[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
joseph-andre Guaragna
jaguaragna at rdmo.com
Fri Jun 12 03:15:12 MDT 2015
No, they have no profilePath attribute set up; they do, however, have a
base directory set up by default, as you can see at the link below.
https://app.box.com/s/32jbi0dwac23uypqvm6i0v8suqtbfijd
Meilleures salutations / Best regards,
Joseph-André GUARAGNA
2015-06-12 10:40 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 11/06/15 16:29, Yanni wrote:
>>
>> Hello Samba
>>
>> I have been trying to fix the problem below for several days with no
>> success and I can't understand why.
>> Please help me if you can.
>>
>> I've got a windows server 2012 running AD and I want to store the user
>> profiles in a Samba filestore server called "Jimmy". Jimmy has the following
>> smb.conf:
>>
>> [global]
>> server string = Samba4 file server
>> workgroup = TESTAD
>> security = ADS
>> realm = TESTAD.BIO.AC.UK
>> domain master = no
>> prefered master = no
>> local master = no
>> os level = 0
>> browse list = yes
>> encrypt passwords = yes
>> template shell = /bin/bash
>> name resolve order = bcast
>> #-------- Mapping RID--------
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-3999
>> idmap config TESTAD: backend = rid
>> idmap config TESTAD: range = 10000-99999
>> #------- Winbind ----------
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>> winbind expand groups = 4
>> winbind normalize names = Yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>>
>> #Logging Settings
>> log level = 3
>> log file = /var/log/samba/log.%m
>> max log size = 50
>>
>> #----Profile Store Settings---------
>> [profs]
>> comment = WinProfsStorage
>> path = /disk1/profs
>> read only = no
>> store dos attributes = yes
>> create mask = 0600
>> directory mask = 0755
>> profile acls = yes
>> csc policy = disable
>>
>> My problem is that users get a temp profile whenever they log into a win7
>> client which is also a TESTAD member.
>> The error I get is: You have been logged on with a temp profile. In the
>> event log it is indicated that this is due to "insufficient security
>> rights". EventID: 1521 and 1511.
>>
>> Below are my settings on Jimmy:
>> 1. I can confirm that SELinux, iptables and firewalld are all disabled
>> 2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo -u",
>> "wbinfo -g", "getent passwd" and
>> "getent group" return the right values.
>> 3. I can confirm that clocks on Jimmy and AD server are in sync.
>> 4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root
>> domain_users 23 Jun 11 15:57 profs
>>
>>
>> Windows AD server facts/settings:
>> 1. I can view, access and write to "/disk1/profs"
>> 2. The security tab of "profs" shows the following user names and their
>> permissions:
>> Creator Owner: has only the "special permissions" ticked, which is
>> greyed out
>> Domain Users: Full Control
>> Administrators (JIMMY\Administrators): Full Control
>> Users: (JIMMY\Users): Full Control
>>
>> 3. Under the "Advanced" button in the "Security tab" I can see these
>> permission entries:
>> Root (unix user\root)
>> Administrators (JIMMY\Administrators)
>> CREATOR OWNER
>> Domain Users
>> Users (JIMMY\Users)
>>
>> 4. For all the above entries:
>> "type" is set to "Allow"
>> "Access" is set to "Full Control"
>> "Inherit from" is set to "None"
>> "Applies to" are set to "This folder, subfolder and files", except
>> CREATOR OWNER which is set to "Sub-folders and files only".
>>
>> Note: I can edit any of these permission entries except "Creator owner".
>> If I attempt to change the "applies to" setting of this entry to something
>> else, the change reverses back when I hit "Apply"
>>
>> Windows 7 client, when logged in with temp profile as domain user
>> 1. user can view, access and write to "/disk1/profs"
>> 2. the "do not check profile ownership on roaming profiles" is enabled on
>> the client (desperate move)
>> 3. the network security setting: "Restrict NTLM: outgoing NTLM traffic to
>> remote servers" is set to "ALLOW ALL"
>>
>>
>> Please provide any suggestions you may have and of course have the time to
>> do so.
>>
>> Many thanks for your help
>> Yanni
>>
>
> Hi, have a look here:
> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>
> You do not need everything you have put into [profs]
>
> Also, do your users know where [profs] is? Do they have the 'profilePath'
> attribute set on their AD objects?
>
> Rowland