On 17/11/15 16:57, Viktor Trojanovic wrote:> Hi Mathias, > > Thanks for replying. It seems you're describing the situation on the > AD DC. Computer and user mode access to my DC works fine and without > any issues but I can't access the shares of my *member* server *in > computer mode*. In user mode, it all works just fine. > > Viktor > > On 17.11.2015 17:19, mathias dufresne wrote: >> Here are my (little) view regarding shares accesses. I write that to >> clarify things. And it could really be of-topic as Louis seems to >> have gave >> solution. >> >> There are 2 levels of authorisation for accessing shares: the share >> level >> and FS level. >> >> For Sysvol I would keep everyone or replace it by "authenticated >> users" in >> paranoid mode as the latter refuse non-authenticated users. >> They are ACLs placed on Shares. >> >> Doing that all users or only authenticated users can access the share >> (ie >> mount it). >> >> Now the FS level happens once the share is mounted (or accessed) and one >> system users tries to open some file or directory. >> They are ACLs on files and directories. >> >> Any users (or computer) must go across these two levels of ACLs to >> access >> files or directories. >> >> Now regarding GPO ACLs which are partly hosted on Sysvol the same >> concepts >> applies: Sysvol share ACLs + File on FS ACLs. >> >> Regarding ACLs for GPO files, if the GPO was created with GPMC.msc, >> the GPO >> is mainly stored in AD (don't ask me what resides on Sysvol) and in >> AD are >> also stored correct ACLs on GPO's files. >> I said that because I naively tried to modify ACLs on my >> GPMC.msc-created-GPO and these changes were automatically reset to >> the ones >> declared in AD. >> >> Perhaps that could help someone... >> >> Cheers, >> >> mathias >> >> >> 2015-11-17 16:44 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>: >> >>> Hai Viktor, >>> >>>> Before posting my share permissions, can you please elaborate what you >>>> mean with "have you removed authenticated users from your share"? I >>>> never had any rights for "authenticated users" on any of my shares. >>> Ah sorry, yes, that was "everybody" ( my error ) keep it >>> >>>> Maybe I'm setting up shares in the wrong way? >>>> ..... >>>> [packages] >>>> path = /srv/samba/packages >>>> read only = no >>>> browsable = yes >>>> comment = "Software Packages" >>>> >>> Your config is ok, but i would add >>> acl_xattr:ignore system acls = yes >>> to the packages share. >>> >>> See man smb.conf for what it exact does, but for a "windows" only >>> share, >>> i would always set it. >>> >>> This is what i have for my distribution share. >>> >>> [public] >>> ## chmod 755 on /home/samba/public >>> ## rights root:root, but due to the ignore this is ignored.. >>> ## >>> browseable = yes >>> path = /home/samba/public >>> read only = no >>> acl_xattr:ignore system acls = yes >>> >>> >>> and i added "veryfied users" to the security tab with read rights. >>> Which the domain computers also need. >>> >>> >>> Greetz, >>> >>> Louis >>> >>> >>>> -----Oorspronkelijk bericht----- >>>> Van: Viktor Trojanovic [mailto:viktor at troja.ch] >>>> Verzonden: dinsdag 17 november 2015 16:18 >>>> Aan: L.P.H. van Belle; samba at lists.samba.org >>>> Onderwerp: Re: [Samba] Permission Issues with GPO >>>> >>>> Hi Louis, >>>> >>>> As I mentioned, but maybe not clear enough, there is no problem >>>> accessing my Domain Controller, it works fine, even without using the >>>> whole domain. >>>> >>>> Before posting my share permissions, can you please elaborate what you >>>> mean with "have you removed authenticated users from your share"? I >>>> never had any rights for "authenticated users" on any of my shares. >>>> >>>> Maybe I'm setting up shares in the wrong way? >>>> >>>> [global] >>>> >>>> netbios