[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
Yanni
y.goudetsidis at mail.cryst.bbk.ac.uk
Thu Jun 11 09:29:49 MDT 2015
Hello Samba
I have been trying to fix the problem below for several days with no
success and I can't understand why.
Please help me if you can.
I've got a windows server 2012 running AD and I want to store the user
profiles in a Samba filestore server called "Jimmy". Jimmy has the
following smb.conf:
[global]
	server string = Samba4 file server
	workgroup = TESTAD
	security = ADS
	realm = TESTAD.BIO.AC.UK
	domain master = no
	preferred master = no
	local master = no
	os level = 0
	browse list = yes
	encrypt passwords = yes
	template shell = /bin/bash
	name resolve order = bcast
	#-------- Mapping RID--------
	idmap config *:backend = tdb
	idmap config *:range = 2000-3999
	idmap config TESTAD: backend = rid
	idmap config TESTAD: range = 10000-99999
	#------- Winbind ----------
	winbind trusted domains only = no
	winbind use default domain = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind refresh tickets = Yes
	winbind expand groups = 4
	winbind normalize names = Yes
	vfs objects = acl_xattr
	map acl inherit = yes
	#Logging Settings
	log level = 3
	log file = /var/log/samba/log.%m
	max log size = 50
#----Profile Store Settings---------
[profs]
	comment = WinProfsStorage
	path = /disk1/profs
	read only = no
	store dos attributes = yes
	create mask = 0600
	directory mask = 0755
	profile acls = yes
	csc policy = disable
My problem is that users get a temp profile whenever they log into a win7
client which is also a TESTAD member.
The error I get is: You have been logged on with a temp profile. In the
event log it is indicated that this is due to "insufficient security
rights". EventID: 1521 and 1511.
Below are my settings on Jimmy:
1. I can confirm that Selinux, iptables and firewalld are all disabled
2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo
-u", "wbinfo -g", "getent passwd" and
"getent group" return the right values.
3. I can confirm that clocks on Jimmy and AD server are in sync.
4. Permissions on the "path=/disk1/profs" are:
drwxrwx--T+ 3 root domain_users 23 Jun 11 15:57 profs
Windows AD server facts/settings:
1. I can view, access and write to "/disk1/profs"
2. The security tab of "profs" shows the following user names and their
permissions:
Creator Owner: has only the "special permissions" ticked, which is
greyed out
Domain Users: Full Control
Administrators (JIMMY\Administrators): Full Control
Users: (JIMMY\Users): Full Control
3. Under the "Advanced" button in the "Security tab" I can see these
permission entries:
Root (unix user\root)
Administrators (JIMMY\Administrators)
CREATOR OWNER
Domain Users
Users (JIMMY\Users)
4. For all the above entries:
"type" is set to "Allow"
"Access" is set to "Full Control"
"Inherit from" is set to "None"
"Applies to" are set to "This folder, subfolder and files", except
CREATOR OWNER which is set to "Sub-folders and files only".
Note: I can edit any of these permission entries except "Creator owner".
If I attempt to change the "applies to" setting of this entry to
something else, the change reverses back when I hit "Apply"
Windows 7 client, when logged in with temp profile as domain user
1. user can view, access and write to "/disk1/profs"
2. the "do not check profile ownership on roaming profiles" is enabled
on the client (desperate move)
3. the network security setting: "Restrict NTLM: outgoing NTLM traffic
to remote servers" is set to "ALLOW ALL"
Please provide any suggestions you may have, if of course you have the time
to do so.
Many thanks for your help
Yanni
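Added here as a diagnostic for the [profs] share described in the post (example code, not from the original message or from Samba): it walks the <user>.V2 profile directories under the share root and reports which are not owned by their user (the condition the client's roaming-profile ownership check enforces) or are readable by group/other. It assumes GNU stat(1), the Windows 7 "<user>.V2" folder naming, and the share path /disk1/profs from the smb.conf above.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post.  Lists every <user>.V2
# directory under the profile share and checks owner and mode.
# Assumes GNU stat(1); PROFS_ROOT defaults to the share path in the post.

PROFS_ROOT="${PROFS_ROOT:-/disk1/profs}"

# check_profile_dir DIR USER
# Returns 0 when DIR exists, is owned by USER (compared case-insensitively,
# since "winbind normalize names" lowercases names) and grants nothing to
# group/other (drwx------).  Otherwise prints the reason and returns 1.
check_profile_dir() {
    pdir=$1
    puser=$2
    if [ ! -d "$pdir" ]; then
        echo "MISSING   $pdir"
        return 1
    fi
    powner=$(stat -c '%U' "$pdir") || return 1
    pmode=$(stat -c '%A' "$pdir") || return 1
    lc_owner=$(printf '%s' "$powner" | tr 'A-Z' 'a-z')
    lc_user=$(printf '%s' "$puser" | tr 'A-Z' 'a-z')
    if [ "$lc_owner" != "$lc_user" ]; then
        echo "BADOWNER  $pdir (owner=$powner, expected $puser)"
        return 1
    fi
    case "$pmode" in
        d???------) ;;                        # rwx for the owner only
        *) echo "BADMODE   $pdir ($pmode)"; return 1 ;;
    esac
    echo "OK        $pdir"
    return 0
}

# report_share: scan every <user>.V2 directory under PROFS_ROOT.
# Returns the number of directories that failed the check (0 = all fine).
report_share() {
    bad=0
    for d in "$PROFS_ROOT"/*.V2; do
        [ -d "$d" ] || continue               # no match leaves the literal glob
        u=$(basename "$d" .V2)
        check_profile_dir "$d" "$u" || bad=$((bad + 1))
    done
    return "$bad"
}

if [ -d "$PROFS_ROOT" ]; then
    report_share || echo "$? profile directories need attention"
fi
```

Run it on the Samba host as root so every directory is readable; a BADOWNER line for a user who still gets a temporary profile is the first thing to reconcile.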