samba - Sep 2018 - Samba 4: 'Access denied' error when accessing user profile during logon

Hello,

After joining Windows 7 to a Samba 4 (AD), when logging on I experience 
'Access denied' error accessing user profile. As a result, Windows 
creates temporary profile for the domain user (the profile is deleted 
upon logoff).

The roaming profiles directory has been created according to 
instructions in

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Note: the home directory (also shared by the AD DC) is accessible 
without problem, user can create/delete/whatever objects in it without 
problems.

For every domain user 'username' profilePath has been set to 
\\DC\profiles\username , using ldbmodify, i.e. via a string

profilePath: \\DC\profiles\username

in corresponding LDIF.

Technical details:

OS: Ubuntu 18.04.1, Samba version (package) 
4.7.6+dfsg~ubuntu-0ubuntu2.2, latest in official repository.

# samba-tool testparm
[global]
	bind interfaces only = Yes
	interfaces = lo ens3
	log file = /var/log/samba/log.%m
	log level = 3
	map to guest = Bad User
	max log size = 1000
	netbios name = DC
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passdb backend = tdbsam
	passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	realm = AD-LAN.COM
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbindd, ntp_signd, kcc, dnsupdate
	server string = AD-LAN.COM domain controller
	template homedir = /home/%u
	template shell = /bin/bash
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls enabled = Yes
	tls keyfile = tls/key.pem
	unix password sync = Yes
	usershare allow guests = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind nss info = rfc2307
	workgroup = AD-LAN
	acl:search = no
	idmap_ldb:use rfc2307 = yes

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/sysvol/ad-lan.com/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[profiles]
	browseable = No
	comment = Users profiles
	csc policy = disable
	force create mode = 0600
	force directory mode = 0700
	path = /srv/samba/profiles/
	read only = No
	store dos attributes = Yes
	vfs objects = acl_xattr

[users]
	force create mode = 0600
	force directory mode = 0700
	path = /srv/samba/users/
	read only = No

[printers]
	browseable = No
	comment = All Printers
	create mask = 0700
	path = /var/spool/samba
	printable = Yes

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

## In Samba log files matching the computer's IP:
# cat /var/log/samba/log.10.11.12.153

[...]
[2018/09/20 10:15:57.475422,  3] 
../source3/smbd/msdfs.c:1008(get_referred_path)
   get_referred_path: |profiles| in dfs path \DC\profiles is not a dfs 
root.
[2018/09/20 10:15:57.475451,  3] 
../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2018/09/20 10:15:57.475858,  3] ../lib/util/access.c:365(allow_access)
   Allowed connection from 10.11.12.153 (10.11.12.153)
[2018/09/20 10:15:57.475912,  3] 
../source3/smbd/service.c:595(make_connection_snum)
   Connect path is '/srv/samba/profiles/' for service [profiles]
[2018/09/20 10:15:57.475938,  3] 
../source3/smbd/vfs.c:113(vfs_init_default)
   Initialising default vfs hooks
[2018/09/20 10:15:57.475946,  3] 
../source3/smbd/vfs.c:139(vfs_init_custom)
   Initialising custom vfs hooks from [/[Default VFS]/]
[2018/09/20 10:15:57.475954,  3] 
../source3/smbd/vfs.c:139(vfs_init_custom)
   Initialising custom vfs hooks from [acl_xattr]
[2018/09/20 10:15:57.475966,  2] 
../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
   connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true'
and 'force unknown acl user = true' for service profiles
[2018/09/20 10:15:57.476109,  2] 
../source3/smbd/service.c:841(make_connection_snum)
   10.11.12.153 (ipv4:10.11.12.153:61964) connect to service profiles 
initially as user AD-LAN\mbo (uid=1000, gid=513) (pid 7848)
[...]

I would appreciate pieces of advice on what causes the mentioned "Access 
denied" problem and how to handle it.

Sincerely,
Konstantin

Hello,

Looks like the solution was rather simple.

If user profile matching OS doesn't yet exist, Windows attempts to 
create one under '[profiles]'. I.e., for user 'username' Windows
7 will
attempt to create [profiledir]\username.V2

If it can't create that directory, 'Access denied' is written to
system
event log and a temporary profile is created.

