Philippe LeCavalier
2017-Feb-16 18:16 UTC
[Samba] SAMBA AD DC Access Denied to Redirected Folders
Hi everyone, I'm re-posting this because my previous thread (see below) for whatever reason I cannot reply to. So I'm starting a new one in the hopes that I can respond to those who made suggestions and hopefully get to a solution. In a nutshell, I've got a SAMBA4 AD DC server running Debian 8 stable. It's setup for roaming profiles, home dirs and redirected folders. Randomly, when users login they get an error about the recycle bin folders on each of their redirected folders and are then denied access. The folders in question are: Desktop Documents Favorites Start Menu One response I got from Rowland is *exactly* what is happening. Furthermore the fix does work (and is what I had discovered as a workable fix as well). However, it only "sticks" for a few days and then it happens again. So I reapply the fix, have the user log out/in...wash, rinse and repeat. This is the MS fix Rowland suggested: http://www.ieple.com/blog/fixing-corrupted-recycle-bin-in-redirected-folders-server-2012-r2-essentials Another response suggested I disable the recycle bin on the desktop to see if that is the cause. In windows 10 however, I cannot find how to do that. If I right click on the recycle bin in the desktop it does list the various recycle bin and their properties but no function to disabled them is apparent. Also, I would be concerned with leaving that disabled if I figured out how to considering how much data the users leave on their desktops. HEnce the need for redirected folders. Perhaps it was jsut suggested for test purposes... Hopefully you guys can respond to this b/c I really need to address this. Worse case, please cc me directly. The original thread: https://lists.samba.org/archive/samba/2017-January/206138.html -- Regards, Phil
L.P.H. van Belle
2017-Feb-17 10:48 UTC
[Samba] SAMBA AD DC Access Denied to Redirected Folders
Hai,
Recap your using: Debian Jessie, samba 4.2.14 ( from debian stable )
I'll repeat my question to you.
Can you post at least your smb.conf ?
( optional but preffered if im debugging this for you. )
Can you mail me a screenshot off your share security settings and folder
security settings. Mail me this directly, the list wont show them.
This is my setting in my folder redirect. ! im using the users share. !
I use the "users" share so i dont have to mess up the
"special" rights on the profiles share.
Users put documents on there desktop, so i preffer to separate that from
profiles share.
For the following locations:
Desktop
Documents
Favorites
Start Menu
Downloads
And i dont have problems with the recycle bin.
And i have the share on my member like this in the GPO.
\\f.q.d.n\users\%USERNAME%\Desktop
Options use exclusive richts for the user is enabled.
Samba (member) share
[users]
browseable = yes
path = /home/samba/users
read only = no
acl_xattr:ignore system acl = yes
!! BEWARE !!
When adding : acl_xattr:ignore system acl = yes
You MUST set the share and security settings again !
Last, post the windows event id when this happens.
Thats a very usefull one.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Philippe
> LeCavalier via samba
> Verzonden: donderdag 16 februari 2017 19:17
> Aan: samba at lists.samba.org
> CC: Björn Jacke
> Onderwerp: [Samba] SAMBA AD DC Access Denied to Redirected Folders
>
> Hi everyone,
>
> I'm re-posting this because my previous thread (see below) for whatever
> reason I cannot reply to. So I'm starting a new one in the hopes that I
> can
> respond to those who made suggestions and hopefully get to a solution.
>
> In a nutshell, I've got a SAMBA4 AD DC server running Debian 8 stable.
> It's
> setup for roaming profiles, home dirs and redirected folders. Randomly,
> when users login they get an error about the recycle bin folders on each
> of
> their redirected folders and are then denied access. The folders in
> question are:
>
> Desktop
> Documents
> Favorites
> Start Menu
>
> One response I got from Rowland is *exactly* what is happening.
> Furthermore
> the fix does work (and is what I had discovered as a workable fix as
> well).
> However, it only "sticks" for a few days and then it happens
again. So I
> reapply the fix, have the user log out/in...wash, rinse and repeat.
>
> This is the MS fix Rowland suggested:
> http://www.ieple.com/blog/fixing-corrupted-recycle-bin-in-redirected-
> folders-server-2012-r2-essentials
>
> Another response suggested I disable the recycle bin on the desktop to see
> if that is the cause. In windows 10 however, I cannot find how to do that.
> If I right click on the recycle bin in the desktop it does list the
> various
> recycle bin and their properties but no function to disabled them is
> apparent. Also, I would be concerned with leaving that disabled if I
> figured out how to considering how much data the users leave on their
> desktops. HEnce the need for redirected folders. Perhaps it was jsut
> suggested for test purposes...
>
> Hopefully you guys can respond to this b/c I really need to address this.
> Worse case, please cc me directly.
