similar to: SYSTEM gid=70006 in POSIX ACLs ?

Hi list, I am experimenting with two member servers (both samba4). I am using following configuration: membersrv:/etc/samba/smb.conf: ========================== [...] username map = /etc/samba/smbmap [...] membersrv:/etc/samba/smbmap: ========================= !root = MYDOM\johndoe MYDOM\foo MYDOM\bar MYDOM\Administrator Administrator So the domain users from my AD called "John Doe",

I am facing an issue which I cannot explain myself. The roaming profiles don't work for users that are members of the group "Domain Admins". The [profiles] share on the member server was configured exactly as explained on the wiki for roaming profiles. It works like a charm for all domain users, *BUT*: if a user is member of the group "Domain Admins" it *doesn't* :-(

Hello list, I am facing an issue which I cannot explain myself. The roaming profiles don't work for users that are members of the group "Domain Admins". The [profiles] share on the member server was configured exactly as explained on the wiki for roaming profiles. It works like a charm for all domain users, *BUT*: if a user is member of the group "Domain Admins" it

Hello, I am running Samba 4.1.12/Sernet on Debian Wheezy 64bit and I am about to setup my member server. The DC was provisioned with rfc2307 and extended attributes. I have assigned to the domain group called "Domain Users" the GID=10000. My member server was prepared with ACL+user_xattr and winbind support. My /etc/nsswitch.conf is using "winbind" for passwd+group, and

Hello list, I am not sure if this is a bug or known already but I will describe it. I have two domain controllers running on 4.1.12/sernet which are linked together. I am using unison for bidirectional sync for the sysvol directory as described on samba's wiki, although in my opinion the problem I will describe in the following has nothing to do with the sync process. The sync occurs every

> Comment from Rowland: > [...]an AD user without a uidNumber is merely a windows user Hi Rowland, just for my understanding, I have a question. If a domain user in my samba4 AD domain does not have been assigned with a "uid" on the [UNIX Attribute] tab of my ADUC tool, that user in general *cannot* access any of the shares of that particular member server? Is that correct? My

Hello list, I am using the Microsoft ADUC (Active Directory Users & Computers) tool from the RSAT suite for creating and modifying my domain users. I am aware of the "copy" functionality which really is very nice to use. Unfortunately I am missing two important actions during the user-creation process which I try to describe: 1.) When I use the template feauture (by using the

Hey all, according to the whitepaper http://technet.microsoft.com/en-us/library/cc736591%28v=ws.10%29.aspx I would like to a windows shortcut on the desktop that allows me to open and run the "Group Policy Editor" *for my samba4/AD domain*. The shortcut command should be: "gpedit.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=mydom,

Hello list, my DC and member server is running Samba 4.1.12. The DC was provisioned with rfc2307 and NIS extensions. Through ADUC tool and the [UNIX Attribute] tab I assigned a uid to the AD user "testuser1" and I also assigned a gid to the AD group "Domain Users". The member server was configured according the official wiki of samba.org. Winbind was configured on the member

Hello list, using AD with rfc2307 provisioned and NIS extensions are available. In ADUC tool I choose the group "Domain Admins" and click on the [UNIX Attributes] tab. I activate it for my domain and choose the GID=500. When I execute on my member server "net cache flush && getent group 500" I get the result domain admins:x:500:johndoe,name1,name2 So far so good,

Hello list, I'm stuck since 2 days and I have no clue how to troubleshoot and solve that problem. Any help really really appreciated. Scenario: ========= I am using Samba 4.1.12/sernet on DC1 (172.19.100.1) and DC2 (172.19.100.2) with default [netlogon] and [sysvol] share only. I installed an additional samba4 server with fileserving role which is called MEMBERSRV1 (172.19.100.3), which is

Oh! I think I did find the error now :-) If I understand "NOW" correctly, I have also to assign a UID to EACH of my AD users in ADUC tool in the [UNIX Attribute] tab, is that correct? I just tried out. In ADUC tool I did choose "testuser3", and on the [UNIX Attribute] tab I activated the NIS domain so it reflects to "MYDOM". Then by default there was UID=10000, I

> You are very nearly correct, your smb.conf on the member server has > these lines: > > idmap config MYDOM:backend = ad > idmap config MYDOM:schema_mode = rfc2307 > idmap config MYDOM:range = 500-40000 > > The first line makes winbind use the ad backend, the second ensures that > the rfc2307 attributes are used and the third line sets the range of > users to

> OK, make sure that the two idmap.ldb files match and then run > 'samba-tool ntacl sysvolreset' on both machines and see if this cured > this problem. I did: root at dc1:~$ service sernet-samba-ad stop root at dc2:~$ service sernet-samba-ad stop root at dc2:~$ mv /var/lib/samba/private/idmap.ldb /root/idmap.ldb.bak root at dc1:~$ scp /var/lib/samba/private/idmap.ldb

Hi all, I am referring to the official wiki here: https://wiki.samba.org/index.php/Setting_up_a_home_share#Setting_up_the_share_and_filesystem_permissions I was struggling around for many hours before I have found out what caused my issue. Well, I have created the [home] share exactly as epxlained on the How-To, in detail: I am creating on the linux prompt at the member server the directory with

I just tried that and I got the same error. I think there is some extended acl support that I'm missing somewhere. It's like the setfacl command is not recognizing the AD groups as valid groups. I should also add the following information: This server is built up on CentOS 6.6 Minimal using the Sernet-Samba Enterprise packages. It looks like the binary that is running is

On 19/12/14 13:22, Rich Webb wrote: > Matt, > > Thanks for the reply. I'm not trying to add the "users" group. I'm > trying to add the "Domain Users" group. That is the reason for the \ in > front of the space. It's translated as a literal. I think I could also > put quotes around it and not have to use the \ and the space. > > The

I've set up a profiles share according to the wiki article: https://wiki.samba.org/index.php/Implementing_roaming_profiles Users are able to create new roaming profiles and they cannot browse each others' profiles, so all that is working. The only issue is that the group "domain admins" does not have privileges to read or delete user profiles. The acls on the profiles directory

Im did not follow the complete thread, but you can check the following. smb.conf ## map id's outside to domain to tdb files. idmap config *:backend = tdb idmap config *:range = 50001-80000 ## map ids from the domain the range may not overlap ! idmap config DOMAIN:backend = ad idmap config DOMAIN:schema_mode = rfc2307 idmap config DOMAIN:range = 10000-40000 winbind

What's the content of your /etc/nsswitch.conf? Am 19. Dezember 2014 14:22:56 MEZ, schrieb Rich Webb <rwebb at zylatech.com>: >Matt, > >Thanks for the reply. I'm not trying to add the "users" group. I'm >trying to add the "Domain Users" group. That is the reason for the \ >in >front of the space. It's translated as a literal. I think