The solution (following the default how-to directories structure):

# chmod g+w /srv/samba/profiles

The hint posted in

https://windowsserveressentials.com/2011/02/25/quick-fix-access-denied-to-romaing-profile-windows-7/

Note: taking the above into account, I believe that corresponding 
section (Using POSIX ACLs) should be updated in

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

namely, replace

# chmod 1750 /srv/samba/profiles/

with

# chmod 1770 /srv/samba/profiles/

Sincerely,
Konstantin

Konstantin Boyandin via samba писал 2018-09-20 12:25:
> Hello,
> 
> After joining Windows 7 to a Samba 4 (AD), when logging on I
> experience 'Access denied' error accessing user profile. As a
result,
> Windows creates temporary profile for the domain user (the profile is
> deleted upon logoff).
> 
> [...]

Hai, 

Sorry to say but.. 
> The solution (following the default how-to directories structure):
No, the solution is to setup correctly. 
Just do a a small test here to see if its all correct. 

With a windows computer, browse to \\server 

Right klik the profiles share, check security. 
	If this is set correct, the user should not be able to see the rights. 

Repaet, now as Adminsitrator. 
	You should see the needed rights.

And in my thats on  \\server\profiles 
Creator Owner ( 1700 ) 	Full with Special rights ( Appy to Only subfolders and
files )
Administrator 		Full control ( Appy to This Folder, subfolders and files ) 
Domain Users 		Special with browse/exec, Read file/folder, create/add folder  (
Only this folder )

And in my thats on  \\server\profiles\user.v2 
The resulting user folders should show ( in Windows ) 
SYSTEM 	Full control
Username 	Full control


Which results in ( for me ) with getfacl 

# file: home/samba/profiles
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:mask::rwx
default:other::---

#( Group 2005 is SYSTEM  ) 
# file: home/samba/profiles/username.V2
# owner: username
# group: domain\040users
user::rwx
user:username:rwx
group::---
group:2005:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:username:rwx
default:group::---
default:group:2005:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---

Now, you will probely get diffent ( more relaxed ) results, which in the end
might give problems for the Win pc's.

Set : 
[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

And now apply the rights again from within windows. 
And dont touch it with chmod again.. 
If needed use setfacl/getfacl. 
If you think its complex, then read :
https://serversforhackers.com/c/beyond-permissions-linux-acls
Good explained. 

The acl_xattr:ignore system acl = yes in profiles is imo a must because,
you will have much less problems with your profile folders and the rights
windows expects.


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Konstantin Boyandin via samba
> Verzonden: donderdag 20 september 2018 9:26
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] [SOLVED] Samba 4: 'Access denied' error 
> when accessing user profile during logon
> 
> Hello,
> 
> Looks like the solution was rather simple.
> 
> If user profile matching OS doesn't yet exist, Windows attempts to 
> create one under '[profiles]'. I.e., for user 'username' 
> Windows 7 will 
> attempt to create [profiledir]\username.V2
> 
> If it can't create that directory, 'Access denied' is written 
> to system 
> event log and a temporary profile is created.
> 
> The solution (following the default how-to directories structure):
> 
> # chmod g+w /srv/samba/profiles
> 
> The hint posted in
> 
> https://windowsserveressentials.com/2011/02/25/quick-fix-acces
> s-denied-to-romaing-profile-windows-7/
> 
> Note: taking the above into account, I believe that corresponding 
> section (Using POSIX ACLs) should be updated in
> 
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> 
> namely, replace
> 
> # chmod 1750 /srv/samba/profiles/
> 
> with
> 
> # chmod 1770 /srv/samba/profiles/
> 
> Sincerely,
> Konstantin
> 
> Konstantin Boyandin via samba ?????????? 2018-09-20 12:25:
> > Hello,
> > 
> > After joining Windows 7 to a Samba 4 (AD), when logging on I
> > experience 'Access denied' error accessing user profile. As 
> a result,
> > Windows creates temporary profile for the domain user (the 
> profile is
> > deleted upon logoff).
> > 
> > [...]
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On Thu, 20 Sep 2018 12:25:00 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> After joining Windows 7 to a Samba 4 (AD), when logging on I
> experience 'Access denied' error accessing user profile. As a
result,
> Windows creates temporary profile for the domain user (the profile is
> deleted upon logoff).
> 
> The roaming profiles directory has been created according to 
> instructions in
> 
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
No it hasn't 
> 
> Note: the home directory (also shared by the AD DC) is accessible 
> without problem, user can create/delete/whatever objects in it
> without problems.
> 
> For every domain user 'username' profilePath has been set to 
> \\DC\profiles\username , using ldbmodify, i.e. via a string
> 
> profilePath: \\DC\profiles\username
> 
> in corresponding LDIF.
> 
> Technical details:
> 
> OS: Ubuntu 18.04.1, Samba version (package) 
> 4.7.6+dfsg~ubuntu-0ubuntu2.2, latest in official repository.
> 
> # samba-tool testparm
[global]
	netbios name = DC
	realm = AD-LAN.COM
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = AD-LAN
	idmap_ldb:use rfc2307 = yes
	server string = AD-LAN.COM domain controller
	bind interfaces only = Yes
	interfaces = lo ens3
	log file = /var/log/samba/log.%m
	log level = 3
	max log size = 1000
	template homedir = /home/%u
	template shell = /bin/bash
	panic action = /usr/share/samba/panic-action %d

