[Samba] Samba4: Folder Redirection GPO not working with Windows 7

mat at matws.net mat at matws.net
Mon Oct 8 09:40:02 MDT 2012


Ok, can you check that this simple user can go into the \\server\sysvol folder and then access all the files under <dnsnamedomain>/policies, and cross-check that this GPO is really applied by setting in the same GPO a rule for the wallpaper or something else visible?

On Oct 8, 2012, at 12:40 AM, steve <steve at steve-ss.com> wrote:

> On 08/10/12 02:56, Matthieu Patou wrote:
>> Steve
>>>> Hi Rowland
>>>> Thanks for that. I've now got a security tab back. But still no folder
>>>> redirection:(
>>>> 
>>> 
>>> Having the security tab back on \\hh1\USERS now gives everyone
>>> permission to enter and create files in the share and now
>>> Administrator has his Application Data redirected to the share. He has
>>> a file under \\hh1\USERS as per the GPO.
>>> 
>>> However, ordinary users, whilst able to read and write the share do
>>> not have their Application Data redirected.
>>> 
>>> Still works fine for all users with XP but not W7.
>>> 
>> Obviously the biggest change between XP and Seven is the fact that seven
>> will use smb 2.x by default when XP can do smb/cifs.
>> So you have to carefully look at the SMB2 trace between your client and
>> the samba server when doing it with an administrator (which works if I
>> understood your emails) and a "normal" user.
>> Most probably our fileserver either denies something to simple users or
>> didn't answer correctly. For this you'll need to use wireshark.
>> 
>> Once you have more information we might be able to help you, providing
>> information + traces (if no sensitive information) might help even more.
>> 
>> Matthieu.
>> 
>> 
> 
> Hi Matthieu
> Thanks for the offer of help.
> 
> Summary:
> 1. The Folder redirection GPO works fine for all users with XP and with Administrator on W7.
> 2. The folder redirection GPO does not work for ordinary domain users on W7.
> 3. I have run samba-tool ntacl sysvolreset
> 
> Here is a screenshot of the GPO:
> http://dl.dropbox.com/u/45150875/gpo.png
> 
> Here is smb.conf:
> [global]
>        workgroup = MARINA
>        realm = hh3.site
>        netbios name = HH1
>        server role = active directory domain controller
>        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winb
>        dns forwarder = 192.168.1.1
>        idmap_ldb:use rfc2307 = Yes
> 
> [netlogon]
>        path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
>        read only = No
> 
> [sysvol]
>        path = /usr/local/samba/var/locks/sysvol
>        read only = No
> 
> [profiles]
>        path = /home2/profiles
>        read only = No
>        create mask = 0700
> 
> [USERS]
>        path = /home2/USERS
>        read only = No
> 
> Here is the wireshark of Administrator logon and logoff:
> http://dl.dropbox.com/u/45150875/logonadmin
> 
> Here is the wireshark of a domain user, steve2, logon and logoff:
> http://dl.dropbox.com/u/45150875/logonuser
> 
> In the user trace, there is no reference to the redirected folder on the server and none is created. The user seems unaware of the gpo.
> 
> TIA for any time you can give.
> Cheers,
> Steve
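
The sysvol check suggested in the reply at the top, as an added example (not part of the original messages): a PowerShell 2.0 script to run on the Windows 7 client while logged on as the ordinary user. The server name hh1 and the domain hh3.site come from the quoted smb.conf; the function name is made up for this example.

```powershell
# Added example; run in a PowerShell window as the ordinary domain user
# (steve2 in this thread) on the Windows 7 client. Works on PowerShell 2.0.
# Server (hh1) and domain (hh3.site) are taken from the quoted smb.conf.
$PolicyRoot = '\\hh1\sysvol\hh3.site\Policies'

function Test-GpoTreeReadable {
    param([string]$Path)

    $problems = @()

    # Walk the whole tree; folders that cannot be listed land in $listErrors.
    $items = @(Get-ChildItem -LiteralPath $Path -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable listErrors)

    foreach ($err in $listErrors) {
        $problems += New-Object PSObject -Property @{
            Path   = [string]$err.TargetObject
            Stage  = 'list'
            Reason = $err.Exception.Message
        }
    }

    # Listing a file is not enough: try to open each one for reading.
    foreach ($item in $items) {
        if ($item.PSIsContainer) { continue }
        try {
            $stream = [System.IO.File]::OpenRead($item.FullName)
            $stream.Close()
        } catch {
            $problems += New-Object PSObject -Property @{
                Path   = $item.FullName
                Stage  = 'read'
                Reason = $_.Exception.Message
            }
        }
    }

    Write-Host ("Checked {0} items under {1} as {2}" -f $items.Count, $Path, $env:USERNAME)
    return $problems
}

$result = @(Test-GpoTreeReadable -Path $PolicyRoot)
if ($result.Count -eq 0) { Write-Host 'Every policy file is readable.' }
else { $result | Format-Table Stage, Path, Reason -AutoSize }
```

Running it once as Administrator and once as the ordinary user shows whether the two accounts see the same policy tree; `gpresult /r` in the same session lists the GPOs Windows actually applied to the user.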