samba - Sep 2018 - [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

Hai, 

Now, i did not know you used the DC for the profiles here but yes it looks good.

Small comment on point 3 and 4. 
3) Its good, you might notice a few more rights there compaired to what i
posted,
thats because you have your profiles on the DC but the settings are good. 

4) yes, the security is ok, i like the higher security setting and try to mimic
the windows settings as much as possible.
You can relax it a bit, but i dont recommend that. 

Your ready for the next step ;-) 

And a tip ahead. 
Settings like this apply to \\server\ ( users-home)  | profiles | print$  for
example.

The why?, because this these shares might needs some extra windows love ;-) 
On these shares i apply the ignore systemacls to mimic the windows rights as
close as possible.
Reason for that is simple, less problems, but this doe depend on how you use the
network.

Test what applies best for you, but these shares where "normaly" only
windows connect to.
I set the ignore systemacl's.  Try it and test it. 
Shares which need "\SYSTEM" for example are best to set the ignore. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Konstantin Boyandin via samba
> Verzonden: vrijdag 21 september 2018 6:49
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] [SOLVED] Samba 4: 'Access denied' 
> error when accessing user profile during logon
> 
> Thanks for the response. I followed your instructions:
> 
> - set the "chmod 1750 /srv/samba/profiles"
> 
> - set, after logging as AD-LAN\Administrator, the permissions for 
> \\DC\profiles :
> 
> Creator Owner: all; applied to: Subfolders and files
> Administrator: all; applied to: This folder, Subfolders and files
> Domain Users: Traverse folder/Execute file,List folder/Read data,Read 
> attributes,Read extended attributes,Create files/Write data,Create 
> folders/Append data; applied to: This folder only
> 
> Results:
> 
> 1. Permissions mask:
> # ls -al /srv/samba | grep profiles
> drwxrwx--T+ 1 root AD-LAN\domain users   34 Sep 21 11:25 profiles
> 
> 2. ACL list for [profiles]
> # getfacl /srv/samba/profiles
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/profiles
> # owner: root
> # group: AD-LAN\134domain\040users
> # flags: --t
> user::rwx
> user:root:rwx
> group::rwx
> group:AD-LAN\134domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:AD-LAN\134domain\040users:---
> default:mask::rwx
> default:other::---
> 
> 3. When logging in without local profile/roaming profile, 
> username gets 
> a roaming profile folder created:
> # getfacl /srv/samba/profiles/username.V2
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/profiles/username.V2
> # owner: AD-LAN\134username
> # group: AD-LAN\134domain\040users
> user::rwx
> user:AD-LAN\134username:rwx
> user:3000000:rwx
> group::---
> group:AD-LAN\134domain\040users:---
> group:NT\040AUTHORITY\134system:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:AD-LAN\134username:rwx
> default:user:3000000:rwx
> default:group::---
> default:group:AD-LAN\134domain\040users:---
> default:group:NT\040AUTHORITY\134system:rwx
> default:mask::rwx
> default:other::---
> 
> 4. The non-Administrator domain users cannot access profiles 
> permissions, nor they can access profiles of other users.
> 
> Is the above fine from viewpoint of access rights?
> 
> Sincerely,
> Konstantin
> 
> L.P.H. van Belle via samba ?????????? 2018-09-20 16:01:
> > Hai,
> > 
> > Sorry to say but..
> >> The solution (following the default how-to directories structure):
> > 
> > No, the solution is to setup correctly.
> > Just do a a small test here to see if its all correct.
> > 
> > With a windows computer, browse to \\server
> > 
> > Right klik the profiles share, check security.
> > 	If this is set correct, the user should not be able to 
> see the rights.
> > 
> > Repaet, now as Adminsitrator.
> > 	You should see the needed rights.
> > 
> > And in my thats on  \\server\profiles
> > Creator Owner ( 1700 ) 	Full with Special rights ( Appy to Only
> > subfolders and files )
> > Administrator 		Full control ( Appy to This 
> Folder, subfolders and 
> > files )
> > Domain Users 		Special with browse/exec, Read 
> file/folder, create/add
> > folder  ( Only this folder )
> > 
> > And in my thats on  \\server\profiles\user.v2
> > The resulting user folders should show ( in Windows )
> > SYSTEM 	Full control
> > Username 	Full control
> > 
> > 
> > Which results in ( for me ) with getfacl
> > 
> > # file: home/samba/profiles
> > # owner: root
> > # group: root
> > # flags: --t
> > user::rwx
> > user:root:rwx
> > group::---
> > group:root:---
> > group:domain\040users:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:group::---
> > default:group:root:---
> > default:mask::rwx
> > default:other::---
> > 
> > #( Group 2005 is SYSTEM  )
> > # file: home/samba/profiles/username.V2
> > # owner: username
> > # group: domain\040users
> > user::rwx
> > user:username:rwx
> > group::---
> > group:2005:rwx
> > group:domain\040users:---
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:username:rwx
> > default:group::---
> > default:group:2005:rwx
> > default:group:domain\040users:---
> > default:mask::rwx
> > default:other::---
> > 
> > Now, you will probely get diffent ( more relaxed ) results, which in
> > the end might give problems for the Win pc's.
> > 
> > Set :
> > [profiles]
> >     browseable = yes
> >     path = /home/samba/profiles
> >     read only = no
> >     acl_xattr:ignore system acl = yes
> > 
> > And now apply the rights again from within windows.
> > And dont touch it with chmod again..
> > If needed use setfacl/getfacl.
> > If you think its complex, then read :
> > https://serversforhackers.com/c/beyond-permissions-linux-acls
> > Good explained.
> > 
> > The acl_xattr:ignore system acl = yes in profiles is imo a must 
> > because,
> > you will have much less problems with your profile folders and the
> > rights windows expects.
> > 
> > 
> > Greetz,
> > 
> > Louis
> > 
> > 
> > 
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> >> Konstantin Boyandin via samba
> >> Verzonden: donderdag 20 september 2018 9:26
> >> Aan: samba at lists.samba.org
> >> Onderwerp: [Samba] [SOLVED] Samba 4: 'Access denied' error
> >> when accessing user profile during logon
> >> 
> >> Hello,
> >> 
> >> Looks like the solution was rather simple.
> >> 
> >> If user profile matching OS doesn't yet exist, Windows
attempts to
> >> create one under '[profiles]'. I.e., for user
'username'
> >> Windows 7 will
> >> attempt to create [profiledir]\username.V2
> >> 
> >> If it can't create that directory, 'Access denied' is
written
> >> to system
> >> event log and a temporary profile is created.
> >> 
> >> The solution (following the default how-to directories structure):
> >> 
> >> # chmod g+w /srv/samba/profiles
> >> 
> >> The hint posted in
> >> 
> >> https://windowsserveressentials.com/2011/02/25/quick-fix-acces
> >> s-denied-to-romaing-profile-windows-7/
> >> 
> >> Note: taking the above into account, I believe that corresponding
> >> section (Using POSIX ACLs) should be updated in
> >> 
> >> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> >> 
> >> namely, replace
> >> 
> >> # chmod 1750 /srv/samba/profiles/
> >> 
> >> with
> >> 
> >> # chmod 1770 /srv/samba/profiles/
> >> 
> >> Sincerely,
> >> Konstantin
> >> 
> >> Konstantin Boyandin via samba ?????????? 2018-09-20 12:25:
> >> > Hello,
> >> >
> >> > After joining Windows 7 to a Samba 4 (AD), when logging on I
> >> > experience 'Access denied' error accessing user
profile. As
> >> a result,
> >> > Windows creates temporary profile for the domain user (the
> >> profile is
> >> > deleted upon logoff).
> >> >
> >> > [...]
> >> 
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >> 
> >> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On Fri, 21 Sep 2018 08:52:43 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai, 
> 
> Now, i did not know you used the DC for the profiles here but yes it
> looks good. 
> 
> Small comment on point 3 and 4. 
> 3) Its good, you might notice a few more rights there compaired to
> what i posted, thats because you have your profiles on the DC but the
> settings are good. 
> 
> 4) yes, the security is ok, i like the higher security setting and
> try to mimic the windows settings as much as possible. You can relax
> it a bit, but i dont recommend that. 
> 
> Your ready for the next step ;-) 
> 
> And a tip ahead. 
> Settings like this apply to \\server\ ( users-home)  | profiles |
> print$  for example. 
> 
> The why?, because this these shares might needs some extra windows
> love ;-) On these shares i apply the ignore systemacls to mimic the
> windows rights as close as possible. Reason for that is simple, less
> problems, but this doe depend on how you use the network. 
> 
If you use 'ignore systemacls', then you must also ignore the output of
getfacl. This is because you are telling Samba to only use the ACLs
found in the EA 'security.NTACL' for the share and these can be, and
probably are, different from what getfacl shows.

Rowland

Hai Rowland, 
> 
> If you use 'ignore systemacls', then you must also ignore the 
> output of getfacl. This is because you are telling Samba to only use the
ACLs
> found in the EA 'security.NTACL' for the share and these can be,
and
> probably are, different from what getfacl shows.
> 
> Rowland
>  
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
So far i've seen, the output of getfacl is exact of what is set in
secrutiy.NTACL.
If that isnt the case then we have a problem in my opinion. 
And you could compair it with :  getfattr -n security.NTACL yourFile/folder 

And I would not ignore the getfacl even with the known limitation of the
"SYSTEM" and some other BUILTIN\xxx..  Users/groups.
As long we see these (missing) names/groups in numbers im fine with it. Linux is
not windows.

Imo, setting like this has only one problem, changing to much with CHMOD/CHOWN, 
that might kill the acls and you need to set it again FROM WINDOWS! 

This is why you set it, export the settings with getfacl ( if needed recusive )
handy to have that if you need to recover.
You set the acls in linux first en from windows again and the both match again. 
Just dont touch it after you've set it. 

Om totaly open for a better setup ;-) and if im wrong here please tell me, only
with comments, we learn.


Greetz, 

Louis

On Fri, 21 Sep 2018 09:35:13 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Rowland, 
> 
> So far i've seen, the output of getfacl is exact of what is set in
> secrutiy.NTACL. If that isnt the case then we have a problem in my
> opinion. And you could compair it with :  getfattr -n security.NTACL
> yourFile/folder 
> 
> And I would not ignore the getfacl even with the known limitation of
> the "SYSTEM" and some other BUILTIN\xxx..  Users/groups. As long
we
> see these (missing) names/groups in numbers im fine with it. Linux is
> not windows. 
> 
> Imo, setting like this has only one problem, changing to much with
> CHMOD/CHOWN, that might kill the acls and you need to set it again
> FROM WINDOWS! 
> 
> This is why you set it, export the settings with getfacl ( if needed
> recusive ) handy to have that if you need to recover. You set the
> acls in linux first en from windows again and the both match again.
> Just dont touch it after you've set it. 
> 
> Om totaly open for a better setup ;-) and if im wrong here please
> tell me, only with comments, we learn. 
> 
> 
Try reading 'man vfs_acl_xattr'

This plainly says that ACLs are stored in the EA 'security.NTACL'

It also says that when 'acl_xattr:ignore system acls' is set to
'yes',  it will not map to or from the POSIX Layer i.e. the Unix OS.

It also says the following settings will be enforced:

    create mask = 0666
    directory mask = 0777
    map archive = no
    map hidden = no
    map readonly = no
    map system = no
    store dos attributes = yes

