
Re: [Samba] Deploy software in fileserver folder




Hi Elias,

Hello Denis, thanks for the answer!!!

    so for accessing a share on the file server, you'll need to add read
    rights for "domain computers" group


Is this read permission for the domain computer I need to configure in
the deploy software GPO, sharing folder or both?

When you create GPO through RSAT it will set the proper rights on the sysvol share. If you messed up with your rights, then use samba-tool ntacl sysvolcheck / sysvolreset.

On the other hand, you'll have to properly set up the rights on your file share with "domain computer" read privileges.


     psexec -i -s cmd
        net use F: \\server\sharename
        dir f:


At first I was able to execute the commands above. At first I had to run
a cmd with adm privileges, because in the normal user it was denied
access. After that the mapping worked and I got the access in F:

Yes, you'll need elevated privileges to run this command. You can check if you have enough privileges using the command below. In the listing, you should have "High Mandatory Level" at the end of the list.

    whoami /groups

But anyway, I'd say it is not a friendly move from me to help you fix that, you should really look into a software deployment solution, it will make your life much easier! :-)

Cheers,

Denis




On Thu, Jan 11, 2018 at 2:06 PM, Denis Cardon <dcardon@xxxxxxxxxxx> wrote:

    Hi Elias,

        I thought it worked, but after I uninstalled the software that I
        deployed via user scope, it did not reinstall. I selected the
        "Redeploy application" option, but it also did not work.


    The user scope GPO are run with the privileges and access tokens of
    the logged on user, so the user have local admin rights for install
    and need access rights to the share you are putting your
    installation files (read rights for "domain users" group for example).

    The computer scope GPO are run with maximum privileges using
    LocalSystem account. LocalSystem has access to machine kerberos
    credentials, so for accessing a share on the file server, you'll
    need to add read rights for "domain computers" group. You can check
    that your computer account can connect to a share by logging in as
    LocalSystem using psexec:
      psexec -i -s cmd
        net use F: \\server\sharename
        dir f:

    Anyway, you'd be better at using a software deployment solution for
    that task (GPO are really not good at that, even Microsoft would
    advise you to use ConfigMgr/SCCM). I'm partial on that point as I'm
    one of the developers, but I'd advise you to check out WAPT [2].

    Cheers,

    Denis

    [1] https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
    [2] https://wapt.fr/en



        I read that in the user scope there are 2 installation options:

        - Deployed to User, Assigned Software - Not installed until the
          default is opened in the Programs Folder in the Start Menu.
        - Deploy to User, Published Software - Not installed until
          initiated to be installed from the "Programs and Features".

        I used both options and it was not installed either.

        I want to try to install via computer scope and into a fileserver
        folder because of disk space in AD.

        Is there any other way to set this up?


        On Thu, Jan 11, 2018 at 8:48 AM, Elias Pereira <empbilly@xxxxxxxxx> wrote:

            Hey Luke, thanks for the help!!! It's working now!!!

            God bless you and your family!! :D

                Remember that GPOs need to run as the context of either
                the computer or the user. Computers typically do not have
                access to many folders on a file server, even as
                "Everyone". That is why the NETLOGON folder works.

                If you're deploying as a USER configuration, then it
                should run as the context of the user, meaning the
                Everyone permission would work.


            On Wed, Jan 10, 2018 at 6:07 PM, Elias Pereira <empbilly@xxxxxxxxx> wrote:

                Luke,

                I'm running via computer scope and I believe that's the
                problem. Later I
                will test and give a return if that was the detail.


                On Jan 10, 2018 at 15:47, "Luke Barone" <lukebarone@xxxxxxxxx> wrote:

                Which GPO? Computer or User Configuration?

                Remember that GPOs need to run as the context of either
                the computer or the user. Computers typically do not have
                access to many folders on a file server, even as
                "Everyone". That is why the NETLOGON folder works.

                If you're deploying as a USER configuration, then it
                should run as the context of the user, meaning the
                Everyone permission would work.

                On Wed, Jan 10, 2018 at 9:45 AM, Elias Pereira <empbilly@xxxxxxxxx> wrote:

                    Sorry for a lack of information. I'm using GPOs to
                    deploy the software.

                    On Jan 10, 2018 at 3:00 PM, "Luke Barone" <lukebarone@xxxxxxxxx> wrote:

                    How are you deploying the software? You've given us
                    very little

                    On Jan 10, 2018 7:01 AM, "Elias Pereira via samba" <samba@xxxxxxxxxxxxxxx> wrote:

                        I tested putting "everyone" with full permission
                        on the folder, but still the software deploy does
                        not work.

                        Any idea?

                        On Tue, Jan 9, 2018 at 11:37 AM, Elias Pereira <empbilly@xxxxxxxxx> wrote:

                            Hello list,

                            I tried to set up a folder on our fileserver
                            domain member, so I can
                            deploy software for users' machines, but is
                            not working.

                            If I put the software inside "netlogon" it
                            installs correctly.

                            \\172.16.1.7\storage\programs

                            Auth Users - read & execute, list folder contents, read and write

                            Do I need other permissions?

                            --
                            Elias Pereira




                        --
                        Elias Pereira







            --
            Elias Pereira





    --
    Denis Cardon
    Tranquil IT Systems
    Les Espaces Jules Verne, bâtiment A
    12 avenue Jules Verne
    44230 Saint Sébastien sur Loire
    tel : +33 (0) 2.40.97.57.55
    http://www.tranquil-it-systems.fr




--
Elias Pereira

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
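
A PowerShell check for the two access contexts described in this thread, added here as an illustration and not part of the original messages: it lists which of the groups named in the thread hold a read ACE on the deployment folder, then tries a real directory listing under the current account. The default path is the one from the first message; the parameter name and output fields are assumptions.

```powershell
# Added example, not from the thread. Run it once as the logged-on user and
# once from the LocalSystem prompt opened with "psexec -i -s cmd".
param(
    # Share path quoted in the thread; replace with your own.
    [string]$Path = '\\172.16.1.7\storage\programs'
)

# Under psexec -s this prints "nt authority\system".
Write-Output "Running as: $(whoami)"

# Groups the thread discusses granting read access to.
$principals = 'Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone'
$readMask   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

try {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        # Drop the DOMAIN\ or authority prefix and compare on the group name only.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($principals -notcontains $name) { continue }
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $ace.FileSystemRights
            GrantsRead = ($ace.AccessControlType -eq 'Allow') -and
                         (($ace.FileSystemRights -band $readMask) -eq $readMask)
            Inherited  = $ace.IsInherited
        }
    }
} catch {
    Write-Warning "Could not read the ACL on ${Path}: $($_.Exception.Message)"
}

# The ACL is only half the answer: confirm this security context can list the folder.
try {
    $count = @(Get-ChildItem -LiteralPath $Path -ErrorAction Stop).Count
    Write-Output "Listing succeeded: $count entries visible in $Path"
} catch {
    Write-Warning "Listing failed for $(whoami): $($_.Exception.Message)"
}
```

Get-Acl shows only the file-system ACL; permissions set on the share itself are not visible this way, so a failed listing with a correct ACL points at the share definition.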


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba