Bob of Donelson Trophy
2015-Jan-28 16:50 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
W7 client domain member? yes.

Logged in as domainAdministrator? yes.

"SeDiskOperatorPrivilege" set? yes

Read "/Setup_and_configure_file_shares_with_Windows_ACLs"? yes.

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [2]
"Everyone deserves an award!!"

On 2015-01-28 10:40, Marcel de Reuver wrote:
> 2015-01-27 0:29 GMT+01:00 Bob of Donelson Trophy <bob at donelsontrophy.net>:
>
>> I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01.
>> All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old)
>> scripts. (Any linux client work has gone on hold, for the moment.)
>> Next step was to adjust the file permissions as instructed on "Setup
>> and configure file shares with Windows ACLs". When I access the
>> "Computer Management" (thru ADUC on W7 client) it informs me that I do
>> not have permission to access anything on the member server and I
>> should contact my administrator.
>
> Is your W7 pc a domain member and are you logged in as domain administrator
> on that Windows client?
> Has the domain administrator the "SeDiskOperatorPrivilege" set? See for
> the details: https://wiki.samba.org/index.php [1]
> /Setup_and_configure_file_shares_with_Windows_ACLs#SeDiskOperatorPrivilege
>
> Regards,
> Marcel

Links:
------
[1] https://wiki.samba.org/index.php
[2] http://www.donelsontrophy.com
Rowland Penny
2015-Jan-28 17:02 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
On 28/01/15 16:50, Bob of Donelson Trophy wrote:
> W7 client domain member? yes.
>
> Logged in as domainAdministrator? yes.
>
> "SeDiskOperatorPrivilege" set? yes
>
> Read "/Setup_and_configure_file_shares_with_Windows_ACLs"? yes.
>
> ---
> -------------------------
> Bob Wooden of Donelson Trophy
> 615.885.2846 (main)
> www.donelsontrophy.com [2]
> "Everyone deserves an award!!"
>
> On 2015-01-28 10:40, Marcel de Reuver wrote:
>> 2015-01-27 0:29 GMT+01:00 Bob of Donelson Trophy <bob at donelsontrophy.net>:
>>
>>> I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01.
>>> All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old)
>>> scripts. (Any linux client work has gone on hold, for the moment.)
>>> Next step was to adjust the file permissions as instructed on "Setup
>>> and configure file shares with Windows ACLs". When I access the
>>> "Computer Management" (thru ADUC on W7 client) it informs me that I do
>>> not have permission to access anything on the member server and I
>>> should contact my administrator.
>>
>> Is your W7 pc a domain member and are you logged in as domain administrator
>> on that Windows client?
>> Has the domain administrator the "SeDiskOperatorPrivilege" set? See for
>> the details: https://wiki.samba.org/index.php [1]
>> /Setup_and_configure_file_shares_with_Windows_ACLs#SeDiskOperatorPrivilege
>>
>> Regards,
>> Marcel
>
> Links:
> ------
> [1] https://wiki.samba.org/index.php
> [2] http://www.donelsontrophy.com

OK, you posted this earlier:

    [profiles$]
    path = /home/samba/DT***RM/profiles
    read only = no
    admin users = +"DT***RMDomain Admins"
    profile acls = yes
    csc policy = disable

Is the admin users line correct or is it a cut and paste error?

I would have expected it to look like this:

    admin users = +"DT***RM\Domain Admins"

Having said that, because you have this, in smb.conf:

    winbind use default domain = yes

It could also be written like this:

    admin users = +domain_admins

If that doesn't work, replace '+' with '@'

Rowland
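An added example, not part of Rowland's message or of Samba itself: accounts listed in `admin users` perform all file operations on the share as root, so the line is worth checking mechanically. This Python audit flags entries where the group name runs straight into the workgroup name, as in the line questioned above. `EXAMPLE`, the sample configuration and the function names are constructed for illustration, and the default `\` winbind separator is assumed.

```python
import re

# Constructed sample modelled on the share stanza quoted in the thread;
# EXAMPLE is a placeholder workgroup, not the poster's real domain.
SAMPLE_SMB_CONF = r'''
[global]
    workgroup = EXAMPLE
    winbind use default domain = yes

[profiles$]
    path = /home/samba/EXAMPLE/profiles
    read only = no
    admin users = +"EXAMPLEDomain Admins"

[data]
    admin users = +"EXAMPLE\Domain Admins", @domain_admins, alice
'''

def parse_smb_conf(text):
    """Return {section: {normalised key: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_admin_users(text):
    """List every 'admin users' entry and flag names fused to the workgroup."""
    conf = parse_smb_conf(text)
    workgroup = conf.get("global", {}).get("workgroup", "")
    findings = []
    for share, params in conf.items():
        # Entries are separated by commas/whitespace; quoted names may hold spaces.
        entries = re.findall(r'[+@&]*"[^"]*"|[^\s,]+', params.get("admin users", ""))
        for entry in entries:
            name = entry.lstrip("+@&").strip('"')
            kind = "group" if entry[0] in "+@&" else "user"
            # Heuristic: name starts with the workgroup but no '\' follows it.
            fused = (workgroup and name.upper().startswith(workgroup.upper())
                     and len(name) > len(workgroup)
                     and name[len(workgroup)] != "\\")
            findings.append((share, entry, kind,
                             "missing domain separator" if fused else "ok"))
    return findings
```

The check is a heuristic: a legitimate account whose name merely begins with the workgroup string would also be flagged, so treat a finding as a prompt to read the line, not as proof of an error.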
Bob of Donelson Trophy
2015-Jan-28 17:57 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
That was a cut/paste error.

I've been thinking (danger, danger) when I test Kerberos it returns the two DCs are available. Should it be including the member server also? Didn't I see the script setup Kerberos on the member server? (Remember this was installed with the gen one scripts, not the newest scripts.)

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [1]
"Everyone deserves an award!!"

On 2015-01-28 11:02, Rowland Penny wrote:
> On 28/01/15 16:50, Bob of Donelson Trophy wrote:
>> W7 client domain member? yes.
>>
>> Logged in as domainAdministrator? yes.
>>
>> "SeDiskOperatorPrivilege" set? yes
>>
>> Read "/Setup_and_configure_file_shares_with_Windows_ACLs"? yes.
>>
>> ---
>> -------------------------
>> Bob Wooden of Donelson Trophy
>> 615.885.2846 (main)
>> www.donelsontrophy.com [1]
>> "Everyone deserves an award!!"
>>
>> On 2015-01-28 10:40, Marcel de Reuver wrote:
>>> 2015-01-27 0:29 GMT+01:00 Bob of Donelson Trophy <bob at donelsontrophy.net>:
>>>
>>>> I have been improving my DC. I now have a DC01, DC02 and a DCMEMBER01.
>>>> All running sernet-samba 4.1.16 on Debian 7.8.0 thanks to Louis' (old)
>>>> scripts. (Any linux client work has gone on hold, for the moment.)
>>>> Next step was to adjust the file permissions as instructed on "Setup
>>>> and configure file shares with Windows ACLs". When I access the
>>>> "Computer Management" (thru ADUC on W7 client) it informs me that I do
>>>> not have permission to access anything on the member server and I
>>>> should contact my administrator.
>>>
>>> Is your W7 pc a domain member and are you logged in as domain administrator
>>> on that Windows client?
>>> Has the domain administrator the "SeDiskOperatorPrivilege" set?
>>> See for the details: https://wiki.samba.org/index.php [2]
>>> /Setup_and_configure_file_shares_with_Windows_ACLs#SeDiskOperatorPrivilege
>>>
>>> Regards,
>>> Marcel
>
> OK, you posted this earlier:
>
>     [profiles$]
>     path = /home/samba/DT***RM/profiles
>     read only = no
>     admin users = +"DT***RMDomain Admins"
>     profile acls = yes
>     csc policy = disable
>
> Is the admin users line correct or is it a cut and paste error?
>
> I would have expected it to look like this:
>
>     admin users = +"DT***RM\Domain Admins"
>
> Having said that, because you have this, in smb.conf:
>
>     winbind use default domain = yes
>
> It could also be written like this:
>
>     admin users = +domain_admins
>
> If that doesn't work, replace '+' with '@'
>
> Rowland

Links:
------
[1] http://www.donelsontrophy.com
[2] https://wiki.samba.org/index.php