Rowland

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: vrijdag 21 september 2018 10:11
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] [SOLVED] Samba 4: 'Access denied' 
> error when accessing user profile during logon
> 
> On Fri, 21 Sep 2018 09:35:13 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
> > Hai Rowland, 
> > 
> > So far i've seen, the output of getfacl is exact of what is set in
> > secrutiy.NTACL. If that isnt the case then we have a problem in my
> > opinion. And you could compair it with :  getfattr -n security.NTACL
> > yourFile/folder 
> > 
> > And I would not ignore the getfacl even with the known limitation of
> > the "SYSTEM" and some other BUILTIN\xxx..  Users/groups. As
long we
> > see these (missing) names/groups in numbers im fine with 
> it. Linux is
> > not windows. 
> > 
> > Imo, setting like this has only one problem, changing to much with
> > CHMOD/CHOWN, that might kill the acls and you need to set it again
> > FROM WINDOWS! 
> > 
> > This is why you set it, export the settings with getfacl ( if needed
> > recusive ) handy to have that if you need to recover. You set the
> > acls in linux first en from windows again and the both match again.
> > Just dont touch it after you've set it. 
> > 
> > Om totaly open for a better setup ;-) and if im wrong here please
> > tell me, only with comments, we learn. 
> > 
> > 
> 
> Try reading 'man vfs_acl_xattr'
> 
> This plainly says that ACLs are stored in the EA 'security.NTACL'
> 
> It also says that when 'acl_xattr:ignore system acls' is set to
> 'yes',  it will not map to or from the POSIX Layer i.e. the Unix
OS.
> 
> It also says the following settings will be enforced:
> 
>     create mask = 0666
>     directory mask = 0777
>     map archive = no
>     map hidden = no
>     map readonly = no
>     map system = no
>     store dos attributes = yes
> 
> Rowland
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> Try reading 'man vfs_acl_xattr'
> 
> This plainly says that ACLs are stored in the EA 'security.NTACL'
Ok, i did read that. (again)  ;-) 

Yes, thats correct, but only when you access it from a \\server\share 
The setting :  acl_xattr:default acl style = posix  helps also. 

Maybe a misunderstanding but i dont think so, you correct me.. 
Yes, your right about the vfs_acl_xattr. 

Why i set both. 
User1 is working on windows, saves a file on a share \\server\share\file.   (
uses vfs_acl_xattr )
User2 is working on linux, login with ssh, no shares used, and uses the same
file. /home/path/folder/file ( and does not use vfs_acl_xattr )
Here default acl style = posix is doing its work for the 2 users.  ( mainly the
windows users )

At least thats how i did understand the implementation of these settings. 
This is why i did setup like this, so windows/linux users see (almost) the same
rights.
At least thats how i see it, in the network here. And it works great. 

Think in the GPO rights.  Only used by windows. 
If you use the syvol and netlogon share realy only for windows then the setting
:
acl_xattr:default acl style = windows   is te best. 
But touching the linux acls in from within linux, is a no go. That kills you
sysvol.
That did happen in 4.5.x and before, i havent tested that in 4.6+ since i dont
have any GPO or sysvol problems.

I think in ( so people understand better why i set some things )
1) windows only users ( note, a computer is a user dont forget that.  ) 
2) linux only users
3) windows and linux users
4) server services. 
5) mixed the above. 

Based on the use of one of these 5 above i setup a share. 
Thats key, setup a share, for the way how you use it and avoid problem. 


Greetz, 

Louis

Hello Louis,

In fact, the shares mentioned in my original messages are used in
Windows-only.

The accounts, however, are used in both Windows and Unix-type
environments (we have quite a zoo of OSes in active use); so we actually
use the Posix part of accounts for attributes and Kerberos component to
authenticate in all non-Windows use.

So my primary intent is to make the homes/profiles shares most
convenient and secure from Windows viewpoint.

Thanks.

