Okay, so I did this to myself. I overlooked an important sentence on
https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles: the sentence that
instructs you to do "Profile share using Windows ACLs" ***OR*** "Profile share
using POSIX ACLs".

So, I have reset the permissions to how they were before I messed them up doing
the "POSIX ACLs" part. Went back through the W7 client and correctly set
permissions (via Windows Explorer) as instructed on the wiki.

I still cannot write profiles to the /home/samba/NTDOM/profiles directory. I
think I am confused on the "Administrator" portion of the wiki page.

In the text box, the top line discusses the "Administrator" permission
settings. (Below "Administrator" it lists "Domain Users" and "CREATOR OWNER".)
In the graphic that appears just above the text box, the graphic illustrates
setting permissions for "\SAMDOMadmin . . .", so am I setting this for my DC
Administrator or the member server administrator?

And then that begs the question: am I looking for 'getent group Domain Users'
on the DC or the member server?

---
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com
"Everyone deserves an award!!"

On 2015-03-05 11:49, Rowland Penny wrote:
> On 05/03/15 17:22, Bob of Donelson Trophy wrote:
>> Rowland, 'getent group DomainUsers' indeed returns nothing.
>>
>> Now, I know, you know this like the "back of your hand" but, am I wrong,
>> are the permissions for **profiles** somewhat (not a lot) different from
>> the permissions for file shares? Because I see that the instructions (on
>> the wiki) for file sharing read differently.
>>
>> Thanks, again.
>>
>> ---
>> Bob Wooden of Donelson Trophy
>> 615.885.2846 (main)
>> www.donelsontrophy.com
>> "Everyone deserves an award!!"
>>
>> On 2015-03-05 07:38, Rowland Penny wrote:
>>> On 05/03/15 13:25, Bob of Donelson Trophy wrote:
>>>> I am setting up W7 profiles following the "Samba & Windows Profiles"
>>>> page on the Samba wiki.
>>>>
>>>> If it matters, I have two functional DCs and one member server.
>>>>
>>>> When I run '# chmod 1770 /srv/samba/profiles' (on the member server)
>>>> the permissions changed to:
>>>>
>>>> root@mbr01:~# ls -alh /srv/samba/profiles
>>>> total 12K
>>>> drwxrwx--T+ 2 root root 4.0K Mar 1 10:21 .
>>>> drwxr-xr-t  5 root root 4.0K Mar 1 10:21 ..
>>>>
>>>> The first line changed from 'drwxr-xr-t' to 'drwxrwx--T+' and the
>>>> second did not change.
>>>>
>>>> Under "Profile share using POSIX ACLs" it is indicated that we should
>>>> run '# chgrp "Domain Users" /srv/samba/profiles'. I am getting
>>>> "chgrp: invalid group: `Domain Users'".
>>>>
>>>> When I run "wbinfo -g", "domain users" is listed there. I have tried
>>>> lower case '# chgrp "domain users" /srv/samba/profiles' with the same
>>>> result: "chgrp: invalid group: `domain users'".
>>>>
>>>> Suggestions?
>>>
>>> Hi Bob, 'wbinfo -g' does indeed show 'domain users' but this is not
>>> what is used when you try to use chgrp. What does 'getent group Domain
>>> Users' show? If it doesn't return anything, then we need to find out
>>> why not.
>>>
>>> Rowland
>
> OK, the problem here is that Unix has to know who 'Domain Users' is
> before it will/can change the group ownership of a directory. I take it
> that the passwd & group lines in /etc/nsswitch.conf have had 'winbind'
> added to them and that if you run 'pam-auth-update' it shows winbind
> amongst the authentication methods.
>
> Does Domain Users have a gidNumber? If not, then modify the 'Domain
> Users' object in AD and add one. You have to get 'getent group Domain
> Users' to return the group info before you can go any further.
>
> Rowland
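Rowland's checklist in the quoted message above (winbind on the passwd and group lines of nsswitch.conf, a gidNumber on the group, and 'getent group' returning something before chgrp can work) as an added diagnostic script. This is example code written for this page, not code from the thread or the Samba wiki. It assumes the member server maps the domain with 'idmap config DOM:backend = ad', as the smb.conf Bob posts later in the thread does; with that backend the gidNumber on the AD object must also fall inside 'idmap config DOM:range', which the script checks as well. The function names, the optional fifth argument and the sample nsswitch.conf, smb.conf and getent lines it is exercised against are all constructed for the example. The distinction it rests on is the one Rowland draws: 'wbinfo -g' asks winbindd directly and only proves the group can be enumerated, while getent, chgrp and chown go through NSS and need winbind in nsswitch.conf plus a usable ID mapping.

```sh
#!/bin/sh
# Added example for this thread, not code from the Samba wiki: works out why
# 'getent group "Domain Users"' may return nothing on a member server even
# though 'wbinfo -g' lists the group. getent/chgrp/chown go through NSS, which
# needs (1) winbind on the passwd/group lines of nsswitch.conf and (2) a usable
# ID mapping; with 'idmap config DOM:backend = ad' that mapping is the
# gidNumber on the AD group object, which must lie inside 'idmap config DOM:range'.

# nsswitch_has_winbind FILE DB: succeed if the "DB:" line in FILE lists winbind.
nsswitch_has_winbind() {
    awk -v db="$2:" '
        index($0, db) == 1 {
            n = split(substr($0, length(db) + 1), f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# idmap_range FILE DOMAIN: print "LOW HIGH" from the line
# "idmap config DOMAIN : range = LOW-HIGH" (case and whitespace insensitive;
# DOMAIN may be "*" for the default backend).
idmap_range() {
    awk -v key="$2" '
        { line = tolower($0); gsub(/[ \t]/, "", line) }
        index(line, "idmapconfig" tolower(key) ":range=") == 1 {
            sub(/^.*=/, "", line)
            split(line, r, "-")
            print r[1] + 0, r[2] + 0
            exit
        }' "$1"
}

# group_gid LINE: the gid field of a "name:x:gid:members" line from getent.
group_gid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# gid_in_range GID LOW HIGH
gid_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_domain_group NSSWITCH SMBCONF DOMAIN GROUP [GETENT_LINE]
# Exit 0 when GROUP resolves through NSS to a gid inside DOMAIN's idmap range;
# otherwise report what is missing and exit 1. GETENT_LINE is optional and
# lets a captured 'getent group' line be checked without a live winbind.
check_domain_group() {
    nss=$1; smb=$2; dom=$3; grp=$4; line=${5-}
    rc=0
    for db in passwd group; do
        nsswitch_has_winbind "$nss" "$db" ||
            { echo "FAIL: no 'winbind' on the $db: line of $nss"; rc=1; }
    done
    if [ -z "$line" ]; then
        # This is what chgrp/chown use: the NSS stack, not winbindd directly.
        line=$(getent group "$grp" 2>/dev/null || true)
    fi
    if [ -z "$line" ]; then
        echo "FAIL: getent group '$grp' returns nothing."
        echo "      With 'idmap config $dom:backend = ad' the AD group object needs a gidNumber."
        return 1
    fi
    gid=$(group_gid "$line")
    set -- $(idmap_range "$smb" "$dom")
    if [ $# -ne 2 ]; then
        echo "FAIL: no 'idmap config $dom:range = LOW-HIGH' in $smb"
        return 1
    fi
    if gid_in_range "$gid" "$1" "$2"; then
        echo "OK: '$grp' resolves to gid $gid, inside the $dom idmap range $1-$2"
    else
        echo "FAIL: gid $gid lies outside the $dom idmap range $1-$2, so winbind will not map it"
        rc=1
    fi
    return $rc
}

# Usage on the member server:
#   check_domain_group /etc/nsswitch.conf /etc/samba/smb.conf TEST "Domain Users"
if [ $# -ge 4 ]; then
    check_domain_group "$@"
fi
```

Run it with the domain name used in the 'idmap config' lines (TEST in Bob's case). A gidNumber that is set but sits outside the range is reported separately from a missing one, because the fix differs: edit the attribute for the former, widen or correct the range (without overlapping the '*' range) for the latter.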
On 06/03/15 17:45, Bob of Donelson Trophy wrote:
> In the text box, the top line discusses the "Administrator" permission
> settings. (Below "Administrator" it lists "Domain Users" and "CREATOR
> OWNER".) In the graphic that appears just above the text box, the graphic
> illustrates setting permissions for "\SAMDOMadmin . . .", so am I setting
> this for my DC Administrator or the member server administrator?

If you replace 'SAMDOM' with your domain name, does it make it any easier to
understand? It means the administrator with the SID 'S-1-5-21-domainsid-500',
who gets mapped to '0' on Samba AD DC servers as standard.

> And then that begs the question: am I looking for 'getent group Domain
> Users' on the DC or the member server?

The member server, if this is where you are storing the profiles.

Rowland
On my test system I can only get 'getent -V' to respond.

Member server smb.conf file:

root@mbr01:~# cat /etc/samba/smb.conf
[global]
    workgroup = TEST
    security = ADS
    realm = TEST.BOB

    netbios name = mbr01
    domain master = no
    host msdfs = no

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    client signing = if_required

    ## map ids outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 50001-80000
    ## map ids from the domain; the ranges may not overlap!
    idmap config TEST:backend = ad
    idmap config TEST:schema_mode = rfc2307
    idmap config TEST:range = 10000-40000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    winbind offline logon = yes

    wins server = 192.168.16.41, 192.168.16.42

    template shell = /bin/bash
    template homedir = /home/samba/TEST/users/%U

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # For ACL support on member file server
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # Share Setting Globally
    usershare allow guests = no
    unix extensions = no
    wide links = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[home]
    path = /home/samba/TEST/users
    read only = no

[profiles$]
    path = /home/samba/TEST/profiles
    read only = no
    admin users = +"TESTDomain Admins"
    profile acls = yes
    csc policy = disable

[data]
    path = /home/samba/TEST/companydata
    read only = no

[software]
    path = /home/samba/software
    read only = no

And wbinfo:

root@mbr01:~# wbinfo -u
administrator
dns-tdc02
dns-tdc01
krbtgt
guest

root@mbr01:~# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins

All these from the member server. Do I have something set incorrectly?

---
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com
"Everyone deserves an award!!"

On 2015-03-06 12:49, Rowland Penny wrote:
> On 06/03/15 17:45, Bob of Donelson Trophy wrote:
>> In the graphic that appears just above the text box, the graphic
>> illustrates setting permissions for "SAMDOMadmin . . .", so am I setting
>> this for my DC Administrator or the member server administrator?
>
> If you replace 'SAMDOM' with your domain name, does it make it any easier
> to understand? It means the administrator with the SID
> 'S-1-5-21-domainsid-500', who gets mapped to '0' on Samba AD DC servers
> as standard.
>
>> And then that begs the question: am I looking for 'getent group Domain
>> Users' on the DC or the member server?
>
> The member server, if this is where you are storing the profiles.
>
> Rowland
Bob, do the following. Set this in smb.conf, no more, no less, on the member
server:

[profiles$]
    path = /home/samba/TEST/profiles
    read only = no
    acl_xattr:ignore system acl = yes

Restart Samba. Now type:

chown root:root /home/samba/TEST/profiles
chmod 1777 /home/samba/TEST/profiles

Now go to the wiki and set the correct rights for a profile share, and ONLY
for AD! (Not the POSIX ones.) Now go set the share rights from within Windows,
then set the rights on the folder from within Windows.

If this does not work, I'll eat my shoe...

And for these:

    admin users = +"TESTDomain Admins"
    profile acls = yes
    csc policy = disable

You don't need POSIX settings on the profiles share, IMO.

Louis

> -----Original message-----
> From: bob@donelsontrophy.net [mailto:samba-bounces@lists.samba.org] On behalf of Bob of Donelson Trophy
> Sent: Friday 6 March 2015 20:41
> To: samba@lists.samba.org
> Subject: Re: [Samba] setting up W7 profiles
>
> On my test system I can only get 'getent -V' to respond.
>
> Member server smb.conf file:
>
> [profiles$]
>     path = /home/samba/TEST/profiles
>     read only = no
>     admin users = +"TESTDomain Admins"
>     profile acls = yes
>     csc policy = disable
>
> All these from the member server. Do I have something set incorrectly?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
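Louis's recipe above (acl_xattr loaded, 'acl_xattr:ignore system acl = yes' on the share, the directory owned by root with mode 1777, and the Windows ACLs then set from Explorer rather than with POSIX ACLs) as an added check script. This is example code written for this page, not code from Louis, the thread or the Samba wiki. The function names, the expected-owner argument and the sample smb.conf and temporary directory it is exercised against are constructed for the example; on a real member server you would point it at /etc/samba/smb.conf and the share path. Mode 1777 matters for the reason the sticky bit always does: any domain user can create their own profile folder under the share, but cannot delete or rename another user's. With 'ignore system acl = yes' the acl_xattr module keeps the Windows ACL in an extended attribute and enforces that, so the wide POSIX mode on the top directory only has to let each user create their own folder there, which is why the POSIX-ACL steps on the wiki are not needed alongside it.

```sh
#!/bin/sh
# Added example for this thread, not code from the Samba wiki: checks that a
# profiles share matches the setup Louis describes (acl_xattr loaded,
# 'acl_xattr:ignore system acl = yes' on the share, directory owned by root
# with mode 1777). Function names and the sample configuration are ours.

# mode_from_ls PERMS: convert the mode column of 'ls -l' ("drwxrwxrwt",
# possibly with a trailing "+" or "." for ACLs/SELinux) to 4-digit octal.
mode_from_ls() {
    printf '%s\n' "$1" | awk '{
        s = substr($0, 2, 9); special = 0; octal = ""
        for (i = 1; i <= 9; i += 3) {
            v = 0
            r = substr(s, i, 1); w = substr(s, i + 1, 1); x = substr(s, i + 2, 1)
            if (r == "r") v += 4
            if (w == "w") v += 2
            if (x == "x" || x == "s" || x == "t") v += 1
            # setuid in the user triple, setgid in the group triple, sticky in other
            if (x == "s" || x == "S") special += (i == 1 ? 4 : 2)
            if (x == "t" || x == "T") special += 1
            octal = octal v
        }
        print special octal
    }'
}

# profiles_dir_check DIR EXPECTED_UID: 0 if DIR is owned by EXPECTED_UID and
# has mode 1777. The sticky bit is the point of 1777: every domain user can
# create their own profile folder but cannot delete or rename anyone else's.
profiles_dir_check() {
    dir=$1; want_uid=$2
    set -- $(ls -ldn "$dir")        # mode links uid gid size date... name
    mode=$(mode_from_ls "$1"); uid=$3
    rc=0
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $dir is owned by uid $uid, expected $want_uid"; rc=1; }
    [ "$mode" = "1777" ] || { echo "FAIL: $dir has mode $mode, expected 1777"; rc=1; }
    return $rc
}

# share_param SMBCONF SECTION PARAM: print PARAM's value from [SECTION].
# Parameter names are compared case-insensitively with whitespace removed,
# so "read only" and "readonly" match; the last definition wins.
share_param() {
    awk -v section="[$2]" -v name="$3" '
        BEGIN { sec = tolower(section); key = tolower(name); gsub(/[ \t]/, "", key) }
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^[;#]/ { next }
        line ~ /^\[/ { in_sec = (tolower(line) == sec); next }
        in_sec && index(line, "=") {
            k = tolower(substr(line, 1, index(line, "=") - 1)); gsub(/[ \t]/, "", k)
            if (k == key) { val = substr(line, index(line, "=") + 1); sub(/^[ \t]+/, "", val) }
        }
        END { if (val != "") print val }' "$1"
}

# param_is SMBCONF SECTION PARAM VALUE: 0 if the value equals VALUE (case-insensitive).
param_is() {
    [ "$(share_param "$1" "$2" "$3" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$4" | tr 'A-Z' 'a-z')" ]
}

# param_has_word SMBCONF SECTION PARAM WORD: 0 if the space-separated list
# value contains WORD (e.g. acl_xattr somewhere in "vfs objects").
param_has_word() {
    case " $(share_param "$1" "$2" "$3") " in
        *" $4 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# profiles_share_check SMBCONF SECTION DIR EXPECTED_UID: run every check.
profiles_share_check() {
    smb=$1; sec=$2; dir=$3; want_uid=$4; rc=0
    param_has_word "$smb" global "vfs objects" acl_xattr ||
        { echo "FAIL: acl_xattr is not in 'vfs objects' in [global] of $smb"; rc=1; }
    param_is "$smb" "$sec" "acl_xattr:ignore system acl" yes ||
        { echo "FAIL: [$sec] lacks 'acl_xattr:ignore system acl = yes' in $smb"; rc=1; }
    param_is "$smb" "$sec" "read only" no ||
        { echo "FAIL: [$sec] lacks 'read only = no' in $smb"; rc=1; }
    profiles_dir_check "$dir" "$want_uid" || rc=1
    [ $rc -eq 0 ] && echo "OK: [$sec] on $dir matches the recommended setup"
    return $rc
}

# Usage on the member server (root is uid 0):
#   profiles_share_check /etc/samba/smb.conf 'profiles$' /home/samba/TEST/profiles 0
if [ $# -ge 4 ]; then
    profiles_share_check "$@"
fi
```

The mode is read back from 'ls -ldn' rather than 'stat' because the format of the mode column is the same everywhere, and the parser also copes with the "+" that Bob saw in 'drwxrwx--T+' once POSIX ACLs had been set on the directory. Note that 1770 (Bob's first attempt) is reported as a failure: without the world-write bit, users who are not in the directory's group cannot create their profile folder at all.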