samba - Jun 2015 - you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012

Hello Samba

I have been trying to fix the problem below for several days with no 
success and I can't understand why.
Please help me if you can.

I've got a windows server 2012 running AD and I want to store the user 
profiles in a Samba filestore server called "Jimmy". Jimmy has the 
following smb.conf:

  [global]
   server string = Samba4 file server
   workgroup = TESTAD
   security = ADS
   realm = TESTAD.BIO.AC.UK
   domain master = no
   prefered master = no
   local master = no
   os level = 0
   browse list = yes
   encrypt passwords = yes
   template shell = /bin/bash
   name resolve order = bcast
#-------- Mapping RID--------
    idmap config *:backend = tdb
    idmap config *:range = 2000-3999
    idmap config TESTAD: backend = rid
    idmap config TESTAD: range = 10000-99999
#------- Winbind ----------
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes
    winbind expand groups = 4
    winbind normalize names = Yes

    vfs objects = acl_xattr
    map acl inherit = yes

#Logging Settings
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 50

#----Profile Store Settings---------
[profs]
    comment = WinProfsStorage
    path = /disk1/profs
    read only = no
    store dos attributes = yes
    create mask = 0600
    directory mask = 0755
    profile acls = yes
    csc policy = disable

My problem is that users get temp profile whenever they log into a win7 
client which is also a TESTAD member.
The error I get is: You have been logged on with a temp profile. In the 
event log it is indicated that this is due to "insufficient security 
rights". EventID: 1521 and 1511.

Below are my settings on Jimmy:
1. I can confirm that Selinux, iptables and firewalld are all disabled
2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo 
-u", "wbinfo -g", "getent passwd" and
     "getent group" return the right values.
3. I can confirm that clocks on Jimmy and AD server are in sync.
4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root 
domain_users 23 Jun 11 15:57 profs


Windows AD server facts/settings:
1. I can view,access and write to "/disk1/profs"
2. The security tab of "profs" shows the following user names and
their
permissions:
     Creator Owner: has only the "special permissions" ticked, which
is
greyed out
     Domain Users: Full Control
     Administrators (JIMMY\Administrators): Full Control
     Users: (JIMMY\Users): Full Control

3. Under the "Advanced" button in the "Security tab" I can
see these
permission entries:
     Root (unix user\root)
     Administrators (JIMMY\Administrators)
     CREATOR OWNER
     Domain Users
     Users (JIMMY\Users)

4. For all the above entries:
    "type" is set to "Allow"
    "Access" is set to "Full Control"
    "Inherit from" is set to "None"
    "Applies to" are set to "This folder, subfolder and
files", except
CREATOR OWNER which is set to "Sub-folders and files only".

Note: I can edit any of these permission entries except "Creator
owner".
If I attempt to change the "applies to" setting of this entry to 
something else, the change reverses back when I hit "Apply"

Windows 7 client, when logged in with temp profile as domain user
1. user can view,access and write to "/disk1/profs"
2. the "do not check profile ownership on roaming profiles" is enabled
on the client (desperate move)
3. the network security setting: "Restrict NTLM: outgoing  NTLM traffic 
to remote servers" is set to "ALLOW ALL"


Please provide any suggestions you may have and ofcourse have the time 
to do so.

