samba - Nov 2019 - Sometimes Roaming Profile loose rights to restart shutdown...

Hi,
sometimes my Roaming Profile gets buggy and i cant use the Reboot 
Shutdown ... function all other works.
When i make a new users.v6 folder the Profile works again very well.

I tried all GPOs i found for energy settings but nothing helps if the 
Profile is broken.  Only delete and make a new one works

Samba 4.11.2
Win10 1803-1903

any ideas? or Workarounds?


Ren?



Mit freundlichen Gr??en,
Eure IT


-- 
***********************************************
aixtema GmbH
Ren? Fuchs
Philipsstr. 8, 52068 Aachen, Germany
Tel.: +49 241 70515-1323, Fax: +49 241 70515-15
mailto:admins at aixtema.de

WWW: http://www.aixtema.de
Shop: http://shop.aixtema.de

Geschaeftsfuehrer: Oliver Rossbruch
HRB 8201, Amtsgericht Aachen
USt.-Id-Nr. DE 210 906 744
St.-Nr. 201/5942/3737, Finanzamt Aachen Stadt
***********************************************

Hai,  

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> admins aixtema via samba
> Verzonden: donderdag 14 november 2019 14:02
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Sometimes Roaming Profile loose rights to 
> restart shutdown...
> 
> Hi,
> sometimes my Roaming Profile gets buggy and i cant use the Reboot 
> Shutdown ... function all other works.
> When i make a new users.v6 folder the Profile works again very well.
> 
> I tried all GPOs i found for energy settings but nothing helps if the 
> Profile is broken.  Only delete and make a new one works
> 
> Samba 4.11.2
> Win10 1803-1903
> 
> any ideas? or Workarounds?
Same as the previous message on the list. Your rights setup is incorrect. 
Share security : everyone full. 
Folder security : Creater Onwer - Special, only sub folders and files 
			Adminstrator - Full control, This folder and subfolders and files. 
			BUILTIN\Administrators	special, only this folder.

I suggest setup as show. 

[profiles]
    browseable = yes
    path = /your_path_too/profiles
    read only = no
    acl_xattr:ignore system acl = yes
Why not use the better windows mapping in profiles if its only use by windows. 

man smb.conf and read about acl_xattr:ignore system acl

Restart samba 

Then read :
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#The_Windows_Roaming_Profile_Versions

And apply exactly as shown, that should work.
DO NOTE, previous rights needs to set again, from within windows. 
Or, use setfact and setup like this. 

drwxrwx--T+ 110 root root  4096 Nov 11 14:42 profiles

getfacl profiles/
# file: profiles/
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:mask::rwx
default:other::---


drwxrwx---+  27 username domain users 4096 Oct 18 18:42 username.V6
getfacl profiles/username.V6/
# file: profiles/username.V6/
# owner: username
# group: domain\040users
user::rwx
user:username:rwx
group::---
group:2005:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:username:rwx
default:group::---
default:group:2005:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---

Verify this, i have 2005, you GID number might be different

wbinfo -Y S-1-5-18
2005

wbinfo -G 2005
S-1-5-18

wbinfo -s S-1-5-18
NT Authority\SYSTEM 5


If not need more info, mail the list again. 
But above works for me since samba 4.6 or so. 
Win7-win10 upto 1903




Greetz, 

Louis

Ow and some might see i use different setting as shown on the wiki. 

Yes, i use Everyone on the share with full control and the wiki not. 
Even i have everyone, nobody (as in guests) can write as guess on the server.
You still need to be domain verified due to the folder rights.

Because of the rights on /home/samba/profiles in this setup. 

There are more options that work fine, but i advice to start with Everyone on
share.
That simplifies a lot.. 
Then when everything works, you can try to tighten security even more. 


Greetz, 

Louis
 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> L.P.H. van Belle via samba
> Verzonden: donderdag 14 november 2019 15:00
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Sometimes Roaming Profile loose rights 
> to restart shutdown...
> 
> Hai,  
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> > admins aixtema via samba
> > Verzonden: donderdag 14 november 2019 14:02
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] Sometimes Roaming Profile loose rights to 
> > restart shutdown...
> > 
> > Hi,
> > sometimes my Roaming Profile gets buggy and i cant use the Reboot 
> > Shutdown ... function all other works.
> > When i make a new users.v6 folder the Profile works again very well.
> > 
> > I tried all GPOs i found for energy settings but nothing 
> helps if the 
> > Profile is broken.  Only delete and make a new one works
> > 
> > Samba 4.11.2
> > Win10 1803-1903
> > 
> > any ideas? or Workarounds?
> 
> Same as the previous message on the list. Your rights setup 
> is incorrect. 
> Share security : everyone full. 
> Folder security : Creater Onwer - Special, only sub folders and files 
> 			Adminstrator - Full control, This 
> folder and subfolders and files. 
> 			BUILTIN\Administrators	special, only 
> this folder.
> 
> I suggest setup as show. 
> 
> [profiles]
>     browseable = yes
>     path = /your_path_too/profiles
>     read only = no
>     acl_xattr:ignore system acl = yes
> Why not use the better windows mapping in profiles if its 
> only use by windows. 
> 
> man smb.conf and read about acl_xattr:ignore system acl
> 
> Restart samba 
> 
> Then read : 
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> #The_Windows_Roaming_Profile_Versions 
> 
> And apply exactly as shown, that should work.
> DO NOTE, previous rights needs to set again, from within windows. 
> Or, use setfact and setup like this. 
> 
> drwxrwx--T+ 110 root root  4096 Nov 11 14:42 profiles
> 
> getfacl profiles/
> # file: profiles/
> # owner: root
> # group: root
> # flags: --t
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:mask::rwx
> default:other::---
> 
> 
> drwxrwx---+  27 username domain users 4096 Oct 18 18:42 username.V6
> getfacl profiles/username.V6/
> # file: profiles/username.V6/
> # owner: username
> # group: domain\040users
> user::rwx
> user:username:rwx
> group::---
> group:2005:rwx
> group:domain\040users:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:username:rwx
> default:group::---
> default:group:2005:rwx
> default:group:domain\040users:---
> default:mask::rwx
> default:other::---
> 
> Verify this, i have 2005, you GID number might be different
> 
> wbinfo -Y S-1-5-18
> 2005
> 
> wbinfo -G 2005
> S-1-5-18
> 
> wbinfo -s S-1-5-18
> NT Authority\SYSTEM 5
> 
> 
> If not need more info, mail the list again. 
> But above works for me since samba 4.6 or so. 
> Win7-win10 upto 1903
> 
> 
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>