[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012

joseph-andre Guaragna jaguaragna at rdmo.com
Fri Jun 12 03:21:27 MDT 2015


I am a bit confused by your answer, L.P.H.

I have no problem at all with my shares; ACLs are correctly applied to
them, and I can easily manage them directly, which I do in order to
avoid mixing POSIX and Windows ACLs.

My problem is not with shares but with data blanking in the local profile on
the workstation, which as I understand is unlinked from share
settings.


Cheers


Meilleures salutations / Best regards,

Joseph-André GUARAGNA
ingénieur Système et Réseau / Network and System engineer



RD MACHINES-OUTILS

77, allée de l'Industrie  F-74130 CONTAMINE SUR ARVE
Tel : +33 (0) 4 50 03 90 77    -   Fax :+33 (0) 4 50 03 66 79
www.rdmo.com / www.rdmo-spare-parts.com


2015-06-12 10:52 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> 3 obligatory settings!! You're missing one...
>
>    # For ACL support on member file server
>    vfs objects = acl_xattr
>    map acl inherit = yes
>    store dos attributes = yes   <===== is missing in your config.
>
> Greetz,
>
> Louis
>
>
>>-----Original message-----
>>From: y.goudetsidis at mail.cryst.bbk.ac.uk
>>[mailto:samba-bounces at lists.samba.org] On behalf of Yanni
>>Sent: Thursday 11 June 2015 17:30
>>To: samba at lists.samba.org
>>Subject: [Samba] you have been logged on with a temporary
>>profile_win7 client+samba 4+WinServ2012
>>
>>Hello Samba
>>
>>I have been trying to fix the problem below for several days with no
>>success and I can't understand why.
>>Please help me if you can.
>>
>>I've got a windows server 2012 running AD and I want to store the user
>>profiles in a Samba filestore server called "Jimmy". Jimmy has the
>>following smb.conf:
>>
>>  [global]
>>   server string = Samba4 file server
>>   workgroup = TESTAD
>>   security = ADS
>>   realm = TESTAD.BIO.AC.UK
>>   domain master = no
>>   prefered master = no
>>   local master = no
>>   os level = 0
>>   browse list = yes
>>   encrypt passwords = yes
>>   template shell = /bin/bash
>>   name resolve order = bcast
>>#-------- Mapping RID--------
>>    idmap config *:backend = tdb
>>    idmap config *:range = 2000-3999
>>    idmap config TESTAD: backend = rid
>>    idmap config TESTAD: range = 10000-99999
>>#------- Winbind ----------
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = Yes
>>    winbind expand groups = 4
>>    winbind normalize names = Yes
>>
>>    vfs objects = acl_xattr
>>    map acl inherit = yes
>>
>>#Logging Settings
>>    log level = 3
>>    log file = /var/log/samba/log.%m
>>    max log size = 50
>>
>>#----Profile Store Settings---------
>>[profs]
>>    comment = WinProfsStorage
>>    path = /disk1/profs
>>    read only = no
>>    store dos attributes = yes
>>    create mask = 0600
>>    directory mask = 0755
>>    profile acls = yes
>>    csc policy = disable
>>
>>My problem is that users get temp profile whenever they log into a win7
>>client which is also a TESTAD member.
>>The error I get is: You have been logged on with a temp profile. In the
>>event log it is indicated that this is due to "insufficient security
>>rights". EventID: 1521 and 1511.
>>
>>Below are my settings on Jimmy:
>>1. I can confirm that Selinux, iptables and firewalld are all disabled
>>2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo
>>-u", "wbinfo -g", "getent passwd" and
>>     "getent group" return the right values.
>>3. I can confirm that clocks on Jimmy and AD server are in sync.
>>4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root
>>domain_users 23 Jun 11 15:57 profs
>>
>>
>>Windows AD server facts/settings:
>>1. I can view,access and write to "/disk1/profs"
>>2. The security tab of "profs" shows the following user names and their
>>permissions:
>>     Creator Owner: has only the "special permissions" ticked, which is
>>greyed out
>>     Domain Users: Full Control
>>     Administrators (JIMMY\Administrators): Full Control
>>     Users: (JIMMY\Users): Full Control
>>
>>3. Under the "Advanced" button in the "Security tab" I can see these
>>permission entries:
>>     Root (unix user\root)
>>     Administrators (JIMMY\Administrators)
>>     CREATOR OWNER
>>     Domain Users
>>     Users (JIMMY\Users)
>>
>>4. For all the above entries:
>>    "type" is set to "Allow"
>>    "Access" is set to "Full Control"
>>    "Inherit from" is set to "None"
>>    "Applies to" are set to "This folder, subfolder and files", except
>>CREATOR OWNER which is set to "Sub-folders and files only".
>>
>>Note: I can edit any of these permission entries except "Creator owner".
>>If I attempt to change the "applies to" setting of this entry to
>>something else, the change reverses back when I hit "Apply"
>>
>>Windows 7 client, when logged in with temp profile as domain user
>>1. user can view,access and write to "/disk1/profs"
>>2. the "do not check profile ownership on roaming profiles" is enabled
>>on the client (desperate move)
>>3. the network security setting: "Restrict NTLM: outgoing NTLM traffic
>>to remote servers" is set to "ALLOW ALL"
>>
>>
>>Please provide any suggestions you may have and of course have the time
>>to do so.
>>
>>Many thanks for your help
>>Yanni
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  https://lists.samba.org/mailman/options/samba
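
An added example, not part of the thread and not Samba project code: a Python check that resolves, for each share in an smb.conf, whether the three ACL settings listed in the quoted reply are effective once [global] values and share-level overrides are combined. The parser is simplified (no include files or line continuations), an unset parameter is treated as off, and the sample config is constructed: abridged from the one quoted in the thread plus a hypothetical [scratch] share.

```python
import re

TRUE = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

# The three settings the quoted reply lists for ACL support on a member server.
# Keys are normalized parameter names; values test the effective setting.
REQUIRED = {
    "vfsobjects": lambda v: "acl_xattr" in re.split(r"[\s,]+", v.lower()),
    "mapaclinherit": lambda v: v.lower() in TRUE,
    "storedosattributes": lambda v: v.lower() in TRUE,
}

def norm(name):
    # smb.conf ignores case and whitespace inside parameter names
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: {param: value}} for a simplified smb.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def missing_acl_settings(text):
    """Map each share to the required settings that are not effective for it."""
    sections = parse(text)
    glob = sections.get("global", {})
    report = {}
    for share, params in sections.items():
        if share != "global":
            effective = {**glob, **params}  # a share-level value replaces [global]
            report[share] = [k for k, ok in REQUIRED.items()
                             if not ok(effective.get(k, ""))]
    return report

# Constructed sample (assumption): [scratch] is hypothetical, not from the thread.
SAMPLE = """
[global]
    vfs objects = acl_xattr
    map acl inherit = yes
[profs]
    store dos attributes = yes
[scratch]
    vfs objects = recycle
"""

if __name__ == "__main__":
    print(missing_acl_settings(SAMPLE))
```

On a real member server, `testparm -s` prints the configuration as Samba itself loads it and is the authoritative check.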