Hi,

On Windows Server 2008 R2 Enterprise
Profiles path: \\fs\profiles\rprofile

On CentOS Version 7
Samba Version 4.7.1
ROLE_DOMAIN_MEMBER

[profiles]
comment = Users profiles
path = /profiles
browseable = No
read only = No
force create mode = 0600
force directory mode = 0700
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr
map acl inherit = yes

mkdir /profiles/
chgrp -R "Domain Users" /profiles/
chmod 1770 /profiles/

If 1750, rprofile.V6 will not be created, so I changed it to 1770.

rprofile.V6 is created with 0755 permission on the first login, but no directories or files are created in it when logging out. If I manually delete the directory and log out, it will recreate rprofile.V6 with 0755 and directories and files in a subdirectory.

I have tried different permissions for force create mode, force directory mode, create mask, directory mask. I was getting Event IDs 1521, 1526, 1530, 6001 on the Windows 10 PC. Right now the error Event IDs are 1530 and 1526.

Do you have any recommendations on what to try?

Thanks!
Bob S.
On Fri, 12 Apr 2019 12:42:46 -0400 Bob Smith via samba <samba at lists.samba.org> wrote:

> Hi,
>
> On Windows Server 2008 R2 Enterprise
> Profiles path: \\fs\profiles\rprofile
>
> On CentOS Version 7
> Samba Version 4.7.1
> ROLE_DOMAIN_MEMBER
>
> [profiles]
> comment = Users profiles
> path = /profiles
> browseable = No
> read only = No
> force create mode = 0600
> force directory mode = 0700
> csc policy = disable
> store dos attributes = yes
> vfs objects = acl_xattr
> map acl inherit = yes
>
> mkdir /profiles/
> chgrp -R "Domain Users" /profiles/
> chmod 1770 /profiles/
>
> If 1750, rprofile.V6 will not be created, so I changed it to 1770.
>
> rprofile.V6 is created with 0755 permission on the first login, but no
> directories or files are created in it when logging out. If I manually
> delete the directory and log out, it will recreate rprofile.V6 with
> 0755 and directories and files in a subdirectory.
>
> I have tried different permissions for force create mode, force
> directory mode, create mask, directory mask. I was getting Event IDs
> 1521, 1526, 1530, 6001 on the Windows 10 PC. Right now the error Event
> IDs are 1530 and 1526.
>
> Do you have any recommendations on what to try?
>
> Thanks!
> Bob S.

Try reading this:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Rowland
On Thu, 18 Apr 2019 14:29:30 -0400 Bob Smith <bobs04475 at gmail.com> wrote:

> Hello Rowland,
>
> Thank you for the suggested link!
>
> I followed "Using POSIX ACLs on a Unix domain member" also.

Don't ;-) Use Windows ACLs.

> "Granting the SeDiskOperatorPrivilege Privilege"
> # net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U"SAMDOM\Administrator"
> Enter SAMDOM\Administrator's password:
> Failed to grant privileges for SAMDOM\Domain Admins (NT_STATUS_NO_SUCH_USER)
>
> Used a workaround of a username map parameter in smb.conf:
> "username map = /etc/samba/user.map", added in [global];
> created the map file /etc/samba/user.map containing
> !root = SAMDOM\Administrator SAMDOM\administrator

That isn't a 'workaround', it is what you are supposed to do ;-)

> # net rpc rights grant "Domain Admins" SeDiskOperatorPrivilege -U"SAMDOM\Administrator"
> Enter SAMDOM\Administrator's password:
> Successfully granted rights.
>
> # net rpc rights list privileges SeDiskOperatorPrivilege -U"SAMDOM\Administrator"
> Enter SAMDOM\Administrator's password:
> SeDiskOperatorPrivilege:
> Unix Group\domain admins
> BUILTIN\Administrators
>
> It is displaying "Unix Group\domain admins" instead of "SAMDOM\Domain
> Admins"?

Strange, does 'Domain Admins' have a gidNumber attribute, or are you using the 'rid' backend?

> "Adding a Share"
> # mkdir -p /profiles/
>
> # chown root:"Domain Admins" /profiles/
> # chmod 0770 /profiles/
>
> [profiles]
> path = /profiles/
> read only = no
>
> # smbcontrol all reload-config
>
> "Setting Share Permissions and ACLs"
> Signed in to Windows 10 with a domain admin account, Computer
> Management, profiles share,
> Share Permissions tab - this was already set to Full Control for
> Everyone

Ignore the share tab.

> Security tab - by default Special Permissions were set to
> (Everyone, root (Unix User\root), domain admins (Unix Group\domain
> admins), CREATOR OWNER, and CREATOR GROUP)
> Removed all of them and added 'Full Control' for "SAMDOM\Domain
> Admins" and 'Modify, Read & execute, List folder contents, Read, and
> Write' for "SAMDOM\Domain Users"
> When I clicked Apply, it closed Properties by itself. On the Security
> tab, it says "You do not have permission to view or edit this
> object's permission settings." (I just lost access to the share)

Try following the page I pointed you at:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

> Signed in to Windows 10 with a domain user, getting a "User Profile
> Service" message for the roaming profile issue:
> Event ID: 1521
> Source: User Profile Service
> Windows cannot locate the server copy of your roaming profile and is
> attempting to log you on with your local profile. Changes to the
> profile will not be copied to the server when you log off. This error
> may be caused by network problems or insufficient security rights.
> DETAIL - Access is denied.
>
> To list the extended ACLs of /profiles/:
> # getfacl /profiles/
> getfacl: Removing leading '/' from absolute path names
> # file: profiles/
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::r-x
> default:group:domain\040admins:r-x
> default:mask::rwx
> default:other::r-x
>
> Looks like domain users (domain\040users) don't have access to the
> share.

Very nice, but that isn't the only place where the permissions are stored.

> I'm trying different combinations of share permissions and ACLs from
> the Windows side with a Domain Admin.

Just follow the wiki, it is known to work.

> Which one should I use for the share?
>
> [Profiles]
> path = /profiles/
> read only = no

Just that, do everything else from Windows.

Rowland
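The `getfacl` listing above is the point where Bob concludes that domain users have no access. Reading a POSIX ACL by eye is error-prone because named-user and named-group entries are further limited by the `mask::` entry, and group names containing spaces are printed as `\040` escapes. The script below, added here as an illustration and not part of the thread or of Samba, parses `getfacl` output into its access and default entries, applies the mask, and reports the effective rights of the groups you name. The sample text is constructed to match the listing posted above. As Rowland notes, on a share with `vfs objects = acl_xattr` the POSIX ACL is not the only place permissions live (the NT ACL is stored in an extended attribute), so this check tells you only what the POSIX layer allows.

```python
"""Parse getfacl output and report each group's effective POSIX rights.

Added example, not from the mailing-list thread. SAMPLE_GETFACL is a
constructed copy of the /profiles/ listing in the thread.
"""
import re

# Constructed sample: the getfacl output from the thread, including the
# leading-slash notice that getfacl prints to stderr.
SAMPLE_GETFACL = """\
getfacl: Removing leading '/' from absolute path names
# file: profiles/
# owner: root
# group: domain\\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\\040admins:r-x
default:mask::rwx
default:other::r-x
"""


def _unescape(name):
    """getfacl prints spaces and other odd bytes as octal escapes (\\040 = space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return {'access': {...}, 'default': {...}, 'owner': str, 'group': str}.

    Each entry dict maps (tag, qualifier) -> perms, e.g.
    ('group', 'domain admins') -> 'rwx'; the owning user/group entries use
    an empty qualifier, as in the getfacl syntax."""
    acl = {"access": {}, "default": {}, "owner": None, "group": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                acl["owner"] = _unescape(line.split(":", 1)[1].strip())
            elif line.startswith("# group:"):
                acl["group"] = _unescape(line.split(":", 1)[1].strip())
            continue
        which = "access"
        if line.startswith("default:"):
            which = "default"
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl[which][(tag, _unescape(qualifier))] = perms
    return acl


def _intersect(perms, mask):
    """Bitwise AND of two rwx strings: a right survives only if both grant it."""
    return "".join(p if p != "-" and p == m else "-" for p, m in zip(perms, mask))


def effective_group_access(acl, group_name, which="access"):
    """Rights a group ends up with after the mask, or None if the group is not
    named in the ACL at all (then only the other:: entry applies to its members)."""
    entries = acl[which]
    perms = entries.get(("group", group_name))
    if perms is None and acl["group"] == group_name:
        perms = entries.get(("group", ""))  # the owning group's entry
    if perms is None:
        return None
    return _intersect(perms, entries.get(("mask", ""), "rwx"))


def report(acl, groups):
    """Map each group name to its effective rights, falling back to other::."""
    out = {}
    for g in groups:
        eff = effective_group_access(acl, g)
        out[g] = eff if eff is not None else "other:" + acl["access"].get(("other", ""), "---")
    return out


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for name, rights in report(acl, ["domain admins", "domain users"]).items():
        print(f"{name!r}: {rights}")
```

Run against the posted listing it reports `'domain admins': rwx` and `'domain users': other:---`, which is the conclusion Bob drew, but it also shows that the default (inherited) entries give `domain admins` only `r-x` on new subdirectories, a detail that is easy to miss in the raw output.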
On Sat, 27 Apr 2019 21:35:43 -0400 Bob Smith <bobs04475 at gmail.com> wrote:

> > Strange, does 'Domain Admins' have a gidNumber attribute, or are you
> > using the 'rid' backend?
>
> Domain Admins doesn't have a gidNumber attribute. Its value is <not
> set>. The backend is tdb.

Can you post your smb.conf? It sounds like it may not be set up correctly.

Rowland
On Sun, 28 Apr 2019 09:31:25 -0400 Bob Smith <bobs04475 at gmail.com> wrote:

> > Can you post your smb.conf? It sounds like it may not be set up
> > correctly.
>
> Here is my smb.conf.
>
> [global]
> netbios name = fs
> server string = Samba Server Version %v
>
> log file = /var/log/samba/%m.log
> log level = 3
> max log size = 500
>
> workgroup = SAMDOM
> realm = SAMDOM.LOCAL
> security = ads

OK to here.

> encrypt passwords = yes
> passdb backend = tdbsam

The above two lines are defaults, so are not required.

> ldap ssl = no
> ldap suffix = dc=samdom,dc=local
> ldap admin dn = cn=fsadmin,dc=samdom,dc=local

Why the ldap lines? They are not required on a Unix domain member.

> kerberos method = secrets and keytab
>
> idmap config * : backend = tdb
> idmap config * : range = 16777216-33554431

Now we come to the big question: are you also using sssd? If so, Samba isn't doing the authentication; if not, then you also need 'idmap config' lines for the 'SAMDOM' domain.

Rowland
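Rowland's reply comes down to a checklist against the posted smb.conf: `security = ads`, a default `idmap config *` backend and range, a separate `idmap config SAMDOM` backend and range whose range does not overlap the default one, and no leftover ldap settings on a domain member. The script below, an added example that is neither from the thread nor part of Samba, turns that checklist into a small linter. It parses the `[global]` section the way smbd's key matching behaves for these keys (case-insensitive, whitespace-tolerant) and lists what is missing. SAMPLE_SMB_CONF is a constructed copy of Bob's config; FIXED_SMB_CONF is a constructed, winbind-based version with a `rid` backend and example ranges that are assumptions, not values from the thread.

```python
"""Lint a Samba domain-member smb.conf for the idmap settings a domain needs.

Added example, not from the thread or from Samba. Assumes winbind is the
identity source (Rowland's point is that with sssd this does not apply).
"""
import re

# Constructed sample: the [global] section Bob posted.
SAMPLE_SMB_CONF = """\
[global]
netbios name = fs
server string = Samba Server Version %v

log file = /var/log/samba/%m.log
log level = 3
max log size = 500

workgroup = SAMDOM
realm = SAMDOM.LOCAL
security = ads
encrypt passwords = yes
passdb backend = tdbsam
ldap ssl = no
ldap suffix = dc=samdom,dc=local
ldap admin dn = cn=fsadmin,dc=samdom,dc=local
kerberos method = secrets and keytab

idmap config * : backend = tdb
idmap config * : range = 16777216-33554431
"""

# Constructed, assumed-correct counterpart: per-domain idmap lines added,
# ldap lines dropped. Backend choice and ranges are assumptions for the example.
FIXED_SMB_CONF = """\
[global]
netbios name = fs
workgroup = SAMDOM
realm = SAMDOM.LOCAL
security = ads
kerberos method = secrets and keytab

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with keys lowercased and
    whitespace around ':' normalised, so 'idmap config SAMDOM:range' and
    'idmap config samdom : range' land on the same key."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", key.strip().lower())
            conf[section][re.sub(r"\s+", " ", key)] = value.strip()
    return conf


def _idmap_range(g, domain):
    """Parse 'idmap config <domain> : range = LOW-HIGH' into (LOW, HIGH) or None."""
    val = g.get(f"idmap config {domain.lower()} : range")
    if not val:
        return None
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", val))
    return lo, hi


def check_idmap(conf, domain):
    """Return a list of findings; an empty list means every check passed."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security is not 'ads'; a domain member needs security = ads")
    if g.get("workgroup", "").upper() != domain.upper():
        findings.append(f"workgroup {g.get('workgroup')!r} does not match domain {domain!r}")
    default_range = _idmap_range(g, "*")
    if not g.get("idmap config * : backend") or default_range is None:
        findings.append("default idmap config (* backend/range) is incomplete")
    if not g.get(f"idmap config {domain.lower()} : backend"):
        findings.append(f"missing 'idmap config {domain} : backend'")
    dom_range = _idmap_range(g, domain)
    if dom_range is None:
        findings.append(f"missing 'idmap config {domain} : range'")
    if default_range and dom_range:
        (lo1, hi1), (lo2, hi2) = default_range, dom_range
        if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
            findings.append("idmap ranges for '*' and the domain overlap")
    for key in ("ldap ssl", "ldap suffix", "ldap admin dn"):
        if key in g:
            findings.append(f"'{key}' is not needed on a Unix domain member")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"== {label} ==")
        for f in check_idmap(parse_smb_conf(text), "SAMDOM") or ["ok"]:
            print(" -", f)
```

Against the posted config the linter reports the two missing `idmap config SAMDOM` lines and the three unnecessary ldap settings; against the fixed config it reports nothing. The overlap check matters because a domain range that collides with the `*` range is accepted by smbd but produces unstable or colliding uid/gid assignments, which shows up later as exactly the kind of unexplained "access denied" seen in this thread.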
On Sun, 28 Apr 2019 10:15:30 -0400 Bob Smith <bobs04475 at gmail.com> wrote:

> > > Now we come to the big question: are you also using sssd?
> > > If so, Samba isn't doing the authentication; if not, then you also
> > > need 'idmap config' lines for the 'SAMDOM' domain.
>
> Yes, I'm using sssd. I was using winbind on Red Hat, but started using
> CentOS and built with sssd.
>
> Thanks!
> B.

Then I cannot help you further; we do not support sssd, mainly because we do not produce it. I suggest you ask on the sssd-users mailing list. Your main problem is that Domain Admins is unknown to the Unix OS. I could advise you how to fix this problem, but only if you actually use winbind (which must be running, as it is now required) and remove sssd.

Rowland
On Sun, 28 Apr 2019 11:21:35 -0400 Bob Smith <bobs04475 at gmail.com> wrote:

> > Then I cannot help you further; we do not support sssd, mainly
> > because we do not produce it. I suggest you ask on the sssd-users
> > mailing list. Your main problem is that Domain Admins is unknown to
> > the Unix OS. I could advise you how to fix this problem, but only
> > if you actually use winbind (which must be running, as it is now
> > required) and remove sssd.
>
> I wish I was still using winbind... I will ask on the sssd-users
> mailing list.
>
> Thanks!
> B.

Then use it. There is very little that sssd can do that winbind cannot.

Rowland