samba/DT***RM/profiles

acl_xattr:ignore system acl ignores the linux rights, but !!
if you change rights on linux after you set rights on windows,
it can get messy, and you need to reset the rights from windows again. !

now read : https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
as from : Creating a profiles share and setting permissions
and stop/skip reading when you see.. "Profile share with using POSIX ACLs " skip that part.
start reading again as of "Configuring roaming profiles for a user " and skip "In a NT4 domain"
and start again "Configuring folder redirection "

I think this part of the wiki can be better..

a "NT4 style setup" with only that needed info
and a "AD DC" style setup.. so 2 pages imo.

and about the same for other shares..

this is also nice explained here with more examples..

http://blogging.dragon.org.uk/administering-ad-dc-via-windows/

Have a try and let us know.

Greetz,

Louis

> -----Original message-----
> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
> Sent: Tuesday 27 January 2015 0:30
> To: SAMBA MailList
> Subject: [Samba] W7 client cannot adjust file permissions via ADUC
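As an added example (not code from this thread or from Samba), here is a small Python checker for the member-server points discussed above: it parses an smb.conf, confirms that acl_xattr is loaded, that the idmap ranges do not overlap (the warning in the comment of Bob's own config), that the username map sends DOMAIN\Administrator to root as Louis asks, and that [profiles$] carries the acl_xattr:ignore system acl = yes he suggests. The sample config and username map inside the script are constructed, modelled on the ones posted here.

```python
"""Check a member-server smb.conf and username map for the Windows-ACL points
raised in this thread. Added example, not code from the thread or from Samba."""
import re

# Constructed samples modelled on Bob's configuration and Louis' suggested map line.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = DT***RM
    idmap config *:backend = tdb
    idmap config *:range = 50001-80000
    idmap config INTERNAL:backend = ad
    idmap config INTERNAL:range = 2000-40000
    username map = /etc/samba/samba_usermapping
    vfs objects = acl_xattr
[profiles$]
    path = /home/samba/DT***RM/profiles
    read only = no
"""
SAMPLE_USERMAP = "!root = DT***RM\\Administrator DT***RM\\administrator\n"

def parse_smb_conf(text):
    """{section: {parameter: value}}; split on '=' only, since names contain ':'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            section[key] = value
    return conf

def overlapping_idmap_ranges(conf):
    """Pairs of idmap domains whose ID ranges overlap (must be empty)."""
    ranges = {}
    for key, value in conf.get("global", {}).items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, high = (int(x) for x in re.split(r"\s*-\s*", value))
            ranges[m.group(1)] = (low, high)
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def username_map_covers_administrator(map_text, workgroup):
    """True if a 'root = ...' or '!root = ...' line names WORKGROUP\\Administrator."""
    wanted = f"{workgroup}\\administrator".lower()
    for line in map_text.splitlines():
        unix, _, win = line.strip().partition("=")
        if unix.strip().lstrip("!") == "root" and wanted in win.lower().split():
            return True
    return False

def check_member_server(conf_text, usermap_text):
    """Findings for one smb.conf plus its username map; an empty list passes."""
    conf = parse_smb_conf(conf_text)
    g, findings = conf.get("global", {}), []
    if "acl_xattr" not in g.get("vfs objects", "").split():
        findings.append("vfs objects must include acl_xattr")
    if not username_map_covers_administrator(usermap_text, g.get("workgroup", "")):
        findings.append("username map does not send DOMAIN\\Administrator to root")
    findings += [f"idmap ranges for '{a}' and '{b}' overlap"
                 for a, b in overlapping_idmap_ranges(conf)]
    prof = conf.get("profiles$")
    if prof and prof.get("acl_xattr:ignore system acl", "no").lower() != "yes":
        findings.append("[profiles$] lacks acl_xattr:ignore system acl = yes")
    return findings
```

Run against the posted configuration, the only finding is the missing acl_xattr:ignore system acl line on [profiles$]; point the functions at the real /etc/samba/smb.conf and /etc/samba/samba_usermapping contents to check a live member server.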
Bob of Donelson Trophy
2015-Jan-28 14:25 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
Answers:

W7 client domain member? yes

Logged in as "DOMAIN\Administrator"? yes

W7client and server time set by ntp? yes

Adjusted smb.conf as you indicated.

Adjusted the file permissions as you indicated. (Was slightly unclear as to what the "755 775 775 777" meant?)

So, still might be a linux permissions issue? Current file permissions are set as:

/home                         drwxr-xr-x (755?)
/home/samba                   drwxr-xr-x (755?)
/home/samba/DT***RM           drwxr-xr-t ( t?? )
/home/samba/DT***RM/profiles  drwxrwxr-x (775?)

Have read through the suggestions you posted (yes, I agree, that part of the wiki could be better.)

I have attached a small *.png image (hope it does not get dropped by mailing list.)

While logged into the W7 client as "DOMAIN\Administrator" can still connect to either of the two DC's but, the member connection is refused (see image.) So, at this moment, I cannot proceed with any instructions at the wiki regarding "Samba_%26_Windows_Profiles" because I cannot access them via the client.

What do you need to know, now?

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com
"Everyone deserves an award!!"

On 2015-01-28 03:18, L.P.H. van Belle wrote:
L.P.H. van Belle
2015-Jan-28 14:57 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
Hi Bob,

Set the rights like this.

> /home                         775
> /home/samba                   775
> /home/samba/DT***RM           775
> /home/samba/DT***RM/profiles  777

for the profiles, after you set the rights in windows, user profiles folders will be created with the correct rights. and only accessible by the user.. and from here you should be able to set the correct rights.

Can you give it a try?

greetz,

Louis

> -----Original message-----
> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
> Sent: Wednesday 28 January 2015 15:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
Marcel de Reuver
2015-Jan-28 16:40 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
2015-01-27 0:29 GMT+01:00 Bob of Donelson Trophy <bob at donelsontrophy.net>:

Is your W7 pc a domain member and are you logged in as domain administrator on that Windows client?
Has the domain administrator the "SeDiskOperatorPrivilege" set? See for the details:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#SeDiskOperatorPrivilege

Regards,
Marcel
Bob of Donelson Trophy
2015-Jan-28 16:50 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
W7 client domain member? yes.

Logged in as domain\Administrator? yes.

"SeDiskOperatorPrivilege" set? yes

Read "/Setup_and_configure_file_shares_with_Windows_ACLs"? yes.

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com
"Everyone deserves an award!!"

On 2015-01-28 10:40, Marcel de Reuver wrote: