L.P.H. van Belle
2018-Sep-21 06:52 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
Hi,

Now, I did not know you used the DC for the profiles here, but yes, it looks good.

Small comment on points 3 and 4.

3) It's good. You might notice a few more rights there compared to what I posted; that's because you have your profiles on the DC, but the settings are good.

4) Yes, the security is OK. I like the higher security setting and try to mimic the Windows settings as much as possible. You can relax it a bit, but I don't recommend that.

You're ready for the next step ;-)

And a tip ahead.
Settings like this apply to \\server\ ( users-home) | profiles | print$ for example.

The why? Because these shares might need some extra Windows love ;-)
On these shares I apply the ignore systemacls to mimic the Windows rights as closely as possible.
Reason for that is simple, fewer problems, but this does depend on how you use the network.

Test what applies best for you, but these are shares where "normally" only Windows connects to.
I set the ignore systemacls. Try it and test it.
Shares which need "\SYSTEM", for example, are best to set the ignore.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Konstantin Boyandin via samba
> Sent: Friday, 21 September 2018 6:49
> To: samba at lists.samba.org
> Subject: Re: [Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
>
> Thanks for the response. I followed your instructions:
>
> - set the "chmod 1750 /srv/samba/profiles"
>
> - set, after logging in as AD-LAN\Administrator, the permissions for \\DC\profiles:
>
> Creator Owner: all; applied to: Subfolders and files
> Administrator: all; applied to: This folder, Subfolders and files
> Domain Users: Traverse folder/Execute file, List folder/Read data, Read attributes, Read extended attributes, Create files/Write data, Create folders/Append data; applied to: This folder only
>
> Results:
>
> 1. Permissions mask:
> # ls -al /srv/samba | grep profiles
> drwxrwx--T+ 1 root AD-LAN\domain users 34 Sep 21 11:25 profiles
>
> 2. ACL list for [profiles]
> # getfacl /srv/samba/profiles
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/profiles
> # owner: root
> # group: AD-LAN\134domain\040users
> # flags: --t
> user::rwx
> user:root:rwx
> group::rwx
> group:AD-LAN\134domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:AD-LAN\134domain\040users:---
> default:mask::rwx
> default:other::---
>
> 3. When logging in without local profile/roaming profile, username gets a roaming profile folder created:
> # getfacl /srv/samba/profiles/username.V2
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/profiles/username.V2
> # owner: AD-LAN\134username
> # group: AD-LAN\134domain\040users
> user::rwx
> user:AD-LAN\134username:rwx
> user:3000000:rwx
> group::---
> group:AD-LAN\134domain\040users:---
> group:NT\040AUTHORITY\134system:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:AD-LAN\134username:rwx
> default:user:3000000:rwx
> default:group::---
> default:group:AD-LAN\134domain\040users:---
> default:group:NT\040AUTHORITY\134system:rwx
> default:mask::rwx
> default:other::---
>
> 4. The non-Administrator domain users cannot access profiles permissions, nor can they access profiles of other users.
>
> Is the above fine from viewpoint of access rights?
>
> Sincerely,
> Konstantin
>
> L.P.H. van Belle via samba wrote on 2018-09-20 16:01:
> > Hi,
> >
> > Sorry to say but..
> >> The solution (following the default how-to directories structure):
> >
> > No, the solution is to set up correctly.
> > Just do a small test here to see if it's all correct.
> >
> > With a Windows computer, browse to \\server
> >
> > Right-click the profiles share, check security.
> > If this is set correctly, the user should not be able to see the rights.
> >
> > Repeat, now as Administrator.
> > You should see the needed rights.
> >
> > And in my that's on \\server\profiles
> > Creator Owner ( 1700 )  Full with Special rights ( Apply to Only subfolders and files )
> > Administrator  Full control ( Apply to This Folder, subfolders and files )
> > Domain Users  Special with browse/exec, Read file/folder, create/add folder ( Only this folder )
> >
> > And in my that's on \\server\profiles\user.v2
> > The resulting user folders should show ( in Windows )
> > SYSTEM  Full control
> > Username  Full control
> >
> > Which results in ( for me ) with getfacl
> >
> > # file: home/samba/profiles
> > # owner: root
> > # group: root
> > # flags: --t
> > user::rwx
> > user:root:rwx
> > group::---
> > group:root:---
> > group:domain\040users:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:group::---
> > default:group:root:---
> > default:mask::rwx
> > default:other::---
> >
> > #( Group 2005 is SYSTEM )
> > # file: home/samba/profiles/username.V2
> > # owner: username
> > # group: domain\040users
> > user::rwx
> > user:username:rwx
> > group::---
> > group:2005:rwx
> > group:domain\040users:---
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:username:rwx
> > default:group::---
> > default:group:2005:rwx
> > default:group:domain\040users:---
> > default:mask::rwx
> > default:other::---
> >
> > Now, you will probably get different ( more relaxed ) results, which in the end might give problems for the Win PCs.
> >
> > Set :
> > [profiles]
> > browseable = yes
> > path = /home/samba/profiles
> > read only = no
> > acl_xattr:ignore system acls = yes
> >
> > And now apply the rights again from within Windows.
> > And don't touch it with chmod again..
> > If needed use setfacl/getfacl.
> > If you think it's complex, then read:
> > https://serversforhackers.com/c/beyond-permissions-linux-acls
> > Well explained.
> >
> > The acl_xattr:ignore system acls = yes in profiles is imo a must because you will have much fewer problems with your profile folders and the rights Windows expects.
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Konstantin Boyandin via samba
> > > Sent: Thursday, 20 September 2018 9:26
> > > To: samba at lists.samba.org
> > > Subject: [Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
> > >
> > > Hello,
> > >
> > > Looks like the solution was rather simple.
> > >
> > > If user profile matching OS doesn't yet exist, Windows attempts to create one under '[profiles]'. I.e., for user 'username' Windows 7 will attempt to create [profiledir]\username.V2
> > >
> > > If it can't create that directory, 'Access denied' is written to system event log and a temporary profile is created.
> > >
> > > The solution (following the default how-to directories structure):
> > >
> > > # chmod g+w /srv/samba/profiles
> > >
> > > The hint posted in
> > >
> > > https://windowsserveressentials.com/2011/02/25/quick-fix-access-denied-to-romaing-profile-windows-7/
> > >
> > > Note: taking the above into account, I believe that corresponding section (Using POSIX ACLs) should be updated in
> > >
> > > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> > >
> > > namely, replace
> > >
> > > # chmod 1750 /srv/samba/profiles/
> > >
> > > with
> > >
> > > # chmod 1770 /srv/samba/profiles/
> > >
> > > Sincerely,
> > > Konstantin
> > >
> > > Konstantin Boyandin via samba wrote on 2018-09-20 12:25:
> > > > Hello,
> > > >
> > > > After joining Windows 7 to a Samba 4 (AD), when logging on I experience 'Access denied' error accessing user profile. As a result, Windows creates temporary profile for the domain user (the profile is deleted upon logoff).
> > > >
> > > > [...]
Rowland Penny
2018-Sep-21 07:06 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
On Fri, 21 Sep 2018 08:52:43 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hi,
>
> Now, I did not know you used the DC for the profiles here, but yes, it looks good.
>
> Small comment on points 3 and 4.
> 3) It's good. You might notice a few more rights there compared to what I posted; that's because you have your profiles on the DC, but the settings are good.
>
> 4) Yes, the security is OK. I like the higher security setting and try to mimic the Windows settings as much as possible. You can relax it a bit, but I don't recommend that.
>
> You're ready for the next step ;-)
>
> And a tip ahead.
> Settings like this apply to \\server\ ( users-home) | profiles | print$ for example.
>
> The why? Because these shares might need some extra Windows love ;-) On these shares I apply the ignore systemacls to mimic the Windows rights as closely as possible. Reason for that is simple, fewer problems, but this does depend on how you use the network.

If you use 'ignore systemacls', then you must also ignore the output of getfacl. This is because you are telling Samba to only use the ACLs found in the EA 'security.NTACL' for the share and these can be, and probably are, different from what getfacl shows.

Rowland
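The getfacl listing for the share root posted earlier in this thread can be checked mechanically. This is an added example, not code from the thread or from the Samba project: it decodes getfacl's octal name escapes and tests a listing for the sticky bit, group create rights and non-inherited group access. The function names, the rules (drawn from the listings in the thread) and the mode-1750 sample are assumptions of this example, and it reads the POSIX ACL only, not 'security.NTACL'.

```python
import re

# getfacl listing of the share root as posted in the thread.
PROFILES_ROOT = r"""# file: srv/samba/profiles
# owner: root
# group: AD-LAN\134domain\040users
# flags: --t
user::rwx
user:root:rwx
group::rwx
group:AD-LAN\134domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:mask::rwx
default:other::---
"""

# Constructed sample: the same directory after a plain "chmod 1750", no extended ACL.
MODE_1750 = r"""# file: srv/samba/profiles
# owner: root
# group: AD-LAN\134domain\040users
# flags: --t
user::rwx
group::r-x
other::---
"""
GROUP = "AD-LAN\\domain users"  # group name as it appears after unescaping

def unescape(name):
    """getfacl prints backslash and space in names as octal (\\134, \\040)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return header fields plus access and default entries keyed by (tag, name)."""
    acl = {"header": {}, "access": {}, "default": {}}
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            acl["header"][key.strip()] = unescape(value.strip())
            continue
        parts = line.split("#")[0].strip().split(":")  # drop "#effective:" notes
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        if len(parts) == 3:  # skips blank lines and getfacl's stderr notice
            acl[scope][(parts[0], unescape(parts[1]))] = parts[2]
    return acl

def effective(acl, scope, key):
    """Rights an entry grants; the mask limits all but owner and other."""
    rights = set(acl[scope].get(key, "")) - {"-"}
    if key not in (("user", ""), ("other", "")):
        rights &= set(acl[scope].get(("mask", ""), "rwx"))
    return rights

def audit_profiles_root(text, users_group):
    """List deviations from the share-root ACL shown in the thread."""
    acl, findings = parse_getfacl(text), []
    if acl["header"].get("flags", "---")[-1:].lower() != "t":
        findings.append("sticky bit is not set")
    keys = [("group", users_group)]
    if acl["header"].get("group") == users_group:
        keys.append(("group", ""))  # owning group is the users group too
    granted = set().union(*(effective(acl, "access", k) for k in keys))
    if not {"w", "x"} <= granted:
        findings.append(users_group + " cannot create profile folders")
    if effective(acl, "access", ("other", "")):
        findings.append("other has access to the share root")
    if any(effective(acl, "default", k) for k in keys + [("other", "")]):
        findings.append("default ACL passes group/other rights to new folders")
    return findings

if __name__ == "__main__":
    for name, sample in (("posted", PROFILES_ROOT), ("chmod 1750", MODE_1750)):
        print(name, audit_profiles_root(sample, GROUP))
```

The posted listing produces no findings, while the mode-1750 sample reports that the group cannot create profile folders, which is the condition behind the original 'Access denied' error.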
L.P.H. van Belle
2018-Sep-21 07:35 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
Hi Rowland,

> If you use 'ignore systemacls', then you must also ignore the output of getfacl. This is because you are telling Samba to only use the ACLs found in the EA 'security.NTACL' for the share and these can be, and probably are, different from what getfacl shows.
>
> Rowland

As far as I've seen, the output of getfacl is exactly what is set in security.NTACL. If that isn't the case then we have a problem, in my opinion.
And you could compare it with: getfattr -n security.NTACL yourFile/folder

And I would not ignore the getfacl, even with the known limitation of the "SYSTEM" and some other BUILTIN\xxx users/groups. As long as we see these (missing) names/groups in numbers I'm fine with it. Linux is not Windows.

Imo, a setting like this has only one problem: changing too much with CHMOD/CHOWN, which might kill the ACLs, and you need to set them again FROM WINDOWS!

This is why you set it, export the settings with getfacl ( if needed recursive ); handy to have that if you need to recover. You set the ACLs in Linux first and from Windows again, and both match again.
Just don't touch it after you've set it.

I'm totally open to a better setup ;-) and if I'm wrong here please tell me; only with comments, we learn.

Greetz,

Louis
Rowland Penny
2018-Sep-21 08:11 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
On Fri, 21 Sep 2018 09:35:13 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> As far as I've seen, the output of getfacl is exactly what is set in security.NTACL. If that isn't the case then we have a problem, in my opinion. And you could compare it with: getfattr -n security.NTACL yourFile/folder
>
> And I would not ignore the getfacl, even with the known limitation of the "SYSTEM" and some other BUILTIN\xxx users/groups. As long as we see these (missing) names/groups in numbers I'm fine with it. Linux is not Windows.
>
> Imo, a setting like this has only one problem: changing too much with CHMOD/CHOWN, which might kill the ACLs, and you need to set them again FROM WINDOWS!
>
> This is why you set it, export the settings with getfacl ( if needed recursive ); handy to have that if you need to recover. You set the ACLs in Linux first and from Windows again, and both match again. Just don't touch it after you've set it.
>
> I'm totally open to a better setup ;-) and if I'm wrong here please tell me; only with comments, we learn.

Try reading 'man vfs_acl_xattr'

This plainly says that ACLs are stored in the EA 'security.NTACL'

It also says that when 'acl_xattr:ignore system acls' is set to 'yes', it will not map to or from the POSIX Layer i.e. the Unix OS.

It also says the following settings will be enforced:

create mask = 0666
directory mask = 0777
map archive = no
map hidden = no
map readonly = no
map system = no
store dos attributes = yes

Rowland
L.P.H. van Belle
2018-Sep-21 08:52 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Friday, 21 September 2018 10:11
> To: samba at lists.samba.org
> Subject: Re: [Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
>
> Try reading 'man vfs_acl_xattr'
>
> This plainly says that ACLs are stored in the EA 'security.NTACL'

OK, I did read that (again) ;-)
Yes, that's correct, but only when you access it from a \\server\share

The setting: acl_xattr:default acl style = posix helps also.

Maybe a misunderstanding, but I don't think so; you correct me.. Yes, you're right about the vfs_acl_xattr.

Why I set both:
User1 is working on Windows, saves a file on a share \\server\share\file ( uses vfs_acl_xattr ).
User2 is working on Linux, logs in with ssh, no shares used, and uses the same file /home/path/folder/file ( and does not use vfs_acl_xattr ).
Here default acl style = posix is doing its work for the 2 users ( mainly the Windows users ).

At least that's how I understood the implementation of these settings.
This is why I set it up like this, so Windows/Linux users see (almost) the same rights.
At least that's how I see it, in the network here. And it works great.

Think of the GPO rights. Only used by Windows.
If you use the sysvol and netlogon shares really only for Windows, then the setting: acl_xattr:default acl style = windows is the best.
But touching the Linux ACLs from within Linux is a no go. That kills your sysvol.
That did happen in 4.5.x and before; I haven't tested that in 4.6+ since I don't have any GPO or sysvol problems.

I think in ( so people understand better why I set some things ):
1) Windows-only users ( note, a computer is a user, don't forget that )
2) Linux-only users
3) Windows and Linux users
4) server services
5) a mix of the above

Based on the use of one of these 5 above, I set up a share.
That's key: set up a share for the way you use it and avoid problems.

Greetz,

Louis
Konstantin Boyandin
2018-Sep-21 14:10 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
Hello Louis,

In fact, the shares mentioned in my original messages are used in Windows-only.

The accounts, however, are used in both Windows and Unix-type environments (we have quite a zoo of OSes in active use); so we actually use the Posix part of accounts for attributes and Kerberos component to authenticate in all non-Windows use.

So my primary intent is to make the homes/profiles shares most convenient and secure from Windows viewpoint.

Thanks.

Sincerely,
Konstantin
Rowland Penny
2018-Sep-21 14:38 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
On 21 Sep 2018 10:10:22 -0400 Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Hello Louis,
>
> In fact, the shares mentioned in my original messages are used in Windows-only.
>
> The accounts, however, are used in both Windows and Unix-type environments (we have quite a zoo of OSes in active use); so we actually use the Posix part of accounts for attributes and Kerberos component to authenticate in all non-Windows use.
>
> So my primary intent is to make the homes/profiles shares most convenient and secure from Windows viewpoint.

Let's be honest about this, the sysvol, netlogon and profiles shares are only used by Windows clients (unless somebody knows differently). This means that no Unix client needs to be able to connect to them, so the best way to set the required permissions is to set them from Windows and add 'acl_xattr:ignore system acls = yes' to each share.

Rowland