[Samba] Are some Group Policies broken?

L.P.H. van Belle belle at bazuin.nl
Wed Jun 13 07:34:39 UTC 2018

Hai Mark, 

I've replied in between the lines below.

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark Foley via samba
> Sent: Wednesday, 13 June 2018 0:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] Are some Group Policies broken?
> Louis - I tried your suggestion. It didn't help. When the user logged back on after I had
> removed their redirected folder, nothing was created on the AD server.
> The Windows event log gives several GroupPolicy related events. One is event 1096:
> ErrorCode: 5
> ErrorDescription: Access is denied.
> DCName: \\mail.hprs.local
> GPOCNName: LDAP://CN=User,cn={178C3418-E432-414A-9185-DCD1AB359A3B},cn=policies,cn=system,DC=hprs,DC=local
> FilePath: \\hprs.local\SysVol\hprs.local\Policies\{178C ... A3B}/User/registry.pol
> Does anyone have any idea on why this is "Access denied"?
> THX --Mark
Yes, that's probably a mismatch in the ACLs and the share ACL.

Check your share rights from within Windows; if needed, reapply them.
If that's done, then start the GPO editor and fix the GPO ACLs by clicking on them.
Windows will complain about incorrect rights; then click OK and it should be fixed.

> -----Original Message-----
> Date: Thu, 07 Jun 2018 12:01:24 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: belle at bazuin.nl
> Subject: Re: [Samba] Are some Group Policies broken?
> From: Mark Foley via samba <samba at lists.samba.org>
> Louis - thanks for this response. Unbeknownst to me my mail filter was not working and I've
> seen your message only today. I'm still struggling with this problem and have not found any
> answers yet. I'm interested in trying your solution, but need a bit of clarification. You
> wrote:
> > When I remove the user folder, and reapply it again from RSAT, but now with the UID/GID set,
> > redirections work fine.
> Our users' redirected folders physically reside on \\ADDC\redirectedFolders\Users\username and
> have subfolders 'Desktop', 'Favorites' and 'My Documents', per the policy. Which user
> folder(s) are you saying you deleted? /redirectedFolders/Users/username, or one or all of the
> subfolders only? I assume you preserved the contents somewhere?

Ok, yes, I do delete the redirectedFolders/Users/ > username < folder.
And yes, if you do have content, back it up.
After a correct ACL is set, use getfacl to see how it's set; then it's pretty easy to re-apply that for every user folder.

I must also say, all my user folders are on a member server, not an AD DC, so keep in mind there is a small behaviour change between these.

> When you say, "reapply it again from RSAT", from where are you doing this? Group Policy
> Management? What do you mean by "reapply"? Do you remove and recreate the Policy?

No, after I removed the user folder from the server, I go to ADUC and go to a user.
I set the UID/GID (click apply) (I use Win7 with ADUC, so I still have the Unix tab); now I go to
the profile tab.
Path to user profile, I use: \\host.my.dom.tld\profiles\%username%
Basic folder mapping connection (Letter:), I use: \\host.my.dom.tld\users\%username%

I just remove 1 character from the username (no need to apply or OK), and put it directly back.
Windows sees this as a change; click apply and the folder is recreated. And now log in as the user again.

For me, I do believe I created this problem myself, because I use
    idmap config BAZRTD : unix_nss_info = yes
    idmap config BAZRTD : unix_primary_group = yes

And I use: acl_xattr:ignore system acl = yes on my users and profiles folders.
But this helped me match the Windows ACLs better (I think in Samba 4.4-4.6, when I really needed this).
But it works, and the workaround is pretty simple ... I should not forget to set the UID/GID first.
And due to that I can't use "copy" a user to a new user; that makes it fail for me.

> Thanks for any help you can provide. I'm delaying adding a new domain member to the domain
> until I can get this solved.
> THX -- Mark
> On Wed, 25 Apr 2018 09:31:53 +0200 L.P.H. van Belle wrote:
> >
> > Hai Mark,
> >
> > Yes, I know this problem.
> >
> > Check the following.
> >
> > I use Samba with AD backend.
> > When I create a new user (copy from another), the user profile and homedir settings are copied.
> > In the form of \\FQDN\users\%username%
> >
> > At the copy moment, the user folder is created. Now I'm setting UID/GIDs for the user; up to here it's all working fine.
> > When I now log in with this user, I have the same: no folder redirections.
> >
> > When I remove the user folder, and reapply it again from RSAT, but now with the UID/GID set,
> > redirections work fine.
> >
> > If I create a new user, set this UID/GID first, and then set the profile/user folders, it works fine.
> >
> > Can you try if this works for you also?
> >
> >
> > Greetz,
> >
> > Louis
> >
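The getfacl/setfacl step Louis describes (take one user folder whose ACL is correct, then reapply it to every other user folder) scripted as an added example; this is not code from the post or from Samba. It assumes a Linux member server with the acl package, user folders under /srv/samba/users/<username>, a reference folder named refuser, and the function names rewrite_acl and reapply_user_acls, all of which are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post. Takes the ACL of one user folder that
# is already correct and reapplies it to every other user folder on the share.
# Assumed layout: /srv/samba/users/<username>; reference folder name "refuser".
set -eu

# Rewrite a `getfacl -pR` dump of the reference folder so it applies to another
# user's folder: swap the path prefix and the owner/group comment lines and keep
# the ACL entries themselves (user::, group::, mask::, default:...) unchanged.
#   $1 dump text  $2 reference path  $3 target path  $4 target user  $5 target group
rewrite_acl() {
    printf '%s\n' "$1" | sed \
        -e "s|^# file: $2|# file: $3|" \
        -e "s|^# owner: .*|# owner: $4|" \
        -e "s|^# group: .*|# group: $5|"
}

# Apply the reference ACL to each sibling folder. When run as root, setfacl
# --restore also resets owner and group from the comment lines, i.e. it sets
# the UID/GID on the folder, which is the part the post says must be right.
reapply_user_acls() {
    base=$1 ref=$2
    dump=$(getfacl -pR "$base/$ref")
    for dir in "$base"/*/; do
        dir=${dir%/}
        user=$(basename "$dir")
        [ "$user" = "$ref" ] && continue
        # Only touch folders whose name resolves to an account with a UID/GID.
        if ! group=$(id -gn "$user" 2>/dev/null); then
            echo "skipping $dir: no Unix account for $user" >&2
            continue
        fi
        rewrite_acl "$dump" "$base/$ref" "$dir" "$user" "$group" | setfacl --restore=-
    done
}

# Usage (as root):  sh reapply_acls.sh --apply /srv/samba/users refuser
if [ "${1-}" = "--apply" ]; then
    reapply_user_acls "$2" "$3"
fi
```

Folders whose name is not a resolvable account are skipped, which matches the post's point that the UID/GID has to exist before the folder ACL can be right.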
