Rowland Penny
2018-Sep-21 14:38 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
On 21 Sep 2018 10:10:22 -0400
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Hello Louis,
>
> In fact, the shares mentioned in my original messages are used in
> Windows-only.
>
> The accounts, however, are used in both Windows and Unix-type
> environments (we have quite a zoo of OSes in active use); so we
> actually use the Posix part of accounts for attributes and Kerberos
> component to authenticate in all non-Windows use.
>
> So my primary intent is to make the homes/profiles shares most
> convenient and secure from Windows viewpoint.
>

Let's be honest about this, the sysvol, netlogon and profiles shares are
only used by Windows clients (unless somebody knows differently). This
means that no Unix client needs to be able to connect to them, so the
best way to set the required permissions is to set them from Windows
and add 'acl_xattr:ignore system acls = yes' to each share.

Rowland
Robert Marcano
2018-Sep-21 15:47 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
On 9/21/18 10:38 AM, Rowland Penny via samba wrote:

> On 21 Sep 2018 10:10:22 -0400
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>> Hello Louis,
>>
>> In fact, the shares mentioned in my original messages are used in
>> Windows-only.
>>
>> The accounts, however, are used in both Windows and Unix-type
>> environments (we have quite a zoo of OSes in active use); so we
>> actually use the Posix part of accounts for attributes and Kerberos
>> component to authenticate in all non-Windows use.
>>
>> So my primary intent is to make the homes/profiles shares most
>> convenient and secure from Windows viewpoint.
>>
>
> Let's be honest about this, the sysvol, netlogon and profiles shares are
> only used by Windows clients (unless somebody knows differently). This
> means that no Unix client needs to be able to connect to them, so the
> best way to set the required permissions is to set them from Windows
> and add 'acl_xattr:ignore system acls = yes' to each share.
>

If someone is using SSSD (not a Samba provided module) instead of
winbind and is using its GPO support [1], those Linux clients must be
reading sysvol, but not in a direct way in which 'acl_xattr:ignore
system acls = yes' can affect them

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo

> Rowland
>
Rowland Penny
2018-Sep-21 15:55 UTC
[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
On Fri, 21 Sep 2018 11:47:47 -0400
Robert Marcano via samba <samba at lists.samba.org> wrote:

> On 9/21/18 10:38 AM, Rowland Penny via samba wrote:
> > On 21 Sep 2018 10:10:22 -0400
> > Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> >
> >> Hello Louis,
> >>
> >> In fact, the shares mentioned in my original messages are used in
> >> Windows-only.
> >>
> >> The accounts, however, are used in both Windows and Unix-type
> >> environments (we have quite a zoo of OSes in active use); so we
> >> actually use the Posix part of accounts for attributes and Kerberos
> >> component to authenticate in all non-Windows use.
> >>
> >> So my primary intent is to make the homes/profiles shares most
> >> convenient and secure from Windows viewpoint.
> >>
> >
> > Let's be honest about this, the sysvol, netlogon and profiles shares
> > are only used by Windows clients (unless somebody knows
> > differently). This means that no Unix client needs to be able to
> > connect to them, so the best way to set the required permissions is
> > to set them from Windows and add 'acl_xattr:ignore system acls =
> > yes' to each share.
> >
>
> If someone is using SSSD (not a Samba provided module) instead of
> winbind and is using its GPO support [1], those Linux clients must be
> reading sysvol, but not in a direct way in which 'acl_xattr:ignore
> system acls = yes' can affect them
>

Then that is an sssd problem and, as you have said, it isn't a Samba
product.

Rowland
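
One way to check that 'acl_xattr:ignore system acls = yes' is actually in effect on the Windows-only shares discussed in this thread, as an added example that is not part of the original messages or of Samba itself. The share names, the sample configuration and the function names are assumptions of this example.

```python
# Shares the thread calls Windows-only (names are assumptions of this example).
WINDOWS_ONLY = ("sysvol", "netlogon", "profiles")
PARAM = "acl_xattr:ignore system acls"
TRUE = ("yes", "true", "1", "on")  # Samba boolean spellings meaning 'enabled'

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lower-cased and their
    whitespace collapsed (a simplification made by this example)."""
    sections, current = {}, None
    for raw in text.replace("\\\n", " ").splitlines():  # trailing "\" continues a line
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text, shares=WINDOWS_ONLY):
    """Map each share to 'ok', 'missing' (absent or disabled) or 'no such share'.
    A value set in [global] is inherited unless the share overrides it."""
    conf = parse_smb_conf(text)
    inherited = conf.get("global", {}).get(PARAM)
    report = {}
    for share in shares:
        if share not in conf:
            report[share] = "no such share"
        else:
            value = conf[share].get(PARAM, inherited)
            report[share] = "ok" if (value or "").lower() in TRUE else "missing"
    return report

# Constructed sample configuration (paths and workgroup are placeholders).
SAMPLE = """\
[global]
    workgroup = EXAMPLE
[profiles]
    path = /srv/samba/profiles
    acl_xattr:ignore system acls = yes
[netlogon]
    path = /srv/samba/netlogon
"""

if __name__ == "__main__":
    for share, status in audit(SAMPLE).items():
        print(f"{share:10} {status}")
```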