[Samba] Samba 4: 'Access denied' error when accessing user profile during logon
Konstantin Boyandin
lists at boyandin.info
Thu Sep 20 05:25:00 UTC 2018
Hello,
After joining Windows 7 to a Samba 4 (AD), when logging on I experience
an 'Access denied' error accessing the user profile. As a result, Windows
creates a temporary profile for the domain user (the profile is deleted
upon logoff).
The roaming profiles directory has been created according to
instructions in
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
Note: the home directory (also shared by the AD DC) is accessible
without problems; the user can create/delete/whatever objects in it without
problems.
For every domain user 'username' profilePath has been set to
\\DC\profiles\username , using ldbmodify, i.e. via a string
profilePath: \\DC\profiles\username
in corresponding LDIF.
Technical details:
OS: Ubuntu 18.04.1, Samba version (package)
4.7.6+dfsg~ubuntu-0ubuntu2.2, the latest in the official repository.
# samba-tool testparm
[global]
bind interfaces only = Yes
interfaces = lo ens3
log file = /var/log/samba/log.%m
log level = 3
map to guest = Bad User
max log size = 1000
netbios name = DC
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
realm = AD-LAN.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
server string = AD-LAN.COM domain controller
template homedir = /home/%u
template shell = /bin/bash
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls enabled = Yes
tls keyfile = tls/key.pem
unix password sync = Yes
usershare allow guests = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
workgroup = AD-LAN
acl:search = no
idmap_ldb:use rfc2307 = yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/sysvol/ad-lan.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[profiles]
browseable = No
comment = Users profiles
csc policy = disable
force create mode = 0600
force directory mode = 0700
path = /srv/samba/profiles/
read only = No
store dos attributes = Yes
vfs objects = acl_xattr
[users]
force create mode = 0600
force directory mode = 0700
path = /srv/samba/users/
read only = No
[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
## In Samba log files matching the computer's IP:
# cat /var/log/samba/log.10.11.12.153
[...]
[2018/09/20 10:15:57.475422, 3]
../source3/smbd/msdfs.c:1008(get_referred_path)
get_referred_path: |profiles| in dfs path \DC\profiles is not a dfs
root.
[2018/09/20 10:15:57.475451, 3]
../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2018/09/20 10:15:57.475858, 3] ../lib/util/access.c:365(allow_access)
Allowed connection from 10.11.12.153 (10.11.12.153)
[2018/09/20 10:15:57.475912, 3]
../source3/smbd/service.c:595(make_connection_snum)
Connect path is '/srv/samba/profiles/' for service [profiles]
[2018/09/20 10:15:57.475938, 3]
../source3/smbd/vfs.c:113(vfs_init_default)
Initialising default vfs hooks
[2018/09/20 10:15:57.475946, 3]
../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2018/09/20 10:15:57.475954, 3]
../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2018/09/20 10:15:57.475966, 2]
../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
and 'force unknown acl user = true' for service profiles
[2018/09/20 10:15:57.476109, 2]
../source3/smbd/service.c:841(make_connection_snum)
10.11.12.153 (ipv4:10.11.12.153:61964) connect to service profiles
initially as user AD-LAN\mbo (uid=1000, gid=513) (pid 7848)
[...]
I would appreciate pieces of advice on what causes the mentioned "Access
denied" problem and how to handle it.
Sincerely,
Konstantin
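Added here as a triage aid for log excerpts like the one quoted above (example code, not part of the original post or of Samba): a small Python parser for the Samba level-3 log format that regroups the wrapped header/source/message lines into entries and pulls out the NT_STATUS codes and the share connections (service, user, uid/gid). The sample log is constructed from the lines in the post; the dict layout and function names are this example's own.

```python
import re

# Samba log entries look like "[YYYY/MM/DD HH:MM:SS.ffffff, level] source.c:line(func)"
# followed by one or more message lines; the source reference may wrap onto its own line.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+), (\d+)\]\s*(.*)$")
SOURCE = re.compile(r"^\S+\.c:\d+\(\w+\)$")
STATUS = re.compile(r"status\[(NT_STATUS_\w+)\]")
CONNECT = re.compile(r"connect to service (\S+) initially as user (\S+) \(uid=(\d+), gid=(\d+)\)")

# Constructed sample modelled on the excerpt in the post (not a real capture).
SAMPLE_LOG = """\
[2018/09/20 10:15:57.475422, 3]
  ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |profiles| in dfs path \\DC\\profiles is not a dfs root.
[2018/09/20 10:15:57.475451, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2018/09/20 10:15:57.476109, 2] ../source3/smbd/service.c:841(make_connection_snum)
  10.11.12.153 (ipv4:10.11.12.153:61964) connect to service profiles
  initially as user AD-LAN\\mbo (uid=1000, gid=513) (pid 7848)
"""

def parse_samba_log(text):
    """Group each header with its wrapped source/message lines into one entry dict."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group(1), "level": int(m.group(2)), "source": m.group(3), "message": ""}
            entries.append(cur)
        elif cur is not None and not cur["source"] and SOURCE.match(line):
            cur["source"] = line  # source reference wrapped onto the line after the header
        elif cur is not None:
            cur["message"] = (cur["message"] + " " + line).strip()
    return entries

def triage(entries):
    """Collect what to check first: NT_STATUS codes, and who connected to which share as which uid/gid."""
    statuses, conns = [], []
    for e in entries:
        s = STATUS.search(e["message"])
        if s:
            statuses.append((e["ts"], s.group(1)))
        c = CONNECT.search(e["message"])
        if c:
            conns.append({"service": c.group(1), "user": c.group(2), "uid": int(c.group(3)), "gid": int(c.group(4))})
    return {"statuses": statuses, "connections": conns}

if __name__ == "__main__":
    print(triage(parse_samba_log(SAMPLE_LOG)))
```

The uid/gid reported on the connect line are the identity the share's `force create mode`/`force directory mode` and the on-disk ownership are evaluated against, which is the first thing to compare with `ls -l` on the profile directory.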