[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
Rowland Penny
rowlandpenny at googlemail.com
Fri Jun 12 03:47:48 MDT 2015
On 12/06/15 10:15, joseph-andre Guaragna wrote:
> No they have no profilePath attribute sets up, they have however a
> base directory set up by default as you can see on the link below.
>
> https://app.box.com/s/32jbi0dwac23uypqvm6i0v8suqtbfijd
>
>
> Meilleures salutations / Best regards,
>
> Joseph-André GUARAGNA
>
> 2015-06-12 10:40 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> On 11/06/15 16:29, Yanni wrote:
>>> Hello Samba
>>>
>>> I have been trying to fix the problem below for several days with no
>>> success and I can't understand why.
>>> Please help me if you can.
>>>
>>> I've got a windows server 2012 running AD and I want to store the user
>>> profiles in a Samba filestore server called "Jimmy". Jimmy has the following
>>> smb.conf:
>>>
>>> [global]
>>> server string = Samba4 file server
>>> workgroup = TESTAD
>>> security = ADS
>>> realm = TESTAD.BIO.AC.UK
>>> domain master = no
>>> prefered master = no
>>> local master = no
>>> os level = 0
>>> browse list = yes
>>> encrypt passwords = yes
>>> template shell = /bin/bash
>>> name resolve order = bcast
>>> #-------- Mapping RID--------
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-3999
>>> idmap config TESTAD: backend = rid
>>> idmap config TESTAD: range = 10000-99999
>>> #------- Winbind ----------
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>> winbind expand groups = 4
>>> winbind normalize names = Yes
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>>
>>> #Logging Settings
>>> log level = 3
>>> log file = /var/log/samba/log.%m
>>> max log size = 50
>>>
>>> #----Profile Store Settings---------
>>> [profs]
>>> comment = WinProfsStorage
>>> path = /disk1/profs
>>> read only = no
>>> store dos attributes = yes
>>> create mask = 0600
>>> directory mask = 0755
>>> profile acls = yes
>>> csc policy = disable
>>>
>>> My problem is that users get temp profile whenever they log into a win7
>>> client which is also a TESTAD member.
>>> The error I get is: You have been logged on with a temp profile. In the
>>> event log it is indicated that this is due to "insufficient security
>>> rights". EventID: 1521 and 1511.
>>>
>>> Below are my settings on Jimmy:
>>> 1. I can confirm that Selinux, iptables and firewalld are all disabled
>>> 2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo -u",
>>> "wbinfo -g", "getent passwd" and
>>> "getent group" return the right values.
>>> 3. I can confirm that clocks on Jimmy and AD server are in sync.
>>> 4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root
>>> domain_users 23 Jun 11 15:57 profs
>>>
>>>
>>> Windows AD server facts/settings:
>>> 1. I can view,access and write to "/disk1/profs"
>>> 2. The security tab of "profs" shows the following user names and their
>>> permissions:
>>> Creator Owner: has only the "special permissions" ticked, which is
>>> greyed out
>>> Domain Users: Full Control
>>> Administrators (JIMMY\Administrators): Full Control
>>> Users: (JIMMY\Users): Full Control
>>>
>>> 3. Under the "Advanced" button in the "Security tab" I can see these
>>> permission entries:
>>> Root (unix user\root)
>>> Administrators (JIMMY\Administrators)
>>> CREATOR OWNER
>>> Domain Users
>>> Users (JIMMY\Users)
>>>
>>> 4. For all the above entries:
>>> "type" is set to "Allow"
>>> "Access" is set to "Full Control"
>>> "Inherit from" is set to "None"
>>> "Applies to" are set to "This folder, subfolder and files", except
>>> CREATOR OWNER which is set to "Sub-folders and files only".
>>>
>>> Note: I can edit any of these permission entries except "Creator owner".
>>> If I attempt to change the "applies to" setting of this entry to something
>>> else, the change reverses back when I hit "Apply"
>>>
>>> Windows 7 client, when logged in with temp profile as domain user
>>> 1. user can view,access and write to "/disk1/profs"
>>> 2. the "do not check profile ownership on roaming profiles" is enabled on
>>> the client (desperate move)
>>> 3. the network security setting: "Restrict NTLM: outgoing NTLM traffic to
>>> remote servers" is set to "ALLOW ALL"
>>>
>>>
>>> Please provide any suggestions you may have and of course have the time to
>>> do so.
>>>
>>> Many thanks for your help
>>> Yanni
>>>
>> Hi, have a look here:
>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>
>> You do not need everything you have put into [profs]
>>
>> Also do your users know where [profs] is ? do they have the 'profilePath'
>> attribute set on their AD objects ?
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
You seem to be mounting a path to a drive letter there; I think you want
the line above.
Anyway, I have found something that might help, have a look here:
https://social.technet.microsoft.com/Forums/windows/en-US/ad1ab74e-e155-4622-9b37-629c2c52b38b/keep-local-profile-as-domain-profile-whenafter-joining-windows-7-box-to-domain?forum=w7itprogeneral
Rowland
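The thread above turns on Event IDs 1521/1511 ("insufficient security rights"), the error Windows raises when the ownership check that "Do not check for user ownership of Roaming Profile Folders" disables fails on the server copy of the profile. As an added example (not code from the thread, from Rowland or from the Samba project), the script below audits a profile root such as /disk1/profs from the Samba host's side: for each profile folder it compares the Unix owner resolved through winbind with the account name encoded in the folder name, and flags folders that are readable or writable beyond their owner. It assumes winbind use default domain = yes (as in the posted smb.conf), so owners resolve to bare names such as yanni, and it assumes the usual Windows folder naming user.V2 (the .V2 suffix is an assumption, the page never shows a folder name). The sample listing is constructed for illustration.

```python
"""Audit a Samba roaming-profile root for the ownership mismatch that makes
Windows log users on with a temporary profile (Event IDs 1521/1511).

Added example; not from the mailing-list thread or from Samba itself.
Assumptions: winbind use default domain = yes (owners are bare names),
profile folders are named <user> or <user>.V<n> (Windows 7 uses .V2).
"""
import os
import pwd
import re
from typing import List, Optional, Tuple

PROFILE_SUFFIX = re.compile(r"\.V\d+$")  # "yanni.V2" -> "yanni" (assumed naming)

# Constructed sample listing: (folder name, Unix owner, mode bits).
# A folder created from the Samba host by root, as in the thread's
# "drwxrwx--T+ root domain_users" listing, is the classic mismatch.
SAMPLE_LISTING: List[Tuple[str, str, int]] = [
    ("yanni.V2", "yanni", 0o700),          # fine: owner matches, owner-only
    ("joseph.V2", "root", 0o700),          # mismatch: created by root on the server
    ("TESTAD\\alice.V2", "TESTAD\\alice", 0o770),  # fine owner, but group-writable
]


def expected_user(folder_name: str) -> str:
    """Account a profile folder must be owned by, derived from its name.
    Strips the Windows version suffix and any DOMAIN\\ or DOMAIN+ prefix
    (the separators winbind emits when 'use default domain' is off)."""
    name = PROFILE_SUFFIX.sub("", folder_name)
    for sep in ("\\", "+"):
        if sep in name:
            name = name.rsplit(sep, 1)[1]
    return name.lower()


def ownership_problem(folder_name: str, owner: str) -> Optional[str]:
    """Describe why Windows would refuse this folder, or None if the
    POSIX owner is the user the folder name says it belongs to."""
    want, have = expected_user(folder_name), expected_user(owner)
    if have == want:
        return None
    return f"{folder_name}: owned by {owner!r}, Windows expects {want!r}"


def mode_problem(folder_name: str, mode: int) -> Optional[str]:
    """A profile folder should be reachable by its owner only; any group or
    other bits mean other accounts can read or alter the profile."""
    if mode & 0o077:
        return f"{folder_name}: mode {oct(mode & 0o7777)} grants access beyond the owner"
    return None


def audit_listing(listing: List[Tuple[str, str, int]]) -> List[str]:
    """Run both checks over (name, owner, mode) triples; returns the findings."""
    findings = []
    for name, owner, mode in listing:
        for problem in (ownership_problem(name, owner), mode_problem(name, mode)):
            if problem:
                findings.append(problem)
    return findings


def scan_profile_root(root: str) -> List[Tuple[str, str, int]]:
    """Build the (name, owner, mode) listing from a real directory on the
    Samba host; owners come from nss/winbind, unmapped uids stay numeric."""
    listing = []
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)  # uid outside the idmap range, or stale mapping
        listing.append((entry.name, owner, st.st_mode & 0o7777))
    return listing


if __name__ == "__main__":
    import sys
    listing = scan_profile_root(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for line in audit_listing(listing) or ["no ownership or mode problems found"]:
        print(line)
```

Run it with the profile path as the only argument (python3 audit_profiles.py /disk1/profs); with no argument it audits the constructed sample. One caveat: with vfs objects = acl_xattr the NT owner Windows actually evaluates is stored in the security.NTACL extended attribute and can differ from the POSIX owner this script reads, so confirm any finding with smbcacls against the share (or from the Security tab, as in the thread) before changing anything.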