[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
Rowland Penny
rowlandpenny at googlemail.com
Fri Jun 12 02:40:38 MDT 2015
On 11/06/15 16:29, Yanni wrote:
> Hello Samba
>
> I have been trying to fix the problem below for several days with no
> success and I can't understand why.
> Please help me if you can.
>
> I've got a windows server 2012 running AD and I want to store the user
> profiles in a Samba filestore server called "Jimmy". Jimmy has the
> following smb.conf:
>
> [global]
> server string = Samba4 file server
> workgroup = TESTAD
> security = ADS
> realm = TESTAD.BIO.AC.UK
> domain master = no
> prefered master = no
> local master = no
> os level = 0
> browse list = yes
> encrypt passwords = yes
> template shell = /bin/bash
> name resolve order = bcast
> #-------- Mapping RID--------
> idmap config *:backend = tdb
> idmap config *:range = 2000-3999
> idmap config TESTAD: backend = rid
> idmap config TESTAD: range = 10000-99999
> #------- Winbind ----------
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind expand groups = 4
> winbind normalize names = Yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
>
> #Logging Settings
> log level = 3
> log file = /var/log/samba/log.%m
> max log size = 50
>
> #----Profile Store Settings---------
> [profs]
> comment = WinProfsStorage
> path = /disk1/profs
> read only = no
> store dos attributes = yes
> create mask = 0600
> directory mask = 0755
> profile acls = yes
> csc policy = disable
>
> My problem is that users get temp profile whenever they log into a
> win7 client which is also a TESTAD member.
> The error I get is: You have been logged on with a temp profile. In
> the event log it is indicated that this is due to "insufficient
> security rights". EventID: 1521 and 1511.
>
> Below are my settings on Jimmy:
> 1. I can confirm that Selinux, iptables and firewalld are all disabled
> 2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo
> -u", "wbinfo -g", "getent passwd" and
> "getent group" return the right values.
> 3. I can confirm that clocks on Jimmy and AD server are in sync.
> 4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root
> domain_users 23 Jun 11 15:57 profs
>
>
> Windows AD server facts/settings:
> 1. I can view, access and write to "/disk1/profs"
> 2. The security tab of "profs" shows the following user names and
> their permissions:
> Creator Owner: has only the "special permissions" ticked, which is
> greyed out
> Domain Users: Full Control
> Administrators (JIMMY\Administrators): Full Control
> Users: (JIMMY\Users): Full Control
>
> 3. Under the "Advanced" button in the "Security tab" I can see these
> permission entries:
> Root (unix user\root)
> Administrators (JIMMY\Administrators)
> CREATOR OWNER
> Domain Users
> Users (JIMMY\Users)
>
> 4. For all the above entries:
> "type" is set to "Allow"
> "Access" is set to "Full Control"
> "Inherit from" is set to "None"
> "Applies to" are set to "This folder, subfolder and files", except
> CREATOR OWNER which is set to "Sub-folders and files only".
>
> Note: I can edit any of these permission entries except "Creator
> owner". If I attempt to change the "applies to" setting of this entry
> to something else, the change reverses back when I hit "Apply"
>
> Windows 7 client, when logged in with temp profile as domain user
> 1. user can view, access and write to "/disk1/profs"
> 2. the "do not check profile ownership on roaming profiles" is enabled
> on the client (desperate move)
> 3. the network security setting: "Restrict NTLM: outgoing NTLM
> traffic to remote servers" is set to "ALLOW ALL"
>
>
> Please provide any suggestions you may have and of course have the time
> to do so.
>
> Many thanks for your help
> Yanni
Hi, have a look here:
https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
You do not need everything you have put into [profs]
Also, do your users know where [profs] is? Do they have the
'profilePath' attribute set on their AD objects?
Rowland
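Rowland's second question (whether the users' AD objects carry a profilePath pointing at the share) is the quickest thing to verify before touching share permissions again. The PowerShell below is an added example, not code from the thread or from Samba: it audits which enabled domain users have no profilePath, flags any that point somewhere other than the intended share, and previews setting the missing ones. It assumes the ActiveDirectory RSAT module is available on the Windows Server 2012 DC (or an admin workstation), that the share is reachable as \\jimmy\profs (the UNC is assembled from the server name "Jimmy" and share "[profs]" in the original mail), and that the account running it may write the attribute.

```powershell
# Added example (not from the thread): audit and preview-fix the profilePath
# attribute for domain users who should roam to the Samba [profs] share.
# Assumptions: ActiveDirectory module installed, share UNC is \\jimmy\profs,
# and the caller has rights to modify user objects.

Import-Module ActiveDirectory

$ProfileShare = '\\jimmy\profs'   # assumed UNC of the [profs] share on Jimmy

# 1. Report: every enabled user and whatever profilePath is currently set.
$users = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties ProfilePath |
           Select-Object SamAccountName, ProfilePath)

$missing = @($users | Where-Object { -not $_.ProfilePath })
$present = @($users | Where-Object { $_.ProfilePath })

Write-Host ("Users with profilePath set: {0}" -f $present.Count)
Write-Host ("Users with NO profilePath:  {0}" -f $missing.Count)
$missing | Format-Table -AutoSize

# 2. Flag users whose profilePath points somewhere other than the share;
#    those will also get a temporary profile if the old location is gone.
$present |
    Where-Object { $_.ProfilePath -notlike "$ProfileShare\*" } |
    ForEach-Object {
        Write-Warning ("{0}: profilePath '{1}' is not under {2}" -f
            $_.SamAccountName, $_.ProfilePath, $ProfileShare)
    }

# 3. Preview setting a path for users that lack one. -WhatIf only prints the
#    intended change; remove it to apply. Do NOT append ".V2": Windows 7
#    adds that suffix to the folder name itself.
foreach ($u in $missing) {
    $path = Join-Path $ProfileShare $u.SamAccountName
    Set-ADUser -Identity $u.SamAccountName -ProfilePath $path -WhatIf
}
```

Run it once with -WhatIf to confirm the list of affected accounts matches the users who are getting temporary profiles; if every one of them shows "NO profilePath", the share ACLs were never the problem, because the client never tried to load a roaming profile from Jimmy in the first place.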