[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
L.P.H. van Belle
belle at bazuin.nl
Fri Jun 12 02:52:42 MDT 2015
3 obligatory settings !! you're missing one...
# For ACL support on member file server
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes <===== is missing in your config.
Greetz,
Louis
>-----Original message-----
>From: y.goudetsidis at mail.cryst.bbk.ac.uk
>[mailto:samba-bounces at lists.samba.org] On behalf of Yanni
>Sent: Thursday 11 June 2015 17:30
>To: samba at lists.samba.org
>Subject: [Samba] you have been logged on with a temporary
>profile_win7 client+samba 4+WinServ2012
>
>Hello Samba
>
>I have been trying to fix the problem below for several days with no
>success and I can't understand why.
>Please help me if you can.
>
>I've got a windows server 2012 running AD and I want to store the user
>profiles in a Samba filestore server called "Jimmy". Jimmy has the
>following smb.conf:
>
> [global]
> server string = Samba4 file server
> workgroup = TESTAD
> security = ADS
> realm = TESTAD.BIO.AC.UK
> domain master = no
> prefered master = no
> local master = no
> os level = 0
> browse list = yes
> encrypt passwords = yes
> template shell = /bin/bash
> name resolve order = bcast
>#-------- Mapping RID--------
> idmap config *:backend = tdb
> idmap config *:range = 2000-3999
> idmap config TESTAD: backend = rid
> idmap config TESTAD: range = 10000-99999
>#------- Winbind ----------
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind expand groups = 4
> winbind normalize names = Yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
>
>#Logging Settings
> log level = 3
> log file = /var/log/samba/log.%m
> max log size = 50
>
>#----Profile Store Settings---------
>[profs]
> comment = WinProfsStorage
> path = /disk1/profs
> read only = no
> store dos attributes = yes
> create mask = 0600
> directory mask = 0755
> profile acls = yes
> csc policy = disable
>
>My problem is that users get a temp profile whenever they log into a win7
>client which is also a TESTAD member.
>The error I get is: You have been logged on with a temp profile. In the
>event log it is indicated that this is due to "insufficient security
>rights". EventID: 1521 and 1511.
>
>Below are my settings on Jimmy:
>1. I can confirm that Selinux, iptables and firewalld are all disabled
>2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo -u",
>"wbinfo -g", "getent passwd" and "getent group" return the right values.
>3. I can confirm that clocks on Jimmy and AD server are in sync.
>4. Permissions on the "path=/disk1/profs" are:
> drwxrwx--T+ 3 root domain_users 23 Jun 11 15:57 profs
>
>
>Windows AD server facts/settings:
>1. I can view, access and write to "/disk1/profs"
>2. The security tab of "profs" shows the following user names and their
>permissions:
> Creator Owner: has only the "special permissions" ticked, which is
>greyed out
> Domain Users: Full Control
> Administrators (JIMMY\Administrators): Full Control
> Users (JIMMY\Users): Full Control
>
>3. Under the "Advanced" button in the "Security tab" I can see these
>permission entries:
> Root (unix user\root)
> Administrators (JIMMY\Administrators)
> CREATOR OWNER
> Domain Users
> Users (JIMMY\Users)
>
>4. For all the above entries:
> "type" is set to "Allow"
> "Access" is set to "Full Control"
> "Inherit from" is set to "None"
> "Applies to" are set to "This folder, subfolder and files", except
>CREATOR OWNER which is set to "Sub-folders and files only".
>
>Note: I can edit any of these permission entries except
>"Creator owner".
>If I attempt to change the "applies to" setting of this entry to
>something else, the change reverses back when I hit "Apply"
>
>Windows 7 client, when logged in with temp profile as domain user
>1. user can view, access and write to "/disk1/profs"
>2. the "do not check profile ownership on roaming profiles" is enabled
>on the client (desperate move)
>3. the network security setting "Restrict NTLM: outgoing NTLM traffic
>to remote servers" is set to "ALLOW ALL"
>
>
>Please provide any suggestions you may have and of course have the time
>to do so.
>
>Many thanks for your help
>Yanni
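Added example (not from either poster): a small audit script that parses an smb.conf the way Samba matches parameter names (case-insensitive, whitespace ignored) and reports, for one share, whether each of the three ACL settings named in the reply takes effect from [global] or from the share section. The embedded configuration is the relevant subset of the smb.conf quoted in the thread; note that "store dos attributes = yes" is only set in [profs] there, so the share passes while any other share on the same server would not.

```python
import re
from typing import Dict, Optional

# Subset of the smb.conf posted in the thread ([global] ACL lines plus the [profs] share).
POSTED_SMB_CONF = """
[global]
 workgroup = TESTAD
 security = ADS
 vfs objects = acl_xattr
 map acl inherit = yes

#----Profile Store Settings---------
[profs]
 path = /disk1/profs
 read only = no
 store dos attributes = yes
 profile acls = yes
"""

# The three settings the reply calls obligatory for ACL support on a member file server.
REQUIRED = (("vfs objects", "acl_xattr"), ("map acl inherit", "yes"), ("store dos attributes", "yes"))

def _norm(name: str) -> str:
    # Samba matches parameter names case-insensitively and ignores whitespace inside them.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {normalised_param: value}}, skipping blanks and '#'/';' comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections

def _satisfies(param: str, value: str, want: str) -> bool:
    if param == "vfs objects":          # list parameter: the module just has to be present
        return want in value.split()
    return value.strip().lower() in ("yes", "true", "1")

def acl_setting_sources(text: str, share: str) -> Dict[str, Optional[str]]:
    """Map each required setting to the section it takes effect from for `share`
    ('global' or the share name), or None when neither enables it.
    A share-level value replaces the [global] one entirely; an absent value counts as unset."""
    sections = parse_smb_conf(text)
    glob, sect = sections.get("global", {}), sections.get(share.lower(), {})
    result: Dict[str, Optional[str]] = {}
    for param, want in REQUIRED:
        key = _norm(param)
        source, value = (share, sect[key]) if key in sect else ("global", glob.get(key, ""))
        result[param] = source if _satisfies(param, value, want) else None
    return result
```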