Rowland Penny
2018-Sep-21 14:38 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
On 21 Sep 2018 10:10:22 -0400 Konstantin Boyandin via samba <samba at lists.samba.org> wrote:> Hello Louis, > > In fact, the shares mentioned in my original messages are used in > Windows-only. > > The accounts, however, are used in both Windows and Unix-type > environments (we have quite a zoo of OSes in active use); so we > actually use the Posix part of accounts for attributes and Kerberos > component to authenticate in all non-Windows use. > > So my primary intent is to make the homes/profiles shares most > convenient and secure from Windows viewpoint. >Lets be honest about this, the sysvol, netlogon and profiles shares are only used by Windows clients (unless somebody knows differently). This means that no Unix client needs to be able to connect to them, so the best way to set the required permissions is to set them from Windows and add 'acl_xattr:ignore system acls = yes' to each share. Rowland
Robert Marcano
2018-Sep-21 15:47 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
On 9/21/18 10:38 AM, Rowland Penny via samba wrote:> On 21 Sep 2018 10:10:22 -0400 > Konstantin Boyandin via samba <samba at lists.samba.org> wrote: > >> Hello Louis, >> >> In fact, the shares mentioned in my original messages are used in >> Windows-only. >> >> The accounts, however, are used in both Windows and Unix-type >> environments (we have quite a zoo of OSes in active use); so we >> actually use the Posix part of accounts for attributes and Kerberos >> component to authenticate in all non-Windows use. >> >> So my primary intent is to make the homes/profiles shares most >> convenient and secure from Windows viewpoint. >> > > Lets be honest about this, the sysvol, netlogon and profiles shares are > only used by Windows clients (unless somebody knows differently). This > means that no Unix client needs to be able to connect to them, so the > best way to set the required permissions is to set them from Windows > and add 'acl_xattr:ignore system acls = yes' to each share. >If someone is using SSSD (not a Samba provided module) instead of winbind and is using its GPO support [1], those Linux clients must be reading sysvol, but not in a direct way in in which 'acl_xattr:ignore system acls = yes' can affect them [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo> Rowland >
Rowland Penny
2018-Sep-21 15:55 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
On Fri, 21 Sep 2018 11:47:47 -0400 Robert Marcano via samba <samba at lists.samba.org> wrote:> On 9/21/18 10:38 AM, Rowland Penny via samba wrote: > > On 21 Sep 2018 10:10:22 -0400 > > Konstantin Boyandin via samba <samba at lists.samba.org> wrote: > > > >> Hello Louis, > >> > >> In fact, the shares mentioned in my original messages are used in > >> Windows-only. > >> > >> The accounts, however, are used in both Windows and Unix-type > >> environments (we have quite a zoo of OSes in active use); so we > >> actually use the Posix part of accounts for attributes and Kerberos > >> component to authenticate in all non-Windows use. > >> > >> So my primary intent is to make the homes/profiles shares most > >> convenient and secure from Windows viewpoint. > >> > > > > Lets be honest about this, the sysvol, netlogon and profiles shares > > are only used by Windows clients (unless somebody knows > > differently). This means that no Unix client needs to be able to > > connect to them, so the best way to set the required permissions is > > to set them from Windows and add 'acl_xattr:ignore system acls > > yes' to each share. > > > > If someone is using SSSD (not a Samba provided module) instead of > winbind and is using its GPO support [1], those Linux clients must be > reading sysvol, but not in a direct way in in which 'acl_xattr:ignore > system acls = yes' can affect them >Then that is an sssd problem and, as you have said, it isn't a Samba product. Rowland
Seemingly Similar Threads
- [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
- [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
- [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
- [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
- Samba 4: 'Access denied' error when accessing user profile during logon