Bob, do the following..

set this in smb.conf, no more, no less.

On the member server.

[profiles$]
    path = /home/samba/TEST/profiles
    read only = no
    acl_xattr:ignore system acl = yes

restart samba
now type
chown root:root /home/samba/TEST/profiles
chmod 1777 /home/samba/TEST/profiles

Now go to the wiki and set the correct rights for a profile share.
and ONLY for AD! ( not the POSIX )

Now go set the share rights from within Windows.
then set the rights on the folder from within Windows.

if this does not work, I'll eat my shoe...

and for these:
    admin users = +"TESTDomain Admins"
    profile acls = yes
    csc policy = disable

You don't need POSIX settings on the profiles share imo.

Louis

>-----Original message-----
>From: bob at donelsontrophy.net
>[mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>Sent: Friday 6 March 2015 20:41
>To: samba at lists.samba.org
>Subject: Re: [Samba] setting up W7 profiles
>
>On my test system I can only get 'getent -V' to respond.
>
>Member server smb.conf file:
>
>root at mbr01:~# cat /etc/samba/smb.conf
>[global]
>    workgroup = TEST
>    security = ADS
>    realm = TEST.BOB
>
>    netbios name = mbr01
>    domain master = no
>    host msdfs = no
>
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    client signing = if_required
>
>    ## map id's outside to domain to tdb files.
>    idmap config *:backend = tdb
>    idmap config *:range = 50001-80000
>    ## map ids from the domain the range may not overlap !
>    idmap config TEST:backend = ad
>    idmap config TEST:schema_mode = rfc2307
>    idmap config TEST:range = 10000-40000
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind refresh tickets = yes
>    winbind offline logon = yes
>
>    wins server = 192.168.16.41, 192.168.16.42
>
>    template shell = /bin/bash
>    template homedir = /home/samba/TEST/users/%U
>
>    # user Administrator workaround, without it you are unable to set privileges
>    username map = /etc/samba/samba_usermapping
>
>    # For ACL support on member file server
>    vfs objects = acl_xattr
>    map acl inherit = yes
>    store dos attributes = yes
>
>    # Share Setting Globally
>    usershare allow guests = no
>    unix extensions = no
>    wide links = no
>    reset on zero vc = yes
>    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>    hide unreadable = yes
>
>    # disable printing completely
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
>[home]
>    path = /home/samba/TEST/users
>    read only = no
>
>[profiles$]
>    path = /home/samba/TEST/profiles
>    read only = no
>    admin users = +"TESTDomain Admins"
>    profile acls = yes
>    csc policy = disable
>
>[data]
>    path = /home/samba/TEST/companydata
>    read only = no
>
>[software]
>    path = /home/samba/software
>    read only = no
>
>And wbinfo:
>
>root at mbr01:~# wbinfo -u
>administrator
>dns-tdc02
>dns-tdc01
>krbtgt
>guest
>
>root at mbr01:~# wbinfo -g
>allowed rodc password replication group
>enterprise read-only domain controllers
>denied rodc password replication group
>read-only domain controllers
>group policy creator owners
>ras and ias servers
>domain controllers
>enterprise admins
>domain computers
>cert publishers
>dnsupdateproxy
>domain admins
>domain guests
>schema admins
>domain users
>dnsadmins
>
>All these from the member server. Do I have something set incorrectly?
>
>---
>
>-------------------------
>
>Bob Wooden of Donelson Trophy
>
>615.885.2846 (main)
>www.donelsontrophy.com [2]
>
>"Everyone deserves an award!!"
>
>On 2015-03-06 12:49, Rowland Penny wrote:
>
>> On 06/03/15 17:45, Bob of Donelson Trophy wrote:
>>
>>> Okay, so I did this to myself. I overlooked an important sentence on the
>>> "https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles [1]".
>>> The sentence that instructs to do "Profile share using Windows ACLs"
>>> ***OR*** "Profile share with using POSIX ACLs". So, I have reset the
>>> permissions to how they were before I messed them up doing the
>>> "POSIX ACLs" part. Went back through the W7 client and correctly set
>>> permissions (via Windows Explorer) as instructed on the wiki. I still
>>> cannot write profiles to the /home/samba/NTDOM/profiles directory.
>>> I think I am confused on the "Administrator" portion of the wiki page.
>>> In the text box, the top line discusses the "Administrator" permission
>>> settings. (Below "Administrator" lists "Domain Users" and
>>> "CREATOR OWNER".) In the graphic that appears just above the text box,
>>> the graphic illustrates setting permissions for the "SAMDOMadmin . . ."
>>> so, am I setting for my DCAdministrator or the member server
>>> administrator?
>>
>> If you replace 'SAMDOM' with your domain name does it make it any easier
>> to understand, it means the administrator with the SID
>> 'S-1-5-21-domainsid-500' who gets mapped to '0' on samba AD DC servers
>> as standard.
>>
>>> And then begs the question, am I looking for 'getent group Domain Users'
>>> on the DC or the member server?
>>
>> The member server, if this is where you are storing the profiles.
>>
>> Rowland
>
>Links:
>------
>[1] https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>[2] http://www.donelsontrophy.com
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
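Added example, not part of the original thread: the quoted smb.conf comments that the idmap ranges "may not overlap", because overlapping ranges can hand two different domain identities the same Unix ID and with it each other's file access. The check below reads an smb.conf on stdin and reports colliding ranges; the function names and the widened range in the second sample are constructed for illustration.

```shell
#!/bin/sh
# Reads an smb.conf on stdin, prints one OVERLAP line per colliding pair of
# "idmap config <DOMAIN>:range" entries, returns 1 if any pair collides.
idmap_overlaps() {
    awk '
    {
        l = tolower($0)
        # Only "idmap config <DOMAIN>:range = LOW-HIGH" lines; comments never match.
        if (l !~ /^[ \t]*idmap[ \t]+config[ \t]+[^:=]+:[ \t]*range[ \t]*=/) next
        c = index($0, ":"); e = index($0, "=")
        dom = substr($0, 1, c - 1)
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", dom)  # drop "idmap config"
        sub(/[ \t]+$/, "", dom)
        rng = substr($0, e + 1); gsub(/[ \t]/, "", rng)
        if (split(rng, b, "-") != 2) next
        n++; name[n] = dom; lo[n] = b[1] + 0; hi[n] = b[2] + 0
    }
    END {
        # Two closed intervals overlap when each starts before the other ends.
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "OVERLAP %s:%d-%d %s:%d-%d\n", name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                    bad = 1
                }
        exit bad + 0
    }'
}

# Constructed sample 1: the idmap lines as quoted in the thread (disjoint).
thread_ranges() {
    cat <<'EOF'
[global]
    ## map ids outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 50001-80000
    idmap config TEST:backend = ad
    idmap config TEST:range = 10000-40000
EOF
}

# Constructed sample 2: hypothetical edit that widens the default range.
widened_ranges() {
    thread_ranges | sed 's/50001-80000/30000-80000/'
}

if thread_ranges | idmap_overlaps; then echo "thread ranges: disjoint"; fi
widened_ranges | idmap_overlaps || echo "widened ranges: collision, fix before restarting winbind"
```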
On 09/03/15 10:59, L.P.H. van Belle wrote:
> Bob, do the following..
>
> set this in smb.conf, no more, no less.
>
> On the member server.
>
> [profiles$]
>     path = /home/samba/TEST/profiles
>     read only = no
>     acl_xattr:ignore system acl = yes
>
> restart samba
> now type
> chown root:root /home/samba/TEST/profiles
> chmod 1777 /home/samba/TEST/profiles
>
> Now go to the wiki and set the correct rights for a profile share.
> and ONLY for AD! ( not the POSIX )
>
> Now go set the share rights from within Windows.
> then set the rights on the folder from within Windows.
>
> if this does not work, I'll eat my shoe...
>
> and for these:
>     admin users = +"TESTDomain Admins"
>     profile acls = yes
>     csc policy = disable
>
> You don't need POSIX settings on the profiles share imo.
>

But these settings come from your member server install script?

Rowland
Yes, I know..

but it's better if he tries the new settings, it saves the need of any GID for the group rights.
I'm working on that also to make it more uniform, and a set with POSIX and a set without POSIX rights.

Greetz,

Louis

>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Monday 9 March 2015 12:19
>To: samba at lists.samba.org
>Subject: Re: [Samba] setting up W7 profiles
>
>On 09/03/15 10:59, L.P.H. van Belle wrote:
>> Bob, do the following..
>>
>> set this in smb.conf, no more, no less.
>>
>> On the member server.
>>
>> [profiles$]
>>     path = /home/samba/TEST/profiles
>>     read only = no
>>     acl_xattr:ignore system acl = yes
>>
>> restart samba
>> now type
>> chown root:root /home/samba/TEST/profiles
>> chmod 1777 /home/samba/TEST/profiles
>>
>> Now go to the wiki and set the correct rights for a profile share.
>> and ONLY for AD! ( not the POSIX )
>>
>> Now go set the share rights from within Windows.
>> then set the rights on the folder from within Windows.
>>
>> if this does not work, I'll eat my shoe...
>>
>> and for these:
>>     admin users = +"TESTDomain Admins"
>>     profile acls = yes
>>     csc policy = disable
>>
>> You don't need POSIX settings on the profiles share imo.
>>
>
>But these settings come from your member server install script?
>
>Rowland
On 09/03/15 11:32, L.P.H. van Belle wrote:
> Yes, I know..
>
> but it's better if he tries the new settings, it saves the need of any GID for the group rights.
> I'm working on that also to make it more uniform, and a set with POSIX and a set without POSIX rights.
>
> Greetz,
>
> Louis
>

I was just trying to point out where the settings came from :-)

I would also agree with removing the lines from the profile share, but I would also suggest that you forget any idea you might have about POSIX rights on the profiles share.

Rowland
Gentlemen,

First, let me point out that sometimes (and sometimes not) the mailing list will strip out some backslash marks in cut and paste. So, if there is a backslash missing . . . well, ignore that missing mark.

Louis,

When your script runs it creates the following default permissions:

root at mbr01:~# ls -alh /home/samba/TEST/profiles
total 8.0K
drwxr-xr-t 2 root root 4.0K Feb 21 18:39 .
drwxr-xr-t 5 root root 4.0K Feb 21 18:39 ..

Then, per your instruction, I ran:

root at mbr01:~# chmod 1777 /home/samba/TEST/profiles
root at mbr01:~# ls -alh /home/samba/TEST/profiles
total 12K
drwxrwxrwt+ 2 root root 4.0K Mar 1 10:21 .
drwxr-xr-t 5 root root 4.0K Mar 1 10:21 ..

Then went into W7 client and adjusted permissions (on my member server) as instructed by "https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles". That changed permissions to:

root at mbr01:~# ls -alh /home/samba/TEST/profiles
total 12K
drwxrwx--T+ 2 root root 4.0K Mar 1 10:21 .
drwxr-xr-t 5 root root 4.0K Mar 1 10:21 ..

So, Louis, go warm up the oven, you **might** be needing it to soften up that shoe . . .

However, Rowland mentioned (in one of the emails) that if I couldn't get 'getent group domain users' (might be missing a backslash or two) to return anything, "I was dead in the water" . . . or something like that.

Well, in my test environment and on real machines, none of the member servers (test environment and/or real) return anything with 'getent group domain users'. The DCs return info, member servers do not.

As we all pull at our hair, trying to figure this out. It has to be the user, me.

So, tonight when I have more time, I will return to this and try something I remember reading in one of the CentOS tutorials. Something about Windows being very finicky about permissions (on a CentOS DC, anyway) settings and how W7 users have to delete ALL the permissions and re-add them.
Something about changing the permissions settings not "taking" in the Windows client and that they (permissions) need to be purged completely and re-added.

Wish me luck . . .

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [2]

"Everyone deserves an award!!"

On 2015-03-09 06:32, L.P.H. van Belle wrote:

> Yes, I know..
>
> but it's better if he tries the new settings, it saves the need of any GID for the group rights.
> I'm working on that also to make it more uniform, and a set with POSIX and a set without POSIX rights.
>
> Greetz,
>
> Louis
>
> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Monday 9 March 2015 12:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] setting up W7 profiles
>
> On 09/03/15 10:59, L.P.H. van Belle wrote:
>
>> Bob, do the following..
>>
>> set this in smb.conf, no more, no less.
>>
>> On the member server.
>>
>> [profiles$]
>>     path = /home/samba/TEST/profiles
>>     read only = no
>>     acl_xattr:ignore system acl = yes
>>
>> restart samba
>> now type
>> chown root:root /home/samba/TEST/profiles
>> chmod 1777 /home/samba/TEST/profiles
>>
>> Now go to the wiki and set the correct rights for a profile share.
>> and ONLY for AD! ( not the POSIX )
>>
>> Now go set the share rights from within Windows.
>> then set the rights on the folder from within Windows.
>>
>> if this does not work, I'll eat my shoe...
>>
>> and for these:
>>     admin users = +"TESTDomain Admins"
>>     profile acls = yes
>>     csc policy = disable
>>
>> You don't need POSIX settings on the profiles share imo.
>
> But these settings come from your member server install script?
>
> Rowland

Links:
------
[2] http://www.donelsontrophy.com