[Samba] you have been logged on with a temporary profile_win7 client+samba 4+WinServ2012
joseph-andre Guaragna
jaguaragna at rdmo.com
Fri Jun 12 03:53:14 MDT 2015
Nope, no scripts at all.
Meilleures salutations / Best regards,
Joseph-André GUARAGNA
ingénieur Système et Réseau / Network and System engineer
RD MACHINES-OUTILS
77, allée de l'Industrie F-74130 CONTAMINE SUR ARVE
Tel : +33 (0) 4 50 03 90 77 - Fax :+33 (0) 4 50 03 66 79
www.rdmo.com / www.rdmo-spare-parts.com
2015-06-12 11:47 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> Ok, my bad..
>
> Then if you use policies, check your GPO settings for:
> Computer Configuration \ Administrative Templates \ System \ User Profiles
> - Delete cached copies of roaming profiles
> - Delete user profiles older than a specified number of days on system restart
>
> and/or read :
> https://support.microsoft.com/en-us/kb/983544
> which may apply.
>
> and you don't have any script running for cleanup of local profiles?
>
> Greetz,
>
> louis
>
>
>>-----Original message-----
>>From: jaguaragna at rdmo.com
>>[mailto:samba-bounces at lists.samba.org] On behalf of joseph-andre Guaragna
>>Sent: Friday 12 June 2015 11:21
>>CC: samba at lists.samba.org
>>Subject: Re: [Samba] you have been logged on with a
>>temporary profile_win7 client+samba 4+WinServ2012
>>
>>I am a bit confused by your answer, L.P.H.
>>
>>I have no problem at all with my shares; ACLs are correctly applied to
>>them, and I can easily manage them directly, which I do in order to
>>avoid mixing POSIX and Windows ACLs.
>>
>>My problem is not with shares but with data blanking in the local profile on
>>the workstation, which as I understand it is unlinked from share
>>settings.
>>
>>
>>Cheers
>>
>>
>>Meilleures salutations / Best regards,
>>
>>Joseph-André GUARAGNA
>>ingénieur Système et Réseau / Network and System engineer
>>
>>
>>
>>RD MACHINES-OUTILS
>>
>>77, allée de l'Industrie F-74130 CONTAMINE SUR ARVE
>>Tel : +33 (0) 4 50 03 90 77 - Fax :+33 (0) 4 50 03 66 79
>>www.rdmo.com / www.rdmo-spare-parts.com
>>
>>
>>2015-06-12 10:52 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>> 3 obligatory settings!! You're missing one...
>>>
>>> # For ACL support on member file server
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes <===== is missing in your config.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>>-----Original message-----
>>>>From: y.goudetsidis at mail.cryst.bbk.ac.uk
>>>>[mailto:samba-bounces at lists.samba.org] On behalf of Yanni
>>>>Sent: Thursday 11 June 2015 17:30
>>>>To: samba at lists.samba.org
>>>>Subject: [Samba] you have been logged on with a temporary
>>>>profile_win7 client+samba 4+WinServ2012
>>>>
>>>>Hello Samba
>>>>
>>>>I have been trying to fix the problem below for several days with no
>>>>success and I can't understand why.
>>>>Please help me if you can.
>>>>
>>>>I've got a windows server 2012 running AD and I want to store the user
>>>>profiles in a Samba filestore server called "Jimmy". Jimmy has the
>>>>following smb.conf:
>>>>
>>>> [global]
>>>> server string = Samba4 file server
>>>> workgroup = TESTAD
>>>> security = ADS
>>>> realm = TESTAD.BIO.AC.UK
>>>> domain master = no
>>>> prefered master = no
>>>> local master = no
>>>> os level = 0
>>>> browse list = yes
>>>> encrypt passwords = yes
>>>> template shell = /bin/bash
>>>> name resolve order = bcast
>>>>#-------- Mapping RID--------
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 2000-3999
>>>> idmap config TESTAD: backend = rid
>>>> idmap config TESTAD: range = 10000-99999
>>>>#------- Winbind ----------
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind refresh tickets = Yes
>>>> winbind expand groups = 4
>>>> winbind normalize names = Yes
>>>>
>>>> vfs objects = acl_xattr
>>>> map acl inherit = yes
>>>>
>>>>#Logging Settings
>>>> log level = 3
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 50
>>>>
>>>>#----Profile Store Settings---------
>>>>[profs]
>>>> comment = WinProfsStorage
>>>> path = /disk1/profs
>>>> read only = no
>>>> store dos attributes = yes
>>>> create mask = 0600
>>>> directory mask = 0755
>>>> profile acls = yes
>>>> csc policy = disable
>>>>
>>>>My problem is that users get temp profile whenever they log into a win7
>>>>client which is also a TESTAD member.
>>>>The error I get is: You have been logged on with a temp profile. In the
>>>>event log it is indicated that this is due to "insufficient security
>>>>rights". EventID: 1521 and 1511.
>>>>
>>>>Below are my settings on Jimmy:
>>>>1. I can confirm that Selinux, iptables and firewalld are all disabled
>>>>2. Jimmy is a domain member of TESTAD and I can confirm that "wbinfo
>>>>-u", "wbinfo -g", "getent passwd" and
>>>> "getent group" return the right values.
>>>>3. I can confirm that clocks on Jimmy and AD server are in sync.
>>>>4. Permissions on the "path=/disk1/profs" are:
>>>> drwxrwx--T+ 3 root domain_users 23 Jun 11 15:57 profs
>>>>
>>>>
>>>>Windows AD server facts/settings:
>>>>1. I can view,access and write to "/disk1/profs"
>>>>2. The security tab of "profs" shows the following user names and their
>>>>permissions:
>>>> Creator Owner: has only the "special permissions" ticked, which is
>>>>greyed out
>>>> Domain Users: Full Control
>>>> Administrators (JIMMY\Administrators): Full Control
>>>> Users: (JIMMY\Users): Full Control
>>>>
>>>>3. Under the "Advanced" button in the "Security tab" I can see these
>>>>permission entries:
>>>> Root (unix user\root)
>>>> Administrators (JIMMY\Administrators)
>>>> CREATOR OWNER
>>>> Domain Users
>>>> Users (JIMMY\Users)
>>>>
>>>>4. For all the above entries:
>>>> "type" is set to "Allow"
>>>> "Access" is set to "Full Control"
>>>> "Inherit from" is set to "None"
>>>> "Applies to" are set to "This folder, subfolder and files", except
>>>>CREATOR OWNER which is set to "Sub-folders and files only".
>>>>
>>>>Note: I can edit any of these permission entries except "Creator owner".
>>>>If I attempt to change the "applies to" setting of this entry to
>>>>something else, the change reverses back when I hit "Apply"
>>>>
>>>>Windows 7 client, when logged in with temp profile as domain user
>>>>1. user can view,access and write to "/disk1/profs"
>>>>2. the "do not check profile ownership on roaming profiles" is enabled
>>>>on the client (desperate move)
>>>>3. the network security setting: "Restrict NTLM: outgoing NTLM traffic
>>>>to remote servers" is set to "ALLOW ALL"
>>>>
>>>>
>>>>Please provide any suggestions you may have and of course have the time
>>>>to do so.
>>>>
>>>>Many thanks for your help
>>>>Yanni
>>>>
>>>>--
>>>>To unsubscribe from this list go to the following URL and read the
>>>>instructions: https://lists.samba.org/mailman/options/samba
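Added example, not part of the thread and not Samba's own code: a Python check for the three settings listed in the quoted reply for ACL support on a member file server, resolving each share's effective value with `[global]` as the fallback. The function names are hypothetical, and the sample is a trimmed copy of the smb.conf quoted in the thread.

```python
import re

TRUE = ("yes", "true", "1", "on")  # spellings Samba accepts for an enabled boolean

def norm(name):
    """smb.conf parameter names ignore case and whitespace."""
    return "".join(name.lower().split())

# The three settings the reply lists for ACL support on a member file server.
REQUIRED = {
    "vfs objects": lambda v: "acl_xattr" in v.split(),
    "map acl inherit": lambda v: v.lower() in TRUE,
    "store dos attributes": lambda v: v.lower() in TRUE,
}

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def missing_acl_settings(conf, share):
    """Required settings absent or wrong for `share`; a share-level value
    replaces the [global] one, anything the share omits falls back to it."""
    effective = {**conf.get("global", {}), **conf[share]}
    return sorted(name for name, ok in REQUIRED.items()
                  if norm(name) not in effective or not ok(effective[norm(name)]))

# Constructed sample: the relevant lines of the smb.conf quoted in this thread.
SAMPLE = """
[global]
    vfs objects = acl_xattr
    map acl inherit = yes
[profs]
    path = /disk1/profs
    store dos attributes = yes
"""

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE)
    for share in conf:
        print(f"[{share}]", missing_acl_settings(conf, share) or "all three set")
```

On a live server, `testparm -s` prints the configuration as Samba itself parsed it and is the authoritative source for the same comparison.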