Nothing wrong with the above

	passdb backend = tdbsam
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls enabled = Yes
	tls keyfile = tls/key.pem

The above lines are not required, they are the defaults

	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n
*password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	unix password sync = Yes
	usershare allow guests = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind nss info = rfc2307
	acl:search = no

Why have you set these on a DC ?
Especially 'unix password sync = Yes' ???
You don't map Unix users in AD.
 
> [profiles]
> 	browseable = No
> 	comment = Users profiles
> 	csc policy = disable
> 	force create mode = 0600
> 	force directory mode = 0700
> 	path = /srv/samba/profiles/
> 	read only = No
> 	store dos attributes = Yes
> 	vfs objects = acl_xattr
> 
We now come to your main problem, yes, you have set up the profiles
share as per the wiki page, but you totally missed the big blue info
box that says:

When setting up the share on a Samba Active Directory (AD) domain
controller (DC), you cannot use POSIX ACLs. On an Samba DC, only shares
using extended ACLs are supported. For further details, see Enable
Extended ACL Support in the smb.conf File. To set up the share on a
Samba AD DC, see Setting up the Profiles Share on the Samba File Server
- Using Windows ACLs.

You are trying to do it with POSIX ACLs, it will not work.

You must set up the profiles share from Windows, as shown above the
heading 'Using POSIX ACLs'

Finally, the last line of the log fragment contains this:

connect to service profiles initially as user AD-LAN\mbo (uid=1000,
gid=513) (pid 7848)

Did you classic upgrade a PDC to AD, if not, why are you using IDs like
'100' and '513' ?

Rowland

Thanks for the response. I followed your instructions:

- set the "chmod 1750 /srv/samba/profiles"

- set, after logging as AD-LAN\Administrator, the permissions for 
\\DC\profiles :

Creator Owner: all; applied to: Subfolders and files
Administrator: all; applied to: This folder, Subfolders and files
Domain Users: Traverse folder/Execute file,List folder/Read data,Read 
attributes,Read extended attributes,Create files/Write data,Create 
folders/Append data; applied to: This folder only

Results:

1. Permissions mask:
# ls -al /srv/samba | grep profiles
drwxrwx--T+ 1 root AD-LAN\domain users   34 Sep 21 11:25 profiles

2. ACL list for [profiles]
# getfacl /srv/samba/profiles
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/profiles
# owner: root
# group: AD-LAN\134domain\040users
# flags: --t
user::rwx
user:root:rwx
group::rwx
group:AD-LAN\134domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:mask::rwx
default:other::---

3. When logging in without local profile/roaming profile, username gets 
a roaming profile folder created:
# getfacl /srv/samba/profiles/username.V2
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/profiles/username.V2
# owner: AD-LAN\134username
# group: AD-LAN\134domain\040users
user::rwx
user:AD-LAN\134username:rwx
user:3000000:rwx
group::---
group:AD-LAN\134domain\040users:---
group:NT\040AUTHORITY\134system:rwx
mask::rwx
other::---
default:user::rwx
default:user:AD-LAN\134username:rwx
default:user:3000000:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:group:NT\040AUTHORITY\134system:rwx
default:mask::rwx
default:other::---

4. The non-Administrator domain users cannot access profiles 
permissions, nor they can access profiles of other users.

Is the above fine from viewpoint of access rights?

