[Samba] SAMBA AD DC Access Denied to Redirected Folders

Philippe LeCavalier support at plecavalier.com
Sat Mar 25 14:21:30 UTC 2017


On Sat, Mar 25, 2017 at 9:21 AM Philippe LeCavalier <support at plecavalier.com>
wrote:

On Thu, Feb 16, 2017 at 1:16 PM Philippe LeCavalier <support at plecavalier.com>
wrote:

Hi everyone,

I'm re-posting this because my previous thread (see below) for whatever
reason I cannot reply to. So I'm starting a new one in the hopes that I can
respond to those who made suggestions and hopefully get to a solution.

In a nutshell, I've got a SAMBA4 AD DC server running Debian 8 stable. It's
set up for roaming profiles, home dirs and redirected folders. Randomly,
when users login they get an error about the recycle bin folders on each of
their redirected folders and are then denied access. The folders in
question are:

Desktop
Documents
Favorites
Start Menu

One response I got from Rowland is *exactly* what is happening. Furthermore
the fix does work (and is what I had discovered as a workable fix as well).
However, it only "sticks" for a few days and then it happens again. So I
reapply the fix, have the user log out/in...wash, rinse and repeat.

This is the MS fix Rowland suggested:
http://www.ieple.com/blog/fixing-corrupted-recycle-bin-in-redirected-folders-server-2012-r2-essentials

Another response suggested I disable the recycle bin on the desktop to see
if that is the cause. In Windows 10 however, I cannot find how to do that.
If I right click on the recycle bin in the desktop it does list the various
recycle bins and their properties but no function to disable them is
apparent. Also, I would be concerned with leaving that disabled if I
figured out how to considering how much data the users leave on their
desktops. Hence the need for redirected folders. Perhaps it was just
suggested for test purposes...

Hopefully you guys can respond to this b/c I really need to address this.
Worst case, please cc me directly.

The original thread:
https://lists.samba.org/archive/samba/2017-January/206138.html
-- 
Regards,
Phil


I'm just reviving this because I was unable to reply due to access issues
with the mailing list. Any suggestions are greatly appreciated.

On a side note: thank you Bjorn and Rowland for your assistance in getting
things sorted to get me back on the list.
-- 
Regards,
Phil


As requested by an earlier reply to the original thread, here are my
configs:

smb.conf

# Global parameters
[global]
        workgroup = INTRANET
        realm = INTRANET.DOMAIN.COM
        netbios name = DC11
        server role = active directory domain controller
        dns forwarder = 192.168.1.1
        idmap_ldb:use rfc2307 = yes
        map acl inherit = yes
        client ldap sasl wrapping = sign

# Default idmap config for local BUILTIN accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

# idmap config for the INTRANET domain
        idmap config INTRANET:backend = ad
        idmap config INTRANET:schema_mode = rfc2307
        idmap config INTRANET:range = 10000-999999

# Template settings for login shell and home directory
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /data/home/%U

[netlogon]
        path = /var/lib/samba/sysvol/intranet.domain.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[profiles]
        path = /data/profiles
        read only = no

[home]
        path = /data/home
        read only = no

As you can see I did create a [home] share and perhaps that is the source
of the problem. I wanted each user's redirected folders to be as safe from
each other as possible.

nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

resolv.conf

cat /etc/resolv.conf
domain intranet.domain.com
search intranet.domain.com
nameserver 192.168.1.11

hosts.conf

cat /etc/hosts
127.0.0.1       localhost
192.168.1.11    dc11.intranet.domain.com   dc11

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

I think that covers it for what was requested. If not please ask away.
-- 
Regards,
Phil

