[Samba] Samba 4: 'Access denied' error when accessing user profile during logon

Konstantin Boyandin lists at boyandin.info
Thu Sep 20 05:25:00 UTC 2018


Hello,

After joining Windows 7 to a Samba 4 (AD) domain, when logging on I get an 
'Access denied' error while accessing the user profile. As a result, Windows 
creates a temporary profile for the domain user (the profile is deleted 
upon logoff).

The roaming profiles directory has been created according to 
instructions in

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Note: the home directory (also shared by the AD DC) is accessible 
without problems; the user can create/delete/whatever objects in it without 
problems.

For every domain user 'username', profilePath has been set to 
\\DC\profiles\username using ldbmodify, i.e. via the line

profilePath: \\DC\profiles\username

in the corresponding LDIF.

Technical details:

OS: Ubuntu 18.04.1, Samba version (package) 
4.7.6+dfsg~ubuntu-0ubuntu2.2, latest in official repository.

# samba-tool testparm
[global]
	bind interfaces only = Yes
	interfaces = lo ens3
	log file = /var/log/samba/log.%m
	log level = 3
	map to guest = Bad User
	max log size = 1000
	netbios name = DC
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passdb backend = tdbsam
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	realm = AD-LAN.COM
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = AD-LAN.COM domain controller
	template homedir = /home/%u
	template shell = /bin/bash
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls enabled = Yes
	tls keyfile = tls/key.pem
	unix password sync = Yes
	usershare allow guests = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind nss info = rfc2307
	workgroup = AD-LAN
	acl:search = no
	idmap_ldb:use rfc2307 = yes

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/sysvol/ad-lan.com/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[profiles]
	browseable = No
	comment = Users profiles
	csc policy = disable
	force create mode = 0600
	force directory mode = 0700
	path = /srv/samba/profiles/
	read only = No
	store dos attributes = Yes
	vfs objects = acl_xattr

[users]
	force create mode = 0600
	force directory mode = 0700
	path = /srv/samba/users/
	read only = No

[printers]
	browseable = No
	comment = All Printers
	create mask = 0700
	path = /var/spool/samba
	printable = Yes

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

## In Samba log files matching the computer's IP:
# cat /var/log/samba/log.10.11.12.153

[...]
[2018/09/20 10:15:57.475422,  3] ../source3/smbd/msdfs.c:1008(get_referred_path)
   get_referred_path: |profiles| in dfs path \DC\profiles is not a dfs root.
[2018/09/20 10:15:57.475451,  3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2018/09/20 10:15:57.475858,  3] ../lib/util/access.c:365(allow_access)
   Allowed connection from 10.11.12.153 (10.11.12.153)
[2018/09/20 10:15:57.475912,  3] ../source3/smbd/service.c:595(make_connection_snum)
   Connect path is '/srv/samba/profiles/' for service [profiles]
[2018/09/20 10:15:57.475938,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
   Initialising default vfs hooks
[2018/09/20 10:15:57.475946,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
   Initialising custom vfs hooks from [/[Default VFS]/]
[2018/09/20 10:15:57.475954,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
   Initialising custom vfs hooks from [acl_xattr]
[2018/09/20 10:15:57.475966,  2] ../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
   connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service profiles
[2018/09/20 10:15:57.476109,  2] ../source3/smbd/service.c:841(make_connection_snum)
   10.11.12.153 (ipv4:10.11.12.153:61964) connect to service profiles initially as user AD-LAN\mbo (uid=1000, gid=513) (pid 7848)
[...]

I would appreciate any advice on what causes the "Access denied" problem 
mentioned above and how to handle it.

Sincerely,
Konstantin
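As an added example (not part of the post above): a small Python helper that parses Samba log entries in the format quoted in the message and ties each NT_STATUS error to the share connection that was current when it was logged, which separates the DFS-referral NT_STATUS_NOT_FOUND (logged before the tree connect to [profiles]) from anything raised after the connection as AD-LAN\mbo (uid=1000, gid=513). The sample log is constructed to mirror the quoted lines with the mail-wrapped lines rejoined; the trailing NT_STATUS_ACCESS_DENIED entry and its source line number are invented to show what a file-level denial on the profiles share would look like.

```python
import re

# Entry header: "[YYYY/MM/DD HH:MM:SS.usec, level] source.c:line(function)"
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} [\d:.]+),\s*(?P<level>\d+)\]\s*"
                    r"(?P<src>\S+)\((?P<func>\w+)\)\s*$")
STATUS = re.compile(r"status\[(NT_STATUS_\w+)\]")
CONNECT = re.compile(r"connect to service (?P<service>\S+) initially as user "
                     r"(?P<user>\S+) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)")

# Constructed sample mirroring the log quoted in the post (mail-wrapped lines rejoined);
# the final ACCESS_DENIED entry and its source line number are invented for the demo.
SAMPLE = """\
[2018/09/20 10:15:57.475422,  3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |profiles| in dfs path \\DC\\profiles is not a dfs root.
[2018/09/20 10:15:57.475451,  3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2018/09/20 10:15:57.476109,  2] ../source3/smbd/service.c:841(make_connection_snum)
  10.11.12.153 (ipv4:10.11.12.153:61964) connect to service profiles initially as user AD-LAN\\mbo (uid=1000, gid=513) (pid 7848)
[2018/09/20 10:15:57.480000,  3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:999
"""

def parse_log(text):
    """Group each header line with its indented continuation lines into one entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["func"], "message": ""})
        elif entries:  # continuation line belongs to the previous entry's message
            entries[-1]["message"] = (entries[-1]["message"] + " " + line.strip()).strip()
    return entries

def triage(entries):
    """Return (connections, errors). Each NT_STATUS error carries the share
    connection (service/user/uid/gid) in effect when it was logged, or None when
    it happened before any tree connect, as the DFS referral probe does."""
    current, connections, errors = None, [], []
    for e in entries:
        c = CONNECT.search(e["message"])
        if c:
            current = {"service": c["service"], "user": c["user"],
                       "uid": int(c["uid"]), "gid": int(c["gid"])}
            connections.append(current)
        for status in STATUS.findall(e["message"]):
            errors.append({"ts": e["ts"], "status": status,
                           "func": e["func"], "context": current})
    return connections, errors
```

Run it over a real log.<client IP> file from /var/log/samba: an error whose context names the profiles share and the uid/gid the connection was made under points at the POSIX ownership or ACL on /srv/samba/profiles rather than at the share definition.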


