Mandi! Rowland Penny via samba In chel di` si favelave...> Is this on a DC ?No, is a DM.> If it isn't, Try setting it up exactly like it is shown on the > wikipage, note that you only need the 'vfs objects' line if it isn't > set in [global]Wikipage say only: Create a new share. For details, see Setting up a Share Using Windows ACLs. and https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs say exactly i'm added to my configuration; for a sake of completeness, i've removed the 'csc policy = disable' and 'browseable = no' opts, but nothing changed. Now my share is: [profiles] comment = Network Profiles Share path = /srv/samba/profiles store dos attributes = Yes map acl inherit = Yes read only = No vfs objects = acl_xattr I've just double-checked again the ACL, and seems exactly as specification (share and filesystem root spec). I say 'seems' because there's also other ACL (CREATOR GROUP, Everyone, ...) that seems i cannot remove (i've only sed 'Eeveryone' to 'no access'). I've manually created 'gaio.V2' folder, setting it gaio:"Domain Users" 700, but profiles still get not saved. (supposing was a 'folder creation' trouble...) If i set 'profile path' in user data, eg: root at vdmsv1:/srv/samba/profiles# ldbsearch -H ldap://vdcsv1 -P -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" profilePath | grep ^profilePath: profilePath: \\vdmsv1\profiles\gaio roaming profile works as expected. Boh... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
I don't know if is relevant and maybe is the same as GPO that you've created, but Ive a profiles folder with this configuration: [profiles] path = /server/share/profiles read only = no browsable = no Other options are on my smb.conf global section so is the same as your configuration. Next I've changed the profile path on the user configuration instead use a GPO and is working as expected. Maybe is a way to test with an user if is a problem of the GPO instead a share problem. Greetings!! 2017-11-30 13:01 GMT+01:00 Marco Gaiarin via samba <samba at lists.samba.org>:> Mandi! Rowland Penny via samba > In chel di` si favelave... > > > Is this on a DC ? > > No, is a DM. > > > > If it isn't, Try setting it up exactly like it is shown on the > > wikipage, note that you only need the 'vfs objects' line if it isn't > > set in [global] > > Wikipage say only: > > Create a new share. For details, see Setting up a Share Using Windows > ACLs. > > and https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > say exactly i'm added to my configuration; for a sake of completeness, > i've removed the 'csc policy = disable' and 'browseable = no' opts, but > nothing changed. Now my share is: > > [profiles] > comment = Network Profiles Share > path = /srv/samba/profiles > store dos attributes = Yes > map acl inherit = Yes > read only = No > vfs objects = acl_xattr > > I've just double-checked again the ACL, and seems exactly as > specification (share and filesystem root spec). I say 'seems' because > there's also other ACL (CREATOR GROUP, Everyone, ...) that seems i > cannot remove (i've only sed 'Eeveryone' to 'no access'). > > > I've manually created 'gaio.V2' folder, setting it gaio:"Domain Users" > 700, but profiles still get not saved. > (supposing was a 'folder creation' trouble...) > > > If i set 'profile path' in user data, eg: > > root at vdmsv1:/srv/samba/profiles# ldbsearch -H ldap://vdcsv1 -P -b > DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" profilePath | grep ^profilePath: > profilePath: \\vdmsv1\profiles\gaio > > roaming profile works as expected. > > > Boh... > > -- > dott. Marco Gaiarin GNUPG Key ID: > 240A3D66 > Associazione ``La Nostra Famiglia'' > http://www.lanostrafamiglia.it/ > Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento > (PN) > marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f > +39-0434-842797 > > Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! > http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 > (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA) > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- _________________________________________ Daniel Carrasco Marín Ingeniería para la Innovación i2TIC, S.L. Tlf: +34 911 12 32 84 Ext: 223 www.i2tic.com _________________________________________