>
> The original thread:
> https://lists.samba.org/archive/samba/2017-January/206138.html
> --
> Regards,
> Phil
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Philippe LeCavalier
2017-Mar-25 13:21 UTC
[Samba] SAMBA AD DC Access Denied to Redirected Folders
On Thu, Feb 16, 2017 at 1:16 PM Philippe LeCavalier <support at plecavalier.com> wrote:> Hi everyone, > > I'm re-posting this because my previous thread (see below) for whatever > reason I cannot reply to. So I'm starting a new one in the hopes that I can > respond to those who made suggestions and hopefully get to a solution. > > In a nutshell, I've got a SAMBA4 AD DC server running Debian 8 stable. > It's setup for roaming profiles, home dirs and redirected folders. > Randomly, when users login they get an error about the recycle bin folders > on each of their redirected folders and are then denied access. The folders > in question are: > > Desktop > Documents > Favorites > Start Menu > > One response I got from Rowland is *exactly* what is happening. > Furthermore the fix does work (and is what I had discovered as a workable > fix as well). However, it only "sticks" for a few days and then it happens > again. So I reapply the fix, have the user log out/in...wash, rinse and > repeat. > > This is the MS fix Rowland suggested: > > http://www.ieple.com/blog/fixing-corrupted-recycle-bin-in-redirected-folders-server-2012-r2-essentials > > Another response suggested I disable the recycle bin on the desktop to see > if that is the cause. In windows 10 however, I cannot find how to do that. > If I right click on the recycle bin in the desktop it does list the various > recycle bin and their properties but no function to disabled them is > apparent. Also, I would be concerned with leaving that disabled if I > figured out how to considering how much data the users leave on their > desktops. HEnce the need for redirected folders. Perhaps it was jsut > suggested for test purposes... > > Hopefully you guys can respond to this b/c I really need to address this. > Worse case, please cc me directly. > > The original thread: > https://lists.samba.org/archive/samba/2017-January/206138.html > -- > Regards, > Phil >I'm just reviving this because I was unable to reply due to access issues with the mailing list. Any suggestions are greatly appreciated. On a side note: thank you Bjorn and Rowland for your assistance in getting things sorted to get me back on the list. -- Regards, Phil
Philippe LeCavalier
2017-Mar-25 14:21 UTC
[Samba] SAMBA AD DC Access Denied to Redirected Folders
On Sat, Mar 25, 2017 at 9:21 AM Philippe LeCavalier <support at
plecavalier.com>
wrote:
On Thu, Feb 16, 2017 at 1:16 PM Philippe LeCavalier <support at
plecavalier.com>
wrote:
Hi everyone,
I'm re-posting this because my previous thread (see below) for whatever
reason I cannot reply to. So I'm starting a new one in the hopes that I can
respond to those who made suggestions and hopefully get to a solution.
In a nutshell, I've got a SAMBA4 AD DC server running Debian 8 stable.
It's
setup for roaming profiles, home dirs and redirected folders. Randomly,
when users login they get an error about the recycle bin folders on each of
their redirected folders and are then denied access. The folders in
question are:
Desktop
Documents
Favorites
Start Menu
One response I got from Rowland is *exactly* what is happening. Furthermore
the fix does work (and is what I had discovered as a workable fix as well).
However, it only "sticks" for a few days and then it happens again. So
I
reapply the fix, have the user log out/in...wash, rinse and repeat.
This is the MS fix Rowland suggested:
http://www.ieple.com/blog/fixing-corrupted-recycle-bin-in-redirected-folders-server-2012-r2-essentials
Another response suggested I disable the recycle bin on the desktop to see
if that is the cause. In windows 10 however, I cannot find how to do that.
If I right click on the recycle bin in the desktop it does list the various
recycle bin and their properties but no function to disabled them is
apparent. Also, I would be concerned with leaving that disabled if I
figured out how to considering how much data the users leave on their
desktops. HEnce the need for redirected folders. Perhaps it was jsut
suggested for test purposes...
Hopefully you guys can respond to this b/c I really need to address this.
Worse case, please cc me directly.
The original thread:
https://lists.samba.org/archive/samba/2017-January/206138.html
--
Regards,
Phil
I'm just reviving this because I was unable to reply due to access issues
with the mailing list. Any suggestions are greatly appreciated.
On a side note: thank you Bjorn and Rowland for your assistance in getting
things sorted to get me back on the list.
--
Regards,
Phil
As requested by an earlier reply to the original thread, here are my
configs:
smb.conf
# Global parameters
[global]
workgroup = INTRANET
realm = INTRANET.DOMAIN.COM
netbios name = DC11
server role = active directory domain controller
dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = yes
map acl inherit = yes
client ldap sasl wrapping = sign
# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the INTRANET domain
idmap config INTRANET:backend = ad
idmap config INTRANET:schema_mode = rfc2307
idmap config INTRANET:range = 10000-999999
# Template settings for login shell and home directory
winbind nss info = template
template shell = /bin/bash
template homedir = /data/home/%U
[netlogon]
path = /var/lib/samba/sysvol/intranet.domain.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[profiles]
path = /data/profiles
read only = no
[home]
path = /data/home
read only = no
As you can see I did create a [home] share and perhaps that is the source
of the problem. I wanted each users redirected folders to be as safe from
each other as possible.
nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
resolv.conf
cat /etc/resolv.conf
domain intranet.domain.com
search intranet.domain.com
nameserver 192.168.1.11
hosts.conf
cat /etc/hosts
127.0.0.1 localhost
192.168.1.11 dc11.intranet.domain.com dc11
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
I think that covers it for what was requested. If not please ask away.
--
Regards,
Phil