name = FILESERVER >>>> workgroup = SAMDOM >>>> security = ADS >>>> realm = SAMDOM.EXAMPLE.COM >>>> dedicated keytab file = /etc/krb5.keytab >>>> kerberos method = secrets and keytab >>>> >>>> username map = /etc/samba/samba_usermap >>>> >>>> idmap config *:backend = tdb >>>> idmap config *:range = 2000-9999 >>>> idmap config OFFICE:backend = ad >>>> idmap config OFFICE:schema_mode = rfc2307 >>>> idmap config OFFICE:range = 10000-99999 >>>> >>>> winbind nss info = rfc2307 >>>> winbind trusted domains only = no >>>> winbind use default domain = yes >>>> winbind enum users = yes >>>> winbind enum groups = yes >>>> winbind refresh tickets = Yes >>>> >>>> vfs objects = acl_xattr >>>> map acl inherit = Yes >>>> store dos attributes = yes >>>> >>>> >>>> [packages] >>>> path = /srv/samba/packages >>>> read only = no >>>> browsable = yes >>>> comment = "Software Packages" >>>> >>>> >>>> >>>> >>>> On 17.11.2015 15:30, L.P.H. van Belle wrote: >>>>> Let me guess. >>>>> >>>>> You accessing your server like : >>>>> >>>>> \\servername\netlogon >>>>> of >>>>> \\servername\sysvol >>>>> >>>>> Well thats protected by windows these these days. >>>>> >>>>> Try with >>>>> >>>>> \\servername.domain.tld\netlogon >>>>> or >>>>> \\servername.domain.tld\sysvol >>>>> >>>>> Does that work? Yes, >>>>> >>>>> There is a whole chaper of this on the list somewhere.. >>>>> Best is to read howto override this. >>>>> https://adsecurity.org/?p=1405 >>>>> >>>>> and for you member server, how is you share setup. >>>>> did you remove "authenticated users" ? >>>>> if so best is that you add "domain computer" or authenticated users >>>> back. >>>>> And if you did not remove "authenticated users" from the share. >>>>> >>>>> Please post your share setup and rights for the shared folder. >>>>> AND the rights of the folder below the shared folder. >>>>> >>>>> >>>>> Greetz, >>>>> >>>>> Louis >>>>> >>>>> >>>>> >>>>>> -----Oorspronkelijk bericht----- >>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Viktor >>>> Trojanovic >>>>>> Verzonden: dinsdag 17 november 2015 15:01 >>>>>> Aan: mathias dufresne; samba at lists.samba.org >>>>>> Onderwerp: Re: [Samba] Permission Issues with GPO >>>>>> >>>>>> Hi Mathias, >>>>>> >>>>>> The problem is not the GPO itself. The GPO containers are stored, as >>>>>> they should be, in the file system under sysvol/AD-DOMAIN/Policies, >>> and >>>>>> they are being accessed correctly by the respective users and >>>> computers. >>>>>> Maybe my question isn't phrased perfectly but my problem is that any >>>>>> *computer GPO* that is accessing my file server (Samba Member), >>>>>> fails >>>>>> with an access denied error. To give you an example. I might have a >>>>>> startup script that is supposed to copy a file from the file server, >>>>>> let's say an MS Word template, to the AD computer. The GPO itself is >>>>>> saved on the DC and it is called correctly but the access to my file >>>>>> server is being denied, the copy transaction is not happening. >>>>>> >>>>>> There is a permission problem and I'm trying to figure out what >>>>>> it is. >>>>>> The reason I'm posting this here is because I assume there is a link >>>>>> between my Samba settings on the file server, and their >>>>>> connection to >>>>>> the Samba DC that are responsible for this problem as this is not >>>>>> standard behavior. >>>>>> >>>>>> Viktor >>>>>> >>>>>> >>>>>> >>>>>> On 17.11.2015 13:30, mathias dufresne wrote: >>>>>>> Hey, >>>>>>> >>>>>>> If your GPO are stored in AD (they are not template GPO with all >>>>>>> GPO >>>>>>> information in some file, I think this kind of non-pure-AD GPO are >>>>>> stored >>>>>>> in ADMX files, not sure). >>>>>>> In GPMC.msc you have to define which entities would receive the >>>>>>> GPO. >>>>>> Once >>>>>>> created the GPO, once it is