[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
L.P.H. van Belle
belle at bazuin.nl
Fri Jun 12 03:47:22 MDT 2015
Ok, my bad..
Then, if you use policies, check your GPO settings for:
Computer Configuration \ Administrative Templates \ System \ User Profiles
- Delete cached copies of roaming profiles
- Delete user profiles older than a specified number of days on system restart
and/or read :
https://support.microsoft.com/en-us/kb/983544
which may apply.
And you don't have any script running to clean up local profiles?
Greetz,
louis
>-----Original message-----
>From: jaguaragna at rdmo.com
>[mailto:samba-bounces at lists.samba.org] On behalf of joseph-andre Guaragna
>Sent: Friday 12 June 2015 11:21
>CC: samba at lists.samba.org
>Subject: Re: [Samba] you have been logged on with a
>temporary profile_win7 client+samba 4+WinServ2012
>
>I am a bit confused by your answer L.P.H.
>
>I have no problem at all with my shares; ACLs are correctly applied to
>them, and I can easily manage them directly, which I do in order to
>avoid mixing POSIX and Windows ACLs.
>
>My problem is not with shares but with data blanking on the local profile
>on the workstation, which, as I understand, is unlinked from share
>settings.
>
>
>Cheers
>
>
>Meilleures salutations / Best regards,
>
>Joseph-André GUARAGNA
>ingénieur Système et Réseau / Network and System engineer
>
>
>
>RD MACHINES-OUTILS
>
>77, allée de l'Industrie F-74130 CONTAMINE SUR ARVE
>Tel : +33 (0) 4 50 03 90 77 - Fax :+33 (0) 4 50 03 66 79
>www.rdmo.com / www.rdmo-spare-parts.com
>
>
>2015-06-12 10:52 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>> 3 obligatory settings!! You're missing one...
>>
>> # For ACL support on member file server
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes <===== is missing in your config.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>>-----Original message-----
>>>From: y.goudetsidis at mail.cryst.bbk.ac.uk
>>>[mailto:samba-bounces at lists.samba.org] On behalf of Yanni
>>>Sent: Thursday 11 June 2015 17:30
>>>To: samba at lists.samba.org
>>>Subject: [Samba] you have been logged on with a temporary
>>>profile_win7 client+samba 4+WinServ2012
>>>
>>>Hello Samba
>>>
>>>I have been trying to fix the problem below for several days with no
>>>success and I can't understand why.
>>>Please help me if you can.
>>>
>>>I've got a windows server 2012 running AD and I want to store the user
>>>profiles in a Samba filestore server called "Jimmy". Jimmy has the
>>>following smb.conf:
>>>
>>> [global]
>>> server string = Samba4 file server
>>> workgroup = TESTAD
>>> security = ADS
>>> realm = TESTAD.BIO.AC.UK
>>> domain master = no
>>> prefered master = no
>>> local master = no
>>> os level = 0
>>> browse list = yes
>>> encrypt passwords = yes
>>> template shell = /bin/bash
>>> name resolve order = bcast
>>>#-------- Mapping RID--------
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-3999
>>> idmap config TESTAD: backend = rid
>>> idmap config TESTAD: range = 10000-99999
>>>#------- Winbind ----------
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>> winbind expand groups = 4
>>> winbind normalize names = Yes
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>>
>>>#Logging Settings
>>> log level = 3
>>> log file = /var/log/samba/log.%m
>>> max log size = 50
>>>
>>>#----Profile Store Settings---------
>>>[profs]
>>> comment = WinProfsStorage
>>> path = /disk1/profs
>>> read only = no
>>> store dos attributes = yes
>>> create mask = 0600
>>> directory mask = 0755
>>> profile acls = yes
>>> csc policy = disable
>>>
>>>My problem is that users get temp profile whenever they log into a win7
>>>client which is also a TESTAD member.
>>>The error I get is: You have been logged on with a temp profile. In the
>>>event log it is indicated that this is due to "insufficient security
>>>rights". EventID: 1521 and 1511.
>>>
>>>Below are my settings on Jimmy:
>>>1. I can confirm that Selinux, iptables and firewalld are all disabled
>>>2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo
>>>-u", "wbinfo -g", "getent passwd" and
>>> "getent group" return the right values.
>>>3. I can confirm that clocks on Jimmy and AD server are in sync.
>>>4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root
>>>domain_users 23 Jun 11 15:57 profs
>>>
>>>
>>>Windows AD server facts/settings:
>>>1. I can view,access and write to "/disk1/profs"
>>>2. The security tab of "profs" shows the following user names and their
>>>permissions:
>>> Creator Owner: has only the "special permissions" ticked, which is
>>>greyed out
>>> Domain Users: Full Control
>>> Administrators (JIMMY\Administrators): Full Control
>>> Users: (JIMMY\Users): Full Control
>>>
>>>3. Under the "Advanced" button in the "Security tab" I can see these
>>>permission entries:
>>> Root (unix user\root)
>>> Administrators (JIMMY\Administrators)
>>> CREATOR OWNER
>>> Domain Users
>>> Users (JIMMY\Users)
>>>
>>>4. For all the above entries:
>>> "type" is set to "Allow"
>>> "Access" is set to "Full Control"
>>> "Inherit from" is set to "None"
>>> "Applies to" are set to "This folder, subfolder and files", except
>>>CREATOR OWNER which is set to "Sub-folders and files only".
>>>
>>>Note: I can edit any of these permission entries except "Creator owner".
>>>If I attempt to change the "applies to" setting of this entry to
>>>something else, the change reverses back when I hit "Apply"
>>>
>>>Windows 7 client, when logged in with temp profile as domain user
>>>1. user can view,access and write to "/disk1/profs"
>>>2. the "do not check profile ownership on roaming profiles" is enabled
>>>on the client (desperate move)
>>>3. the network security setting: "Restrict NTLM: outgoing NTLM traffic
>>>to remote servers" is set to "ALLOW ALL"
>>>
>>>
>>>Please provide any suggestions you may have and of course have the time
>>>to do so.
>>>
>>>Many thanks for your help
>>>Yanni
>>>
>
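The three ACL settings named in the thread can be given in `[global]` or in the share itself, so a check has to look at the effective value per share. The following is an added example, not code from the thread or from the Samba project: it parses smb.conf text and reports, for each share, whether each setting is satisfied and where the value comes from. Treating an unset parameter as failing is an assumption (the built-in default depends on the Samba version), and the `[data]` share in the sample is hypothetical.

```python
YES = ("yes", "true", "1")
REQUIRED = {  # the three settings named in the thread, with an acceptance check each
    "vfs objects": lambda v: "acl_xattr" in v.replace(",", " ").split(),
    "map acl inherit": lambda v: v.lower() in YES,
    "store dos attributes": lambda v: v.lower() in YES,
}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return "".join(name.lower().split())

def parse_smb_conf(text):
    """Return {section: {param: value}} with normalised names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections

def audit(text):
    """Map share -> parameter -> (ok, source); source is share, global or unset."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    report = {}
    for share, params in conf.items():
        report[share] = {}
        for name, accept in REQUIRED.items():
            key = norm(name)
            source = "share" if key in params else "global" if key in glob else "unset"
            value = params.get(key, glob.get(key))  # share value overrides global
            report[share][name] = (value is not None and accept(value), source)
    return report

# Constructed sample: the thread's relevant lines plus a hypothetical [data] share.
SAMPLE = """
[global]
    vfs objects = acl_xattr
    map acl inherit = yes
[profs]
    store dos attributes = yes
[data]
    path = /srv/data
"""
```

Calling `audit(SAMPLE)` shows `[profs]` picking up `store dos attributes` from the share and the other two from `[global]`, while `[data]` has it unset.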