Sincerely,
Konstantin

L.P.H. van Belle via samba писал 2018-09-20 16:01:
> Hai,
> 
> Sorry to say but..
>> The solution (following the default how-to directories structure):
> 
> No, the solution is to setup correctly.
> Just do a a small test here to see if its all correct.
> 
> With a windows computer, browse to \\server
> 
> Right klik the profiles share, check security.
> 	If this is set correct, the user should not be able to see the rights.
> 
> Repaet, now as Adminsitrator.
> 	You should see the needed rights.
> 
> And in my thats on  \\server\profiles
> Creator Owner ( 1700 ) 	Full with Special rights ( Appy to Only
> subfolders and files )
> Administrator 		Full control ( Appy to This Folder, subfolders and 
> files )
> Domain Users 		Special with browse/exec, Read file/folder, create/add
> folder  ( Only this folder )
> 
> And in my thats on  \\server\profiles\user.v2
> The resulting user folders should show ( in Windows )
> SYSTEM 	Full control
> Username 	Full control
> 
> 
> Which results in ( for me ) with getfacl
> 
> # file: home/samba/profiles
> # owner: root
> # group: root
> # flags: --t
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:mask::rwx
> default:other::---
> 
> #( Group 2005 is SYSTEM  )
> # file: home/samba/profiles/username.V2
> # owner: username
> # group: domain\040users
> user::rwx
> user:username:rwx
> group::---
> group:2005:rwx
> group:domain\040users:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:username:rwx
> default:group::---
> default:group:2005:rwx
> default:group:domain\040users:---
> default:mask::rwx
> default:other::---
> 
> Now, you will probely get diffent ( more relaxed ) results, which in
> the end might give problems for the Win pc's.
> 
> Set :
> [profiles]
>     browseable = yes
>     path = /home/samba/profiles
>     read only = no
>     acl_xattr:ignore system acl = yes
> 
> And now apply the rights again from within windows.
> And dont touch it with chmod again..
> If needed use setfacl/getfacl.
> If you think its complex, then read :
> https://serversforhackers.com/c/beyond-permissions-linux-acls
> Good explained.
> 
> The acl_xattr:ignore system acl = yes in profiles is imo a must 
> because,
> you will have much less problems with your profile folders and the
> rights windows expects.
> 
> 
> Greetz,
> 
> Louis
> 
> 
> 
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Konstantin Boyandin via samba
>> Verzonden: donderdag 20 september 2018 9:26
>> Aan: samba at lists.samba.org
>> Onderwerp: [Samba] [SOLVED] Samba 4: 'Access denied' error
>> when accessing user profile during logon
>> 
>> Hello,
>> 
>> Looks like the solution was rather simple.
>> 
>> If user profile matching OS doesn't yet exist, Windows attempts to
>> create one under '[profiles]'. I.e., for user
'username'
>> Windows 7 will
>> attempt to create [profiledir]\username.V2
>> 
>> If it can't create that directory, 'Access denied' is
written
>> to system
>> event log and a temporary profile is created.
>> 
>> The solution (following the default how-to directories structure):
>> 
>> # chmod g+w /srv/samba/profiles
>> 
>> The hint posted in
>> 
>> https://windowsserveressentials.com/2011/02/25/quick-fix-acces
>> s-denied-to-romaing-profile-windows-7/
>> 
>> Note: taking the above into account, I believe that corresponding
>> section (Using POSIX ACLs) should be updated in
>> 
>> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>> 
>> namely, replace
>> 
>> # chmod 1750 /srv/samba/profiles/
>> 
>> with
>> 
>> # chmod 1770 /srv/samba/profiles/
>> 
>> Sincerely,
>> Konstantin
>> 
>> Konstantin Boyandin via samba ?????????? 2018-09-20 12:25:
>> > Hello,
>> >
>> > After joining Windows 7 to a Samba 4 (AD), when logging on I
>> > experience 'Access denied' error accessing user profile.
As
>> a result,
>> > Windows creates temporary profile for the domain user (the
>> profile is
>> > deleted upon logoff).
>> >
>> > [...]
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
>>

Hai, 

Now, i did not know you used the DC for the profiles here but yes it looks good.