set up, you have in the right panel two >>>>>> parts. >>>>>>> The bottom part is to define to whom this GPO would be applied. >>>>>>> >>>>>>> In that case, GPO ownership should be reset by AD (don't asked me >>>> which >>>>>>> part of AD) if you modify GPO ACLs manually. >>>>>>> >>>>>>> In clear: you must use GPMC.msc to manage GPO ACLs. This if they >>>>>>> are >>>> not >>>>>>> template. >>>>>>> >>>>>>> Hoping this could help to find a solution. >>>>>>> >>>>>>> mathias >>>>>>> >>>>>>> 2015-11-17 4:04 GMT+01:00 Viktor Trojanovic <viktor at troja.ch>: >>>>>>> >>>>>>>> I was experiencing problems with Group Policy Objects. The Windows >>>>>> Event >>>>>>>> Viewer spits out so many different errors, most of them less than >>>>>> helpful, >>>>>>>> so Iwas seeking help here with some of those messages. >>>>>>>> >>>>>>>> In the end, and after many hours and even days of researching this >>>>>>>> problem, I seem to have pin-pointed the main issue to some simple >>>>>>>> permission irregularities that I don't know how to solve. >>>>>>>> >>>>>>>> In my setup, I have an AD DC and a member server, the latter in >>>>>>>> the >>>>>>>> function of a file server. Both are a Samba-only implementation >>> based >>>>>> on >>>>>>>> version 4.3.1 of the server. >>>>>>>> >>>>>>>> Everything seems to work well enough, I never noticed any issue >>>>>>>> when >>>>>>>> working in a user context - I can authenticate, and I can use the >>>> file >>>>>>>> server as intended. But evidently, any policies that require >>>>>>>> access >>>> to >>>>>> the >>>>>>>> file server in a machine context (computer configuration node >>>>>>>> of the >>>>>> GPO), >>>>>>>> fail. I was able to confirm that in multiple tests. >>>>>>>> >>>>>>>> I'm at my wit's end as it seems to me that all the necessary share >>>>>>>> permissions and NTACLs are in place. I even followed the advice I >>>> could >>>>>>>> find on some forum pages to add the group "domain computers" to >>>>>>>> the >>>>>> share >>>>>>>> permissions but that didn't help either. >>>>>>>> >>>>>>>> Any advice or best practices? I can't imagine this should be so >>>>>>>> complicated. >>>>>>>> >>>>>>>> Viktor >>>>>>>> >>>>>>>> -- >>>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>>>> >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> > >Can we have a look at your smb.conf from your domain member Rowland
On 17.11.2015 18:05, Rowland Penny wrote:> On 17/11/15 16:57, Viktor Trojanovic wrote: >> Hi Mathias, >> >> Thanks for replying. It seems you're describing the situation on the >> AD DC. Computer and user mode access to my DC works fine and without >> any issues but I can't access the shares of my *member* server *in >> computer mode*. In user mode, it all works just fine. >> >> Viktor >> >> On 17.11.2015 17:19, mathias dufresne wrote: >>> Here are my (little) view regarding shares accesses. I write that to >>> clarify things. And it could really be of-topic as Louis seems to >>> have gave >>> solution. >>> >>> There are 2 levels of authorisation for accessing shares: the share >>> level >>> and FS level. >>> >>> For Sysvol I would keep everyone or replace it by "authenticated >>> users" in >>> paranoid mode as the latter refuse non-authenticated users. >>> They are ACLs placed on Shares. >>> >>> Doing that all users or only authenticated users can access the >>> share (ie >>> mount it). >>> >>> Now the FS level happens once the share is mounted (or accessed) and >>> one >>> system users tries to open some file or directory. >>> They are ACLs on files and directories. >>> >>> Any users (or computer) must go across these two levels of ACLs to >>> access >>> files or directories. >>> >>> Now regarding GPO ACLs which are partly hosted on Sysvol the same >>> concepts >>> applies: Sysvol share ACLs + File on FS