[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

L.P.H. van Belle belle at bazuin.nl
Thu Sep 20 09:01:15 UTC 2018


Hai, 

Sorry to say but.. 
> The solution (following the default how-to directories structure):

No, the solution is to set it up correctly. 
Just do a small test here to see if it's all correct. 

With a windows computer, browse to \\server 

Right-click the profiles share, check security. 
	If this is set correctly, the user should not be able to see the rights. 

Repeat, now as Administrator. 
	You should see the needed rights.

And in my case that's on \\server\profiles 
Creator Owner ( 1700 ) 	Full with Special rights ( Apply to Only subfolders and files ) 
Administrator 		Full control ( Apply to This Folder, subfolders and files ) 
Domain Users 		Special with browse/exec, Read file/folder, create/add folder  ( Only this folder ) 

And in my case that's on \\server\profiles\user.v2 
The resulting user folders should show ( in Windows ) 
SYSTEM 	Full control
Username 	Full control


Which results in ( for me ) with getfacl 

# file: home/samba/profiles
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:mask::rwx
default:other::---

#( Group 2005 is SYSTEM  ) 
# file: home/samba/profiles/username.V2
# owner: username
# group: domain\040users
user::rwx
user:username:rwx
group::---
group:2005:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:username:rwx
default:group::---
default:group:2005:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---

Now, you will probably get different ( more relaxed ) results, which in the end might give problems for the Win PCs. 

Set : 
[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acls = yes

And now apply the rights again from within windows. 
And don't touch it with chmod again.. 
If needed use setfacl/getfacl. 
If you think it's complex, then read: https://serversforhackers.com/c/beyond-permissions-linux-acls 
Well explained. 

The acl_xattr:ignore system acls = yes in profiles is imo a must, because
you will have far fewer problems with your profile folders and the rights Windows expects. 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Konstantin Boyandin via samba
> Sent: Thursday 20 September 2018 9:26
> To: samba at lists.samba.org
> Subject: [Samba] [SOLVED] Samba 4: 'Access denied' error
> when accessing user profile during logon
> 
> Hello,
> 
> Looks like the solution was rather simple.
> 
> If user profile matching OS doesn't yet exist, Windows attempts to
> create one under '[profiles]'. I.e., for user 'username' Windows 7 will
> attempt to create [profiledir]\username.V2
> 
> If it can't create that directory, 'Access denied' is written to system
> event log and a temporary profile is created.
> 
> The solution (following the default how-to directories structure):
> 
> # chmod g+w /srv/samba/profiles
> 
> The hint posted in
> 
> https://windowsserveressentials.com/2011/02/25/quick-fix-access-denied-to-romaing-profile-windows-7/
> 
> Note: taking the above into account, I believe that corresponding 
> section (Using POSIX ACLs) should be updated in
> 
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> 
> namely, replace
> 
> # chmod 1750 /srv/samba/profiles/
> 
> with
> 
> # chmod 1770 /srv/samba/profiles/
> 
> Sincerely,
> Konstantin
> 
> Konstantin Boyandin via samba wrote 2018-09-20 12:25:
> > Hello,
> > 
> > After joining Windows 7 to a Samba 4 (AD), when logging on I
> > experience 'Access denied' error accessing user profile. As a result,
> > Windows creates temporary profile for the domain user (the profile is
> > deleted upon logoff).
> > 
> > [...]
> 
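
An added example, not part of the original message or of Samba itself: a small checker that parses getfacl output and reports where a profiles tree is more relaxed than the listing in the message above. The sample listing, the `alice` folder and the function names are constructed for illustration; paths are written the way getfacl prints them (no leading slash).

```python
import re

# Constructed sample (getfacl format): share root plus one over-relaxed user folder.
SAMPLE = r"""
# file: home/samba/profiles
# flags: --t
user::rwx
group:domain\040users:rwx
other::---

# file: home/samba/profiles/alice.V2
# group: domain\040users
group:domain\040users:r-x
other::r-x
"""

def parse_getfacl(text):
    """Return {path: {"flags": str, "acl": {entry: perms}, ...}}."""
    files, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"# (file|owner|group|flags): (.*)", line)
        if m and m.group(1) == "file":
            cur = files.setdefault(m.group(2), {"flags": "---", "acl": {}})
        elif m and cur is not None:
            cur[m.group(1)] = m.group(2).replace(r"\040", " ")
        elif line and not line.startswith("#") and cur is not None:
            # drop any "#effective:" comment; getfacl escapes spaces as \040
            entry, perms = line.split()[0].rsplit(":", 1)
            cur["acl"][entry.replace(r"\040", " ")] = perms
    return files

def audit(text, root, group="domain users"):
    """Return deviations from the ACL layout described in the message."""
    findings = []
    for path, f in parse_getfacl(text).items():
        acl = f["acl"]
        other = acl.get("other:", "---")
        members = acl.get("group:" + group, "---")
        if other != "---":
            findings.append(f"{path}: other has {other}")
        if path == root:
            if "t" not in f["flags"]:
                findings.append(f"{path}: sticky flag missing")
            if acl.get("default:group:" + group, "---") != "---":
                findings.append(f"{path}: {group} entry is inherited")
        elif members != "---":
            findings.append(f"{path}: {group} has {members}")
    return findings
```

In practice the text passed to `audit` would be the output of `getfacl -R` run on the share path.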