Sincerely,
Konstantin

On 21.09.2018 13:52, L.P.H. van Belle via samba wrote:
> Hai, 
> 
> Now, i did not know you used the DC for the profiles here but yes it looks
 good. 
> 
> Small comment on point 3 and 4. 
> 3) Its good, you might notice a few more rights there compaired to what i
 posted, 
> thats because you have your profiles on the DC but the settings are good. 
> 
> 4) yes, the security is ok, i like the higher security setting and try to
 mimic the windows settings as much as possible. 
> You can relax it a bit, but i dont recommend that. 
> 
> Your ready for the next step ;-) 
> 
> And a tip ahead. 
> Settings like this apply to \\server\ ( users-home)  | profiles | print$ 
 for example. 
> 
> The why?, because this these shares might needs some extra windows love
 ;-) 
> On these shares i apply the ignore systemacls to mimic the windows rights
 as close as possible. 
> Reason for that is simple, less problems, but this doe depend on how you
 use the network. 
> 
> Test what applies best for you, but these shares where "normaly"
only
 windows connect to. 
> I set the ignore systemacl's.  Try it and test it. 
> Shares which need "\SYSTEM" for example are best to set the
ignore.
> 
> Greetz, 
> 
> Louis
> 
> 
> 
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
>> Konstantin Boyandin via samba
>> Verzonden: vrijdag 21 september 2018 6:49
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] [SOLVED] Samba 4: 'Access denied' 
>> error when accessing user profile during logon
>>
>> Thanks for the response. I followed your instructions:
>>
>> - set the "chmod 1750 /srv/samba/profiles"
>>
>> - set, after logging as AD-LAN\Administrator, the permissions for 
>> \\DC\profiles :
>>
>> Creator Owner: all; applied to: Subfolders and files
>> Administrator: all; applied to: This folder, Subfolders and files
>> Domain Users: Traverse folder/Execute file,List folder/Read data,Read 
>> attributes,Read extended attributes,Create files/Write data,Create 
>> folders/Append data; applied to: This folder only
>>
>> Results:
>>
>> 1. Permissions mask:
>> # ls -al /srv/samba | grep profiles
>> drwxrwx--T+ 1 root AD-LAN\domain users   34 Sep 21 11:25 profiles
>>
>> 2. ACL list for [profiles]
>> # getfacl /srv/samba/profiles
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/profiles
>> # owner: root
>> # group: AD-LAN\134domain\040users
>> # flags: --t
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:AD-LAN\134domain\040users:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:group::---
>> default:group:AD-LAN\134domain\040users:---
>> default:mask::rwx
>> default:other::---
>>
>> 3. When logging in without local profile/roaming profile, 
>> username gets 
>> a roaming profile folder created:
>> # getfacl /srv/samba/profiles/username.V2
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/profiles/username.V2
>> # owner: AD-LAN\134username
>> # group: AD-LAN\134domain\040users
>> user::rwx
>> user:AD-LAN\134username:rwx
>> user:3000000:rwx
>> group::---
>> group:AD-LAN\134domain\040users:---
>> group:NT\040AUTHORITY\134system:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:AD-LAN\134username:rwx
>> default:user:3000000:rwx
>> default:group::---
>> default:group:AD-LAN\134domain\040users:---
>> default:group:NT\040AUTHORITY\134system:rwx
>> default:mask::rwx
>> default:other::---
>>
>> 4. The non-Administrator domain users cannot access profiles 
>> permissions, nor they can access profiles of other users.
>>
>> Is the above fine from viewpoint of access rights?
>>
>> Sincerely,
>> Konstantin
>>
>> L.P.H. van Belle via samba ?????????? 2018-09-20 16:01:
>>> Hai,
>>>
>>> Sorry to say but..
>>>> The solution (following the default how-to directories
structure):
>>>
>>> No, the solution is to setup correctly.
>>> Just do a a small test here to see if its all correct.
>>>
>>> With a windows computer, browse to \\server
>>>
>>> Right klik the profiles share, check security.
>>> 	If this is set correct, the user should not be able to 
>> see the rights.
>>>
>>> Repaet, now as Adminsitrator.
>>> 	You should see the needed rights.
>>>
>>> And in my thats on  \\server\profiles
>>> Creator Owner ( 1700 ) 	Full with Special rights ( Appy to Only
>>> subfolders and files )
>>> Administrator 		Full control ( Appy to This 
>> Folder, subfolders and 
>>> files )
>>> Domain Users 		Special with browse/exec, Read 
>> file/folder, create/add
