samba - Jul 2020 - Users, home directories and profiles

> root at localhost:~# getfacl /home/samba/users/
> getfacl: Removing leading '/' from absolute path names
> # file: home/samba/users/
> # owner: root
> # group: root
> user::rwx
> group::rwx
> other::rwx
> root at localhost:~# samba-tool ntacl get /home/samba/users --as-sddl
>
O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
--------------------------------------------------------------------------------------------------------------------
Sorry for the bad format....I am fighting to get lists.samba.org into a
newsreader without success (bloody Austrian A1 doesn't have a news server
anymore and I couldn't find a nntp server with samba lists)
  
If you change the file/directory owner to a unix user, windows explorer is
crashing immediately in the security tab. The only exception is the user root,
because it mapped to Administrator.


Mani

On 01/07/2020 12:15, Robi. T. Wagner via samba wrote:
>> root at localhost:~# getfacl /home/samba/users/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/samba/users/
>> # owner: root
>> # group: root
>> user::rwx
>> group::rwx
>> other::rwx
>> root at localhost:~# samba-tool ntacl get /home/samba/users --as-sddl
>>
O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
>
--------------------------------------------------------------------------------------------------------------------
> Sorry for the bad format....I am fighting to get lists.samba.org into a
newsreader without success (bloody Austrian A1 doesn't have a news server
anymore and I couldn't find a nntp server with samba lists)
>    
> If you change the file/directory owner to a unix user, windows explorer is
crashing immediately in the security tab. The only exception is the user root,
because it mapped to Administrator.
>
>
> Mani
Now I think about it, we have had this before and it is a Windows bug, 
if I remember correctly, someone at Windows was supposed to be looking 
into it.

Rowland

On 01.07.2020 13:35, Rowland penny via samba wrote:
> On 01/07/2020 12:15, Robi. T. Wagner via samba wrote:
>>> root at localhost:~# getfacl /home/samba/users/
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/samba/users/
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> group::rwx
>>> other::rwx
>>> root at localhost:~# samba-tool ntacl get /home/samba/users
--as-sddl
>>>
O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
>>>
>>
--------------------------------------------------------------------------------------------------------------------
>>
>> Sorry for the bad format....I am fighting to get lists.samba.org into 
>> a newsreader without success (bloody Austrian A1 doesn't have a
news
>> server anymore and I couldn't find a nntp server with samba lists)
>> ?? If you change the file/directory owner to a unix user, windows 
>> explorer is crashing immediately in the security tab. The only 
>> exception is the user root, because it mapped to Administrator.
>>
>>
>> Mani
>
> Now I think about it, we have had this before and it is a Windows bug, 
> if I remember correctly, someone at Windows was supposed to be looking 
> into it.
>
> Rowland
>
Yes, this was a short discussion a year ago with no outcome, till I 
found by accident the post from Julia with the patch a few months ago.

Lets put it this way: Explorer shouldn't crash, when Samba is sending 
nonsense, when a user is mis-using an AD-DC as member server ;-)

On Wed, 1 Jul 2020 12:35:08 +0100
Rowland penny via samba <samba at lists.samba.org> wrote:
> On 01/07/2020 12:15, Robi. T. Wagner via samba wrote:
> >> root at localhost:~# getfacl /home/samba/users/
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: home/samba/users/
> >> # owner: root
> >> # group: root
> >> user::rwx
> >> group::rwx
> >> other::rwx
> >> root at localhost:~# samba-tool ntacl get /home/samba/users
--as-sddl
> >>
O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
> >
--------------------------------------------------------------------------------------------------------------------
> > Sorry for the bad format....I am fighting to get lists.samba.org
> > into a newsreader without success (bloody Austrian A1 doesn't have
> > a news server anymore and I couldn't find a nntp server with samba
> > lists) If you change the file/directory owner to a unix user,
> > windows explorer is crashing immediately in the security tab. The
> > only exception is the user root, because it mapped to Administrator.
> >
> >
> > Mani  
> 
> Now I think about it, we have had this before and it is a Windows
> bug, if I remember correctly, someone at Windows was supposed to be
> looking into it.
> 
> Rowland
> 
> 
> 
Ok, for the moment with the patch I'm able to set the permissions to the
home directories of the domain users.
Now the other problem is that after I created new users on samba server
I'm unable to login into the windows client. When I try to login using
a new user I receive:

We can't sign you with this credential because your domain isn't
available. Make sure your device is connected to your organization's
network and try again. If you previously signed in on this device with
another credential, you can sign in with that credential.


But I'm able to login using the user I created as administrator.



-- 
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Enrico Morelli via samba
> Verzonden: woensdag 1 juli 2020 14:06
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Users, home directories and profiles
> 
> On Wed, 1 Jul 2020 12:35:08 +0100
> Rowland penny via samba <samba at lists.samba.org> wrote:
> 
> > On 01/07/2020 12:15, Robi. T. Wagner via samba wrote:
> > >> root at localhost:~# getfacl /home/samba/users/
> > >> getfacl: Removing leading '/' from absolute path
names
> > >> # file: home/samba/users/
> > >> # owner: root
> > >> # group: root
> > >> user::rwx
> > >> group::rwx
> > >> other::rwx
> > >> root at localhost:~# samba-tool ntacl get /home/samba/users 
> --as-sddl
> > >> 
> O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;S-1-22-
> 2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x
> 001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)  
> > > 
> --------------------------------------------------------------
> ------------------------------------------------------
> > > Sorry for the bad format....I am fighting to get lists.samba.org
> > > into a newsreader without success (bloody Austrian A1 doesn't
have
> > > a news server anymore and I couldn't find a nntp server with
samba
> > > lists) If you change the file/directory owner to a unix user,
> > > windows explorer is crashing immediately in the security tab. The
> > > only exception is the user root, because it mapped to 
> Administrator.
> > >
> > >
> > > Mani  
> > 
> > Now I think about it, we have had this before and it is a Windows
> > bug, if I remember correctly, someone at Windows was supposed to be
> > looking into it.
> > 
> > Rowland
> > 
> > 
> > 
> 
> Ok, for the moment with the patch I'm able to set the permissions to
the
> home directories of the domain users. 
Why are you "manualy" setting the permissions, thats not needed. 

In ADUC, you need to set 2 things and profiles and homedirs are created
automaticly.
Tab Profile 
Path to user profile :  \\server.fqdn\profiles\%username% 
BaseFolder : Connect (choose a letter:) connect with : 
\\server.fqdn\users\%username%

Apply and its created, ( note, profiles is created when you login/loggoff )
> Now the other problem is that after I created new users on samba server
> I'm unable to login into the windows client. When I try to login using
> a new user I receive:
> 
> We can't sign you with this credential because your domain isn't
> available. Make sure your device is connected to your organization's
> network and try again. If you previously signed in on this device with
> another credential, you can sign in with that credential.
Any windows Event ID's might help .. ID + description .. 
> 
> 
> But I'm able to login using the user I created as administrator.
> 
Try in the GPO's, Wait for Network ( apply for computer ). 
Reboot 2 times. 

And try again. 

Greetz, 

Louis