[Samba] Problems with samba and profile syncing from various windows versions

Arnaud FLORENT aflorent at iris-tech.fr
Thu May 4 08:22:30 UTC 2017 


Le 04/05/2017 à 10:01, Rowland Penny a écrit :
> On Thu, 4 May 2017 09:39:17 +0200
> Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
>
>>
>> Le 04/05/2017 à 09:36, Rowland Penny a écrit :
>>> On Thu, 4 May 2017 09:07:11 +0200
>>> Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
>>>
>>>> Le 04/05/2017 à 08:45, Rowland Penny via samba a écrit :
>>>>> On Wed, 3 May 2017 22:48:06 +0200
>>>>> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Thanks for pointing this out.
>>>>>>
>>>>>> I have read that again, now my profiles do not have "vfs objects
>>>>>> = full_audit" and disabled the csc policy. I have verified that I
>>>>>> have set up my profiles share properly and that it has all the
>>>>>> right entitlements. I have reset the entitlements for the users
>>>>>> that have issues (as Administrator right click on the folder and
>>>>>> do the dance there with Windows). We'll see tomorrow.
>>>>>>
>>>>>> Is "profile acls" required anymore on Samba 4.3? What effect will
>>>>>> it have on Windows 10?
>>>>>>
>>>>> On a Samba AD DC, no, you must use windows ACLs, but, on a Unix
>>>>> domain member, you can use the old way i.e. 'create mask' etc
>>>>>
>>>>> Rowland
>>>>>     
>>>>>
>>>> Could you explain why  the old way can not be used please?
>>>>
>>>> why only shares using extended ACLs are supported on a Samba AD DC?
>>>>
>>>> extended ACL support is automatically enabled globally
>>>> but there may be a way to disable it for a specific share?
>>> You answered your question yourself ;-)
>>>
>>> Extended ACL support is automatically enabled globally and you
>>> cannot turn it off.
>>>
>>> Rowland
>>>
>>>
>> nt acl =no
>> seems to work
>>
>> am i wrong to use this?
> YES!
>
>> what kind of errors may occurs?
> The AD DC relies on NT ACLs, you need to accept that you must use
> Windows ACLs on a Samba AD DC if you use it as a fileserver. If you
> must use the old way of doing things, set up a Unix domain member and
> use this as a fileserver instead.
>
> If you go here:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Under the heading 'Using POSIX ACLs', you will find an info box
> containing this:
>
>   When setting up the share on a Samba Active Directory (AD) domain
>   controller (DC), you cannot use POSIX ACLs. On an Samba DC, only
>   shares using extended ACLs are supported. For further details, see
>   Enable Extended ACL Support in the smb.conf File. To set up the share
>   on a Samba AD DC, see Setting up the Profiles Share on the Samba File
>   Server - Using Windows ACLs.
>
> This wasn't written for no reason.
>
> Rowland
Thank you Rowloand

so my next question is

is there a way to setup the share and windows acl only from server 
command line?

More information about the samba mailing list