Many thanks for your help
Yanni

On 11/06/15 16:29, Yanni wrote:
> Hello Samba
>
> I have been trying to fix the problem below for several days with no 
> success and I can't understand why.
> Please help me if you can.
>
> I've got a windows server 2012 running AD and I want to store the user 
> profiles in a Samba filestore server called "Jimmy". Jimmy has
the
> following smb.conf:
>
>  [global]
>   server string = Samba4 file server
>   workgroup = TESTAD
>   security = ADS
>   realm = TESTAD.BIO.AC.UK
>   domain master = no
>   prefered master = no
>   local master = no
>   os level = 0
>   browse list = yes
>   encrypt passwords = yes
>   template shell = /bin/bash
>   name resolve order = bcast
> #-------- Mapping RID--------
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-3999
>    idmap config TESTAD: backend = rid
>    idmap config TESTAD: range = 10000-99999
> #------- Winbind ----------
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
>    winbind expand groups = 4
>    winbind normalize names = Yes
>
>    vfs objects = acl_xattr
>    map acl inherit = yes
>
> #Logging Settings
>    log level = 3
>    log file = /var/log/samba/log.%m
>    max log size = 50
>
> #----Profile Store Settings---------
> [profs]
>    comment = WinProfsStorage
>    path = /disk1/profs
>    read only = no
>    store dos attributes = yes
>    create mask = 0600
>    directory mask = 0755
>    profile acls = yes
>    csc policy = disable
>
> My problem is that users get temp profile whenever they log into a 
> win7 client which is also a TESTAD member.
> The error I get is: You have been logged on with a temp profile. In 
> the event log it is indicated that this is due to "insufficient 
> security rights". EventID: 1521 and 1511.
>
> Below are my settings on Jimmy:
> 1. I can confirm that Selinux, iptables and firewalld are all disabled
> 2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo 
> -u", "wbinfo -g", "getent passwd" and
>     "getent group" return the right values.
> 3. I can confirm that clocks on Jimmy and AD server are in sync.
> 4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root
> domain_users 23 Jun 11 15:57 profs
>
>
> Windows AD server facts/settings:
> 1. I can view,access and write to "/disk1/profs"
> 2. The security tab of "profs" shows the following user names and
> their permissions:
>     Creator Owner: has only the "special permissions" ticked,
which is
> greyed out
>     Domain Users: Full Control
>     Administrators (JIMMY\Administrators): Full Control
>     Users: (JIMMY\Users): Full Control
>
> 3. Under the "Advanced" button in the "Security tab" I
can see these
> permission entries:
>     Root (unix user\root)
>     Administrators (JIMMY\Administrators)
>     CREATOR OWNER
>     Domain Users
>     Users (JIMMY\Users)
>
> 4. For all the above entries:
>    "type" is set to "Allow"
>    "Access" is set to "Full Control"
>    "Inherit from" is set to "None"
>    "Applies to" are set to "This folder, subfolder and
files", except
> CREATOR OWNER which is set to "Sub-folders and files only".
>
> Note: I can edit any of these permission entries except "Creator 
> owner". If I attempt to change the "applies to" setting of
this entry
> to something else, the change reverses back when I hit "Apply"
>
> Windows 7 client, when logged in with temp profile as domain user
> 1. user can view,access and write to "/disk1/profs"
> 2. the "do not check profile ownership on roaming profiles" is
enabled
> on the client (desperate move)
> 3. the network security setting: "Restrict NTLM: outgoing  NTLM 
> traffic to remote servers" is set to "ALLOW ALL"
>
>
> Please provide any suggestions you may have and ofcourse have the time 
> to do so.
>
> Many thanks for your help
> Yanni
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
Hi, have a look here: 
https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

You do not need everything you have put into [profs]

Also do your users know where [profs] is ? do they have the 
'profilePath' attribute set on their AD objects ?

Rowland

and.. make it yourself more easy.. use : ignore system acl 

The profiles share is only ( or should be ) only use by windows computers. 
Therefore you can use this as profiles setup which does not care about the linux
posix rights.

like this :  
[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

If you setup is done, and very well tested, you can set
 "browseable = yes" to "browseable = no" 
and now your profiles share is correct configured, and a hidden share. 

This is my profiles folder : 
drwxrwx--T+  2 root root  4096 Jun  3 16:45 profiles 

!!! Make user you first set the share options, reload the samba config and then
change the rights on the share from within windows.
!!!  set it conform the wiki !! 


and choose !! 

OR : Profile share using Windows ACLs  
OR : Profile share with using POSIX ACLs  
and dont mix these to settings. 


