[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012

L.P.H. van Belle belle at bazuin.nl
Fri Jun 12 03:47:22 MDT 2015


Ok, my bad..

Then if you use policies, check your GPO settings for:
Computer Configuration \ Administrative Templates \ System \ User Profiles
- Delete cached copies of roaming profiles
- Delete user profiles older than a specified number of days on system restart

and/or read:
https://support.microsoft.com/en-us/kb/983544
which may apply.

And you don't have any script running to clean up local profiles?

Greetz, 

louis
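
The three ACL settings named in the reply quoted below can be checked per share, since a value in [global] is the default for every share and a share-level value overrides it. This is an added example, not part of the original thread; the function names and the sample config are constructed for illustration.

```python
import re

# The three settings the reply lists for ACL support on a member file server.
YES = ("yes", "true", "on", "1")
REQUIRED = {
    "vfs objects": lambda v: "acl_xattr" in v.split(),
    "map acl inherit": lambda v: v.lower() in YES,
    "store dos attributes": lambda v: v.lower() in YES,
}

def parse_smb_conf(text):
    """Return {section: {param: value}} with names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def missing_acl_settings(text):
    """Per share, list required settings not in effect; [global] supplies defaults."""
    conf = parse_smb_conf(text)
    defaults = conf.get("global", {})
    report = {}
    for name, params in conf.items():
        if name != "global":
            effective = {**defaults, **params}  # a share-level value overrides [global]
            report[name] = [k for k, ok in REQUIRED.items()
                            if k not in effective or not ok(effective[k])]
    return report

# Constructed sample: the settings split between [global] and one share.
SAMPLE = """
[global]
    vfs objects = acl_xattr
    map acl inherit = yes
[profs]
    store dos attributes = yes
[data]
    path = /srv/data
"""

print(missing_acl_settings(SAMPLE))
```
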


>-----Original message-----
>From: jaguaragna at rdmo.com
>[mailto:samba-bounces at lists.samba.org] On behalf of joseph-andre Guaragna
>Sent: Friday 12 June 2015 11:21
>CC: samba at lists.samba.org
>Subject: Re: [Samba] you have been logged on with a temporary
>profile_win7 client+samba 4+WinServ2012
>
>I am a bit confused by your answer, L.P.H.
>
>I have no problem at all with my shares; ACLs are correctly applied to
>them, and I can easily manage them directly, which I do in order to
>avoid mixing POSIX and Windows ACLs.
>
>My problem is not with shares but with data blanking in the local profile on
>the workstation, which as I understand is unlinked from share
>settings.
>
>
>Cheers
>
>
>Meilleures salutations / Best regards,
>
>Joseph-André GUARAGNA
>ingénieur Système et Réseau / Network and System engineer
>
>
>
>RD MACHINES-OUTILS
>
>77, allée de l'Industrie  F-74130 CONTAMINE SUR ARVE
>Tel : +33 (0) 4 50 03 90 77    -   Fax :+33 (0) 4 50 03 66 79
>www.rdmo.com / www.rdmo-spare-parts.com
>
>
>2015-06-12 10:52 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>> 3 obligatory settings!! You're missing one...
>>
>>    # For ACL support on member file server
>>    vfs objects = acl_xattr
>>    map acl inherit = yes
>>    store dos attributes = yes   <===== is missing in your config.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>>-----Original message-----
>>>From: y.goudetsidis at mail.cryst.bbk.ac.uk
>>>[mailto:samba-bounces at lists.samba.org] On behalf of Yanni
>>>Sent: Thursday 11 June 2015 17:30
>>>To: samba at lists.samba.org
>>>Subject: [Samba] you have been logged on with a temporary
>>>profile_win7 client+samba 4+WinServ2012
>>>
>>>Hello Samba
>>>
>>>I have been trying to fix the problem below for several days with no
>>>success and I can't understand why.
>>>Please help me if you can.
>>>
>>>I've got a windows server 2012 running AD and I want to store the user
>>>profiles in a Samba filestore server called "Jimmy". Jimmy has the
>>>following smb.conf:
>>>
>>>  [global]
>>>   server string = Samba4 file server
>>>   workgroup = TESTAD
>>>   security = ADS
>>>   realm = TESTAD.BIO.AC.UK
>>>   domain master = no
>>>   prefered master = no
>>>   local master = no
>>>   os level = 0
>>>   browse list = yes
>>>   encrypt passwords = yes
>>>   template shell = /bin/bash
>>>   name resolve order = bcast
>>>#-------- Mapping RID--------
>>>    idmap config *:backend = tdb
>>>    idmap config *:range = 2000-3999
>>>    idmap config TESTAD: backend = rid
>>>    idmap config TESTAD: range = 10000-99999
>>>#------- Winbind ----------
>>>    winbind trusted domains only = no
>>>    winbind use default domain = yes
>>>    winbind enum users = yes
>>>    winbind enum groups = yes
>>>    winbind refresh tickets = Yes
>>>    winbind expand groups = 4
>>>    winbind normalize names = Yes
>>>
>>>    vfs objects = acl_xattr
>>>    map acl inherit = yes
>>>
>>>#Logging Settings
>>>    log level = 3
>>>    log file = /var/log/samba/log.%m
>>>    max log size = 50
>>>
>>>#----Profile Store Settings---------
>>>[profs]
>>>    comment = WinProfsStorage
>>>    path = /disk1/profs
>>>    read only = no
>>>    store dos attributes = yes
>>>    create mask = 0600
>>>    directory mask = 0755
>>>    profile acls = yes
>>>    csc policy = disable
>>>
>>>My problem is that users get temp profile whenever they log into a win7
>>>client which is also a TESTAD member.
>>>The error I get is: You have been logged on with a temp profile. In the
>>>event log it is indicated that this is due to "insufficient security
>>>rights". EventID: 1521 and 1511.
>>>
>>>Below are my settings on Jimmy:
>>>1. I can confirm that Selinux, iptables and firewalld are all disabled
>>>2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo
>>>-u", "wbinfo -g", "getent passwd" and
>>>     "getent group" return the right values.
>>>3. I can confirm that clocks on Jimmy and AD server are in sync.
>>>4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root
>>>domain_users 23 Jun 11 15:57 profs
>>>
>>>
>>>Windows AD server facts/settings:
>>>1. I can view,access and write to "/disk1/profs"
>>>2. The security tab of "profs" shows the following user names and their
>>>permissions:
>>>     Creator Owner: has only the "special permissions" ticked, which is
>>>greyed out
>>>     Domain Users: Full Control
>>>     Administrators (JIMMY\Administrators): Full Control
>>>     Users: (JIMMY\Users): Full Control
>>>
>>>3. Under the "Advanced" button in the "Security tab" I can see these
>>>permission entries:
>>>     Root (unix user\root)
>>>     Administrators (JIMMY\Administrators)
>>>     CREATOR OWNER
>>>     Domain Users
>>>     Users (JIMMY\Users)
>>>
>>>4. For all the above entries:
>>>    "type" is set to "Allow"
>>>    "Access" is set to "Full Control"
>>>    "Inherit from" is set to "None"
>>>    "Applies to" are set to "This folder, subfolder and files", except
>>>CREATOR OWNER which is set to "Sub-folders and files only".
>>>
>>>Note: I can edit any of these permission entries except "Creator owner".
>>>If I attempt to change the "applies to" setting of this entry to
>>>something else, the change reverses back when I hit "Apply"
>>>
>>>Windows 7 client, when logged in with temp profile as domain user
>>>1. user can view,access and write to "/disk1/profs"
>>>2. the "do not check profile ownership on roaming profiles" is enabled
>>>on the client (desperate move)
>>>3. the network security setting: "Restrict NTLM: outgoing NTLM traffic
>>>to remote servers" is set to "ALLOW ALL"
>>>
>>>
>>>Please provide any suggestions you may have and of course have the time
>>>to do so.
>>>
>>>Many thanks for your help
>>>Yanni
>>>
>>>--
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>