[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012

joseph-andre Guaragna jaguaragna at rdmo.com
Fri Jun 12 03:53:14 MDT 2015


Nope, no scripts at all.
Meilleures salutations / Best regards,

Joseph-André GUARAGNA
ingénieur Système et Réseau / Network and System engineer



RD MACHINES-OUTILS

77, allée de l'Industrie  F-74130 CONTAMINE SUR ARVE
Tel : +33 (0) 4 50 03 90 77    -   Fax :+33 (0) 4 50 03 66 79
www.rdmo.com / www.rdmo-spare-parts.com


2015-06-12 11:47 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> Ok, my bad..
>
> Then if you use policies, check your GPO settings for:
> Computer Configuration \ Administrative Templates \ System \ User Profiles
> - Delete cached copies of roaming profiles
> - Delete user profiles older than a specified number of days on system restart
>
> and/or read:
> https://support.microsoft.com/en-us/kb/983544
> which may apply.
>
> And you don't have any script running to clean up local profiles?
>
> Greetz,
>
> louis
>
>
>>-----Original message-----
>>From: jaguaragna at rdmo.com
>>[mailto:samba-bounces at lists.samba.org] On behalf of joseph-andre Guaragna
>>Sent: Friday 12 June 2015 11:21
>>CC: samba at lists.samba.org
>>Subject: Re: [Samba] you have been logged on with a
>>temporary profile_win7 client+samba 4+WinServ2012
>>
>>I am a bit confused by your answer, L.P.H.
>>
>>I have no problem at all with my shares; ACLs are correctly applied to
>>them, and I can easily manage them directly, which is what I do in order
>>to avoid mixing POSIX and Windows ACLs.
>>
>>My problem is not with shares but with data blanking in the local profile
>>on the workstation, which, as I understand it, is unlinked from share
>>settings.
>>
>>
>>Cheers
>>
>>
>>Meilleures salutations / Best regards,
>>
>>Joseph-André GUARAGNA
>>ingénieur Système et Réseau / Network and System engineer
>>
>>
>>
>>RD MACHINES-OUTILS
>>
>>77, allée de l'Industrie  F-74130 CONTAMINE SUR ARVE
>>Tel : +33 (0) 4 50 03 90 77    -   Fax :+33 (0) 4 50 03 66 79
>>www.rdmo.com / www.rdmo-spare-parts.com
>>
>>
>>2015-06-12 10:52 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>> 3 obligatory settings!! You're missing one...
>>>
>>>    # For ACL support on member file server
>>>    vfs objects = acl_xattr
>>>    map acl inherit = yes
>>>    store dos attributes = yes   <===== is missing in your config.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>>-----Original message-----
>>>>From: y.goudetsidis at mail.cryst.bbk.ac.uk
>>>>[mailto:samba-bounces at lists.samba.org] On behalf of Yanni
>>>>Sent: Thursday 11 June 2015 17:30
>>>>To: samba at lists.samba.org
>>>>Subject: [Samba] you have been logged on with a temporary
>>>>profile_win7 client+samba 4+WinServ2012
>>>>
>>>>Hello Samba
>>>>
>>>>I have been trying to fix the problem below for several days with no
>>>>success and I can't understand why.
>>>>Please help me if you can.
>>>>
>>>>I've got a windows server 2012 running AD and I want to store the user
>>>>profiles in a Samba filestore server called "Jimmy". Jimmy has the
>>>>following smb.conf:
>>>>
>>>>  [global]
>>>>   server string = Samba4 file server
>>>>   workgroup = TESTAD
>>>>   security = ADS
>>>>   realm = TESTAD.BIO.AC.UK
>>>>   domain master = no
>>>>   prefered master = no
>>>>   local master = no
>>>>   os level = 0
>>>>   browse list = yes
>>>>   encrypt passwords = yes
>>>>   template shell = /bin/bash
>>>>   name resolve order = bcast
>>>>#-------- Mapping RID--------
>>>>    idmap config *:backend = tdb
>>>>    idmap config *:range = 2000-3999
>>>>    idmap config TESTAD: backend = rid
>>>>    idmap config TESTAD: range = 10000-99999
>>>>#------- Winbind ----------
>>>>    winbind trusted domains only = no
>>>>    winbind use default domain = yes
>>>>    winbind enum users = yes
>>>>    winbind enum groups = yes
>>>>    winbind refresh tickets = Yes
>>>>    winbind expand groups = 4
>>>>    winbind normalize names = Yes
>>>>
>>>>    vfs objects = acl_xattr
>>>>    map acl inherit = yes
>>>>
>>>>#Logging Settings
>>>>    log level = 3
>>>>    log file = /var/log/samba/log.%m
>>>>    max log size = 50
>>>>
>>>>#----Profile Store Settings---------
>>>>[profs]
>>>>    comment = WinProfsStorage
>>>>    path = /disk1/profs
>>>>    read only = no
>>>>    store dos attributes = yes
>>>>    create mask = 0600
>>>>    directory mask = 0755
>>>>    profile acls = yes
>>>>    csc policy = disable
>>>>
>>>>My problem is that users get temp profile whenever they log into a win7
>>>>client which is also a TESTAD member.
>>>>The error I get is: You have been logged on with a temp profile. In the
>>>>event log it is indicated that this is due to "insufficient security
>>>>rights". EventID: 1521 and 1511.
>>>>
>>>>Below are my settings on Jimmy:
>>>>1. I can confirm that Selinux, iptables and firewalld are all disabled
>>>>2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo
>>>>-u", "wbinfo -g", "getent passwd" and
>>>>     "getent group" return the right values.
>>>>3. I can confirm that clocks on Jimmy and AD server are in sync.
>>>>4. Permissions on the "path=/disk1/profs" are:
>>>>     drwxrwx--T+ 3 root domain_users 23 Jun 11 15:57 profs
>>>>
>>>>
>>>>Windows AD server facts/settings:
>>>>1. I can view, access and write to "/disk1/profs"
>>>>2. The security tab of "profs" shows the following user names and their
>>>>permissions:
>>>>     Creator Owner: has only the "special permissions" ticked, which is
>>>>     greyed out
>>>>     Domain Users: Full Control
>>>>     Administrators (JIMMY\Administrators): Full Control
>>>>     Users: (JIMMY\Users): Full Control
>>>>
>>>>3. Under the "Advanced" button in the "Security tab" I can see these
>>>>permission entries:
>>>>     Root (unix user\root)
>>>>     Administrators (JIMMY\Administrators)
>>>>     CREATOR OWNER
>>>>     Domain Users
>>>>     Users (JIMMY\Users)
>>>>
>>>>4. For all the above entries:
>>>>    "type" is set to "Allow"
>>>>    "Access" is set to "Full Control"
>>>>    "Inherit from" is set to "None"
>>>>    "Applies to" are set to "This folder, subfolder and files", except
>>>>    CREATOR OWNER which is set to "Sub-folders and files only".
>>>>
>>>>Note: I can edit any of these permission entries except "Creator owner".
>>>>If I attempt to change the "applies to" setting of this entry to
>>>>something else, the change reverses back when I hit "Apply"
>>>>
>>>>Windows 7 client, when logged in with temp profile as domain user
>>>>1. user can view, access and write to "/disk1/profs"
>>>>2. the "do not check profile ownership on roaming profiles" is enabled
>>>>on the client (desperate move)
>>>>3. the network security setting: "Restrict NTLM: outgoing NTLM traffic
>>>>to remote servers" is set to "ALLOW ALL"
>>>>
>>>>
>>>>Please provide any suggestions you may have and of course have the time
>>>>to do so.
>>>>
>>>>Many thanks for your help
>>>>Yanni
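Added example (not part of the original thread, and not Samba project code): a small Python audit that reports, for each share in an smb.conf, which of the three ACL-related settings named in the quoted reply are not effectively enabled once values inherited from [global] are taken into account. The sample is a constructed excerpt modelled on the posted config; the [data] share is hypothetical, and treating an unset parameter as "not enabled" is an assumption, since compiled-in defaults differ between Samba versions.

```python
# Added example: per-share audit of vfs objects / map acl inherit / store dos attributes.
TRUE = ("yes", "true", "1")  # boolean spellings documented in smb.conf(5)
REQUIRED = {  # normalised name -> (label, predicate on the effective value)
    "vfsobjects": ("vfs objects", lambda v: "acl_xattr" in v.lower().split()),
    "mapaclinherit": ("map acl inherit", lambda v: v.lower() in TRUE),
    "storedosattributes": ("store dos attributes", lambda v: v.lower() in TRUE),
}

def parse_smb_conf(text):
    """Return {section: {normalised_parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            current["".join(name.split()).lower()] = value.strip()
    return sections

def missing_acl_settings(text):
    """Return {share: [labels of settings not effectively enabled]}."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    report = {}
    for share, params in sections.items():
        if share == "global":
            continue
        effective = {**defaults, **params}       # share value overrides [global]
        report[share] = [label for key, (label, ok) in REQUIRED.items()
                         if not ok(effective.get(key, ""))]  # unset = not enabled (assumption)
    return report

# Constructed sample: [global] and [profs] follow the posted config; [data] is hypothetical.
SAMPLE = """
[global]
   security = ADS
   vfs objects = acl_xattr
   map acl inherit = yes
[profs]
    path = /disk1/profs
    store dos attributes = yes
[data]
    path = /disk1/data
    Map ACL Inherit = no
"""

if __name__ == "__main__":
    for share, missing in missing_acl_settings(SAMPLE).items():
        print(share, "->", ", ".join(missing) or "all three set")
```

On a live member server, `testparm -s` prints the configuration as Samba itself parses it, and its output can be fed to the same function.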