Greetz, 

Louis
 
>-----Oorspronkelijk bericht-----
>Van: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>Verzonden: vrijdag 12 juni 2015 10:41
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] you have been logged on with a 
>temporary profile_win7 client+samba 4+WinServ2012
>
>On 11/06/15 16:29, Yanni wrote:
>> Hello Samba
>>
>> I have been trying to fix the problem below for several days with no 
>> success and I can't understand why.
>> Please help me if you can.
>>
>> I've got a windows server 2012 running AD and I want to 
>store the user 
>> profiles in a Samba filestore server called "Jimmy". Jimmy
has the
>> following smb.conf:
>>
>>  [global]
>>   server string = Samba4 file server
>>   workgroup = TESTAD
>>   security = ADS
>>   realm = TESTAD.BIO.AC.UK
>>   domain master = no
>>   prefered master = no
>>   local master = no
>>   os level = 0
>>   browse list = yes
>>   encrypt passwords = yes
>>   template shell = /bin/bash
>>   name resolve order = bcast
>> #-------- Mapping RID--------
>>    idmap config *:backend = tdb
>>    idmap config *:range = 2000-3999
>>    idmap config TESTAD: backend = rid
>>    idmap config TESTAD: range = 10000-99999
>> #------- Winbind ----------
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = Yes
>>    winbind expand groups = 4
>>    winbind normalize names = Yes
>>
>>    vfs objects = acl_xattr
>>    map acl inherit = yes
>>
>> #Logging Settings
>>    log level = 3
>>    log file = /var/log/samba/log.%m
>>    max log size = 50
>>
>> #----Profile Store Settings---------
>> [profs]
>>    comment = WinProfsStorage
>>    path = /disk1/profs
>>    read only = no
>>    store dos attributes = yes
>>    create mask = 0600
>>    directory mask = 0755
>>    profile acls = yes
>>    csc policy = disable
>>
>> My problem is that users get temp profile whenever they log into a 
>> win7 client which is also a TESTAD member.
>> The error I get is: You have been logged on with a temp profile. In 
>> the event log it is indicated that this is due to "insufficient 
>> security rights". EventID: 1521 and 1511.
>>
>> Below are my settings on Jimmy:
>> 1. I can confirm that Selinux, iptables and firewalld are 
>all disabled
>> 2. Jimmy is a domain member of TESTAD and I can confirm that
"wbinfo
>> -u", "wbinfo -g", "getent passwd" and
>>     "getent group" return the right values.
>> 3. I can confirm that clocks on Jimmy and AD server are in sync.
>> 4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3
root
>> domain_users 23 Jun 11 15:57 profs
>>
>>
>> Windows AD server facts/settings:
>> 1. I can view,access and write to "/disk1/profs"
>> 2. The security tab of "profs" shows the following user names
and
>> their permissions:
>>     Creator Owner: has only the "special permissions" 
>ticked, which is 
>> greyed out
>>     Domain Users: Full Control
>>     Administrators (JIMMY\Administrators): Full Control
>>     Users: (JIMMY\Users): Full Control
>>
>> 3. Under the "Advanced" button in the "Security
tab" I can see these
>> permission entries:
>>     Root (unix user\root)
>>     Administrators (JIMMY\Administrators)
>>     CREATOR OWNER
>>     Domain Users
>>     Users (JIMMY\Users)
>>
>> 4. For all the above entries:
>>    "type" is set to "Allow"
>>    "Access" is set to "Full Control"
>>    "Inherit from" is set to "None"
>>    "Applies to" are set to "This folder, subfolder and 
>files", except 
>> CREATOR OWNER which is set to "Sub-folders and files only".
>>
>> Note: I can edit any of these permission entries except "Creator 
>> owner". If I attempt to change the "applies to" setting
of
>this entry 
>> to something else, the change reverses back when I hit
"Apply"
>>
>> Windows 7 client, when logged in with temp profile as domain user
>> 1. user can view,access and write to "/disk1/profs"
>> 2. the "do not check profile ownership on roaming profiles" 
>is enabled 
>> on the client (desperate move)
>> 3. the network security setting: "Restrict NTLM: outgoing  NTLM 
>> traffic to remote servers" is set to "ALLOW ALL"
>>
>>
>> Please provide any suggestions you may have and ofcourse 
>have the time 
>> to do so.
>>
>> Many thanks for your help
>> Yanni
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>Hi, have a look here: 
>https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>
>You do not need everything you have put into [profs]
>
>Also do your users know where [profs] is ? do they have the 
>'profilePath' attribute set on their AD objects ?
>
>Rowland
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>

3 obligated settings !!  your missing one...  

   # For ACL support on member file server
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes	<===== is missing in your config. 

Greetz, 

Louis
 
>-----Oorspronkelijk bericht-----
>Van: y.goudetsidis at mail.cryst.bbk.ac.uk 
>[mailto:samba-bounces at lists.samba.org] Namens Yanni
>Verzonden: donderdag 11 juni 2015 17:30
>Aan: samba at lists.samba.org
>Onderwerp: [Samba] you have been logged on with a temporary 
>profile_win7 client+samba 4+WinServ2012
>
>Hello Samba
>
>I have been trying to fix the problem below for several days with no 
>success and I can't understand why.
>Please help me if you can.
>
>I've got a windows server 2012 running AD and I want to store the user 
>profiles in a Samba filestore server called "Jimmy". Jimmy has the
>following smb.conf:
>
>  [global]
>   server string = Samba4 file server
>   workgroup = TESTAD
>   security = ADS
>   realm = TESTAD.BIO.AC.UK
>   domain master = no
>   prefered master = no
>   local master = no
>   os level = 0
>   browse list = yes
>   encrypt passwords = yes
>   template shell = /bin/bash
>   name resolve order = bcast
>#-------- Mapping RID--------
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-3999
>    idmap config TESTAD: backend = rid
>    idmap config TESTAD: range = 10000-99999
>#------- Winbind ----------
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
>    winbind expand groups = 4
>    winbind normalize names = Yes
>
>    vfs objects = acl_xattr
>    map acl inherit = yes
>
>#Logging Settings
>    log level = 3
>    log file = /var/log/samba/log.%m
>    max log size = 50
>
>#----Profile Store Settings---------
>[profs]
>    comment = WinProfsStorage
>    path = /disk1/profs
>    read only = no
>    store dos attributes = yes
>    create mask = 0600
>    directory mask = 0755
>    profile acls = yes
>    csc policy = disable
>
>My problem is that users get temp profile whenever they log 
>into a win7 
>client which is also a TESTAD member.
>The error I get is: You have been logged on with a temp 
>profile. In the 
>event log it is indicated that this is due to "insufficient security 
>rights". EventID: 1521 and 1511.
>
>Below are my settings on Jimmy:
>1. I can confirm that Selinux, iptables and firewalld are all disabled
>2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo 
>-u", "wbinfo -g", "getent passwd" and
>     "getent group" return the right values.
>3. I can confirm that clocks on Jimmy and AD server are in sync.
>4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root 
>domain_users 23 Jun 11 15:57 profs
>
>
>Windows AD server facts/settings:
>1. I can view,access and write to "/disk1/profs"
>2. The security tab of "profs" shows the following user names 
>and their 
>permissions:
>     Creator Owner: has only the "special permissions" ticked, 
>which is 
>greyed out
>     Domain Users: Full Control
>     Administrators (JIMMY\Administrators): Full Control
>     Users: (JIMMY\Users): Full Control
>
>3. Under the "Advanced" button in the "Security tab" I
can see these
>permission entries:
>     Root (unix user\root)
>     Administrators (JIMMY\Administrators)
>     CREATOR OWNER
>     Domain Users
>     Users (JIMMY\Users)
>
>4. For all the above entries:
>    "type" is set to "Allow"
>    "Access" is set to "Full Control"
>    "Inherit from" is set to "None"
>    "Applies to" are set to "This folder, subfolder and
files", except
>CREATOR OWNER which is set to "Sub-folders and files only".
>
>Note: I can edit any of these permission entries except 
>"Creator owner". 
>If I attempt to change the "applies to" setting of this entry to 
>something else, the change reverses back when I hit "Apply"
>
>Windows 7 client, when logged in with temp profile as domain user
>1. user can view,access and write to "/disk1/profs"
>2. the "do not check profile ownership on roaming profiles" is
enabled
>on the client (desperate move)
>3. the network security setting: "Restrict NTLM: outgoing  
>NTLM traffic 
>to remote servers" is set to "ALLOW ALL"
>
>
>Please provide any suggestions you may have and ofcourse have the time 
>to do so.
>
>Many thanks for your help
>Yanni
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>

No they have no profilePath attribute sets up, they have however a
base directory set up by default as you can see on the link below.

