L.P.H. van Belle
2015-Jan-30 08:05 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
Hi Bob,

Yes, I have corrected the script online.

I replaced the %USERNAME with %U in the old member script, and please don't give the user DOMAIN\Administrator any uid. Not 0, nothing... no uid.

My best advice: leave Administrator as is and create a new user. Add that one to "Domain Admins" and that user can have a uid.

For setting the rights, use setfacl to set the base rights on the folder structure, and set "DOMAIN Admins" as group with full access on /home/samba (and subfolders). I'll change this in the new member server script.

Greetz,

Louis

> -----Original message-----
> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
> Sent: Friday, 30 January 2015 3:52
> To: samba at lists.samba.org
> Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>
> Thursday's emails were erratic due to a server (somewhere in email land) that had gone haywire. Here in the midwest United States peaceful silence from the samba-list. Then about mid-afternoon, BAM! Emails began to arrive in a very erratic manner. Emails from 1300 hours were arriving before emails from 0900 hours and I began reading and responding and I got confused, as I am sure everyone was.
>
> Tranquility has settled, we have all had time to "take a breath" and once again it is time to move forward.
>
> Rowland,
>
> Thanks for your help and patience, so far.
>
> Louis,
>
> From what I can understand from your email, there was an error within your "4-setup-sernet-samba4-MEMBER-wheezy.sh" script that caused my domainAdministrator to create a uidNumber when it should not have had a uidNumber (should be "0" for root.) And now you have corrected the script so it will not do that again.
>
> The simplest solution for me is this. Revert to my initial Debian installation backup (created just prior to my running the uidNumber creation script the first time) and re-run the now revised "4-setup-sernet-samba4-MEMBER-wheezy.sh".
>
> This is what I am going to do.
>
> Now, Louis, the script has been corrected, yes?
>
> ---
> Bob Wooden of Donelson Trophy
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
> "Everyone deserves an award!!"
>
> On 2015-01-29 08:05, L.P.H. van Belle wrote:
>
>> ok, seen it..
>>
>> "administratorSERNAME%"?
>>
>> I'll change that, I did only some tests from Windows, and I never set uid/gid for Administrator.
>>
>> -- Changed in the old script.
>>
>> But remember, you should NEVER set UID/GID for Administrator, because...
>>
>> Now administrator has uid 50001 ... and this should be 0 (root). This is why we also use the user mapping !root = "DOMAIN\Administrator" ....
>>
>> Always create a new user and add this one to the group "Domain Admins".
>>
>> Also, I have set profile/uid/gid/nis for the Domain Administrator. And if you set another user as "Domain Administrator", on the member servers also add a line for this user in the usermapping file, since you need root access. Or try setting the rights as a starter, something like:
>>
>>   setfacl -R -m default:user:Administrator:rwx /home/samba
>>   setfacl -R -m "default:group:domain admins:rwx" /home/samba
>>
>> Louis
>>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Thursday, 29 January 2015 14:24
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] W7 client cannot adjust file permissions via ADUC
>>
>> On 29/01/15 12:54, Bob of Donelson Trophy wrote:
>>> Rowland,
>>>
>>> I have tried your various alteration suggestions and it is a "negative" result. Here is the output from wbinfo -u & wbinfo -g:
>>>
>>>   root@dtmbr01:~# wbinfo -u
>>>   administrator
>>>   dns-dtdc02
>>>   dns-dtdc01
>>>   krbtgt
>>>   guest
>>>   root@dtmbr01:~# wbinfo -g
>>>   allowed rodc password replication group
>>>   enterprise read-only domain controllers
>>>   denied rodc password replication group
>>>   read-only domain controllers
>>>   group policy creator owners
>>>   ras and ias servers
>>>   domain controllers
>>>   enterprise admins
>>>   domain computers
>>>   cert publishers
>>>   dnsupdateproxy
>>>   domain admins
>>>   domain guests
>>>   schema admins
>>>   domain users
>>>   dnsadmins
>>>   root@dtmbr01:~# getent passwd Administrator
>>>   administrator:*:50001:50006::/home/samba/DT***RM/users/administratorSERNAME%:/bin/bash
>>>
>>> Say what, "administratorSERNAME%"?
>>>
>>> After running the 'generation one' script to create the member server, I have changed nothing except the suggestions that have been made on this mailing list. Attempting to gain access to the member server to re-adjust the file permissions on "profiles" per the instructions on the samba wiki. Please, thoughts?
>>>
>>> On 2015-01-28 13:09, Rowland Penny wrote:
>>>> On 28/01/15 18:55, Bob of Donelson Trophy wrote:
>>>>> No, I did not try the alterations, but Louis had me remove the "domain users" line earlier. Put the line back in and try alterations? (If so, I will not have time until you are asleep, tonight.)
>>>>
>>>> By all means try it, you have nothing to lose :-) I take it that 'wbinfo -u' shows all the domain users on the member server and 'wbinfo -g' shows all the domain groups. Also 'getent passwd <domain user>' shows the user.
>>>>
>>>> Rowland
>>
>> Louis's script puts this line in smb.conf:
>>
>>   template homedir = /home/samba/DT***RM/users/%USERNAME%
>>
>> Perhaps it should be changed to this:
>>
>>   template homedir = /home/samba/DT***RM/users/%U
>>
>> I say this because your Administrator's homedir seems to be the above line plus what I am suggesting should be removed. But what is worrying me more, Administrator has the uid of '50001', have you set this in AD?
>>
>> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba [2]
>
> Links:
> ------
> [1] http://www.donelsontrophy.com
> [2] https://lists.samba.org/mailman/options/samba
Bob of Donelson Trophy
2015-Jan-30 12:20 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
Thank you.

BTW, I think (cannot be sure) that when I accessed ADUC under the DomainAdministrator user and set it to store the DomainAdministrator profile in the default "profiles" folder is when Windows created a uidNumber for the Administrator. (I think.) As this was one of the first things I did with ADUC, I "locked myself out" (for lack of a better term) of permissions adjustment.

See, you (as a person who works with the code daily) understand better what I did, and I didn't even realize I had created my own mess. Time to study "setfacl".

Let me restore and re-run the revised script and "go" from there.
Bob of Donelson Trophy
2015-Jan-30 18:28 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
After restoring the member server and re-running the improved "4-setup-samba4-MEMBER-wheezy.sh" script I am still having the same issue. W7 client still not allowed to access the member server.

Administrator still has a uidNumber:

  getent passwd Administrator
  administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash

I have added a couple of test admin users (must have done it wrong.) Joined them to the 'Domain Admins' group and they cannot access the member server either.

wbinfo -u output is:

  adminrob
  administrator
  dns-dtdc02
  dns-dtdc01
  adminnew
  krbtgt
  guest

wbinfo -g output is:

  allowed rodc password replication group
  enterprise read-only domain controllers
  denied rodc password replication group
  read-only domain controllers
  group policy creator owners
  ras and ias servers
  domain controllers
  enterprise admins
  domain computers
  cert publishers
  dnsupdateproxy
  domain admins
  domain guests
  schema admins
  domain users
  dnsadmins

How do I remove the uidNumber from the domainAdministrator and re-associate domainAdminstrator to root '0'?
Rowland Penny
2015-Jan-30 18:58 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
On 30/01/15 18:28, Bob of Donelson Trophy wrote:
> How do I remove the uidNumber from the domainAdministrator and re-associate domainAdminstrator to root '0'?

OK, let's check if Administrator has a 'uidNumber'. Run this on your first DC:

  ldbedit -e nano -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s sub '(&(objectclass=user)(cn=Administrator))'

This should display all the information about the Administrator user. If there is a 'uidNumber' attribute, delete the entire line; the same goes for a 'gidNumber' attribute. Save and close nano.

You should not have any rfc2307 attributes related to Administrator now, so go to your member server, login as a normal user and run this:

  sudo net cache flush

then:

  getent passwd administrator

Rowland
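As an added example (not code from the thread or from Louis's member-server script), a small POSIX sh audit covering the checks Louis and Rowland point at: the 'template homedir' value in smb.conf, whether 'getent passwd administrator' on the member server hands the built-in Administrator a uid, and whether the Administrator object on the DC still carries rfc2307 attributes. The sample smb.conf, LDIF and passwd line are constructed, and the LDIF check also treats unixHomeDirectory and loginShell as rfc2307 attributes, which the thread does not mention.

```shell
#!/bin/sh
# Audit helpers for the checks this thread settles on (added example, not code
# from the thread or from the sernet member-server script):
#  - member server: 'template homedir' must use %U, and the built-in
#    Administrator must resolve to no uid of its own (root comes from
#    'username map');
#  - DC: the Administrator object must carry no rfc2307 attributes.
# Each function reads a file path or stdin, so it runs on captured output.

# Reports whether 'template homedir' in smb.conf uses %U or the broken %USERNAME%.
check_template_homedir() {            # usage: check_template_homedir /etc/samba/smb.conf
    val=$(cat -- "$@" | sed -n 's/^[[:space:]]*template homedir[[:space:]]*=[[:space:]]*//p')
    case $val in
        "")           echo "missing: no 'template homedir' set" ;;
        *%USERNAME%*) echo "broken: uses %USERNAME%, change to %U" ;;
        *%U*)         echo "ok" ;;
        *)            echo "warning: no %U in '$val'" ;;
    esac
}

# Inspects one line of 'getent passwd administrator' from the member server.
# An empty line is the wanted result: Administrator has no uid of its own.
check_administrator_entry() {
    line=$1
    if [ -z "$line" ]; then
        echo "ok: no passwd entry (no uid assigned)"
        return
    fi
    name=$(printf '%s\n' "$line" | cut -d: -f1 | tr 'A-Z' 'a-z')
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    if [ "$name" != administrator ]; then
        echo "ok: $name is not the built-in Administrator"
        return
    fi
    msg="bad: uid $uid assigned to Administrator"
    case $home in
        *SERNAME%*) msg="$msg; home '$home' shows the %USERNAME% bug" ;;
    esac
    echo "$msg"
}

# Lists the rfc2307 attributes in an LDIF dump of the Administrator object
# (what ldbsearch/ldbedit on the DC shows): these are the lines to delete.
list_rfc2307_attrs() {                # usage: list_rfc2307_attrs admin.ldif
    cat -- "$@" | grep -iE '^(uidNumber|gidNumber|unixHomeDirectory|loginShell):' \
        | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample inputs standing in for the real files and command output.
SAMPLE_CONF='[global]
   workgroup = EXAMPLE
   security = ADS
   template homedir = /home/samba/EXAMPLE/users/%USERNAME%
   username map = /etc/samba/user.map'
SAMPLE_LDIF='dn: CN=Administrator,CN=Users,DC=example,DC=com
cn: Administrator
uidNumber: 50001
gidNumber: 50006'
SAMPLE_PASSWD='administrator:*:50001:50006::/home/samba/EXAMPLE/users/administratorSERNAME%:/bin/bash'

printf '%s\n' "$SAMPLE_CONF" | check_template_homedir
check_administrator_entry "$SAMPLE_PASSWD"
check_administrator_entry ""          # what you want to see after the cleanup
echo "delete with ldbedit: $(printf '%s\n' "$SAMPLE_LDIF" | list_rfc2307_attrs)"
```

On a real host, run the functions against /etc/samba/smb.conf, the output of 'getent passwd administrator', and the LDIF that ldbsearch prints for the Administrator object.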