i've seen that is similar to your latest test. What about a gpresult -h result.html. The GPo is appplied to the user? Greetings!! 2017-11-30 13:29 GMT+01:00 Daniel Carrasco <d.carrasco at i2tic.com>:> I don't know if is relevant and maybe is the same as GPO that you've > created, but Ive a profiles folder with this configuration: > > [profiles] > path = /server/share/profiles > read only = no > browsable = no > > Other options are on my smb.conf global section so is the same as your > configuration. > > Next I've changed the profile path on the user configuration instead use a > GPO and is working as expected. Maybe is a way to test with an user if is a > problem of the GPO instead a share problem. > > Greetings!! > > 2017-11-30 13:01 GMT+01:00 Marco Gaiarin via samba <samba at lists.samba.org> > : > >> Mandi! Rowland Penny via samba >> In chel di` si favelave... >> >> > Is this on a DC ? >> >> No, is a DM. >> >> >> > If it isn't, Try setting it up exactly like it is shown on the >> > wikipage, note that you only need the 'vfs objects' line if it isn't >> > set in [global] >> >> Wikipage say only: >> >> Create a new share. For details, see Setting up a Share Using Windows >> ACLs. >> >> and https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Wi >> ndows_ACLs >> say exactly i'm added to my configuration; for a sake of completeness, >> i've removed the 'csc policy = disable' and 'browseable = no' opts, but >> nothing changed. Now my share is: >> >> [profiles] >> comment = Network Profiles Share >> path = /srv/samba/profiles >> store dos attributes = Yes >> map acl inherit = Yes >> read only = No >> vfs objects = acl_xattr >> >> I've just double-checked again the ACL, and seems exactly as >> specification (share and filesystem root spec). I say 'seems' because >> there's also other ACL (CREATOR GROUP, Everyone, ...) that seems i >> cannot remove (i've only sed 'Eeveryone' to 'no access'). >> >> >> I've manually created 'gaio.V2' folder, setting it gaio:"Domain Users" >> 700, but profiles still get not saved. >> (supposing was a 'folder creation' trouble...) >> >> >> If i set 'profile path' in user data, eg: >> >> root at vdmsv1:/srv/samba/profiles# ldbsearch -H ldap://vdcsv1 -P -b >> DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" profilePath | grep ^profilePath: >> profilePath: \\vdmsv1\profiles\gaio >> >> roaming profile works as expected. >> >> >> Boh... >> >> -- >> dott. Marco Gaiarin GNUPG Key ID: >> 240A3D66 >> Associazione ``La Nostra Famiglia'' >> http://www.lanostrafamiglia.it/ >> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento >> (PN) >> marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f >> +39-0434-842797 >> >> Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! >> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 >> (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA) >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > > > > -- > _________________________________________ > > Daniel Carrasco Marín > Ingeniería para la Innovación i2TIC, S.L. > Tlf: +34 911 12 32 84 Ext: 223 > www.i2tic.com > _________________________________________ >-- _________________________________________ Daniel Carrasco Marín Ingeniería para la Innovación i2TIC, S.L. Tlf: +34 911 12 32 84 Ext: 223 www.i2tic.com _________________________________________
On Thu, 30 Nov 2017 13:01:09 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote:> Mandi! Rowland Penny via samba > In chel di` si favelave... > > > Is this on a DC ? > > No, is a DM. > > > > If it isn't, Try setting it up exactly like it is shown on the > > wikipage, note that you only need the 'vfs objects' line if it isn't > > set in [global] > > Wikipage say only: > > Create a new share. For details, see Setting up a Share Using > Windows ACLs. > > and > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > say exactly i'm added to my configuration;No it doesn't, it says: [Demo] path = /srv/samba/Demo/ read only = no So, your profile share should be: [profiles] comment = Network Profiles Share path = /srv/samba/profiles read only = No Now set the ACLs from windows. Your profile share is nearer the one to use if you are using POSIX ACLs Rowland
Mandi! Rowland Penny via samba In chel di` si favelave...> > Wikipage say only: > > Create a new share. For details, see Setting up a Share Using > > Windows ACLs. > > and > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > > say exactly i'm added to my configuration;> No it doesn't, it says:Ahem, the above link say also (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File): To configure shares using extended access control lists (ACL), you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file: vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes [...] Alternatively, to enable extended ACL support only for a specific share, add the parameters to the share's section. Because i don't want to use on every share Windows ACL, i've simply added that parameters to that share. I've anyway tried to remove is, but clearly does not work: remeins only POSIX ACL available, and so complex permission cannot be set (and, groups like 'domain admins' that have no GID cannot be set at all). -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)