ACLs. >>> >>> Regarding ACLs for GPO files, if the GPO was created with GPMC.msc, >>> the GPO >>> is mainly stored in AD (don't ask me what resides on Sysvol) and in >>> AD are >>> also stored correct ACLs on GPO's files. >>> I said that because I naively tried to modify ACLs on my >>> GPMC.msc-created-GPO and these changes were automatically reset to >>> the ones >>> declared in AD. >>> >>> Perhaps that could help someone... >>> >>> Cheers, >>> >>> mathias >>> >>> >>> 2015-11-17 16:44 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>: >>> >>>> Hai Viktor, >>>> >>>>> Before posting my share permissions, can you please elaborate what >>>>> you >>>>> mean with "have you removed authenticated users from your share"? I >>>>> never had any rights for "authenticated users" on any of my shares. >>>> Ah sorry, yes, that was "everybody" ( my error ) keep it >>>> >>>>> Maybe I'm setting up shares in the wrong way? >>>>> ..... >>>>> [packages] >>>>> path = /srv/samba/packages >>>>> read only = no >>>>> browsable = yes >>>>> comment = "Software Packages" >>>>> >>>> Your config is ok, but i would add >>>> acl_xattr:ignore system acls = yes >>>> to the packages share. >>>> >>>> See man smb.conf for what it exact does, but for a "windows" only >>>> share, >>>> i would always set it. >>>> >>>> This is what i have for my distribution share. >>>> >>>> [public] >>>> ## chmod 755 on /home/samba/public >>>> ## rights root:root, but due to the ignore this is ignored.. >>>> ## >>>> browseable = yes >>>> path = /home/samba/public >>>> read only = no >>>> acl_xattr:ignore system acls = yes >>>> >>>> >>>> and i added "veryfied users" to the security tab with read rights. >>>> Which the domain computers also need. >>>> >>>> >>>> Greetz, >>>> >>>> Louis >>>> >>>> >>>>> -----Oorspronkelijk bericht----- >>>>> Van: Viktor Trojanovic [mailto:viktor at troja.ch] >>>>> Verzonden: dinsdag 17 november 2015 16:18 >>>>> Aan: L.P.H. van Belle; samba at lists.samba.org >>>>> Onderwerp: Re: [Samba] Permission Issues with GPO >>>>> >>>>> Hi Louis, >>>>> >>>>> As I mentioned, but maybe not clear enough, there is no problem >>>>> accessing my Domain Controller, it works fine, even without using the >>>>> whole domain. >>>>> >>>>> Before posting my share permissions, can you please elaborate what >>>>> you >>>>> mean with "have you removed authenticated users from your share"? I >>>>> never had any rights for "authenticated users" on any of my shares. >>>>> >>>>> Maybe I'm setting up shares in the wrong way? >>>>> >>>>> [global] >>>>> >>>>> netbios name = FILESERVER >>>>> workgroup = SAMDOM >>>>> security = ADS >>>>> realm = SAMDOM.EXAMPLE.COM >>>>> dedicated keytab file = /etc/krb5.keytab >>>>> kerberos method = secrets and keytab >>>>> >>>>> username map = /etc/samba/samba_usermap >>>>> >>>>> idmap config *:backend = tdb >>>>> idmap config *:range = 2000-9999 >>>>> idmap config OFFICE:backend = ad >>>>> idmap config OFFICE:schema_mode = rfc2307 >>>>> idmap config OFFICE:range = 10000-99999 >>>>> >>>>> winbind nss info = rfc2307 >>>>> winbind trusted domains only = no >>>>> winbind use default domain = yes >>>>> winbind enum users = yes >>>>> winbind enum groups = yes >>>>> winbind refresh tickets = Yes >>>>> >>>>> vfs objects = acl_xattr >>>>> map acl inherit = Yes >>>>> store dos attributes = yes >>>>> >>>>> >>>>> [packages] >>>>> path = /srv/samba/packages >>>>> read only = no >>>>> browsable = yes >>>>> comment = "Software Packages" >>>>> >>>>> >>>>> >>>>> >>>>> On 17.11.2015 15:30, L.P.H. van Belle wrote: >>>>>> Let me guess. >>>>>> >>>>>> You accessing your server like : >>>>>> >>>>>> \\servername\netlogon >>>>>> of >>>>>> \\servername\sysvol >>>>>> >>>>>> Well thats protected by windows these these days. >>>>>> >>>>>> Try with >>>>>> >>>>>> \\servername.domain.tld\netlogon >>>>>> or >>>>>> \\servername.domain.tld\sysvol >>>>>> >>>>>> Does that work? Yes, >>>>>> >>>>>> There is a whole chaper of this on the list somewhere.. >>>>>> Best is to read howto override this. >>>>>> https://adsecurity.org/?p=1405 >>>>>> >>>>>> and for you member server, how is you share setup. >>>>>> did you remove "authenticated users" ? >>>>>> if so best is that you add "domain computer" or authenticated users >>>>> back. >>>>>> And if you did not remove "authenticated users" from the share. >>>>>> >>>>>> Please post your share setup and rights for the shared folder. >>>>>> AND the rights of the folder below the shared folder. >>>>>> >>>>>> >>>>>> Greetz, >>>>>> >>>>>> Louis >>>>>> >>>>>> >>>>>> >>>>>>> -----Oorspronkelijk bericht----- >>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Viktor >>>>> Trojanovic >>>>>>> Verzonden: dinsdag 17 november 2015 15:01 >>>>>>> Aan: mathias dufresne; samba at lists.samba.org >>>>>>> Onderwerp: Re: [Samba] Permission Issues with GPO >>>>>>> >>>>>>> Hi Mathias, >>>>>>> >>>>>>> The problem is not the GPO itself. The GPO containers are >>>>>>> stored, as >>>>>>> they should be, in the file system under sysvol/AD-DOMAIN/Policies, >>>> and >>>>>>> they are being accessed correctly by the respective users and >>>>> computers. >>>>>>> Maybe my question isn't phrased perfectly but my problem is that >>>>>>> any >>>>>>> *computer GPO* that is accessing my file server (Samba Member), >>>>>>> fails >>>>>>> with an access denied error. To give you an example. I might have a >>>>>>> startup script that is supposed to copy a file from the file >>>>>>> server, >>>>>>> let's say an MS Word template, to the AD computer. The GPO >>>>>>> itself is >>>>>>> saved on the DC and it is called correctly but the access to my >>>>>>> file >>>>>>> server is being denied, the copy transaction is not happening. >>>>>>> >>>>>>> There is a permission problem and I'm trying to figure out what >>>>>>> it is. >>>>>>> The reason I'm posting this here is because I assume there is a >>>>>>> link >>>>>>> between my Samba settings on the file server, and their >>>>>>> connection to >>>>>>> the Samba DC that are responsible for this problem as this is not >>>>>>> standard behavior. >>>>>>> >>>>>>> Viktor >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 17.11.2015 13:30, mathias dufresne wrote: >>>>>>>> Hey, >>>>>>>> >>>>>>>> If your GPO are stored in AD (they are not template GPO with >>>>>>>> all GPO >>>>>>>> information in some file, I think this kind of non-pure-AD GPO are >>>>>>> stored >>>>>>>> in ADMX files, not sure). >>>>>>>> In GPMC.msc you have to define which entities would receive the >>>>>>>> GPO. >>>>>>> Once >>>>>>>> created the GPO, once it is set up, you have in the right panel >>>>>>>> two >>>>>>> parts. >>>>>>>> The bottom part is to define to whom this GPO would be applied. >>>>>>>> >>>>>>>> In that case, GPO ownership should be reset by AD (don't asked me >>>>> which >>>>>>>> part of AD) if you modify GPO ACLs manually. >>>>>>>> >>>>>>>> In clear: you must use GPMC.msc to manage GPO ACLs. This if >>>>>>>> they are >>>>> not >>>>>>>> template. >>>>>>>> >>>>>>>> Hoping this could help to find a solution. >>>>>>>> >>>>>>>> mathias >>>>>>>> >>>>>>>> 2015-11-17 4:04 GMT+01:00 Viktor Trojanovic <viktor at troja.ch>: >>>>>>>> >>>>>>>>> I was experiencing problems with Group Policy Objects. The >>>>>>>>> Windows >>>>>>> Event >>>>>>>>> Viewer spits out so many different errors, most of them less than >>>>>>> helpful, >>>>>>>>> so Iwas seeking help here with some of those messages. >>>>>>>>> >>>>>>>>> In the end, and after many hours and even days of researching >>>>>>>>> this >>>>>>>>> problem, I seem to have pin-pointed the main issue to some simple >>>>>>>>> permission irregularities