[Samba] SAMBA AD DC Access Denied to Redirected Folders
Philippe LeCavalier
support at plecavalier.com
Sat Mar 25 14:21:30 UTC 2017
On Sat, Mar 25, 2017 at 9:21 AM Philippe LeCavalier <support at plecavalier.com>
wrote:
On Thu, Feb 16, 2017 at 1:16 PM Philippe LeCavalier <support at plecavalier.com>
wrote:
Hi everyone,
I'm re-posting this because, for whatever reason, I cannot reply to my
previous thread (see below). So I'm starting a new one in the hopes that I can
respond to those who made suggestions and hopefully get to a solution.
In a nutshell, I've got a SAMBA4 AD DC server running Debian 8 stable. It's
set up for roaming profiles, home dirs and redirected folders. Randomly,
when users log in they get an error about the recycle bin folders on each of
their redirected folders and are then denied access. The folders in
question are:
Desktop
Documents
Favorites
Start Menu
One response I got from Rowland is *exactly* what is happening. Furthermore
the fix does work (and is what I had discovered as a workable fix as well).
However, it only "sticks" for a few days and then it happens again. So I
reapply the fix, have the user log out/in...wash, rinse and repeat.
This is the MS fix Rowland suggested:
http://www.ieple.com/blog/fixing-corrupted-recycle-bin-in-redirected-folders-server-2012-r2-essentials
Another response suggested I disable the recycle bin on the desktop to see
if that is the cause. In Windows 10, however, I cannot find how to do that.
If I right-click on the recycle bin on the desktop it does list the various
recycle bins and their properties, but no function to disable them is
apparent. Also, I would be concerned with leaving that disabled if I
figured out how to, considering how much data the users leave on their
desktops. Hence the need for redirected folders. Perhaps it was just
suggested for test purposes...
Hopefully you guys can respond to this b/c I really need to address this.
Worst case, please cc me directly.
The original thread:
https://lists.samba.org/archive/samba/2017-January/206138.html
--
Regards,
Phil
I'm just reviving this because I was unable to reply due to access issues
with the mailing list. Any suggestions are greatly appreciated.
On a side note: thank you Bjorn and Rowland for your assistance in getting
things sorted to get me back on the list.
--
Regards,
Phil
As requested by an earlier reply to the original thread, here are my
configs:
smb.conf

# Global parameters
[global]
        workgroup = INTRANET
        realm = INTRANET.DOMAIN.COM
        netbios name = DC11
        server role = active directory domain controller
        dns forwarder = 192.168.1.1
        idmap_ldb:use rfc2307 = yes
        map acl inherit = yes
        client ldap sasl wrapping = sign

        # Default idmap config for local BUILTIN accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        # idmap config for the INTRANET domain
        idmap config INTRANET:backend = ad
        idmap config INTRANET:schema_mode = rfc2307
        idmap config INTRANET:range = 10000-999999

        # Template settings for login shell and home directory
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /data/home/%U

[netlogon]
        path = /var/lib/samba/sysvol/intranet.domain.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[profiles]
        path = /data/profiles
        read only = no

[home]
        path = /data/home
        read only = no

As you can see I did create a [home] share and perhaps that is the source
of the problem. I wanted each user's redirected folders to be as safe from
each other as possible.
nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
resolv.conf
cat /etc/resolv.conf
domain intranet.domain.com
search intranet.domain.com
nameserver 192.168.1.11
hosts.conf
cat /etc/hosts
127.0.0.1 localhost
192.168.1.11 dc11.intranet.domain.com dc11
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
I think that covers it for what was requested. If not please ask away.
--
Regards,
Phil