Yanni
2015-Jun-11 15:29 UTC
[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
Hello Samba

I have been trying to fix the problem below for several days with no success and I can't understand why.
Please help me if you can.

I've got a Windows Server 2012 running AD and I want to store the user profiles in a Samba filestore server called "Jimmy". Jimmy has the following smb.conf:

[global]
    server string = Samba4 file server
    workgroup = TESTAD
    security = ADS
    realm = TESTAD.BIO.AC.UK
    domain master = no
    prefered master = no
    local master = no
    os level = 0
    browse list = yes
    encrypt passwords = yes
    template shell = /bin/bash
    name resolve order = bcast
#-------- Mapping RID--------
    idmap config *:backend = tdb
    idmap config *:range = 2000-3999
    idmap config TESTAD: backend = rid
    idmap config TESTAD: range = 10000-99999
#------- Winbind ----------
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes
    winbind expand groups = 4
    winbind normalize names = Yes

    vfs objects = acl_xattr
    map acl inherit = yes

#Logging Settings
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 50

#----Profile Store Settings---------
[profs]
    comment = WinProfsStorage
    path = /disk1/profs
    read only = no
    store dos attributes = yes
    create mask = 0600
    directory mask = 0755
    profile acls = yes
    csc policy = disable

My problem is that users get a temp profile whenever they log into a win7 client which is also a TESTAD member.
The error I get is: You have been logged on with a temp profile. In the event log it is indicated that this is due to "insufficient security rights". EventID: 1521 and 1511.

Below are my settings on Jimmy:
1. I can confirm that SELinux, iptables and firewalld are all disabled
2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo -u", "wbinfo -g", "getent passwd" and "getent group" return the right values.
3. I can confirm that clocks on Jimmy and AD server are in sync.
4. Permissions on the "path=/disk1/profs" are:
   drwxrwx--T+ 3 root domain_users 23 Jun 11 15:57 profs

Windows AD server facts/settings:
1. I can view, access and write to "/disk1/profs"
2. The security tab of "profs" shows the following user names and their permissions:
   Creator Owner: has only the "special permissions" ticked, which is greyed out
   Domain Users: Full Control
   Administrators (JIMMY\Administrators): Full Control
   Users: (JIMMY\Users): Full Control
3. Under the "Advanced" button in the "Security tab" I can see these permission entries:
   Root (unix user\root)
   Administrators (JIMMY\Administrators)
   CREATOR OWNER
   Domain Users
   Users (JIMMY\Users)
4. For all the above entries:
   "type" is set to "Allow"
   "Access" is set to "Full Control"
   "Inherit from" is set to "None"
   "Applies to" is set to "This folder, subfolder and files", except CREATOR OWNER which is set to "Sub-folders and files only".

Note: I can edit any of these permission entries except "Creator owner". If I attempt to change the "applies to" setting of this entry to something else, the change reverses back when I hit "Apply"

Windows 7 client, when logged in with temp profile as domain user:
1. user can view, access and write to "/disk1/profs"
2. the "do not check profile ownership on roaming profiles" is enabled on the client (desperate move)
3. the network security setting: "Restrict NTLM: outgoing NTLM traffic to remote servers" is set to "ALLOW ALL"

Please provide any suggestions you may have and of course have the time to do so.

Many thanks for your help
Yanni
Rowland Penny
2015-Jun-12 08:40 UTC
[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
Hi, have a look here:
https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

You do not need everything you have put into [profs]

Also do your users know where [profs] is? Do they have the 'profilePath' attribute set on their AD objects?

Rowland
L.P.H. van Belle
2015-Jun-12 08:50 UTC
[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
And.. make it easier for yourself.. use: ignore system acl

The profiles share is only (or should be only) used by Windows computers.
Therefore you can use this as a profiles setup which does not care about the Linux POSIX rights.

Like this:

[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

If your setup is done, and very well tested, you can set "browseable = yes" to "browseable = no" and now your profiles share is correctly configured, and a hidden share.

This is my profiles folder:
drwxrwx--T+ 2 root root 4096 Jun 3 16:45 profiles

!!! Make sure you first set the share options, reload the samba config and then change the rights on the share from within Windows.
!!! Set it up according to the wiki and choose:
OR: Profile share using Windows ACLs
OR: Profile share using POSIX ACLs
and don't mix these two settings.

Greetz,

Louis
L.P.H. van Belle
2015-Jun-12 08:52 UTC
[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
3 obligatory settings!! You're missing one...

# For ACL support on member file server
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes   <===== is missing in your config.

Greetz,

Louis
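Added example (not part of the original thread and not Samba project code): a small Python check for the three settings Louis lists, run over an excerpt of the smb.conf posted at the top of the thread and over a constructed second config. It reports, per share, whether each setting is in effect and whether the value comes from the share itself or from the [global] default; the function names and the [scratch] share are hypothetical.

```python
"""Report where the three ACL settings from the thread take effect."""
import re

TRUE_WORDS = {"yes", "true", "on", "1"}

# Setting -> test that a configured value actually enables it.
REQUIRED = {
    "vfs objects": lambda v: "acl_xattr" in re.split(r"[,\s]+", v.strip()),
    "map acl inherit": lambda v: v.lower() in TRUE_WORDS,
    "store dos attributes": lambda v: v.lower() in TRUE_WORDS,
}

# Excerpt of the smb.conf posted at the top of the thread.
POSTED_CONF = """
[global]
    security = ADS
    idmap config *:backend = tdb
    idmap config TESTAD: backend = rid
    vfs objects = acl_xattr
    map acl inherit = yes
[profs]
    path = /disk1/profs
    read only = no
    store dos attributes = yes
    create mask = 0600
    directory mask = 0755
    profile acls = yes
"""

# Constructed sample: [profiles] is the share from Louis's reply, [scratch]
# is hypothetical and replaces the global module list with its own.
CONSTRUCTED_CONF = """
[global]
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
[profiles]
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes
[scratch]
    path = /srv/scratch
    vfs objects = recycle
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside a section, or malformed line
        key, value = line.split("=", 1)
        # Samba ignores case and runs of spaces in parameter names.
        current[" ".join(key.lower().split())] = value.strip()
    return sections


def audit(text):
    """For every share, say where each required setting comes from.

    Values are "share" (enabled in the share), "global" (inherited
    default), "off" (the share sets a value that does not enable it) or
    "missing" (not enabled anywhere). A share value wins over [global].
    """
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    report = {}
    for name, params in conf.items():
        if name == "global":
            continue
        row = {}
        for setting, enabled in REQUIRED.items():
            if setting in params:
                row[setting] = "share" if enabled(params[setting]) else "off"
            elif setting in glob and enabled(glob[setting]):
                row[setting] = "global"
            else:
                row[setting] = "missing"
        report[name] = row
    return report


def missing_in_global(text):
    """List the required settings that [global] itself does not enable."""
    glob = parse_smb_conf(text).get("global", {})
    return [s for s, ok in REQUIRED.items() if not (s in glob and ok(glob[s]))]


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("constructed", CONSTRUCTED_CONF)):
        print(label, "not in [global]:", missing_in_global(conf))
        for share, row in audit(conf).items():
            print(f"  [{share}]", row)
```
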
joseph-andre Guaragna
2015-Jun-12 09:15 UTC
[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
No, they have no profilePath attribute set up; they have, however, a base directory set up by default, as you can see on the link below.

https://app.box.com/s/32jbi0dwac23uypqvm6i0v8suqtbfijd

Best regards,

Joseph-André GUARAGNA
joseph-andre Guaragna
2015-Jun-12 09:21 UTC
[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
I am a bit confused by your answer L.P.H.

I have no problem at all with my shares; ACLs are correctly applied to them, and I can easily manage them directly, which I do in order to avoid mixing POSIX and Windows ACLs.

My problem is not on shares but on data blanking on the local profile on the workstation, which as I understand is unlinked from share settings.

Cheers

Best regards,

Joseph-André GUARAGNA
Network and System engineer
RD MACHINES-OUTILS
L.P.H. van Belle
2015-Jun-12 09:47 UTC
[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
Ok, my bad..

Then if you use policies.. check your GPO settings for:
Computer Configuration \ Administrative Templates \ System \ User Profiles
- Delete cached copies of roaming profiles
- Delete user profiles older than a specified number of days on system restart

and/or read: https://support.microsoft.com/en-us/kb/983544
which may apply.

And you don't have any script running for cleanup of local profiles?

Greetz,

Louis