Looks pretty OK to me, a few pointers.
> /etc/init.d/winbind stop ( debian stretch: systemctl stop winbind )
> /etc/init.d/samba stop ( debian stretch: systemctl stop samba )
Or .. systemctl stop samba winbind
Getting used to systemctl is my advice. Handy things are:
systemctl edit ( add a custom part in the override.conf files )
systemctl edit --full ( copy full settings )
Samba: smb.conf
winbind enum users = yes
winbind enum groups = yes
Change these to no; use yes for testing, in production no.
Missing... ( so add )
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
[profiles]
comment = Users profiles
path = /home/EXAMPLE/profiles
browseable = Yes
read only = No
force create mode = 0600
force directory mode = 0700
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr
But you missed : > chmod 1750 /home/EXAMPLE/profiles/
Who "owns" /home/EXAMPLE/profiles?
Try again with
chmod 1777 /home/EXAMPLE/profiles/
IMO, now nobody from your domain may access profiles.
Why? I'll bet the 1750 is (1) (7-root) (5-root) (0-everybody) on the file
system.
I normally use:
# Create these share folders
mkdir -p /home/samba/{profiles,users,data}
chmod 3771 /home/samba ( note the last 1, that allows traversal through )
chmod 1777 /home/samba/profiles
# ! Note, Kerberos needs access in a user's home to check ( or set:
ignore_k5login = true in krb5.conf )
chmod 1770 /home/samba/users
# on the data folder we want creator owner and group. The group maps to
"domain users"
chmod 3770 /home/samba/data
https://github.com/thctlo/samba4/tree/master/howtos
Read the one with 3.2.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Michael Funke via samba
> Sent: Wednesday 20 June 2018 13:42
> To: Rowland Penny via samba
> Subject: [Samba] Roaming profiles
>
> Hey,
>
> I want to use a debian stretch with samba 4 as a fileserver,
> but I have
> problems with the access.
>
> Here is what I did:
>
> apt-get install samba winbind libpam-heimdal libnss-winbind
> /etc/init.d/winbind stop
> /etc/init.d/samba stop
> nano /etc/krb5.conf https://pastebin.com/rkBPJ2Wz
> nano /etc/samba/smb.conf https://pastebin.com/h1cJZ6sM
> nano /etc/nsswitch.conf https://pastebin.com/gxK2rJLU
>
> getent hosts fs
>
> smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
> rm -v /var/run/samba/*.tdb /var/run/samba/*.ldb /var/lib/samba/*.tdb
> /var/lib/samba/*.ldb /var/cache/samba/*.tdb /var/cache/samba/*.ldb
> /var/lib/samba/private/*.tdb /var/lib/samba/private/*.ldb
>
> reboot
>
> net ads join -U administrator
> /etc/init.d/winbind start
>
> wbinfo --ping-dc
> getent passwd
> getent group
>
> net rpc rights grant "EXAMPLE\Domänen-Admins"
> SeDiskOperatorPrivilege -U
> "EXAMPLE\administrator"
> net rpc rights list privileges SeDiskOperatorPrivilege -U
> "EXAMPLE\administrator"
>
> mkdir -p /home/EXAMPLE/profiles
> chgrp -R domänen-benutzer /home/EXAMPLE/profiles/
> chmod 1750 /home/EXAMPLE/profiles/
>
> smbcontrol all reload-config
>
> What did I do wrong?
>
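As a reading aid for the chmod modes in this thread, an added example that is not part of either message: two hypothetical shell helpers, `special_bits` and `dir_access`, decode a four-digit octal mode into its special bits and into what owner, group and other may do in the directory. It only does arithmetic on the mode; real access also depends on who owns the directory and on any ACLs.

```shell
#!/bin/sh
# Added example: decode the chmod modes from this thread by arithmetic only.
# special_bits and dir_access are hypothetical helper names; nothing on disk
# is read or changed, and ownership and ACLs are not considered.

# special_bits MODE -> special bits set in the leading octal digit
special_bits() {
    m=$((0$1)); out=""
    if [ $((m & 04000)) -ne 0 ]; then out="$out setuid"; fi
    if [ $((m & 02000)) -ne 0 ]; then out="$out setgid"; fi
    if [ $((m & 01000)) -ne 0 ]; then out="$out sticky"; fi
    out=${out# }
    echo "${out:-none}"
}

# dir_access MODE CLASS -> what CLASS (owner|group|other) may do in a directory
dir_access() {
    m=$((0$1))
    case "$2" in
        owner) bits=$(( (m >> 6) & 7 )) ;;
        group) bits=$(( (m >> 3) & 7 )) ;;
        other) bits=$(( m & 7 )) ;;
        *) echo "unknown class: $2" >&2; return 2 ;;
    esac
    out=""
    if [ $((bits & 4)) -ne 0 ]; then out="$out list"; fi
    if [ $((bits & 1)) -ne 0 ]; then out="$out traverse"; fi
    # Creating or removing entries needs both write (2) and search (1).
    if [ $((bits & 3)) -eq 3 ]; then out="$out create"; fi
    out=${out# }
    echo "${out:-none}"
}

# Modes and paths as they appear in the two messages above.
for entry in "1750 /home/EXAMPLE/profiles" "1777 /home/EXAMPLE/profiles" \
             "3771 /home/samba" "1777 /home/samba/profiles" \
             "1770 /home/samba/users" "3770 /home/samba/data"; do
    mode=${entry%% *}; path=${entry#* }
    printf '%s %s [%s]\n' "$mode" "$path" "$(special_bits "$mode")"
    for class in owner group other; do
        printf '  %-5s: %s\n' "$class" "$(dir_access "$mode" "$class")"
    done
done
```

With the sticky bit set, an entry in the directory can be removed or renamed only by the entry's owner, the directory's owner, or root, which is what keeps a mode such as 1777 usable for a shared profiles folder.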