[Samba] Samba 4: 'Access denied' error when accessing user profile during logon
Rowland Penny
rpenny at samba.org
Thu Sep 20 09:58:12 UTC 2018
On Thu, 20 Sep 2018 12:25:00 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> Hello,
>
> After joining Windows 7 to a Samba 4 (AD), when logging on I
> experience 'Access denied' error accessing user profile. As a result,
> Windows creates temporary profile for the domain user (the profile is
> deleted upon logoff).
>
> The roaming profiles directory has been created according to
> instructions in
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
No, it hasn't.
>
> Note: the home directory (also shared by the AD DC) is accessible
> without problem, user can create/delete/whatever objects in it
> without problems.
>
> For every domain user 'username' profilePath has been set to
> \\DC\profiles\username , using ldbmodify, i.e. via a string
>
> profilePath: \\DC\profiles\username
>
> in corresponding LDIF.
>
> Technical details:
>
> OS: Ubuntu 18.04.1, Samba version (package)
> 4.7.6+dfsg~ubuntu-0ubuntu2.2, latest in official repository.
>
> # samba-tool testparm
> [global]
> netbios name = DC
> realm = AD-LAN.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = AD-LAN
> idmap_ldb:use rfc2307 = yes
> server string = AD-LAN.COM domain controller
> bind interfaces only = Yes
> interfaces = lo ens3
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 1000
> template homedir = /home/%u
> template shell = /bin/bash
> panic action = /usr/share/samba/panic-action %d
Nothing wrong with the above
> passdb backend = tdbsam
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls enabled = Yes
> tls keyfile = tls/key.pem
The above lines are not required, they are the defaults
> map to guest = Bad User
> obey pam restrictions = Yes
> pam password change = Yes
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u
> unix password sync = Yes
> usershare allow guests = Yes
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> acl:search = no
Why have you set these on a DC ?
Especially 'unix password sync = Yes' ???
You don't map Unix users in AD.
> [profiles]
> browseable = No
> comment = Users profiles
> csc policy = disable
> force create mode = 0600
> force directory mode = 0700
> path = /srv/samba/profiles/
> read only = No
> store dos attributes = Yes
> vfs objects = acl_xattr
>
We now come to your main problem, yes, you have set up the profiles
share as per the wiki page, but you totally missed the big blue info
box that says:
When setting up the share on a Samba Active Directory (AD) domain
controller (DC), you cannot use POSIX ACLs. On a Samba DC, only shares
using extended ACLs are supported. For further details, see Enable
Extended ACL Support in the smb.conf File. To set up the share on a
Samba AD DC, see Setting up the Profiles Share on the Samba File Server
- Using Windows ACLs.
You are trying to do it with POSIX ACLs, it will not work.
You must set up the profiles share from Windows, as shown above the
heading 'Using POSIX ACLs'
Finally, the last line of the log fragment contains this:
connect to service profiles initially as user AD-LAN\mbo (uid=1000,
gid=513) (pid 7848)
Did you classic upgrade a PDC to AD, if not, why are you using IDs like
'100' and '513' ?
Rowland
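
Added example, not part of the original message and not Samba project code: a small Python check that parses testparm-style output and, when the server role is an AD DC, reports the global parameters this reply questions and any share carrying POSIX mode settings. The parameter lists come from this thread; treating `force create mode` / `force directory mode` as the marker of a POSIX-ACL share setup is an assumption, and the sample input is constructed from the quoted output.

```python
def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return "".join(name.lower().split())

# Parameters from the block the reply questions on a DC (taken from this thread).
QUESTIONED_ON_DC = ("map to guest", "obey pam restrictions", "pam password change",
                    "passwd chat", "passwd program", "unix password sync",
                    "usershare allow guests", "winbind enum groups",
                    "winbind enum users", "winbind nss info")
# Assumption: these POSIX mode settings mark a share set up the POSIX-ACL way.
POSIX_MODE = ("force create mode", "force directory mode")

# Constructed sample, abridged from the testparm output quoted in the thread.
SAMPLE = """\
[global]
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
unix password sync = Yes
winbind nss info = rfc2307
[profiles]
path = /srv/samba/profiles/
force create mode = 0600
force directory mode = 0700
vfs objects = acl_xattr
"""

def parse(text):
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            section[norm(key)] = value.strip()
    return conf

def audit(text):
    conf = parse(text)
    glob = conf.get("global", {})
    if glob.get(norm("server role"), "").lower() != "active directory domain controller":
        return []  # the checks below only apply to a DC
    findings = [("global", p) for p in QUESTIONED_ON_DC if norm(p) in glob]
    for name, params in conf.items():
        if name != "global":
            findings += [(name, p) for p in POSIX_MODE if norm(p) in params]
    return findings
```

Calling `audit()` on the text saved from `samba-tool testparm` returns `(section, parameter)` pairs to review; an empty list means none of the listed settings were found or the host is not a DC.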