[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012

L.P.H. van Belle belle at bazuin.nl
Fri Jun 12 02:52:42 MDT 2015


3 obligatory settings!!  You're missing one...

   # For ACL support on member file server
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes	<===== is missing in your config. 

Greetz, 

Louis
 

>-----Original message-----
>From: y.goudetsidis at mail.cryst.bbk.ac.uk 
>[mailto:samba-bounces at lists.samba.org] On behalf of Yanni
>Sent: Thursday 11 June 2015 17:30
>To: samba at lists.samba.org
>Subject: [Samba] you have been logged on with a temporary 
>profile_win7 client+samba 4+WinServ2012
>
>Hello Samba
>
>I have been trying to fix the problem below for several days with no 
>success and I can't understand why.
>Please help me if you can.
>
>I've got a windows server 2012 running AD and I want to store the user 
>profiles in a Samba filestore server called "Jimmy". Jimmy has the 
>following smb.conf:
>
>  [global]
>   server string = Samba4 file server
>   workgroup = TESTAD
>   security = ADS
>   realm = TESTAD.BIO.AC.UK
>   domain master = no
>   prefered master = no
>   local master = no
>   os level = 0
>   browse list = yes
>   encrypt passwords = yes
>   template shell = /bin/bash
>   name resolve order = bcast
>#-------- Mapping RID--------
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-3999
>    idmap config TESTAD: backend = rid
>    idmap config TESTAD: range = 10000-99999
>#------- Winbind ----------
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
>    winbind expand groups = 4
>    winbind normalize names = Yes
>
>    vfs objects = acl_xattr
>    map acl inherit = yes
>
>#Logging Settings
>    log level = 3
>    log file = /var/log/samba/log.%m
>    max log size = 50
>
>#----Profile Store Settings---------
>[profs]
>    comment = WinProfsStorage
>    path = /disk1/profs
>    read only = no
>    store dos attributes = yes
>    create mask = 0600
>    directory mask = 0755
>    profile acls = yes
>    csc policy = disable
>
>My problem is that users get a temp profile whenever they log into a win7 
>client which is also a TESTAD member.
>The error I get is: You have been logged on with a temp profile. In the 
>event log it is indicated that this is due to "insufficient security 
>rights". EventID: 1521 and 1511.
>
>Below are my settings on Jimmy:
>1. I can confirm that Selinux, iptables and firewalld are all disabled
>2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo 
>-u", "wbinfo -g", "getent passwd" and
>     "getent group" return the right values.
>3. I can confirm that clocks on Jimmy and AD server are in sync.
>4. Permissions on the "path=/disk1/profs" are:
>     drwxrwx--T+ 3 root domain_users 23 Jun 11 15:57 profs
>
>
>Windows AD server facts/settings:
>1. I can view,access and write to "/disk1/profs"
>2. The security tab of "profs" shows the following user names and their 
>permissions:
>     Creator Owner: has only the "special permissions" ticked, which is 
>greyed out
>     Domain Users: Full Control
>     Administrators (JIMMY\Administrators): Full Control
>     Users (JIMMY\Users): Full Control
>
>3. Under the "Advanced" button in the "Security tab" I can see these 
>permission entries:
>     Root (unix user\root)
>     Administrators (JIMMY\Administrators)
>     CREATOR OWNER
>     Domain Users
>     Users (JIMMY\Users)
>
>4. For all the above entries:
>    "type" is set to "Allow"
>    "Access" is set to "Full Control"
>    "Inherit from" is set to "None"
>    "Applies to" are set to "This folder, subfolder and files", except 
>CREATOR OWNER which is set to "Sub-folders and files only".
>
>Note: I can edit any of these permission entries except "Creator Owner". 
>If I attempt to change the "applies to" setting of this entry to 
>something else, the change reverts when I hit "Apply".
>
>Windows 7 client, when logged in with a temp profile as a domain user:
>1. the user can view, access and write to "/disk1/profs"
>2. the "do not check profile ownership on roaming profiles" setting is enabled 
>on the client (desperate move)
>3. the network security setting "Restrict NTLM: outgoing NTLM traffic 
>to remote servers" is set to "ALLOW ALL"
>
>
>Please provide any suggestions you may have, if of course you have the time 
>to do so.
>
>Many thanks for your help
>Yanni
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>

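The reply lists three settings for a member file server and flags one as missing. As an added example (not from either message in this thread, and not a Samba tool), the script below checks a smb.conf for those three settings in its [global] section, the place the reply lists them. It normalises parameter names the way Samba does (case-insensitive, whitespace ignored) and accepts yes/true/1 for booleans. The two smb.conf files it writes are constructed for the demo: "before" mirrors the layout in the question, with `store dos attributes` only under [profs]; "after" has all three under [global]. The paths and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks a member-server
# smb.conf for the three settings named in the reply:
#   vfs objects = acl_xattr, map acl inherit = yes, store dos attributes = yes
# Only the [global] section is inspected. The config files below are
# constructed for the demo; pass a real smb.conf path to check_acl_settings
# to test your own.

# check_acl_settings FILE
#   Prints, one per line, each of the three settings missing or wrong in
#   [global]. Returns 0 when all three are present, 1 otherwise.
#   Samba matches parameter names case-insensitively and ignores whitespace
#   inside them (so "read only" == "readonly"); keys are normalised the same way.
check_acl_settings() {
    missing=$(awk '
        function trim(s)    { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function is_true(v) { return (v == "yes" || v == "true" || v == "1") }
        /^[ \t]*\[/ {                           # section header: [global], [profs], ...
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(trim(sec)); next
        }
        /^[ \t]*[#;]/ || !/=/ { next }          # comments and non-assignments
        sec == "global" {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            g[tolower(key)] = tolower(trim(val))
        }
        END {
            if (g["vfsobjects"] !~ /(^|[ \t])acl_xattr([ \t]|$)/) print "vfs objects = acl_xattr"
            if (!is_true(g["mapaclinherit"]))      print "map acl inherit = yes"
            if (!is_true(g["storedosattributes"])) print "store dos attributes = yes"
        }' "$1")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

TMP=$(mktemp -d)

# Constructed "before" config: same layout as the question, the ACL settings
# split between [global] and the [profs] share.
cat > "$TMP/before.conf" <<'EOF'
[global]
   workgroup = TESTAD
   security = ADS
   realm = TESTAD.BIO.AC.UK
   vfs objects = acl_xattr
   map acl inherit = yes

[profs]
   path = /disk1/profs
   read only = no
   store dos attributes = yes
   profile acls = yes
EOF

# Constructed "after" config: all three settings under [global], as the
# reply lists them.
cat > "$TMP/after.conf" <<'EOF'
[global]
   workgroup = TESTAD
   security = ADS
   realm = TESTAD.BIO.AC.UK
   # For ACL support on member file server
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

[profs]
   path = /disk1/profs
   read only = no
   profile acls = yes
EOF

for f in before after; do
    if check_acl_settings "$TMP/$f.conf" >/dev/null; then
        echo "$f.conf: all three settings present in [global]"
    else
        echo "$f.conf: missing from [global]:"
        check_acl_settings "$TMP/$f.conf" | sed 's/^/    /'
    fi
done
```

On a live server, `testparm -s /etc/samba/smb.conf 2>/dev/null > /tmp/effective.conf` writes the config as Samba parses it; running `check_acl_settings /tmp/effective.conf` on that output catches a setting that was typed in an unparsed or misspelled form.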

