Hi Mourik Jan/Victor.

> MJ definitely understands the problem I'm facing....

Yes, and I do too, but you won't listen...

ALL my client PCs, Windows and Linux computers, don't have any uid/gid assigned.
My client PCs do access the DCs and multiple member servers with shares.
I do distribute settings and files with GPO and these files are on a member server.
Yes, also as "COMPUTER$", so the computer can get its file as is set in the GPO.

And yes, I know your problem, it's all rights where you're looking for.
But it can be fixed.

I have a share "public", in which I have a folder Installers.
The share has everybody with full control as right.

For the Security tab rights on public, I have:

Creator owner     special      Only folders and files on underlying folders
Creator group     special      Only folders and files on underlying folders
Verified users    read+exec    This folder, underlying folders and files
Domain Admins     Full         This folder, underlying folders and files
Domain users      read+exec    This folder, underlying folders and files
Domain computer   read+exec    This folder, underlying folders and files

The subfolders have their own rights as needed.

My "Installers" folder, which the domain computers do access, has:

Root              special      Only this folder
Verified users    read+exec    This folder, underlying folders and files
Creator owner     special      Only this folder and files on underlying folders
Creator group     special      Only this folder and files on underlying folders
It-department     Full         Only this folder and files on underlying folders
Domain Admins     Full         Only this folder and files on underlying folders

And this is the share in smb.conf:

[public]
browseable = yes
path = /home/samba/public
read only = no

/home/ 755 root:root
/home/samba 755 root:root
public : drwxrwx---+ 12 root root 4096 Oct 15 15:25 public

And a getfacl:

# file: /home/samba/public/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:2004:r-x
group:domain\040users:r-x
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:2004:r-x
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---

Good luck. It's all in the rights..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Viktor Trojanovic
> Sent: Wednesday 18 November 2015 9:52
> To: mourik jan c heupink
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Permission Issues with GPO
>
> MJ definitely understands the problem I'm facing. I will report back by
> tmw if the solution works, don't have access to the server at the moment.
>
> Viktor
>
> > On 18 Nov 2015, at 09:04, mourik jan c heupink <heupink at merit.unu.edu> wrote:
> >
> > Hi,
> >
> > Well, but do your GPO clients have to access your fileservers (domain
> > member servers), or only the DCs with the actual sysvol?
> >
> > Because in our case: accessing the DCs under the machine accounts works
> > without gid/uid, no problem, but accessing domain member servers does NOT.
> >
> > MJ
> >
> >> On 18-11-2015 8:45, L.P.H. van Belle wrote:
> >> None of my computers have a UID/GID and my GPO works fine.
> >>
> >> Add the line I suggested to the share, and set up your rights
> >>
> >> Gr.
> >>
> >> Louis
> >>
> >>> -----Original message-----
> >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mourik jan c heupink
> >>> Sent: Tuesday 17 November 2015 18:55
> >>> To: samba at lists.samba.org
> >>> Subject: Re: [Samba] Permission Issues with GPO
> >>>
> >>> Hi Victor,
> >>>
> >>> I have had similar issues as you describe.
> >>>
> >>> Could it be that your computer account has no gidNumber and uidNumber
> >>> assigned?
> >>>
> >>> MJ
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions: https://lists.samba.org/mailman/options/samba

On 18-11-2015 10:13, L.P.H. van Belle wrote:
> Hi Mourik Jan/Victor.
>
>> MJ definitely understands the problem I'm facing....
> Yes, and I do too, but you won't listen...

Could it perhaps be that the vital detail is that Viktor (and me too) are not using windows (security tab) to manage the permissions / acls, but instead use basic fs permissions? (do you, Viktor?)

It is very reproducible here: machines without gid/uid cannot access domain member servers using the machine account, the moment I add gid/uid, they start to work.

(I'm not trying to say that your solution is not the real answer, just trying to find a reason for the behaviour we're seeing)

MJ

Ah, ok, now it's getting more clear..
I think the problem you face is because of the following.

You did set up a share with "unix" rights.
https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs

While you should set up a share with "windows" rights.
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

So, tell me, how do you set your share rights from linux then?
And how the file/folder rights?

Because this is your problem, it's the way it is set up.

For "windows" only shares, use the ignore parameter on the share, really, this saves you a lot of troubles.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mourik jan c heupink
> Sent: Wednesday 18 November 2015 10:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] Permission Issues with GPO
>
> On 18-11-2015 10:13, L.P.H. van Belle wrote:
> > Hi Mourik Jan/Victor.
> >
> >> MJ definitely understands the problem I'm facing....
> > Yes, and I do too, but you won't listen...
>
> Could it perhaps be that the vital detail is that Viktor (and me too)
> are not using windows (security tab) to manage the permissions / acls,
> but instead use basic fs permissions? (do you, Viktor?)
>
> It is very reproducible here: machines without gid/uid cannot access
> domain member servers using the machine account, the moment I add
> gid/uid, they start to work.
>
> (I'm not trying to say that your solution is not the real answer, just
> trying to find a reason for the behaviour we're seeing)
>
> MJ

On 18/11/15 09:37, mourik jan c heupink wrote:
>
> On 18-11-2015 10:13, L.P.H. van Belle wrote:
>> Hi Mourik Jan/Victor.
>>
>>> MJ definitely understands the problem I'm facing....
>> Yes, and I do too, but you won't listen...
>
> Could it perhaps be that the vital detail is that Viktor (and me too)
> are not using windows (security tab) to manage the permissions / acls,
> but instead use basic fs permissions? (do you, Viktor?)
>
> It is very reproducible here: machines without gid/uid cannot access
> domain member servers using the machine account, the moment I add
> gid/uid, they start to work.

OK, I am trying to understand this as well. I take it that the uidNumber you add is a unique number that is inside the range you have set in smb.conf, but what about the gidNumber? Do you set it to '515' and is this also inside the range?

Who owns the share on the disk and what are the permissions, also what is the share in smb.conf.

Rowland

>
> (I'm not trying to say that your solution is not the real answer, just
> trying to find a reason for the behaviour we're seeing)
>
> MJ
>

On 18-11-2015 10:58, L.P.H. van Belle wrote:
> Ah, ok, now it's getting more clear..
> I think the problem you face is because of the following.
>
> You did set up a share with "unix" rights.
> https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs
>
> While you should set up a share with "windows" rights.
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> So, tell me, how do you set your share rights from linux then?
> And how the file/folder rights?
>
> Because this is your problem, it's the way it is set up.
>
> For "windows" only shares, use the ignore parameter on the share,
> really, this saves you a lot of troubles.

Yes, that's what I mean. My shares (and I guess Viktor's shares as well) are managed with basic fs permissions as I called it. (wiki calls it Shares_with_POSIX_ACLs)

And in that case, users (and computer accounts also) need the uid/gid.

I guess in the case of Shares_with_Windows_ACLs those are not needed.
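
An added example, not part of any message in the thread: on a share managed with POSIX ACLs, what an account can do is decided by the ACL entries and the mask, so it helps to read getfacl output mechanically. The function names are hypothetical and the sample is a constructed subset of the getfacl listing quoted earlier in the thread; the sketch parses it, applies the mask, and lists entries that appear only as a number.

```python
import re

# Constructed sample: a subset of the getfacl output quoted in the thread.
SAMPLE = """\
# file: /home/samba/public/
user::rwx
user:root:rwx
group::---
group:2004:r-x
group:domain\\040users:r-x
group:domain\\040admins:rwx
group:domain\\040computers:r-x
mask::rwx
other::---
default:group:domain\\040computers:r-x
default:mask::rwx
"""

def unescape(name):
    # getfacl writes special characters in names as octal escapes (040 = space)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_acl(text):
    """Return {'access': {(tag, name): perms}, 'default': {...}}."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments such as "#effective:r--"
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, name, perms = line.split(":", 2)
        acl[scope][(tag, unescape(name))] = perms[:3]
    return acl

def effective(acl, tag, name="", scope="access"):
    """Rights after the mask, which limits named users and every group entry."""
    perms = acl[scope].get((tag, name))
    mask = acl[scope].get(("mask", ""))
    unmasked = tag in ("other", "mask") or (tag == "user" and name == "")
    if perms is None or mask is None or unmasked:
        return perms
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def numeric_entries(acl, scope="access"):
    """Entries listed by bare number, i.e. with no name shown for the id."""
    return sorted(name for (_tag, name) in acl[scope] if name.isdigit())
```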