L.P.H. van Belle
2015-Jun-12 09:47 UTC
[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
Ok, my bad..

Then if you use policies.. check your GPO settings for:
Computer Configuration \ Administrative Templates \ System \ User Profiles
- Delete cached copies of roaming profiles
- Delete user profiles older than a specified number of days on system restart

and/or read:
https://support.microsoft.com/en-us/kb/983544
which may apply.

and you don't have any script running for cleanup local profiles?

Greetz,

louis

>-----Original message-----
>From: jaguaragna at rdmo.com
>[mailto:samba-bounces at lists.samba.org] On behalf of joseph-andre Guaragna
>Sent: Friday 12 June 2015 11:21
>CC: samba at lists.samba.org
>Subject: Re: [Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
>
>I am a bit confused by your answer L.P.H.
>
>I have no problem at all with my shares ACL are correctly applied to
>them, and I can easily manage them directly what I do in order to
>avoid mixing POSIX and Windows ACL.
>
>My problem is not on shares but on data blanking on local profile on
>the workstation which as I understand are unlink from a share
>settings.
>
>Cheers
>
>Meilleures salutations / Best regards,
>
>Joseph-André GUARAGNA
>ingénieur Système et Réseau / Network and System engineer
>
>RD MACHINES-OUTILS
>
>77, allée de l'Industrie F-74130 CONTAMINE SUR ARVE
>Tel : +33 (0) 4 50 03 90 77 - Fax :+33 (0) 4 50 03 66 79
>www.rdmo.com / www.rdmo-spare-parts.com
>
>2015-06-12 10:52 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>> 3 obligated settings !! you're missing one...
>>
>> # For ACL support on member file server
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes <===== is missing in your config.
>>
>> Greetz,
>>
>> Louis
>>
>>>-----Original message-----
>>>From: y.goudetsidis at mail.cryst.bbk.ac.uk
>>>[mailto:samba-bounces at lists.samba.org] On behalf of Yanni
>>>Sent: Thursday 11 June 2015 17:30
>>>To: samba at lists.samba.org
>>>Subject: [Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
>>>
>>>Hello Samba
>>>
>>>I have been trying to fix the problem below for several days with no
>>>success and I can't understand why.
>>>Please help me if you can.
>>>
>>>I've got a windows server 2012 running AD and I want to store the user
>>>profiles in a Samba filestore server called "Jimmy". Jimmy has the
>>>following smb.conf:
>>>
>>> [global]
>>> server string = Samba4 file server
>>> workgroup = TESTAD
>>> security = ADS
>>> realm = TESTAD.BIO.AC.UK
>>> domain master = no
>>> prefered master = no
>>> local master = no
>>> os level = 0
>>> browse list = yes
>>> encrypt passwords = yes
>>> template shell = /bin/bash
>>> name resolve order = bcast
>>>#-------- Mapping RID--------
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-3999
>>> idmap config TESTAD: backend = rid
>>> idmap config TESTAD: range = 10000-99999
>>>#------- Winbind ----------
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>> winbind expand groups = 4
>>> winbind normalize names = Yes
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>>
>>>#Logging Settings
>>> log level = 3
>>> log file = /var/log/samba/log.%m
>>> max log size = 50
>>>
>>>#----Profile Store Settings---------
>>>[profs]
>>> comment = WinProfsStorage
>>> path = /disk1/profs
>>> read only = no
>>> store dos attributes = yes
>>> create mask = 0600
>>> directory mask = 0755
>>> profile acls = yes
>>> csc policy = disable
>>>
>>>My problem is that users get temp profile whenever they log into a win7
>>>client which is also a TESTAD member.
>>>The error I get is: You have been logged on with a temp profile. In the
>>>event log it is indicated that this is due to "insufficient security
>>>rights". EventID: 1521 and 1511.
>>>
>>>Below are my settings on Jimmy:
>>>1. I can confirm that Selinux, iptables and firewalld are all disabled
>>>2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo
>>>-u", "wbinfo -g", "getent passwd" and
>>> "getent group" return the right values.
>>>3. I can confirm that clocks on Jimmy and AD server are in sync.
>>>4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root
>>>domain_users 23 Jun 11 15:57 profs
>>>
>>>Windows AD server facts/settings:
>>>1. I can view, access and write to "/disk1/profs"
>>>2. The security tab of "profs" shows the following user names and their
>>>permissions:
>>> Creator Owner: has only the "special permissions" ticked, which is
>>>greyed out
>>> Domain Users: Full Control
>>> Administrators (JIMMY\Administrators): Full Control
>>> Users: (JIMMY\Users): Full Control
>>>
>>>3. Under the "Advanced" button in the "Security tab" I can see these
>>>permission entries:
>>> Root (unix user\root)
>>> Administrators (JIMMY\Administrators)
>>> CREATOR OWNER
>>> Domain Users
>>> Users (JIMMY\Users)
>>>
>>>4. For all the above entries:
>>> "type" is set to "Allow"
>>> "Access" is set to "Full Control"
>>> "Inherit from" is set to "None"
>>> "Applies to" are set to "This folder, subfolder and files", except
>>>CREATOR OWNER which is set to "Sub-folders and files only".
>>>
>>>Note: I can edit any of these permission entries except "Creator owner".
>>>If I attempt to change the "applies to" setting of this entry to
>>>something else, the change reverses back when I hit "Apply"
>>>
>>>Windows 7 client, when logged in with temp profile as domain user
>>>1. user can view, access and write to "/disk1/profs"
>>>2. the "do not check profile ownership on roaming profiles" is enabled
>>>on the client (desperate move)
>>>3. the network security setting: "Restrict NTLM: outgoing NTLM traffic
>>>to remote servers" is set to "ALLOW ALL"
>>>
>>>Please provide any suggestions you may have and of course have the time
>>>to do so.
>>>
>>>Many thanks for your help
>>>Yanni
>>>
>>>--
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions: https://lists.samba.org/mailman/options/samba
joseph-andre Guaragna
2015-Jun-12 09:53 UTC
[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
Nope no scripts at all

Meilleures salutations / Best regards,

Joseph-André GUARAGNA
ingénieur Système et Réseau / Network and System engineer

RD MACHINES-OUTILS
77, allée de l'Industrie F-74130 CONTAMINE SUR ARVE
Tel : +33 (0) 4 50 03 90 77 - Fax :+33 (0) 4 50 03 66 79
www.rdmo.com / www.rdmo-spare-parts.com

2015-06-12 11:47 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> Ok, my bad..
>
> Then if you use policies.. check your GPO settings for:
> Computer Configuration \ Administrative Templates \ System \ User Profiles
> - Delete cached copies of roaming profiles
> - Delete user profiles older than a specified number of days on system restart
>
> and/or read:
> https://support.microsoft.com/en-us/kb/983544
> which may apply.
>
> and you don't have any script running for cleanup local profiles?
>
> Greetz,
>
> louis
buhorojo
2015-Jun-12 12:13 UTC
[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
On 12/06/15 11:53, joseph-andre Guaragna wrote:
>> #----Profile Store Settings---------
>> [profs]
>> comment = WinProfsStorage
>> path = /disk1/profs
>> read only = no
>> store dos attributes = yes

<Take these out>
>> create mask = 0600
>> directory mask = 0755
>> profile acls = yes
</Take these out>

>> csc policy = disable

bu Now go 1777 recursive on /disk1/profs

Anything?
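Added example (not part of the thread and not Samba project code): a small Python check that resolves the settings in effect for one share, [global] values overridden by the share's own lines, then reports which of the three ACL settings named in the thread are not in effect and which of the lines the last reply asks to take out are present. The sample configuration is a constructed excerpt of the smb.conf quoted above; all function and constant names are illustrative.

```python
# Constructed sample: the relevant lines of the smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    vfs objects = acl_xattr
    map acl inherit = yes
#----Profile Store Settings---------
[profs]
    path = /disk1/profs
    read only = no
    store dos attributes = yes
    create mask = 0600
    directory mask = 0755
    profile acls = yes
    csc policy = disable
"""

# The three settings the thread names for ACL support on a member file server.
REQUIRED = {"vfs objects": "acl_xattr", "map acl inherit": "yes",
            "store dos attributes": "yes"}
# Share-level lines the last reply asks to take out.
TAKE_OUT = ("create mask", "directory mask", "profile acls")
TRUE_WORDS = {"yes", "true", "on", "1"}  # spellings treated as "enabled" here


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[" ".join(name.lower().split())] = value.strip()
    return sections


def audit_share(sections, share):
    """Return (required settings not in effect, take-out lines present)."""
    effective = {**sections.get("global", {}), **sections[share]}
    missing = []
    for name, want in REQUIRED.items():
        words = effective.get(name, "").lower().split()
        ok = want in words if name == "vfs objects" else bool(TRUE_WORDS & set(words))
        if not ok:
            missing.append(name)
    return missing, [name for name in TAKE_OUT if name in sections[share]]
```

On a live server, `testparm -s` prints the configuration as Samba itself parses it, which is the authoritative view of the values this sketch approximates.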