 https://app.box.com/s/32jbi0dwac23uypqvm6i0v8suqtbfijd


Meilleures salutations / Best regards,

Joseph-Andr? GUARAGNA






2015-06-12 10:40 GMT+02:00 Rowland Penny <rowlandpenny at
googlemail.com>:
> On 11/06/15 16:29, Yanni wrote:
>>
>> Hello Samba
>>
>> I have been trying to fix the problem below for several days with no
>> success and I can't understand why.
>> Please help me if you can.
>>
>> I've got a windows server 2012 running AD and I want to store the
user
>> profiles in a Samba filestore server called "Jimmy". Jimmy
has the following
>> smb.conf:
>>
>>  [global]
>>   server string = Samba4 file server
>>   workgroup = TESTAD
>>   security = ADS
>>   realm = TESTAD.BIO.AC.UK
>>   domain master = no
>>   prefered master = no
>>   local master = no
>>   os level = 0
>>   browse list = yes
>>   encrypt passwords = yes
>>   template shell = /bin/bash
>>   name resolve order = bcast
>> #-------- Mapping RID--------
>>    idmap config *:backend = tdb
>>    idmap config *:range = 2000-3999
>>    idmap config TESTAD: backend = rid
>>    idmap config TESTAD: range = 10000-99999
>> #------- Winbind ----------
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = Yes
>>    winbind expand groups = 4
>>    winbind normalize names = Yes
>>
>>    vfs objects = acl_xattr
>>    map acl inherit = yes
>>
>> #Logging Settings
>>    log level = 3
>>    log file = /var/log/samba/log.%m
>>    max log size = 50
>>
>> #----Profile Store Settings---------
>> [profs]
>>    comment = WinProfsStorage
>>    path = /disk1/profs
>>    read only = no
>>    store dos attributes = yes
>>    create mask = 0600
>>    directory mask = 0755
>>    profile acls = yes
>>    csc policy = disable
>>
>> My problem is that users get temp profile whenever they log into a win7
>> client which is also a TESTAD member.
>> The error I get is: You have been logged on with a temp profile. In the
>> event log it is indicated that this is due to "insufficient
security
>> rights". EventID: 1521 and 1511.
>>
>> Below are my settings on Jimmy:
>> 1. I can confirm that Selinux, iptables and firewalld are all disabled
>> 2. Jimmy is a domain member of TESTAD and I can confirm that
"wbinfo -u",
>> "wbinfo -g", "getent passwd" and
>>     "getent group" return the right values.
>> 3. I can confirm that clocks on Jimmy and AD server are in sync.
>> 4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3
root
>> domain_users 23 Jun 11 15:57 profs
>>
>>
>> Windows AD server facts/settings:
>> 1. I can view,access and write to "/disk1/profs"
>> 2. The security tab of "profs" shows the following user names
and their
>> permissions:
>>     Creator Owner: has only the "special permissions" ticked,
which is
>> greyed out
>>     Domain Users: Full Control
>>     Administrators (JIMMY\Administrators): Full Control
>>     Users: (JIMMY\Users): Full Control
>>
>> 3. Under the "Advanced" button in the "Security
tab" I can see these
>> permission entries:
>>     Root (unix user\root)
>>     Administrators (JIMMY\Administrators)
>>     CREATOR OWNER
>>     Domain Users
>>     Users (JIMMY\Users)
>>
>> 4. For all the above entries:
>>    "type" is set to "Allow"
>>    "Access" is set to "Full Control"
>>    "Inherit from" is set to "None"
>>    "Applies to" are set to "This folder, subfolder and
files", except
>> CREATOR OWNER which is set to "Sub-folders and files only".
>>
>> Note: I can edit any of these permission entries except "Creator
owner".
>> If I attempt to change the "applies to" setting of this entry
to something
>> else, the change reverses back when I hit "Apply"
>>
>> Windows 7 client, when logged in with temp profile as domain user
>> 1. user can view,access and write to "/disk1/profs"
>> 2. the "do not check profile ownership on roaming profiles"
is enabled on
>> the client (desperate move)
>> 3. the network security setting: "Restrict NTLM: outgoing  NTLM
traffic to
>> remote servers" is set to "ALLOW ALL"
>>
>>
>> Please provide any suggestions you may have and ofcourse have the time
to
>> do so.
>>
>> Many thanks for your help
>> Yanni
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
> Hi, have a look here:
> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>
> You do not need everything you have put into [profs]
>
> Also do your users know where [profs] is ? do they have the
'profilePath'
> attribute set on their AD objects ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

I am a bit confused by your answer L.P.H.

