[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012

Rowland Penny rowlandpenny at googlemail.com
Fri Jun 12 03:47:48 MDT 2015


On 12/06/15 10:15, joseph-andre Guaragna wrote:
> No, they have no profilePath attribute set up; they do, however, have a
> base directory set up by default, as you can see at the link below.
>
>   https://app.box.com/s/32jbi0dwac23uypqvm6i0v8suqtbfijd
>
>
> Meilleures salutations / Best regards,
>
> Joseph-André GUARAGNA
>
> 2015-06-12 10:40 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> On 11/06/15 16:29, Yanni wrote:
>>> Hello Samba
>>>
>>> I have been trying to fix the problem below for several days with no
>>> success and I can't understand why.
>>> Please help me if you can.
>>>
>>> I've got a windows server 2012 running AD and I want to store the user
>>> profiles in a Samba filestore server called "Jimmy". Jimmy has the following
>>> smb.conf:
>>>
>>>   [global]
>>>    server string = Samba4 file server
>>>    workgroup = TESTAD
>>>    security = ADS
>>>    realm = TESTAD.BIO.AC.UK
>>>    domain master = no
>>>    prefered master = no
>>>    local master = no
>>>    os level = 0
>>>    browse list = yes
>>>    encrypt passwords = yes
>>>    template shell = /bin/bash
>>>    name resolve order = bcast
>>> #-------- Mapping RID--------
>>>     idmap config *:backend = tdb
>>>     idmap config *:range = 2000-3999
>>>     idmap config TESTAD: backend = rid
>>>     idmap config TESTAD: range = 10000-99999
>>> #------- Winbind ----------
>>>     winbind trusted domains only = no
>>>     winbind use default domain = yes
>>>     winbind enum users = yes
>>>     winbind enum groups = yes
>>>     winbind refresh tickets = Yes
>>>     winbind expand groups = 4
>>>     winbind normalize names = Yes
>>>
>>>     vfs objects = acl_xattr
>>>     map acl inherit = yes
>>>
>>> #Logging Settings
>>>     log level = 3
>>>     log file = /var/log/samba/log.%m
>>>     max log size = 50
>>>
>>> #----Profile Store Settings---------
>>> [profs]
>>>     comment = WinProfsStorage
>>>     path = /disk1/profs
>>>     read only = no
>>>     store dos attributes = yes
>>>     create mask = 0600
>>>     directory mask = 0755
>>>     profile acls = yes
>>>     csc policy = disable
>>>
>>> My problem is that users get a temp profile whenever they log into a Win7
>>> client which is also a TESTAD member.
>>> The error I get is: "You have been logged on with a temp profile". In the
>>> event log it is indicated that this is due to "insufficient security
>>> rights". Event IDs: 1521 and 1511.
>>>
>>> Below are my settings on Jimmy:
>>> 1. I can confirm that Selinux, iptables and firewalld are all disabled
>>> 2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo -u",
>>> "wbinfo -g", "getent passwd" and
>>>      "getent group" return the right values.
>>> 3. I can confirm that clocks on Jimmy and AD server are in sync.
>>> 4. Permissions on the "path=/disk1/profs" are: drwxrwx--T+ 3 root
>>> domain_users 23 Jun 11 15:57 profs
>>>
>>>
>>> Windows AD server facts/settings:
>>> 1. I can view, access and write to "/disk1/profs"
>>> 2. The security tab of "profs" shows the following user names and their
>>> permissions:
>>>      Creator Owner: has only the "special permissions" ticked, which is
>>> greyed out
>>>      Domain Users: Full Control
>>>      Administrators (JIMMY\Administrators): Full Control
>>>      Users: (JIMMY\Users): Full Control
>>>
>>> 3. Under the "Advanced" button in the "Security tab" I can see these
>>> permission entries:
>>>      Root (unix user\root)
>>>      Administrators (JIMMY\Administrators)
>>>      CREATOR OWNER
>>>      Domain Users
>>>      Users (JIMMY\Users)
>>>
>>> 4. For all the above entries:
>>>     "type" is set to "Allow"
>>>     "Access" is set to "Full Control"
>>>     "Inherit from" is set to "None"
>>>     "Applies to" are set to "This folder, subfolder and files", except
>>> CREATOR OWNER which is set to "Sub-folders and files only".
>>>
>>> Note: I can edit any of these permission entries except "Creator owner".
>>> If I attempt to change the "applies to" setting of this entry to something
>>> else, the change reverts when I hit "Apply".
>>>
>>> Windows 7 client, when logged in with temp profile as domain user
>>> 1. user can view, access and write to "/disk1/profs"
>>> 2. the "do not check profile ownership on roaming profiles" is enabled on
>>> the client (desperate move)
>>> 3. the network security setting "Restrict NTLM: outgoing NTLM traffic to
>>> remote servers" is set to "ALLOW ALL"
>>>
>>>
>>> Please provide any suggestions you may have and, of course, have the time
>>> to do so.
>>>
>>> Many thanks for your help
>>> Yanni
>>>
>> Hi, have a look here:
>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>
>> You do not need everything you have put into [profs]
>>
>> Also, do your users know where [profs] is? Do they have the 'profilePath'
>> attribute set on their AD objects?
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

You seem to be mounting a path to a drive letter there, I think you want 
the line above.

Anyway, I have found something that might help; have a look here:

https://social.technet.microsoft.com/Forums/windows/en-US/ad1ab74e-e155-4622-9b37-629c2c52b38b/keep-local-profile-as-domain-profile-whenafter-joining-windows-7-box-to-domain?forum=w7itprogeneral

Rowland
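
Rowland's question about the 'profilePath' attribute is the first thing to check, since a Windows client can only load a roaming profile from the share it is told about in AD. The PowerShell audit below is an added example, not from this thread or from the Samba project: it lists every user under an OU with their profilePath, homeDrive and homeDirectory, flags accounts whose profilePath is missing, points at a drive letter instead of a UNC path, or points at some other share, and sets the missing ones to a per-user folder under the \\jimmy\profs share from the thread. It assumes the RSAT ActiveDirectory module on the Windows Server 2012 DC and a domain-admin session; the OU name is a hypothetical placeholder.

```powershell
# Added example, not from the thread or the Samba project.
# Assumes: RSAT ActiveDirectory module, run as a domain admin on the DC.
# \\jimmy\profs is the share from the thread; the OU is a hypothetical placeholder.
Import-Module ActiveDirectory

$ProfileShare = '\\jimmy\profs'
$SearchBase   = 'OU=Staff,DC=testad,DC=bio,DC=ac,DC=uk'   # placeholder OU

# Every user under the OU, with the three attributes that distinguish a roaming
# profile from a drive-mapped home directory.
$users = Get-ADUser -Filter * -SearchBase $SearchBase `
            -Properties ProfilePath, HomeDirectory, HomeDrive

$report = foreach ($u in $users) {
    # Expected value: UNC path to the share, one folder per user.
    # Do not append ".V2" here: Windows 7 adds that suffix to the folder itself.
    $expected = "$ProfileShare\$($u.SamAccountName)"

    $state = if (-not $u.ProfilePath) {
        'MISSING'        # client has nowhere to load from -> local/temp profile
    } elseif ($u.ProfilePath -ieq $expected) {
        'OK'
    } elseif ($u.ProfilePath -notlike '\\*') {
        'NOT-UNC'        # a drive letter or local path, which the client cannot use
    } else {
        'OTHER-SHARE'    # a UNC path, but not the share we expect
    }

    [pscustomobject]@{
        User          = $u.SamAccountName
        ProfilePath   = $u.ProfilePath
        HomeDrive     = $u.HomeDrive
        HomeDirectory = $u.HomeDirectory
        State         = $state
    }
}

$report | Format-Table -AutoSize

# Set profilePath only where it is absent.  -WhatIf just reports the change;
# remove it once the report above looks right.  NOT-UNC and OTHER-SHARE users
# are deliberately left alone so an existing setting is not silently overwritten.
$report | Where-Object State -eq 'MISSING' | ForEach-Object {
    Set-ADUser -Identity $_.User -ProfilePath "$ProfileShare\$($_.User)" -WhatIf
}
```

After the attribute is set and the user logs on again, Windows 7 creates the folder on the share as `<user>.V2` and makes that user its owner, so `ls -l /disk1/profs` on Jimmy is the place to compare against the "insufficient security rights" text in the event log if a temporary profile is still handed out.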

