[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012

joseph-andre Guaragna jaguaragna at rdmo.com
Fri Jun 12 03:15:12 MDT 2015


No, they have no profilePath attribute set up; they do, however, have a
base directory set up by default, as you can see at the link below.

 https://app.box.com/s/32jbi0dwac23uypqvm6i0v8suqtbfijd


Meilleures salutations / Best regards,

Joseph-André GUARAGNA

2015-06-12 10:40 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 11/06/15 16:29, Yanni wrote:
>>
>> Hello Samba
>>
>> I have been trying to fix the problem below for several days with no
>> success and I can't understand why.
>> Please help me if you can.
>>
>> I've got a windows server 2012 running AD and I want to store the user
>> profiles in a Samba filestore server called "Jimmy". Jimmy has the following
>> smb.conf:
>>
>>  [global]
>>   server string = Samba4 file server
>>   workgroup = TESTAD
>>   security = ADS
>>   realm = TESTAD.BIO.AC.UK
>>   domain master = no
>>   prefered master = no
>>   local master = no
>>   os level = 0
>>   browse list = yes
>>   encrypt passwords = yes
>>   template shell = /bin/bash
>>   name resolve order = bcast
>> #-------- Mapping RID--------
>>    idmap config *:backend = tdb
>>    idmap config *:range = 2000-3999
>>    idmap config TESTAD: backend = rid
>>    idmap config TESTAD: range = 10000-99999
>> #------- Winbind ----------
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = Yes
>>    winbind expand groups = 4
>>    winbind normalize names = Yes
>>
>>    vfs objects = acl_xattr
>>    map acl inherit = yes
>>
>> #Logging Settings
>>    log level = 3
>>    log file = /var/log/samba/log.%m
>>    max log size = 50
>>
>> #----Profile Store Settings---------
>> [profs]
>>    comment = WinProfsStorage
>>    path = /disk1/profs
>>    read only = no
>>    store dos attributes = yes
>>    create mask = 0600
>>    directory mask = 0755
>>    profile acls = yes
>>    csc policy = disable
>>
>> My problem is that users get a temp profile whenever they log into a Win7
>> client which is also a TESTAD member.
>> The error I get is: You have been logged on with a temp profile. In the
>> event log it is indicated that this is due to "insufficient security
>> rights". EventID: 1521 and 1511.
>>
>> Below are my settings on Jimmy:
>> 1. I can confirm that SELinux, iptables and firewalld are all disabled
>> 2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo -u",
>>    "wbinfo -g", "getent passwd" and "getent group" return the right values.
>> 3. I can confirm that clocks on Jimmy and AD server are in sync.
>> 4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root
>> domain_users 23 Jun 11 15:57 profs
>>
>>
>> Windows AD server facts/settings:
>> 1. I can view,access and write to "/disk1/profs"
>> 2. The security tab of "profs" shows the following user names and their
>> permissions:
>>     Creator Owner: has only the "special permissions" ticked, which is
>> greyed out
>>     Domain Users: Full Control
>>     Administrators (JIMMY\Administrators): Full Control
>>     Users: (JIMMY\Users): Full Control
>>
>> 3. Under the "Advanced" button in the "Security tab" I can see these
>> permission entries:
>>     Root (unix user\root)
>>     Administrators (JIMMY\Administrators)
>>     CREATOR OWNER
>>     Domain Users
>>     Users (JIMMY\Users)
>>
>> 4. For all the above entries:
>>    "type" is set to "Allow"
>>    "Access" is set to "Full Control"
>>    "Inherit from" is set to "None"
>>    "Applies to" are set to "This folder, subfolder and files", except
>> CREATOR OWNER which is set to "Sub-folders and files only".
>>
>> Note: I can edit any of these permission entries except "Creator owner".
>> If I attempt to change the "applies to" setting of this entry to something
>> else, the change reverses back when I hit "Apply"
>>
>> Windows 7 client, when logged in with temp profile as domain user
>> 1. user can view,access and write to "/disk1/profs"
>> 2. the "do not check profile ownership on roaming profiles" is enabled on
>> the client (desperate move)
>> 3. the network security setting "Restrict NTLM: outgoing NTLM traffic to
>> remote servers" is set to "ALLOW ALL"
>>
>>
>> Please provide any suggestions you may have and of course have the time to
>> do so.
>>
>> Many thanks for your help
>> Yanni
>>
>
> Hi, have a look here:
> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>
> You do not need everything you have put into [profs]
>
> Also, do your users know where [profs] is? Do they have the 'profilePath'
> attribute set on their AD objects?
>
> Rowland
>


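Rowland's question about the profilePath attribute can be answered from the Windows side, since the AD in this thread is a Windows Server 2012 DC. The following PowerShell is an added example and is not part of this thread or of the Samba project. It assumes the RSAT ActiveDirectory module is installed on the machine you run it from, that the [profs] share on Jimmy is reachable as \\jimmy\profs (the server and share names are taken from the thread; the UNC itself is an assumption), and that the OU in the usage line at the bottom is a placeholder you replace with your own.

```powershell
# Added example, not from the thread: audit and optionally set the AD
# profilePath attribute for roaming profiles stored on a Samba member server.
# Requires the RSAT ActiveDirectory module (Get-ADUser / Set-ADUser).
Import-Module ActiveDirectory

# Assumption: UNC of the [profs] share on Jimmy. Adjust for your environment.
$ProfileRoot = '\\jimmy\profs'

function Test-ProfilePath {
    # Report what profilePath a user has, what it should be for $ProfileRoot,
    # and whether the Windows 7 profile folder already exists on the share.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user     = Get-ADUser -Identity $SamAccountName -Properties profilePath
    $expected = "$ProfileRoot\$SamAccountName"

    [pscustomobject]@{
        User     = $SamAccountName
        Current  = $user.profilePath
        Expected = $expected
        # Windows 7 clients append ".V2" to the roaming profile folder name,
        # so this is the directory the client will try to create or open.
        OnDisk   = Test-Path -LiteralPath "$expected.V2"
        Matches  = ($user.profilePath -eq $expected)
    }
}

function Set-ProfilePath {
    # Write the literal per-user path; this is what ADUC stores too when you
    # type \\server\share\%username% on the Profile tab.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $expected = "$ProfileRoot\$SamAccountName"
    Set-ADUser -Identity $SamAccountName -ProfilePath $expected
    Test-ProfilePath -SamAccountName $SamAccountName
}

# Usage: list every user in the OU (placeholder DN) that has no profilePath
# set at all, which is the case Rowland is asking about.
Get-ADUser -Filter 'profilePath -notlike "*"' `
           -SearchBase 'OU=Staff,DC=testad,DC=bio,DC=ac,DC=uk' |
    ForEach-Object { Test-ProfilePath -SamAccountName $_.SamAccountName } |
    Format-Table -AutoSize
```

Run Test-ProfilePath first and only call Set-ProfilePath for users whose Current column is empty or wrong. A row with Matches set to True but OnDisk False means the attribute is fine and the remaining question is whether the user can create the .V2 folder under the share root, which is the permission check to do next on Jimmy.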