I have no problem at all with my shares ACl are correctly applied to
them, and i can easily managed them directly what I do in order to
avoid mixing POSIX and Windows ACL.

My problem is not on shares but on data blanking on local profile on
the workstation which as I understand are unlink from a share
settings.


Cheers


Meilleures salutations / Best regards,

Joseph-Andr? GUARAGNA
ing?nieur Syst?me et R?seau / Network and System engineer



RD MACHINES-OUTILS

77, all?e de l'Industrie  F-74130 CONTAMINE SUR ARVE
Tel : +33 (0) 4 50 03 90 77    -   Fax :+33 (0) 4 50 03 66 79
www.rdmo.com / www.rdmo-spare-parts.com


2015-06-12 10:52 GMT+02:00 L.P.H. van Belle <belle at
bazuin.nl>:
> 3 obligated settings !!  your missing one...
>
>    # For ACL support on member file server
>    vfs objects = acl_xattr
>    map acl inherit = yes
>    store dos attributes = yes   <===== is missing in your config.
>
> Greetz,
>
> Louis
>
>
>>-----Oorspronkelijk bericht-----
>>Van: y.goudetsidis at mail.cryst.bbk.ac.uk
>>[mailto:samba-bounces at lists.samba.org] Namens Yanni
>>Verzonden: donderdag 11 juni 2015 17:30
>>Aan: samba at lists.samba.org
>>Onderwerp: [Samba] you have been logged on with a temporary
>>profile_win7 client+samba 4+WinServ2012
>>
>>Hello Samba
>>
>>I have been trying to fix the problem below for several days with no
>>success and I can't understand why.
>>Please help me if you can.
>>
>>I've got a windows server 2012 running AD and I want to store the
user
>>profiles in a Samba filestore server called "Jimmy". Jimmy has
the
>>following smb.conf:
>>
>>  [global]
>>   server string = Samba4 file server
>>   workgroup = TESTAD
>>   security = ADS
>>   realm = TESTAD.BIO.AC.UK
>>   domain master = no
>>   prefered master = no
>>   local master = no
>>   os level = 0
>>   browse list = yes
>>   encrypt passwords = yes
>>   template shell = /bin/bash
>>   name resolve order = bcast
>>#-------- Mapping RID--------
>>    idmap config *:backend = tdb
>>    idmap config *:range = 2000-3999
>>    idmap config TESTAD: backend = rid
>>    idmap config TESTAD: range = 10000-99999
>>#------- Winbind ----------
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = Yes
>>    winbind expand groups = 4
>>    winbind normalize names = Yes
>>
>>    vfs objects = acl_xattr
>>    map acl inherit = yes
>>
>>#Logging Settings
>>    log level = 3
>>    log file = /var/log/samba/log.%m
>>    max log size = 50
>>
>>#----Profile Store Settings---------
>>[profs]
>>    comment = WinProfsStorage
>>    path = /disk1/profs
>>    read only = no
>>    store dos attributes = yes
>>    create mask = 0600
>>    directory mask = 0755
>>    profile acls = yes
>>    csc policy = disable
>>
>>My problem is that users get temp profile whenever they log
>>into a win7
>>client which is also a TESTAD member.
>>The error I get is: You have been logged on with a temp
>>profile. In the
>>event log it is indicated that this is due to "insufficient
security
>>rights". EventID: 1521 and 1511.
>>
>>Below are my settings on Jimmy:
>>1. I can confirm that Selinux, iptables and firewalld are all disabled
>>2. Jimmy is a domain member of TESTAD and I can confirm that
"wbinfo
>>-u", "wbinfo -g", "getent passwd" and
>>     "getent group" return the right values.
>>3. I can confirm that clocks on Jimmy and AD server are in sync.
>>4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3
root
>>domain_users 23 Jun 11 15:57 profs
>>
>>
>>Windows AD server facts/settings:
>>1. I can view,access and write to "/disk1/profs"
>>2. The security tab of "profs" shows the following user names
>>and their
>>permissions:
>>     Creator Owner: has only the "special permissions" ticked,
>>which is
>>greyed out
>>     Domain Users: Full Control
>>     Administrators (JIMMY\Administrators): Full Control
>>     Users: (JIMMY\Users): Full Control
>>
>>3. Under the "Advanced" button in the "Security tab"
I can see these
>>permission entries:
>>     Root (unix user\root)
>>     Administrators (JIMMY\Administrators)
>>     CREATOR OWNER
>>     Domain Users
>>     Users (JIMMY\Users)
>>
>>4. For all the above entries:
>>    "type" is set to "Allow"
>>    "Access" is set to "Full Control"
>>    "Inherit from" is set to "None"
>>    "Applies to" are set to "This folder, subfolder and
files", except
>>CREATOR OWNER which is set to "Sub-folders and files only".
>>
>>Note: I can edit any of these permission entries except
>>"Creator owner".
>>If I attempt to change the "applies to" setting of this entry
to
>>something else, the change reverses back when I hit "Apply"
>>
>>Windows 7 client, when logged in with temp profile as domain user
>>1. user can view,access and write to "/disk1/profs"
>>2. the "do not check profile ownership on roaming profiles" is
enabled
>>on the client (desperate move)
>>3. the network security setting: "Restrict NTLM: outgoing
>>NTLM traffic
>>to remote servers" is set to "ALLOW ALL"
>>
>>
>>Please provide any suggestions you may have and ofcourse have the time
>>to do so.
>>
>>Many thanks for your help
>>Yanni
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Ok, my bad.. 