>>> folder  ( Only this folder )
>>>
>>> And in my thats on  \\server\profiles\user.v2
>>> The resulting user folders should show ( in Windows )
>>> SYSTEM 	Full control
>>> Username 	Full control
>>>
>>>
>>> Which results in ( for me ) with getfacl
>>>
>>> # file: home/samba/profiles
>>> # owner: root
>>> # group: root
>>> # flags: --t
>>> user::rwx
>>> user:root:rwx
>>> group::---
>>> group:root:---
>>> group:domain\040users:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::---
>>> default:group:root:---
>>> default:mask::rwx
>>> default:other::---
>>>
>>> #( Group 2005 is SYSTEM  )
>>> # file: home/samba/profiles/username.V2
>>> # owner: username
>>> # group: domain\040users
>>> user::rwx
>>> user:username:rwx
>>> group::---
>>> group:2005:rwx
>>> group:domain\040users:---
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:username:rwx
>>> default:group::---
>>> default:group:2005:rwx
>>> default:group:domain\040users:---
>>> default:mask::rwx
>>> default:other::---
>>>
>>> Now, you will probely get diffent ( more relaxed ) results, which
in
>>> the end might give problems for the Win pc's.
>>>
>>> Set :
>>> [profiles]
>>>     browseable = yes
>>>     path = /home/samba/profiles
>>>     read only = no
>>>     acl_xattr:ignore system acl = yes
>>>
>>> And now apply the rights again from within windows.
>>> And dont touch it with chmod again..
>>> If needed use setfacl/getfacl.
>>> If you think its complex, then read :
>>> https://serversforhackers.com/c/beyond-permissions-linux-acls
>>> Good explained.
>>>
>>> The acl_xattr:ignore system acl = yes in profiles is imo a must 
>>> because,
>>> you will have much less problems with your profile folders and the
>>> rights windows expects.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>>>> Konstantin Boyandin via samba
>>>> Verzonden: donderdag 20 september 2018 9:26
>>>> Aan: samba at lists.samba.org
>>>> Onderwerp: [Samba] [SOLVED] Samba 4: 'Access denied'
error
>>>> when accessing user profile during logon
>>>>
>>>> Hello,
>>>>
>>>> Looks like the solution was rather simple.
>>>>
>>>> If user profile matching OS doesn't yet exist, Windows
attempts to
>>>> create one under '[profiles]'. I.e., for user
'username'
>>>> Windows 7 will
>>>> attempt to create [profiledir]\username.V2
>>>>
>>>> If it can't create that directory, 'Access denied'
is written
>>>> to system
>>>> event log and a temporary profile is created.
>>>>
>>>> The solution (following the default how-to directories
structure):
>>>>
>>>> # chmod g+w /srv/samba/profiles
>>>>
>>>> The hint posted in
>>>>
>>>> https://windowsserveressentials.com/2011/02/25/quick-fix-acces
>>>> s-denied-to-romaing-profile-windows-7/
>>>>
>>>> Note: taking the above into account, I believe that
corresponding
>>>> section (Using POSIX ACLs) should be updated in
>>>>
>>>> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>>>>
>>>> namely, replace
>>>>
>>>> # chmod 1750 /srv/samba/profiles/
>>>>
>>>> with
>>>>
>>>> # chmod 1770 /srv/samba/profiles/
>>>>
>>>> Sincerely,
>>>> Konstantin
>>>>
>>>> Konstantin Boyandin via samba ?????????? 2018-09-20 12:25:
>>>>> Hello,
>>>>>
>>>>> After joining Windows 7 to a Samba 4 (AD), when logging on
I
>>>>> experience 'Access denied' error accessing user
profile. As
>>>> a result,
>>>>> Windows creates temporary profile for the domain user (the
>>>> profile is
>>>>> deleted upon logoff).
>>>>>
>>>>> [...]
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions:  https://lists.samba.org/mailman/options/samba

On 21 Sep 2018 10:10:22 -0400
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> Hello Louis,
> 
> In fact, the shares mentioned in my original messages are used in
> Windows-only.
> 
> The accounts, however, are used in both Windows and Unix-type
> environments (we have quite a zoo of OSes in active use); so we
> actually use the Posix part of accounts for attributes and Kerberos
> component to authenticate in all non-Windows use.
> 
> So my primary intent is to make the homes/profiles shares most
> convenient and secure from Windows viewpoint.
> 
Lets be honest about this, the sysvol, netlogon and profiles shares are
only used by Windows clients (unless somebody knows differently). This
means that no Unix client needs to be able to connect to them, so the
best way to set the required permissions is to set them from Windows
and add 'acl_xattr:ignore system acls = yes' to each share.

Rowland