[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012

Rowland Penny rowlandpenny at googlemail.com
Fri Jun 12 02:40:38 MDT 2015


On 11/06/15 16:29, Yanni wrote:
> Hello Samba
>
> I have been trying to fix the problem below for several days with no 
> success and I can't understand why.
> Please help me if you can.
>
> I've got a windows server 2012 running AD and I want to store the user 
> profiles in a Samba filestore server called "Jimmy". Jimmy has the 
> following smb.conf:
>
>  [global]
>   server string = Samba4 file server
>   workgroup = TESTAD
>   security = ADS
>   realm = TESTAD.BIO.AC.UK
>   domain master = no
>   prefered master = no
>   local master = no
>   os level = 0
>   browse list = yes
>   encrypt passwords = yes
>   template shell = /bin/bash
>   name resolve order = bcast
> #-------- Mapping RID--------
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-3999
>    idmap config TESTAD: backend = rid
>    idmap config TESTAD: range = 10000-99999
> #------- Winbind ----------
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
>    winbind expand groups = 4
>    winbind normalize names = Yes
>
>    vfs objects = acl_xattr
>    map acl inherit = yes
>
> #Logging Settings
>    log level = 3
>    log file = /var/log/samba/log.%m
>    max log size = 50
>
> #----Profile Store Settings---------
> [profs]
>    comment = WinProfsStorage
>    path = /disk1/profs
>    read only = no
>    store dos attributes = yes
>    create mask = 0600
>    directory mask = 0755
>    profile acls = yes
>    csc policy = disable
>
> My problem is that users get temp profile whenever they log into a 
> win7 client which is also a TESTAD member.
> The error I get is: You have been logged on with a temp profile. In 
> the event log it is indicated that this is due to "insufficient 
> security rights". EventID: 1521 and 1511.
>
> Below are my settings on Jimmy:
> 1. I can confirm that Selinux, iptables and firewalld are all disabled
> 2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo 
> -u", "wbinfo -g", "getent passwd" and
>     "getent group" return the right values.
> 3. I can confirm that clocks on Jimmy and AD server are in sync.
> 4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root 
> domain_users 23 Jun 11 15:57 profs
>
>
> Windows AD server facts/settings:
> 1. I can view,access and write to "/disk1/profs"
> 2. The security tab of "profs" shows the following user names and 
> their permissions:
>     Creator Owner: has only the "special permissions" ticked, which is 
> greyed out
>     Domain Users: Full Control
>     Administrators (JIMMY\Administrators): Full Control
>     Users: (JIMMY\Users): Full Control
>
> 3. Under the "Advanced" button in the "Security tab" I can see these 
> permission entries:
>     Root (unix user\root)
>     Administrators (JIMMY\Administrators)
>     CREATOR OWNER
>     Domain Users
>     Users (JIMMY\Users)
>
> 4. For all the above entries:
>    "type" is set to "Allow"
>    "Access" is set to "Full Control"
>    "Inherit from" is set to "None"
>    "Applies to" are set to "This folder, subfolder and files", except 
> CREATOR OWNER which is set to "Sub-folders and files only".
>
> Note: I can edit any of these permission entries except "Creator 
> owner". If I attempt to change the "applies to" setting of this entry 
> to something else, the change reverses back when I hit "Apply"
>
> Windows 7 client, when logged in with temp profile as domain user
> 1. user can view,access and write to "/disk1/profs"
> 2. the "do not check profile ownership on roaming profiles" is enabled 
> on the client (desperate move)
> 3. the network security setting: "Restrict NTLM: outgoing NTLM 
> traffic to remote servers" is set to "ALLOW ALL"
>
>
> Please provide any suggestions you may have and of course have the time 
> to do so.
>
> Many thanks for your help
> Yanni
>

Hi, have a look here: 
https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

You do not need everything you have put into [profs]

Also, do your users know where [profs] is? Do they have the 
'profilePath' attribute set on their AD objects?

Rowland
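The profilePath question above is the first thing to check from the Windows side. The following is an added example (not code from the thread, Rowland or the Samba project) to run on the Windows Server 2012 DC: it lists enabled users whose profilePath is missing or does not point at the Samba share, sets it for a given user, and inspects the per-user profile folder Windows creates on first successful logon. Assumptions: the ActiveDirectory PowerShell module is installed on the DC, the file server is reachable as \\jimmy and the share is [profs] as in the thread, and the hypothetical function names Set-RoamingProfilePath and Test-ProfileFolder are mine.

```powershell
# Added example, not from the thread. Run on the TESTAD domain controller.
Import-Module ActiveDirectory

# UNC of the Samba [profs] share from the thread (assumed NetBIOS name JIMMY).
$Share = '\\jimmy\profs'

# 1. Audit: enabled users whose profilePath is unset or points somewhere else.
#    Without this attribute the client never looks at the share at all.
function Get-UsersWithoutProfilePath {
    param([string]$ShareRoot = $Share)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties ProfilePath |
        Where-Object { -not $_.ProfilePath -or $_.ProfilePath -notlike "$ShareRoot\*" } |
        Select-Object SamAccountName, ProfilePath
}

# 2. Set profilePath for one user. Use only share\username: Windows Vista/7
#    append ".V2" to the folder name themselves, so do not add it here.
function Set-RoamingProfilePath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ShareRoot = $Share
    )
    $path = Join-Path $ShareRoot $SamAccountName
    if ($PSCmdlet.ShouldProcess($SamAccountName, "set profilePath to $path")) {
        Set-ADUser -Identity $SamAccountName -ProfilePath $path
    }
    return $path
}

# 3. After a test logon, confirm the server created <user>.V2 and show who can
#    reach it. Event 1521/1511 with "insufficient security rights" usually
#    means the user is not the owner or lacks Full Control on this folder.
function Test-ProfileFolder {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ShareRoot = $Share
    )
    $folder = Join-Path $ShareRoot "$SamAccountName.V2"
    if (-not (Test-Path -LiteralPath $folder)) {
        return "missing: $folder (client never wrote the profile)"
    }
    $acl = Get-Acl -LiteralPath $folder
    [pscustomobject]@{
        Folder = $folder
        Owner  = $acl.Owner
        Access = $acl.Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
    }
}

# Usage (dry run first, then for real):
Get-UsersWithoutProfilePath | Format-Table -AutoSize
Set-RoamingProfilePath -SamAccountName 'testuser' -WhatIf
Set-RoamingProfilePath -SamAccountName 'testuser'
Test-ProfileFolder -SamAccountName 'testuser'
```

Set the attribute, log the test user off and on at the Windows 7 client, then run Test-ProfileFolder: the owner should be the user and the user's ACE should be Full Control. If the folder is never created, the failure is on the share path or its permissions rather than on profilePath.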