The if you use policies.. check you gpo settings for : 
Computer Configuration \ Administrative Templates \ System \ User Profiles 
- Delete cached copies of roaming profiles 
- Delete user profiles older than a specified number of days on system restart

and/or read : 
https://support.microsoft.com/en-us/kb/983544 
which may apply. 

and you dont have any script running for cleanup local profiles? 

Greetz, 

louis

>-----Oorspronkelijk bericht-----
>Van: jaguaragna at rdmo.com 
>[mailto:samba-bounces at lists.samba.org] Namens joseph-andre Guaragna
>Verzonden: vrijdag 12 juni 2015 11:21
>CC: samba at lists.samba.org
>Onderwerp: Re: [Samba] you have been logged on with a 
>temporary profile_win7 client+samba 4+WinServ2012
>
>I am a bit confused by your answer L.P.H.
>
>I have no problem at all with my shares ACl are correctly applied to
>them, and i can easily managed them directly what I do in order to
>avoid mixing POSIX and Windows ACL.
>
>My problem is not on shares but on data blanking on local profile on
>the workstation which as I understand are unlink from a share
>settings.
>
>
>Cheers
>
>
>Meilleures salutations / Best regards,
>
>Joseph-Andr? GUARAGNA
>ing?nieur Syst?me et R?seau / Network and System engineer
>
>
>
>RD MACHINES-OUTILS
>
>77, all?e de l'Industrie  F-74130 CONTAMINE SUR ARVE
>Tel : +33 (0) 4 50 03 90 77    -   Fax :+33 (0) 4 50 03 66 79
>www.rdmo.com / www.rdmo-spare-parts.com
>
>
>2015-06-12 10:52 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>> 3 obligated settings !!  your missing one...
>>
>>    # For ACL support on member file server
>>    vfs objects = acl_xattr
>>    map acl inherit = yes
>>    store dos attributes = yes   <===== is missing in your config.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>>-----Oorspronkelijk bericht-----
>>>Van: y.goudetsidis at mail.cryst.bbk.ac.uk
>>>[mailto:samba-bounces at lists.samba.org] Namens Yanni
>>>Verzonden: donderdag 11 juni 2015 17:30
>>>Aan: samba at lists.samba.org
>>>Onderwerp: [Samba] you have been logged on with a temporary
>>>profile_win7 client+samba 4+WinServ2012
>>>
>>>Hello Samba
>>>
>>>I have been trying to fix the problem below for several days with no
>>>success and I can't understand why.
>>>Please help me if you can.
>>>
>>>I've got a windows server 2012 running AD and I want to 
>store the user
>>>profiles in a Samba filestore server called "Jimmy". Jimmy
has the
>>>following smb.conf:
>>>
>>>  [global]
>>>   server string = Samba4 file server
>>>   workgroup = TESTAD
>>>   security = ADS
>>>   realm = TESTAD.BIO.AC.UK
>>>   domain master = no
>>>   prefered master = no
>>>   local master = no
>>>   os level = 0
>>>   browse list = yes
>>>   encrypt passwords = yes
>>>   template shell = /bin/bash
>>>   name resolve order = bcast
>>>#-------- Mapping RID--------
>>>    idmap config *:backend = tdb
>>>    idmap config *:range = 2000-3999
>>>    idmap config TESTAD: backend = rid
>>>    idmap config TESTAD: range = 10000-99999
>>>#------- Winbind ----------
>>>    winbind trusted domains only = no
>>>    winbind use default domain = yes
>>>    winbind enum users = yes