Small comment on point 3 and 4. 
3) Its good, you might notice a few more rights there compaired to what i
posted,
thats because you have your profiles on the DC but the settings are good. 

4) yes, the security is ok, i like the higher security setting and try to mimic
the windows settings as much as possible.
You can relax it a bit, but i dont recommend that. 

Your ready for the next step ;-) 

And a tip ahead. 
Settings like this apply to \\server\ ( users-home)  | profiles | print$  for
example.

The why?, because this these shares might needs some extra windows love ;-) 
On these shares i apply the ignore systemacls to mimic the windows rights as
close as possible.
Reason for that is simple, less problems, but this doe depend on how you use the
network.

Test what applies best for you, but these shares where "normaly" only
windows connect to.
I set the ignore systemacl's.  Try it and test it. 
Shares which need "\SYSTEM" for example are best to set the ignore. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Konstantin Boyandin via samba
> Verzonden: vrijdag 21 september 2018 6:49
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] [SOLVED] Samba 4: 'Access denied' 
> error when accessing user profile during logon
> 
> Thanks for the response. I followed your instructions:
> 
> - set the "chmod 1750 /srv/samba/profiles"
> 
> - set, after logging as AD-LAN\Administrator, the permissions for 
> \\DC\profiles :
> 
> Creator Owner: all; applied to: Subfolders and files
> Administrator: all; applied to: This folder, Subfolders and files
> Domain Users: Traverse folder/Execute file,List folder/Read data,Read 
> attributes,Read extended attributes,Create files/Write data,Create 
> folders/Append data; applied to: This folder only
> 
> Results:
> 
> 1. Permissions mask:
> # ls -al /srv/samba | grep profiles
> drwxrwx--T+ 1 root AD-LAN\domain users   34 Sep 21 11:25 profiles
> 
> 2. ACL list for [profiles]
> # getfacl /srv/samba/profiles
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/profiles
> # owner: root
> # group: AD-LAN\134domain\040users
> # flags: --t
> user::rwx
> user:root:rwx
> group::rwx
> group:AD-LAN\134domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:AD-LAN\134domain\040users:---
> default:mask::rwx
> default:other::---
> 
> 3. When logging in without local profile/roaming profile, 
> username gets 
> a roaming profile folder created:
> # getfacl /srv/samba/profiles/username.V2
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/profiles/username.V2
> # owner: AD-LAN\134username
> # group: AD-LAN\134domain\040users
> user::rwx
> user:AD-LAN\134username:rwx
> user:3000000:rwx
> group::---
> group:AD-LAN\134domain\040users:---
> group:NT\040AUTHORITY\134system:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:AD-LAN\134username:rwx
> default:user:3000000:rwx
> default:group::---
> default:group:AD-LAN\134domain\040users:---
> default:group:NT\040AUTHORITY\134system:rwx
> default:mask::rwx
> default:other::---
> 
> 4. The non-Administrator domain users cannot access profiles 
> permissions, nor they can access profiles of other users.
> 
> Is the above fine from viewpoint of access rights?
> 
> Sincerely,
> Konstantin
> 
> L.P.H. van Belle via samba ?????????? 2018-09-20 16:01:
> > Hai,
> > 
> > Sorry to say but..
> >> The solution (following the default how-to directories structure):
> > 
> > No, the solution is to setup correctly.
> > Just do a a small test here to see if its all correct.
> > 
> > With a windows computer, browse to \\server
> > 
> > Right klik the profiles share, check security.
> > 	If this is set correct, the user should not be able to 
> see the rights.
> > 
> > Repaet, now as Adminsitrator.
> > 	You should see the needed rights.
> > 
> > And in my thats on  \\server\profiles
> > Creator Owner ( 1700 ) 	Full with Special rights ( Appy to Only
