Rainer Traut
2005-May-13 13:38 UTC
[Samba] losing access to profile when user becomes domain user instead domain admin
Hi,

I am in the process of migrating our Windows workstations to a Samba domain.

Here is the problem:

When creating the domain user I put every user additionally in the domain admin group so that he/she can copy his old files on the local profile to his new domain account.

Then after this is done I put them to the domain users group but some (!) of the users then lose access to the profile.

When I look at permissions on their workstation everything looks ok, but he/she has no write access, though he is listed as owner.

samba is samba-3.0.13-1.4E.2 on Redhat EL4.

Here are parts of smb.conf

[Profiles]
comment = Roaming profiles share
path = /shares/profiles
writeable = yes
create mask = 0700
directory mask = 0770
browsable = no
valid users = @domusers root
force user = %U
profile acls = yes

[root@jupiter Eigene Dateien]# net groupmap list
Domain Admins (S-1-5-21-2187243289-1530508873-3638611354-512) -> domadmins
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-2187243289-1530508873-3638611354-514) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-2187243289-1530508873-3638611354-513) -> domusers
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

This works:
[root@jupiter Eigene Dateien]# id koe
uid=24446(koe) gid=1000(domusers) Gruppen=1000(domusers),1003(domadmins)
[root@jupiter Eigene Dateien]#

This does not:
[root@jupiter Eigene Dateien]# id koe
uid=24446(koe) gid=1000(domusers) Gruppen=1000(domusers)
[root@jupiter Eigene Dateien]#

Thanks for help
Rainer
Thomas M. Skeren III
2005-May-13 14:26 UTC
[Samba] losing access to profile when user becomes domain user instead domain admin
Rainer Traut wrote:
> Hi,
>
> I am in the process of migrating our Windows workstations to a Samba
> domain.
>
> Here is the problem:
>
> When creating the domain user I put every user additionally in the
> domain admin group so that he/she can copy his old files on the local
> profile to his new domain account.
>
> Then after this is done I put them to the domain users group but some
> (!) of the users then lose access to the profile.

Yeah, that's what happens. It's mostly a Windows problem... well, not a problem, rather it's security related. If you're using WinXP, the best way to do this is to use the Files and Settings Transfer Wizard in the non-domain account and export the settings. Then log in to the domain account and import those settings. This way the user needs no special permissions and the profile is fully restored for the user. I've done this numerous times, and this is by far the best way to do it.

TMS III

> When I look at permissions on their workstation everything looks ok,
> but he/she has no write access, though he is listed as owner.
>
> samba is samba-3.0.13-1.4E.2 on Redhat EL4.
>
> Here are parts of smb.conf
>
> [Profiles]
> comment = Roaming profiles share
> path = /shares/profiles
> writeable = yes
> create mask = 0700
> directory mask = 0770
> browsable = no
> valid users = @domusers root
> force user = %U
> profile acls = yes
>
> [root@jupiter Eigene Dateien]# net groupmap list
> Domain Admins (S-1-5-21-2187243289-1530508873-3638611354-512) -> domadmins
> System Operators (S-1-5-32-549) -> -1
> Domain Guests (S-1-5-21-2187243289-1530508873-3638611354-514) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Domain Users (S-1-5-21-2187243289-1530508873-3638611354-513) -> domusers
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
>
> This works:
> [root@jupiter Eigene Dateien]# id koe
> uid=24446(koe) gid=1000(domusers) Gruppen=1000(domusers),1003(domadmins)
> [root@jupiter Eigene Dateien]#
>
> This does not:
> [root@jupiter Eigene Dateien]# id koe
> uid=24446(koe) gid=1000(domusers) Gruppen=1000(domusers)
> [root@jupiter Eigene Dateien]#
>
> Thanks for help
> Rainer
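
A server-side check for the symptom in this thread, added here as an example (it is not from either poster and not part of Samba): it walks a profile tree and lists the entries that the account can write only because of a group it is about to lose, using the uid and gids from the id output above as defaults. Assumptions: the per-user directory passed on the command line is hypothetical, only owner/group/other mode bits are evaluated (POSIX ACLs and parent-directory search permission are not), and the function names are made up for this example.

```python
import os
import stat
import sys

def can_write(st, uid, gids):
    """Mode-bit write check: owner class first, then group, then other."""
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    # A directory needs write and search (w+x) to create or replace entries.
    need = 0o3 if stat.S_ISDIR(st.st_mode) else 0o2
    return bits & need == need

def lost_access(root, uid, gids_before, gids_after):
    """Return paths writable with gids_before but no longer with gids_after."""
    lost = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Each directory is visited once as dirpath; files are checked below it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes say nothing about the target
            if can_write(st, uid, gids_before) and not can_write(st, uid, gids_after):
                lost.append(path)
    return lost

if __name__ == "__main__":
    # Defaults taken from the thread: koe is uid 24446, domusers is gid 1000,
    # domadmins is gid 1003. The profile directory itself is an assumed layout.
    if len(sys.argv) != 2:
        sys.exit("usage: lost_access.py /shares/profiles/<user>")
    for p in lost_access(sys.argv[1], 24446, {1000, 1003}, {1000}):
        s = os.lstat(p)
        print(f"{oct(s.st_mode & 0o7777)} uid={s.st_uid} gid={s.st_gid} {p}")
```

Every path it prints is owned by some other uid and was reachable only through the second group, so those are the entries to re-own before the extra membership is removed.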