>>>    winbind enum groups = yes
>>>    winbind refresh tickets = Yes
>>>    winbind expand groups = 4
>>>    winbind normalize names = Yes
>>>
>>>    vfs objects = acl_xattr
>>>    map acl inherit = yes
>>>
>>>#Logging Settings
>>>    log level = 3
>>>    log file = /var/log/samba/log.%m
>>>    max log size = 50
>>>
>>>#----Profile Store Settings---------
>>>[profs]
>>>    comment = WinProfsStorage
>>>    path = /disk1/profs
>>>    read only = no
>>>    store dos attributes = yes
>>>    create mask = 0600
>>>    directory mask = 0755
>>>    profile acls = yes
>>>    csc policy = disable
>>>
>>>My problem is that users get temp profile whenever they log
>>>into a win7
>>>client which is also a TESTAD member.
>>>The error I get is: You have been logged on with a temp
>>>profile. In the
>>>event log it is indicated that this is due to "insufficient
security
>>>rights". EventID: 1521 and 1511.
>>>
>>>Below are my settings on Jimmy:
>>>1. I can confirm that Selinux, iptables and firewalld are 
>all disabled
>>>2. Jimmy is a domain member of TESTAD and I can confirm that
"wbinfo
>>>-u", "wbinfo -g", "getent passwd" and
>>>     "getent group" return the right values.
>>>3. I can confirm that clocks on Jimmy and AD server are in sync.
>>>4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+
3 root
>>>domain_users 23 Jun 11 15:57 profs
>>>
>>>
>>>Windows AD server facts/settings:
>>>1. I can view,access and write to "/disk1/profs"
>>>2. The security tab of "profs" shows the following user
names
>>>and their
>>>permissions:
>>>     Creator Owner: has only the "special permissions"
ticked,
>>>which is
>>>greyed out
>>>     Domain Users: Full Control
>>>     Administrators (JIMMY\Administrators): Full Control
>>>     Users: (JIMMY\Users): Full Control
>>>
>>>3. Under the "Advanced" button in the "Security
tab" I can see these
>>>permission entries:
>>>     Root (unix user\root)
>>>     Administrators (JIMMY\Administrators)
>>>     CREATOR OWNER
>>>     Domain Users
>>>     Users (JIMMY\Users)
>>>
>>>4. For all the above entries:
>>>    "type" is set to "Allow"
>>>    "Access" is set to "Full Control"
>>>    "Inherit from" is set to "None"
>>>    "Applies to" are set to "This folder, subfolder
and
>files", except
>>>CREATOR OWNER which is set to "Sub-folders and files
only".
>>>
>>>Note: I can edit any of these permission entries except
>>>"Creator owner".
>>>If I attempt to change the "applies to" setting of this
entry to
>>>something else, the change reverses back when I hit
"Apply"
>>>
>>>Windows 7 client, when logged in with temp profile as domain user
>>>1. user can view,access and write to "/disk1/profs"
>>>2. the "do not check profile ownership on roaming
profiles"
>is enabled
>>>on the client (desperate move)
>>>3. the network security setting: "Restrict NTLM: outgoing
>>>NTLM traffic
>>>to remote servers" is set to "ALLOW ALL"
>>>
>>>
>>>Please provide any suggestions you may have and ofcourse 
>have the time
>>>to do so.
>>>
>>>Many thanks for your help
>>>Yanni
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>--
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>