> > subfolders and files )
> > Administrator 		Full control ( Appy to This 
> Folder, subfolders and 
> > files )
> > Domain Users 		Special with browse/exec, Read 
> file/folder, create/add
> > folder  ( Only this folder )
> > 
> > And in my thats on  \\server\profiles\user.v2
> > The resulting user folders should show ( in Windows )
> > SYSTEM 	Full control
> > Username 	Full control
> > 
> > 
> > Which results in ( for me ) with getfacl
> > 
> > # file: home/samba/profiles
> > # owner: root
> > # group: root
> > # flags: --t
> > user::rwx
> > user:root:rwx
> > group::---
> > group:root:---
> > group:domain\040users:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:group::---
> > default:group:root:---
> > default:mask::rwx
> > default:other::---
> > 
> > #( Group 2005 is SYSTEM  )
> > # file: home/samba/profiles/username.V2
> > # owner: username
> > # group: domain\040users
> > user::rwx
> > user:username:rwx
> > group::---
> > group:2005:rwx
> > group:domain\040users:---
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:username:rwx
> > default:group::---
> > default:group:2005:rwx
> > default:group:domain\040users:---
> > default:mask::rwx
> > default:other::---
> > 
> > Now, you will probely get diffent ( more relaxed ) results, which in
> > the end might give problems for the Win pc's.
> > 
> > Set :
> > [profiles]
> >     browseable = yes
> >     path = /home/samba/profiles
> >     read only = no
> >     acl_xattr:ignore system acl = yes
> > 
> > And now apply the rights again from within windows.
> > And dont touch it with chmod again..
> > If needed use setfacl/getfacl.
> > If you think its complex, then read :
> > https://serversforhackers.com/c/beyond-permissions-linux-acls
> > Good explained.
> > 
> > The acl_xattr:ignore system acl = yes in profiles is imo a must 
> > because,
> > you will have much less problems with your profile folders and the
> > rights windows expects.
> > 
> > 
> > Greetz,
> > 
> > Louis
> > 
> > 
> > 
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> >> Konstantin Boyandin via samba
> >> Verzonden: donderdag 20 september 2018 9:26
> >> Aan: samba at lists.samba.org
> >> Onderwerp: [Samba] [SOLVED] Samba 4: 'Access denied' error
> >> when accessing user profile during logon
> >> 
> >> Hello,
> >> 
> >> Looks like the solution was rather simple.
> >> 
> >> If user profile matching OS doesn't yet exist, Windows
attempts to
> >> create one under '[profiles]'. I.e., for user
'username'
> >> Windows 7 will
> >> attempt to create [profiledir]\username.V2
> >> 
> >> If it can't create that directory, 'Access denied' is
written
> >> to system
> >> event log and a temporary profile is created.
> >> 
> >> The solution (following the default how-to directories structure):
> >> 
> >> # chmod g+w /srv/samba/profiles
> >> 
> >> The hint posted in
> >> 
> >> https://windowsserveressentials.com/2011/02/25/quick-fix-acces
> >> s-denied-to-romaing-profile-windows-7/
> >> 
> >> Note: taking the above into account, I believe that corresponding
> >> section (Using POSIX ACLs) should be updated in
> >> 
> >> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> >> 
> >> namely, replace
> >> 
> >> # chmod 1750 /srv/samba/profiles/
> >> 
> >> with
> >> 
> >> # chmod 1770 /srv/samba/profiles/
> >> 
> >> Sincerely,
> >> Konstantin
> >> 
> >> Konstantin Boyandin via samba ?????????? 2018-09-20 12:25:
> >> > Hello,
> >> >
> >> > After joining Windows 7 to a Samba 4 (AD), when logging on I
> >> > experience 'Access denied' error accessing user
profile. As
> >> a result,
> >> > Windows creates temporary profile for the domain user (the
> >> profile is
> >> > deleted upon logoff).
> >> >
> >> > [...]
> >> 
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >> 
> >> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>