I may be totally wrong, but for what it is worth: looking at this, it looks like your workstation time and server time are out of sync. Check to make sure your timezone is correct and run the following command.

net time set /S server

[EMAIL PROTECTED] ~]# net ads info
LDAP server: 192.168.222.84
LDAP server name: server.TESTDOMAIN.COM
Realm: TESTDOMAIN.COM
Bind Path: dc=TESTDOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 13 Feb 2008 11:19:09 CST
KDC server: 192.168.222.84
Server time offset: -29

________________________________
From: [EMAIL PROTECTED] on behalf of Steven Whaley
Sent: Wed 2/13/2008 12:26 PM
To: [email protected]
Subject: [Samba] Access denied when setting permissions

I have a Windows 2003 AD domain and a server joined to that domain. Winbind is being used as an idmap. Most everything seems to work fine.

Winbind gets user info correctly:

[EMAIL PROTECTED] ~]# wbinfo -u
TESTDOMAIN\administrator
TESTDOMAIN\guest
TESTDOMAIN\support_388945a0
TESTDOMAIN\krbtgt
TESTDOMAIN\swhaley
TESTDOMAIN\test

[EMAIL PROTECTED] ~]# wbinfo -g
BUILTIN\administrators
BUILTIN\users
TESTDOMAIN\domain computers
TESTDOMAIN\domain controllers
TESTDOMAIN\schema admins
TESTDOMAIN\enterprise admins
TESTDOMAIN\domain admins
TESTDOMAIN\domain users
TESTDOMAIN\domain guests
TESTDOMAIN\group policy creator owners
TESTDOMAIN\dnsupdateproxy

[EMAIL PROTECTED] ~]# wbinfo -a 'TESTDOMAIN\swhaley%password'
plaintext password authentication succeeded
challenge/response password authentication succeeded

Domain functionality seems to work fine.

[EMAIL PROTECTED] ~]# net ads testjoin
Join is OK

[EMAIL PROTECTED] ~]# net ads info
LDAP server: 192.168.222.84
LDAP server name: server.TESTDOMAIN.COM
Realm: TESTDOMAIN.COM
Bind Path: dc=TESTDOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 13 Feb 2008 11:19:09 CST
KDC server: 192.168.222.84
Server time offset: -29

My user can connect to the Samba share from a Windows host without entering credentials, so Kerberos and authentication are working properly. But whenever I try to set permissions on the share, with a member of the Domain Admins group, from the Computer Management snap-in, I always get access denied errors. I have nt acl support turned on for the share.

Here's my Samba config:

[global]
security = ads
encrypt passwords = yes
realm = TESTDOMAIN.COM
workgroup = TESTDOMAIN
idmap uid = 200000 - 300000
idmap gid = 200000 - 300000
server string = Samba Server Version 3
netbios name = SAMBA
interfaces = lo eth0 192.168.222.110/24

[public]
comment = Public Stuff
path = /home/samba
public = yes
writable = yes
printable = no
valid users = TESTDOMAIN.COM\swhaley
nt acl support = yes
map acl inherit = yes
inherit acls = yes

I've also assigned the SeDiskOperatorPrivilege to the Domain Admins group:

[EMAIL PROTECTED] ~]# net rpc rights list accounts -Uswhaley
Password:
TESTDOMAIN\swhaley
SeDiskOperatorPrivilege

BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

TESTDOMAIN\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned

I'm running CentOS5, so POSIX acl support is on by default. I tested it by setting and removing some ACLs just to be sure, and they worked properly.

As mentioned, I'm running CentOS5. Samba is version 3.0.25b.

Can anyone shed some light on this? It's been driving me crazy.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
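
A check of the "Server time offset" field from `net ads info` against a Kerberos clock-skew tolerance, as an added example that is not part of either message in this thread. It assumes the field is in seconds and uses 300 seconds (the usual Kerberos/AD default) as the limit; the function name `check_skew` and the `MAX_SKEW` variable are hypothetical.

```shell
#!/bin/sh
# Added example: flag Kerberos clock skew from `net ads info` output.
# Assumptions: "Server time offset" is in seconds, and the tolerance is
# 300 s (the usual Kerberos/AD default). Override with MAX_SKEW=<seconds>.
MAX_SKEW=${MAX_SKEW:-300}

# check_skew reads `net ads info` output on stdin and prints a verdict.
# Return codes: 0 = within tolerance, 1 = exceeds it, 2 = field missing/garbled.
check_skew() {
    offset=$(awk -F': *' '/^Server time offset:/ {
        gsub(/[ \t\r]/, "", $2); print $2; exit }')
    case "$offset" in
        ''|-|*[!0-9-]*|?*-*)
            echo "no usable 'Server time offset' field found"
            return 2 ;;
    esac
    abs=${offset#-}                      # the sign does not matter for skew
    if [ "$abs" -gt "$MAX_SKEW" ]; then
        echo "skew ${offset}s exceeds ${MAX_SKEW}s"
        return 1
    fi
    echo "skew ${offset}s within ${MAX_SKEW}s"
    return 0
}

# Sample input: the `net ads info` output quoted in the thread above.
SAMPLE='LDAP server: 192.168.222.84
LDAP server name: server.TESTDOMAIN.COM
Realm: TESTDOMAIN.COM
Bind Path: dc=TESTDOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 13 Feb 2008 11:19:09 CST
KDC server: 192.168.222.84
Server time offset: -29'

printf '%s\n' "$SAMPLE" | check_skew
# On a joined host: net ads info | check_skew
```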
