Rowland Penny
2015-Jan-30 18:58 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
On 30/01/15 18:28, Bob of Donelson Trophy wrote:
> After restoring the member server and re-running the improved
> "4-setup-samba4-MEMBER-wheezy.sh" script I am still having the same
> issue. W7 client still not allowed to access the member server.
>
> Administrator still has a uidNumber:
>
> getent passwd Administrator
> administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash
>
> I have added a couple of test admin users (must have done it wrong.)
> Joined them to the 'Domain Admins' group and they cannot access the
> member server either.
>
> wbinfo -u output is:
> adminrob
> administrator
> dns-dtdc02
> dns-dtdc01
> adminnew
> krbtgt
> guest
>
> wbinfo -g output is:
> allowed rodc password replication group
> enterprise read-only domain controllers
> denied rodc password replication group
> read-only domain controllers
> group policy creator owners
> ras and ias servers
> domain controllers
> enterprise admins
> domain computers
> cert publishers
> dnsupdateproxy
> domain admins
> domain guests
> schema admins
> domain users
> dnsadmins
>
> How do I remove the uidNumber from the domainAdministrator and
> re-associate domainAdministrator to root '0'?

OK, let's check if Administrator has a 'uidNumber'. Run this on your first DC:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s sub '(&(objectclass=user)(cn=Administrator))'

This should display all the information about the Administrator user. If there is a 'uidNumber' attribute, delete the entire line; the same goes for a 'gidNumber' attribute. Save and close nano.

You should not have any rfc2307 attributes related to Administrator now, so go to your member server, login as a normal user and run this:

sudo net cache flush

then:

getent passwd administrator

Rowland
Bob of Donelson Trophy
2015-Jan-30 19:14 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
There is no uidNumber or gidNumber specifically listed (there is an
objectGuid and an objectSid.)

Did nothing.

Now?

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-30 12:58, Rowland Penny wrote:

> On 30/01/15 18:28, Bob of Donelson Trophy wrote:
>
>> After restoring the member server and re-running the improved
>> "4-setup-samba4-MEMBER-wheezy.sh" script I am still having the same
>> issue. W7 client still not allowed to access the member server.
>>
>> Administrator still has a uidNumber:
>>
>> getent passwd Administrator
>> administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash
>>
>> I have added a couple of test admin users (must have done it wrong.)
>> Joined them to the 'Domain Admins' group and they cannot access the
>> member server either.
>>
>> wbinfo -u output is:
>> adminrob
>> administrator
>> dns-dtdc02
>> dns-dtdc01
>> adminnew
>> krbtgt
>> guest
>>
>> wbinfo -g output is:
>> allowed rodc password replication group
>> enterprise read-only domain controllers
>> denied rodc password replication group
>> read-only domain controllers
>> group policy creator owners
>> ras and ias servers
>> domain controllers
>> enterprise admins
>> domain computers
>> cert publishers
>> dnsupdateproxy
>> domain admins
>> domain guests
>> schema admins
>> domain users
>> dnsadmins
>>
>> How do I remove the uidNumber from the domainAdministrator and
>> re-associate domainAdministrator to root '0'?
>
> OK, let's check if Administrator has a 'uidNumber'. Run this on your first DC:
>
> ldbedit -e nano -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s sub '(&(objectclass=user)(cn=Administrator))'
>
> This should display all the information about the Administrator user. If there is a 'uidNumber' attribute, delete the entire line; the same goes for a 'gidNumber' attribute. Save and close nano.
>
> You should not have any rfc2307 attributes related to Administrator now, so go to your member server, login as a normal user and run this:
>
> sudo net cache flush
>
> then:
>
> getent passwd administrator
>
> Rowland

Links:
------
[1] http://www.donelsontrophy.com
Rowland Penny
2015-Jan-30 19:28 UTC
[Samba] W7 client cannot adjust file permissions via ADUC
On 30/01/15 19:14, Bob of Donelson Trophy wrote:
> There is no uidNumber or gidNumber specifically listed (there is an
> objectGuid and an objectSid.)
>
> Did nothing.
>
> Now?
>
> ---
>
> -------------------------
>
> Bob Wooden of Donelson Trophy
>
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
>
> "Everyone deserves an award!!"
>
> On 2015-01-30 12:58, Rowland Penny wrote:
>
>> On 30/01/15 18:28, Bob of Donelson Trophy wrote:
>>
>>> After restoring the member server and re-running the improved
>>> "4-setup-samba4-MEMBER-wheezy.sh" script I am still having the same
>>> issue. W7 client still not allowed to access the member server.
>>>
>>> Administrator still has a uidNumber:
>>>
>>> getent passwd Administrator
>>> administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash
>>>
>>> I have added a couple of test admin users (must have done it wrong.)
>>> Joined them to the 'Domain Admins' group and they cannot access the
>>> member server either.
>>>
>>> wbinfo -u output is:
>>> adminrob
>>> administrator
>>> dns-dtdc02
>>> dns-dtdc01
>>> adminnew
>>> krbtgt
>>> guest
>>>
>>> wbinfo -g output is:
>>> allowed rodc password replication group
>>> enterprise read-only domain controllers
>>> denied rodc password replication group
>>> read-only domain controllers
>>> group policy creator owners
>>> ras and ias servers
>>> domain controllers
>>> enterprise admins
>>> domain computers
>>> cert publishers
>>> dnsupdateproxy
>>> domain admins
>>> domain guests
>>> schema admins
>>> domain users
>>> dnsadmins
>>>
>>> How do I remove the uidNumber from the domainAdministrator and
>>> re-associate domainAdministrator to root '0'?
>>
>> OK, let's check if Administrator has a 'uidNumber'. Run this on your first DC:
>>
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s sub '(&(objectclass=user)(cn=Administrator))'
>>
>> This should display all the information about the Administrator user. If there is a 'uidNumber' attribute, delete the entire line; the same goes for a 'gidNumber' attribute. Save and close nano.
>>
>> You should not have any rfc2307 attributes related to Administrator now, so go to your member server, login as a normal user and run this:
>>
>> sudo net cache flush
>>
>> then:
>>
>> getent passwd administrator
>>
>> Rowland
>
> Links:
> ------
> [1] http://www.donelsontrophy.com

OK, right, you posted this part of your smb.conf earlier:

## map ids outside the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 50001-80000
## map ids from the domain, the ranges may not overlap!
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 2000-40000

and you just posted this:

getent passwd Administrator
administrator:*:50001:50006::/home/samba/DTS***M/users/administrator:/bin/bash

Can you see where '50001' is coming from?

Is 'INTERNAL' actually in your smb.conf? What I mean is, did you change it before you posted it?

If 'INTERNAL' is in your smb.conf, change it to your workgroup name, flush the net cache and try again.

Rowland
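The point Rowland is making in the last message is that uid 50001 is the first value of the `idmap config *:range` (the tdb catch-all), which means winbind did not map Administrator through the `ad` block at all: a domain block that is not named after the real workgroup never matches any SID from that domain, so every domain user falls through to `*`. The script below is an added example, not code from the thread or from the Samba project. It statically checks an smb.conf excerpt for exactly this: which block's range a given id came from, whether the `ad` block is named after the `workgroup`, and whether the ranges overlap. The excerpt is constructed from the idmap lines posted in the thread; the workgroup name `SAMDOM` is an assumption, since the real one is redacted in the `getent` output. It does not touch a live system.

```shell
#!/bin/sh
# Added example (not from the thread): static checks over the idmap
# configuration quoted in the thread, reproducing Rowland's reasoning
# about where uid 50001 came from. Parses an inline excerpt only.

# Constructed smb.conf excerpt built from the lines posted in the thread.
# The workgroup name SAMDOM is an assumption (the real one is redacted).
SMB_CONF='[global]
   workgroup = SAMDOM
   security = ADS
   ## map ids outside the domain to tdb files.
   idmap config *:backend = tdb
   idmap config *:range = 50001-80000
   ## map ids from the domain, the ranges may not overlap!
   idmap config INTERNAL:backend = ad
   idmap config INTERNAL:schema_mode = rfc2307
   idmap config INTERNAL:range = 2000-40000
'

# Value of one smb.conf parameter (first match). Keys are compared
# literally so a key containing "*" is not treated as a pattern.
smb_param() {
    printf '%s\n' "$SMB_CONF" | awk -v key="$1" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# Every name that has an "idmap config <name>:backend" line.
# "*" is the catch-all for SIDs that belong to no configured domain.
idmap_domains() {
    printf '%s\n' "$SMB_CONF" | awk '
        /^[ \t]*idmap config [^:]+:backend[ \t]*=/ {
            sub(/^[ \t]*idmap config /, ""); sub(/:backend.*/, ""); print
        }'
}

# Which block's range a numeric id falls into (prints nothing if none).
# A while-read loop avoids "for dom in $(...)", which would glob-expand "*".
idmap_domain_for_id() {
    idmap_domains | while IFS= read -r dom; do
        range=$(smb_param "idmap config $dom:range")
        lo=${range%-*}; hi=${range#*-}
        if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then
            printf '%s\n' "$dom"
            break
        fi
    done
}

# Rowland's question: is the "ad" backend block named after the workgroup?
# Prints each ad-backend block whose name differs from "workgroup".
ad_blocks_not_matching_workgroup() {
    wg=$(smb_param workgroup)
    idmap_domains | while IFS= read -r dom; do
        backend=$(smb_param "idmap config $dom:backend")
        if [ "$backend" = "ad" ] && [ "$dom" != "$wg" ]; then
            printf '%s\n' "$dom"
        fi
    done
}

# "the ranges may not overlap": returns 0 if all idmap ranges are disjoint.
ranges_disjoint() {
    idmap_domains | while IFS= read -r dom; do
        smb_param "idmap config $dom:range"
    done | sed 's/-/ /' | sort -n | awk '
        NR > 1 && $1 <= prev_hi { bad = 1 }
        { prev_hi = $2 }
        END { if (bad) exit 1; exit 0 }'
}

main() {
    id=${1:-50001}
    dom=$(idmap_domain_for_id "$id")
    if [ -z "$dom" ]; then
        echo "id $id lies outside every configured idmap range"
    else
        echo "id $id was allocated from 'idmap config $dom' ($(smb_param "idmap config $dom:range"))"
        if [ "$dom" = "*" ]; then
            echo "  -> tdb catch-all: winbind did not match this user to the ad-backend block"
        fi
    fi
    mismatch=$(ad_blocks_not_matching_workgroup)
    if [ -n "$mismatch" ]; then
        echo "ad-backend block '$mismatch' != workgroup '$(smb_param workgroup)': rename it, then 'net cache flush'"
    fi
    ranges_disjoint || echo "idmap ranges overlap"
}

main "$@"
```

Run with the uid from the thread (`sh idmap-check.sh 50001`) and it reports that the id came from the `*` tdb range and that the `ad` block `INTERNAL` does not match the workgroup. On a real member server the same facts come from `testparm -s | grep 'idmap config'` (the effective configuration, not a pasted copy) and `wbinfo -i administrator`; on the DC, `ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=Administrator)' uidNumber gidNumber` is a read-only way to confirm the absence of rfc2307 attributes before reaching for `ldbedit`.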