[Samba] Problems with samba and profile syncing from various windows versions

Rowland Penny rpenny at samba.org
Thu May 4 08:01:02 UTC 2017


On Thu, 4 May 2017 09:39:17 +0200
Arnaud FLORENT <aflorent at iris-tech.fr> wrote:

> 
> 
> On 04/05/2017 at 09:36, Rowland Penny wrote:
> > On Thu, 4 May 2017 09:07:11 +0200
> > Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
> >
> >> On 04/05/2017 at 08:45, Rowland Penny via samba wrote:
> >>> On Wed, 3 May 2017 22:48:06 +0200
> >>> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Thanks for pointing this out.
> >>>>
> >>>> I have read that again, now my profiles do not have "vfs objects
> >>>> = full_audit" and disabled the csc policy. I have verified that I
> >>>> have set up my profiles share properly and that it has all the
> >>>> right entitlements. I have reset the entitlements for the users
> >>>> that have issues (as Administrator right click on the folder and
> >>>> do the dance there with Windows). We'll see tomorrow.
> >>>>
> >>>> Is "profile acls" required anymore on Samba 4.3? What effect will
> >>>> it have on Windows 10?
> >>>>
> >>> On a Samba AD DC, no, you must use windows ACLs, but, on a Unix
> >>> domain member, you can use the old way i.e. 'create mask' etc
> >>>
> >>> Rowland
> >>>    
> >>>
> >> Could you explain why the old way cannot be used, please?
> >>
> >> Why are only shares using extended ACLs supported on a Samba AD DC?
> >>
> >> Extended ACL support is automatically enabled globally,
> >> but there may be a way to disable it for a specific share?
> > You answered your question yourself ;-)
> >
> > Extended ACL support is automatically enabled globally and you
> > cannot turn it off.
> >
> > Rowland
> >
> >
> nt acl =no
> seems to work
> 
> Am I wrong to use this?

YES!

> What kind of errors may occur?

The AD DC relies on NT ACLs, you need to accept that you must use
Windows ACLs on a Samba AD DC if you use it as a fileserver. If you
must use the old way of doing things, set up a Unix domain member and
use this as a fileserver instead.

If you go here:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Under the heading 'Using POSIX ACLs', you will find an info box
containing this:

 When setting up the share on a Samba Active Directory (AD) domain
 controller (DC), you cannot use POSIX ACLs. On a Samba DC, only
 shares using extended ACLs are supported. For further details, see
 Enable Extended ACL Support in the smb.conf File. To set up the share
 on a Samba AD DC, see Setting up the Profiles Share on the Samba File
 Server - Using Windows ACLs.

This wasn't written for no reason.

Rowland
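
An added example, not part of the original message or of Samba itself: a small audit that reads smb.conf text and, when the server role is an AD DC, reports sections that switch off `nt acl support` or rely on POSIX mode parameters such as `create mask`. The sample configuration, share names and paths are constructed; `include` lines and backslash line continuations are not handled.

```python
import re

# Constructed sample smb.conf for illustration (not taken from the thread).
SAMPLE_CONF = """\
[global]
    server role = active directory domain controller
    workgroup = EXAMPLE

[profiles]
    path = /srv/samba/profiles
    read only = no
    NT ACL Support = No
    create mask = 0600

[data]
    path = /srv/samba/data
    read only = no
"""

DC_ROLES = {"activedirectorydomaincontroller", "domaincontroller", "dc"}
FALSE_VALUES = {"no", "false", "0", "off"}
POSIX_MODE_KEYS = {"createmask", "createmode", "directorymask",
                   "directorymode", "forcecreatemode", "forcedirectorymode"}

def norm(name):
    """smb.conf ignores case and whitespace inside parameter names."""
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: {normalised parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][norm(key)] = value.strip()
    return sections

def audit(text):
    """List (section, parameter) pairs that conflict with running an AD DC."""
    conf = parse(text)
    role = conf.get("global", {}).get("serverrole", "auto")
    if norm(role) not in DC_ROLES:
        return []  # domain members may still use POSIX permissions
    findings = []
    for name, params in conf.items():
        if params.get("ntaclsupport", "yes").lower() in FALSE_VALUES:
            findings.append((name, "ntaclsupport"))
        findings += [(name, k) for k in sorted(params.keys() & POSIX_MODE_KEYS)]
    return findings
```

Running `audit()` over the output of `testparm -s` instead of the raw file gives it the configuration as Samba itself parsed it.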


