Now with this email also, you have at least 3 problems.
1) Incorrect hosts file (see my previous post).
2) Incorrect resolv.conf (see my previous post).
3) You hit the "Group bug" (group 100 should be at least 10000).
https://bugzilla.samba.org/show_bug.cgi?id=13054
Fix that with
wbinfo -G 10000
net cache flush
> Then I used ADUC from RSAT to create an OU and a user.
> User can see the shares (and can map them to a drive letter), but is
> denied to look inside.
> Same for another share which I added.
> Even when administrator grants permission to everybody.
Did you "copy" another user?
Or did you create a template for your users?
If you copied from another user, and if you have set the Unix attributes,
try this: remove the profile and user folder, go to ADUC, Profile tab.
Change something in the user and profile field so Windows sees a change.
Then click Apply.
For another quick fix:
You see the 2005 there, make sure that matches your own.
wbinfo -G 2005
S-1-5-18
wbinfo -Y S-1-5-18
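#!/bin/bash
# Usage: pass the user name as the first argument; it is written into the user: ACL entries.
RIGHTSFILE="default-rights-user-profile.acl"
GROUP_WRITE_RIGHTS="domain\040users"
# GID that winbind maps the SYSTEM SID (S-1-5-18) to
USER_SYSTEM="$(wbinfo -Y S-1-5-18)"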
cat << EOF > ${RIGHTSFILE}
# file: user.V6/
# owner: user
# group: domain\040users
user::rwx
user:${1}:rwx
group::---
group:${USER_SYSTEM}:rwx
group:${GROUP_WRITE_RIGHTS}:---
mask::rwx
other::---
default:user::rwx
default:user:${1}:rwx
default:group::---
default:group:2005:rwx
default:group:${GROUP_WRITE_RIGHTS}:---
default:mask::rwx
default:other::---
EOF
echo "Run : setfacl -R -b -M $RIGHTSFILE The_Users_Profile_Folder"
As Administrator check the rights on the share.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Klaus Hartnegg via samba
> Sent: Friday 29 September 2017 15:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] user cannot access shares on new ad-dc
>
>
> > On 29.09.2017 14:32 Rowland Penny wrote:
> > I cannot see where it says not to use on a DC
>
> I misread the first section.
>
> > What does 'getent passwd username' actually produce ?
>
> root@dc1:~# getent passwd administrator
> COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
> root@dc1:~# getent passwd klaus
> COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false
>
> > if PAM isn't set up, then set it up by installing the required
> > packages and try again
>
> Ok, I ran "pam-auth-update" and pressed enter twice.
> Have no idea what this does.
>
> But is PAM really necessary on a DC?
> The Wiki says that winbindd is optional.
> Should not at least sysvol work without it?
>
> Klaus
>
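The "Group bug" symptom discussed in this thread (domain accounts whose `getent passwd` line shows primary group 100, where the reply expects at least 10000) can be checked mechanically. The script below is an added example, not part of the original messages or of Samba; `check_domain_gids`, `sample_getent` and `MIN_GID` are hypothetical names, and the sample input is constructed from the two `getent` lines quoted above plus two made-up entries.

```shell
#!/bin/sh
# Added example; check_domain_gids and sample_getent are hypothetical names.
MIN_GID="${MIN_GID:-10000}"   # minimum primary GID the reply above expects

# Reads passwd-format lines (getent passwd output) on stdin and prints
# "name uid gid" for every DOMAIN\user entry whose primary GID is below MIN_GID.
# Exit status: 0 nothing flagged, 1 at least one account flagged, 2 malformed input.
check_domain_gids() {
    awk -F: -v min="$MIN_GID" '
        /^[ \t]*$/ { next }                          # skip blank lines
        NF != 7 || $4 !~ /^[0-9]+$/ {                # not a passwd(5) record
            printf "line %d: malformed entry\n", NR > "/dev/stderr"
            bad = 1; next
        }
        index($1, "\\") == 0 { next }                # local account, not from winbind
        ($4 + 0) < (min + 0) { print $1, $3, $4; hit = 1 }
        END { if (bad) exit 2; exit (hit ? 1 : 0) }
    '
}

# Constructed sample: the two getent lines quoted in this thread, plus one
# local account and one domain account with an in-range group (both made up).
sample_getent() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false
COMPANY\example:*:10001:10000::/home/COMPANY/example:/bin/false
EOF
}

# Live use on the DC: getent passwd klaus | check_domain_gids
sample_getent | check_domain_gids || echo "check exited with status $?"
```

Re-running the check after `wbinfo -G 10000` and `net cache flush` shows whether the primary group now resolves inside the expected range.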