Konstantin Boyandin
2018-Sep-20 05:25 UTC
[Samba] Samba 4: 'Access denied' error when accessing user profile during logon
Hello,

After joining Windows 7 to a Samba 4 (AD), when logging on I experience 'Access denied' error accessing user profile. As a result, Windows creates temporary profile for the domain user (the profile is deleted upon logoff).

The roaming profiles directory has been created according to instructions in

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Note: the home directory (also shared by the AD DC) is accessible without problem, user can create/delete/whatever objects in it without problems.

For every domain user 'username' profilePath has been set to \\DC\profiles\username , using ldbmodify, i.e. via a string

    profilePath: \\DC\profiles\username

in corresponding LDIF.

Technical details:

OS: Ubuntu 18.04.1, Samba version (package) 4.7.6+dfsg~ubuntu-0ubuntu2.2, latest in official repository.

# samba-tool testparm

[global]
    bind interfaces only = Yes
    interfaces = lo ens3
    log file = /var/log/samba/log.%m
    log level = 3
    map to guest = Bad User
    max log size = 1000
    netbios name = DC
    obey pam restrictions = Yes
    pam password change = Yes
    panic action = /usr/share/samba/panic-action %d
    passdb backend = tdbsam
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    realm = AD-LAN.COM
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    server string = AD-LAN.COM domain controller
    template homedir = /home/%u
    template shell = /bin/bash
    tls cafile = tls/ca.pem
    tls certfile = tls/cert.pem
    tls enabled = Yes
    tls keyfile = tls/key.pem
    unix password sync = Yes
    usershare allow guests = Yes
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind nss info = rfc2307
    workgroup = AD-LAN
    acl:search = no
    idmap_ldb:use rfc2307 = yes

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/sysvol/ad-lan.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[profiles]
    browseable = No
    comment = Users profiles
    csc policy = disable
    force create mode = 0600
    force directory mode = 0700
    path = /srv/samba/profiles/
    read only = No
    store dos attributes = Yes
    vfs objects = acl_xattr

[users]
    force create mode = 0600
    force directory mode = 0700
    path = /srv/samba/users/
    read only = No

[printers]
    browseable = No
    comment = All Printers
    create mask = 0700
    path = /var/spool/samba
    printable = Yes

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

## In Samba log files matching the computer's IP:

# cat /var/log/samba/log.10.11.12.153
[...]
[2018/09/20 10:15:57.475422, 3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |profiles| in dfs path \DC\profiles is not a dfs root.
[2018/09/20 10:15:57.475451, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2018/09/20 10:15:57.475858, 3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 10.11.12.153 (10.11.12.153)
[2018/09/20 10:15:57.475912, 3] ../source3/smbd/service.c:595(make_connection_snum)
  Connect path is '/srv/samba/profiles/' for service [profiles]
[2018/09/20 10:15:57.475938, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2018/09/20 10:15:57.475946, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2018/09/20 10:15:57.475954, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2018/09/20 10:15:57.475966, 2] ../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service profiles
[2018/09/20 10:15:57.476109, 2] ../source3/smbd/service.c:841(make_connection_snum)
  10.11.12.153 (ipv4:10.11.12.153:61964) connect to service profiles initially as user AD-LAN\mbo (uid=1000, gid=513) (pid 7848)
[...]

I would appreciate pieces of advice on what causes the mentioned "Access denied" problem and how to handle it.

Sincerely,
Konstantin
Konstantin Boyandin
2018-Sep-20 07:26 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
Hello,

Looks like the solution was rather simple.

If user profile matching OS doesn't yet exist, Windows attempts to create one under '[profiles]'. I.e., for user 'username' Windows 7 will attempt to create [profiledir]\username.V2

If it can't create that directory, 'Access denied' is written to system event log and a temporary profile is created.

The solution (following the default how-to directories structure):

# chmod g+w /srv/samba/profiles

The hint posted in

https://windowsserveressentials.com/2011/02/25/quick-fix-access-denied-to-romaing-profile-windows-7/

Note: taking the above into account, I believe that corresponding section (Using POSIX ACLs) should be updated in

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

namely, replace

# chmod 1750 /srv/samba/profiles/

with

# chmod 1770 /srv/samba/profiles/

Sincerely,
Konstantin

Konstantin Boyandin via samba wrote on 2018-09-20 12:25:
> Hello,
>
> After joining Windows 7 to a Samba 4 (AD), when logging on I
> experience 'Access denied' error accessing user profile. As a result,
> Windows creates temporary profile for the domain user (the profile is
> deleted upon logoff).
>
> [...]
L.P.H. van Belle
2018-Sep-20 09:01 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
Hai,

Sorry to say but..

> The solution (following the default how-to directories structure):

No, the solution is to set up correctly.
Just do a small test here to see if it's all correct.

With a Windows computer, browse to \\server

Right click the profiles share, check security.
If this is set correctly, the user should not be able to see the rights.

Repeat, now as Administrator.
You should see the needed rights.

And in my case that's on \\server\profiles
Creator Owner ( 1700 ) Full with Special rights ( Apply to Only subfolders and files )
Administrator Full control ( Apply to This Folder, subfolders and files )
Domain Users Special with browse/exec, Read file/folder, create/add folder ( Only this folder )

And in my case that's on \\server\profiles\user.v2
The resulting user folders should show ( in Windows )
SYSTEM Full control
Username Full control

Which results in ( for me ) with getfacl

# file: home/samba/profiles
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:mask::rwx
default:other::---

#( Group 2005 is SYSTEM )
# file: home/samba/profiles/username.V2
# owner: username
# group: domain\040users
user::rwx
user:username:rwx
group::---
group:2005:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:username:rwx
default:group::---
default:group:2005:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---

Now, you will probably get different ( more relaxed ) results, which in the end might give problems for the Win PCs.

Set :
[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

And now apply the rights again from within Windows.
And don't touch it with chmod again..
If needed use setfacl/getfacl.
If you think it's complex, then read :
https://serversforhackers.com/c/beyond-permissions-linux-acls
Well explained.

The acl_xattr:ignore system acl = yes in profiles is imo a must because you will have much fewer problems with your profile folders and the rights Windows expects.

Greetz,

Louis
Rowland Penny
2018-Sep-20 09:58 UTC
[Samba] Samba 4: 'Access denied' error when accessing user profile during logon
On Thu, 20 Sep 2018 12:25:00 +0700 Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Hello,
>
> After joining Windows 7 to a Samba 4 (AD), when logging on I
> experience 'Access denied' error accessing user profile. As a result,
> Windows creates temporary profile for the domain user (the profile is
> deleted upon logoff).
>
> The roaming profiles directory has been created according to
> instructions in
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

No it hasn't

> Note: the home directory (also shared by the AD DC) is accessible
> without problem, user can create/delete/whatever objects in it
> without problems.
>
> For every domain user 'username' profilePath has been set to
> \\DC\profiles\username , using ldbmodify, i.e. via a string
>
> profilePath: \\DC\profiles\username
>
> in corresponding LDIF.
>
> Technical details:
>
> OS: Ubuntu 18.04.1, Samba version (package)
> 4.7.6+dfsg~ubuntu-0ubuntu2.2, latest in official repository.
>
> # samba-tool testparm

[global]
    netbios name = DC
    realm = AD-LAN.COM
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = AD-LAN
    idmap_ldb:use rfc2307 = yes
    server string = AD-LAN.COM domain controller
    bind interfaces only = Yes
    interfaces = lo ens3
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 1000
    template homedir = /home/%u
    template shell = /bin/bash
    panic action = /usr/share/samba/panic-action %d

Nothing wrong with the above

    passdb backend = tdbsam
    tls cafile = tls/ca.pem
    tls certfile = tls/cert.pem
    tls enabled = Yes
    tls keyfile = tls/key.pem

The above lines are not required, they are the defaults

    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    unix password sync = Yes
    usershare allow guests = Yes
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind nss info = rfc2307
    acl:search = no

Why have you set these on a DC ? Especially 'unix password sync = Yes' ??? You don't map Unix users in AD.

> [profiles]
> browseable = No
> comment = Users profiles
> csc policy = disable
> force create mode = 0600
> force directory mode = 0700
> path = /srv/samba/profiles/
> read only = No
> store dos attributes = Yes
> vfs objects = acl_xattr
>

We now come to your main problem, yes, you have set up the profiles share as per the wiki page, but you totally missed the big blue info box that says:

    When setting up the share on a Samba Active Directory (AD) domain controller (DC), you cannot use POSIX ACLs. On a Samba DC, only shares using extended ACLs are supported. For further details, see Enable Extended ACL Support in the smb.conf File. To set up the share on a Samba AD DC, see Setting up the Profiles Share on the Samba File Server - Using Windows ACLs.

You are trying to do it with POSIX ACLs, it will not work. You must set up the profiles share from Windows, as shown above the heading 'Using POSIX ACLs'

Finally, the last line of the log fragment contains this:

    connect to service profiles initially as user AD-LAN\mbo (uid=1000, gid=513) (pid 7848)

Did you classic upgrade a PDC to AD, if not, why are you using IDs like '100' and '513' ?

Rowland
Konstantin Boyandin
2018-Sep-21 04:49 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
Thanks for the response. I followed your instructions:

- set the "chmod 1750 /srv/samba/profiles"

- set, after logging in as AD-LAN\Administrator, the permissions for \\DC\profiles :

Creator Owner: all; applied to: Subfolders and files
Administrator: all; applied to: This folder, Subfolders and files
Domain Users: Traverse folder/Execute file, List folder/Read data, Read attributes, Read extended attributes, Create files/Write data, Create folders/Append data; applied to: This folder only

Results:

1. Permissions mask:

# ls -al /srv/samba | grep profiles
drwxrwx--T+ 1 root AD-LAN\domain users 34 Sep 21 11:25 profiles

2. ACL list for [profiles]

# getfacl /srv/samba/profiles
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/profiles
# owner: root
# group: AD-LAN\134domain\040users
# flags: --t
user::rwx
user:root:rwx
group::rwx
group:AD-LAN\134domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:mask::rwx
default:other::---

3. When logging in without local profile/roaming profile, username gets a roaming profile folder created:

# getfacl /srv/samba/profiles/username.V2
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/profiles/username.V2
# owner: AD-LAN\134username
# group: AD-LAN\134domain\040users
user::rwx
user:AD-LAN\134username:rwx
user:3000000:rwx
group::---
group:AD-LAN\134domain\040users:---
group:NT\040AUTHORITY\134system:rwx
mask::rwx
other::---
default:user::rwx
default:user:AD-LAN\134username:rwx
default:user:3000000:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:group:NT\040AUTHORITY\134system:rwx
default:mask::rwx
default:other::---

4. The non-Administrator domain users cannot access profiles permissions, nor can they access profiles of other users.

Is the above fine from viewpoint of access rights?

Sincerely,
Konstantin
L.P.H. van Belle
2018-Sep-21 06:52 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
Hai,

Now, I did not know you used the DC for the profiles here, but yes, it looks good.

Small comment on points 3 and 4.

3) It's good, you might notice a few more rights there compared to what I posted, that's because you have your profiles on the DC, but the settings are good.

4) Yes, the security is ok, I like the higher security setting and try to mimic the Windows settings as much as possible. You can relax it a bit, but I don't recommend that.

You're ready for the next step ;-)

And a tip ahead. Settings like this apply to \\server\ ( users-home) | profiles | print$ for example.
The why? Because these shares might need some extra Windows love ;-)

On these shares I apply the ignore system acl to mimic the Windows rights as closely as possible.
Reason for that is simple, fewer problems, but this does depend on how you use the network.

Test what applies best for you, but for these shares, which "normally" only Windows connects to, I set the ignore system acl.
Try it and test it. Shares which need "\SYSTEM" for example are best set to ignore.

Greetz,

Louis
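Added example (not from the thread or from the Samba project): a Python check that parses getfacl output for a per-user profile folder and lists every principal other than the owner and SYSTEM that holds effective rights, which is the isolation verified in point 4 above. The sample ACLs are constructed from the output posted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the getfacl output posted in this thread.
USER_DIR = r"""# file: srv/samba/profiles/username.V2
# owner: AD-LAN\134username
# group: AD-LAN\134domain\040users
user::rwx
user:AD-LAN\134username:rwx
group::---
group:AD-LAN\134domain\040users:---
group:NT\040AUTHORITY\134system:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:group:NT\040AUTHORITY\134system:rwx
default:mask::rwx
default:other::---
"""
# Constructed "too relaxed" variant: Domain Users can read the profile.
LOOSE_DIR = USER_DIR.replace(r"domain\040users:---", r"domain\040users:r-x")


def unescape(name):
    """getfacl prints space and backslash as octal escapes (\\040, \\134)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Parse one getfacl record into header fields and access/default entries."""
    acl = {"owner": "", "group": "", "flags": "", "access": [], "default": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            m = re.match(r"#\s*(\w+):\s*(.*)", line)
            if m and m.group(1) in ("owner", "group", "flags"):
                acl[m.group(1)] = unescape(m.group(2))
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        parts = line.split(":")
        if len(parts) < 3:  # blank lines, "getfacl: Removing leading ..." etc.
            continue
        tag, who, perms = parts[:3]
        acl[scope].append((tag, unescape(who), perms[:3]))
    return acl


def effective(entries):
    """Yield (tag, who, perms) with the mask applied to the entries it limits."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    for tag, who, perms in entries:
        if tag == "mask":
            continue
        owner_entry = tag == "user" and not who
        if tag != "other" and not owner_entry:
            perms = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        yield tag, who, perms


def audit_user_profile(acl, system="NT AUTHORITY\\system"):
    """Return entries that give anyone but the owner or SYSTEM effective rights."""
    allowed = {acl["owner"], system}
    findings = []
    for scope in ("access", "default"):  # default entries are what new files inherit
        for tag, who, perms in effective(acl[scope]):
            if tag == "user" and not who:
                continue  # the owning user's own entry
            principal = who or (acl["group"] if tag == "group" else "other")
            if perms != "---" and principal not in allowed:
                findings.append((scope, tag, principal, perms))
    return findings


if __name__ == "__main__":
    for label, text in (("thread layout", USER_DIR), ("relaxed", LOOSE_DIR)):
        print(label, audit_user_profile(parse_getfacl(text)))
```

On a server where SYSTEM shows up as a numeric ID (as in the "Group 2005 is SYSTEM" output earlier in the thread), pass that ID as the system argument.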