[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012

L.P.H. van Belle belle at bazuin.nl
Fri Jun 12 02:50:57 MDT 2015


And, to make it easier for yourself, use: ignore system acl

The profiles share is only (or should be) used by Windows computers.
Therefore you can use this as a profiles setup which does not care about the Linux POSIX rights.

Like this:
[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

If your setup is done, and very well tested, you can change
 "browseable = yes" to "browseable = no"
and now your profiles share is correctly configured, and a hidden share.

This is my profiles folder : 
drwxrwx--T+  2 root root  4096 Jun  3 16:45 profiles 

!!! Make sure you first set the share options, reload the Samba config and then change the rights on the share from within Windows.
!!! Set it according to the wiki !!


and choose !!

OR: Profile share using Windows ACLs
OR: Profile share using POSIX ACLs
and don't mix these two settings.


Greetz, 

Louis
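As an added example (not code from Louis, Rowland, Yanni or the Samba project), the script below reads an smb.conf and reports the things this thread turns on for a profiles share: whether it is read only, still browseable, sets `acl_xattr:ignore system acl` without the acl_xattr module being loaded, mixes that Windows-ACL option with POSIX-style options such as `create mask` or `profile acls`, or loads acl_xattr without ignoring the system ACL (in which case the Linux POSIX rights on the path still decide access). The sample configuration is constructed from the [global]/[profs] sections and the [profiles] share posted in this thread plus an invented [mixed] share; the parser, the rule set and the list of "POSIX-style" parameters are assumptions made for this example, not Samba's own checks.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf (not a real server's file): [global] and [profs]
# follow Yanni's posted configuration, [profiles] follows Louis's suggestion,
# and [mixed] is an invented share that combines both approaches.
SAMPLE_SMB_CONF = """
[global]
   workgroup = TESTAD
   security = ADS
   realm = TESTAD.BIO.AC.UK
   vfs objects = acl_xattr
   map acl inherit = yes
   log file = /var/log/samba/log.%m

#----Profile Store Settings---------
[profs]
   comment = WinProfsStorage
   path = /disk1/profs
   read only = no
   store dos attributes = yes
   create mask = 0600
   directory mask = 0755
   profile acls = yes
   csc policy = disable

[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

[mixed]
    path = /srv/samba/mixed
    read only = no
    create mask = 0600
    acl_xattr:ignore system acl = yes
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")

# Parameters that belong to the POSIX-ACL style of profile share (assumption
# for this example, based on Louis's "don't mix" advice).
POSIX_STYLE = ("createmask", "directorymask", "forcecreatemode",
               "forcedirectorymode", "profileacls")


def normalize_key(key: str) -> str:
    """smb.conf parameter names are case- and whitespace-insensitive."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [sections], 'key = value' lines, '#'/';' comments.
    Only the first '=' splits a line, so 'acl_xattr:ignore system acl' survives
    as a key and '%m' style values are kept untouched."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][normalize_key(key)] = value.strip()
    return sections


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def is_writable(params: Dict[str, str]) -> bool:
    """'read only' defaults to yes; 'writeable'/'writable'/'write ok' invert it."""
    writable = not is_yes(params.get("readonly", "yes"))
    for synonym in ("writeable", "writable", "writeok"):
        if synonym in params:
            writable = is_yes(params[synonym])
    return writable


def lint_profile_share(conf_text: str, share: str) -> List[str]:
    """Return a list of findings (empty list means nothing to report)."""
    sections = parse_smb_conf(conf_text)
    share = share.lower()
    if share not in sections:
        return [f"share [{share}] not defined"]
    # Share-level parameters override [global] for the options checked here.
    effective = dict(sections.get("global", {}))
    effective.update(sections[share])
    findings: List[str] = []
    if "path" not in sections[share]:
        findings.append("no 'path' set")
    if not is_writable(effective):
        findings.append("read only: profiles cannot be written back")
    if is_yes(effective.get("browseable", "yes")):
        findings.append("browseable: hide the share with 'browseable = no' once tested")
    modules = effective.get("vfsobjects", "").split()
    ignore_acl = is_yes(effective.get("acl_xattr:ignoresystemacl", "no"))
    posix = [k for k in POSIX_STYLE if k in sections[share]]
    if ignore_acl and "acl_xattr" not in modules:
        findings.append("ignore system acl set but acl_xattr not in 'vfs objects'")
    if ignore_acl and posix:
        findings.append("mixed: ignore system acl plus POSIX options " + ", ".join(posix))
    if not ignore_acl and "acl_xattr" in modules:
        findings.append("acl_xattr without ignore system acl: POSIX rights on the path still apply")
    return findings


if __name__ == "__main__":
    for name in ("profs", "profiles", "mixed"):
        print(f"[{name}]")
        for finding in lint_profile_share(SAMPLE_SMB_CONF, name) or ["ok"]:
            print("  -", finding)
```

Run it against a real file with `lint_profile_share(open("/etc/samba/smb.conf").read(), "profiles")`; the checks only read the configuration, so they are safe to run on a live member server before the `reload` Louis mentions.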
 

>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Friday 12 June 2015 10:41
>To: samba at lists.samba.org
>Subject: Re: [Samba] you have been logged on with a
>temporary profile_win7 client+samba 4+WinServ2012
>
>On 11/06/15 16:29, Yanni wrote:
>> Hello Samba
>>
>> I have been trying to fix the problem below for several days with no 
>> success and I can't understand why.
>> Please help me if you can.
>>
>> I've got a windows server 2012 running AD and I want to store the user
>> profiles in a Samba filestore server called "Jimmy". Jimmy has the
>> following smb.conf:
>>
>>  [global]
>>   server string = Samba4 file server
>>   workgroup = TESTAD
>>   security = ADS
>>   realm = TESTAD.BIO.AC.UK
>>   domain master = no
>>   prefered master = no
>>   local master = no
>>   os level = 0
>>   browse list = yes
>>   encrypt passwords = yes
>>   template shell = /bin/bash
>>   name resolve order = bcast
>> #-------- Mapping RID--------
>>    idmap config *:backend = tdb
>>    idmap config *:range = 2000-3999
>>    idmap config TESTAD: backend = rid
>>    idmap config TESTAD: range = 10000-99999
>> #------- Winbind ----------
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = Yes
>>    winbind expand groups = 4
>>    winbind normalize names = Yes
>>
>>    vfs objects = acl_xattr
>>    map acl inherit = yes
>>
>> #Logging Settings
>>    log level = 3
>>    log file = /var/log/samba/log.%m
>>    max log size = 50
>>
>> #----Profile Store Settings---------
>> [profs]
>>    comment = WinProfsStorage
>>    path = /disk1/profs
>>    read only = no
>>    store dos attributes = yes
>>    create mask = 0600
>>    directory mask = 0755
>>    profile acls = yes
>>    csc policy = disable
>>
>> My problem is that users get temp profile whenever they log into a 
>> win7 client which is also a TESTAD member.
>> The error I get is: You have been logged on with a temp profile. In 
>> the event log it is indicated that this is due to "insufficient 
>> security rights". EventID: 1521 and 1511.
>>
>> Below are my settings on Jimmy:
>> 1. I can confirm that Selinux, iptables and firewalld are all disabled
>> 2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo 
>> -u", "wbinfo -g", "getent passwd" and
>>     "getent group" return the right values.
>> 3. I can confirm that clocks on Jimmy and AD server are in sync.
>> 4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root 
>> domain_users 23 Jun 11 15:57 profs
>>
>>
>> Windows AD server facts/settings:
>> 1. I can view, access and write to "/disk1/profs"
>> 2. The security tab of "profs" shows the following user names and 
>> their permissions:
>>     Creator Owner: has only the "special permissions" ticked, which is
>> greyed out
>>     Domain Users: Full Control
>>     Administrators (JIMMY\Administrators): Full Control
>>     Users: (JIMMY\Users): Full Control
>>
>> 3. Under the "Advanced" button in the "Security tab" I can see these 
>> permission entries:
>>     Root (unix user\root)
>>     Administrators (JIMMY\Administrators)
>>     CREATOR OWNER
>>     Domain Users
>>     Users (JIMMY\Users)
>>
>> 4. For all the above entries:
>>    "type" is set to "Allow"
>>    "Access" is set to "Full Control"
>>    "Inherit from" is set to "None"
>>    "Applies to" are set to "This folder, subfolder and 
>files", except 
>> CREATOR OWNER which is set to "Sub-folders and files only".
>>
>> Note: I can edit any of these permission entries except "Creator
>> owner". If I attempt to change the "applies to" setting of this entry
>> to something else, the change reverses back when I hit "Apply"
>>
>> Windows 7 client, when logged in with temp profile as domain user
>> 1. user can view, access and write to "/disk1/profs"
>> 2. the "do not check profile ownership on roaming profiles" is enabled
>> on the client (desperate move)
>> 3. the network security setting: "Restrict NTLM: outgoing  NTLM 
>> traffic to remote servers" is set to "ALLOW ALL"
>>
>>
>> Please provide any suggestions you may have and of course have the time
>> to do so.
>>
>> Many thanks for your help
>> Yanni
>>
>
>Hi, have a look here: 
>https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>
>You do not need everything you have put into [profs]
>
>Also, do your users know where [profs] is? Do they have the
>'profilePath' attribute set on their AD objects?
>
>Rowland