that I don't know how to solve. >>>>>>>>> >>>>>>>>> In my setup, I have an AD DC and a member server, the latter >>>>>>>>> in the >>>>>>>>> function of a file server. Both are a Samba-only implementation >>>> based >>>>>>> on >>>>>>>>> version 4.3.1 of the server. >>>>>>>>> >>>>>>>>> Everything seems to work well enough, I never noticed any >>>>>>>>> issue when >>>>>>>>> working in a user context - I can authenticate, and I can use the >>>>> file >>>>>>>>> server as intended. But evidently, any policies that require >>>>>>>>> access >>>>> to >>>>>>> the >>>>>>>>> file server in a machine context (computer configuration node >>>>>>>>> of the >>>>>>> GPO), >>>>>>>>> fail. I was able to confirm that in multiple tests. >>>>>>>>> >>>>>>>>> I'm at my wit's end as it seems to me that all the necessary >>>>>>>>> share >>>>>>>>> permissions and NTACLs are in place. I even followed the advice I >>>>> could >>>>>>>>> find on some forum pages to add the group "domain computers" >>>>>>>>> to the >>>>>>> share >>>>>>>>> permissions but that didn't help either. >>>>>>>>> >>>>>>>>> Any advice or best practices? I can't imagine this should be so >>>>>>>>> complicated. >>>>>>>>> >>>>>>>>> Viktor >>>>>>>>> >>>>>>>>> -- >>>>>>>>> To unsubscribe from this list go to the following URL and read >>>>>>>>> the >>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>>>>> >>>>>>> -- >>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>> >>>> >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >> >> > > Can we have a look at your smb.conf from your domain member > > Rowland >Hi Rowland, I posted it just before in answer to Louis' email, here it is again: [global] netbios name = FILESERVER workgroup = SAMDOM security = ADS realm = SAMDOM.EXAMPLE.COM dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab username map = /etc/samba/samba_usermap idmap config *:backend = tdb idmap config *:range = 2000-9999 idmap config OFFICE:backend = ad idmap config OFFICE:schema_mode = rfc2307 idmap config OFFICE:range = 10000-99999 winbind nss info = rfc2307 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind refresh tickets = Yes vfs objects = acl_xattr map acl inherit = Yes store dos attributes = yes [packages] path = /srv/samba/packages read only = no browsable = yes comment = "Software Packages" Viktor
On 17/11/15 17:33, Viktor Trojanovic wrote:> [global] > > netbios name = FILESERVER > workgroup = SAMDOM > security = ADS > realm = SAMDOM.EXAMPLE.COM > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > > username map = /etc/samba/samba_usermap > > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > idmap config OFFICE:backend = ad > idmap config OFFICE:schema_mode = rfc2307 > idmap config OFFICE:range = 10000-99999 > > winbind nss info = rfc2307 > winbind trusted domains only = no > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = Yes > > vfs objects = acl_xattr > map acl inherit = Yes > store dos attributes = yes > > > [packages] > path = /srv/samba/packages > read only = no > browsable = yes > comment = "Software Packages" > > > ViktorDoes 'getent passwd adomainuser' work ? Rowland
Hi Victor, I have had similar issues as you describe. Could it be that your computer account has no gidNumber and uidNumber assigned? MJ
None of my computers have a UID/GID and my GPO works fine. Add the line i suggested to the share, and setup your rights Gr. Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens mourik jan c > heupink > Verzonden: dinsdag 17 november 2015 18:55 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Permission Issues with GPO > > Hi Victor, > > I have had similar issues as you describe. > > Could it be that your computer account has no gidNumber and uidNumber > assigned? > > MJ > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba