[Samba] Samba 4: 'Access denied' error when accessing user profile during logon

Rowland Penny rpenny at samba.org
Thu Sep 20 09:58:12 UTC 2018

On Thu, 20 Sep 2018 12:25:00 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Hello,
> After joining Windows 7 to a Samba 4 (AD), when logging on I
> experience 'Access denied' error accessing user profile. As a result,
> Windows creates temporary profile for the domain user (the profile is
> deleted upon logoff).
> The roaming profiles directory has been created according to 
> instructions in
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

No it hasn't.

> Note: the home directory (also shared by the AD DC) is accessible 
> without problem, user can create/delete/whatever objects in it
> without problems.
> For every domain user 'username' profilePath has been set to 
> \\DC\profiles\username , using ldbmodify, i.e. via a string
> profilePath: \\DC\profiles\username
> in corresponding LDIF.
> Technical details:
> OS: Ubuntu 18.04.1, Samba version (package) 
> 4.7.6+dfsg~ubuntu-0ubuntu2.2, latest in official repository.
> # samba-tool testparm

> 	netbios name = DC
> 	realm = AD-LAN.COM
> 	server role = active directory domain controller
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	workgroup = AD-LAN
> 	idmap_ldb:use rfc2307 = yes
> 	server string = AD-LAN.COM domain controller
> 	bind interfaces only = Yes
> 	interfaces = lo ens3
> 	log file = /var/log/samba/log.%m
> 	log level = 3
> 	max log size = 1000
> 	template homedir = /home/%u
> 	template shell = /bin/bash
> 	panic action = /usr/share/samba/panic-action %d

Nothing wrong with the above.

> 	passdb backend = tdbsam
> 	tls cafile = tls/ca.pem
> 	tls certfile = tls/cert.pem
> 	tls enabled = Yes
> 	tls keyfile = tls/key.pem

The above lines are not required, they are the defaults.

> 	map to guest = Bad User
> 	obey pam restrictions = Yes
> 	pam password change = Yes
> 	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> 	passwd program = /usr/bin/passwd %u
> 	unix password sync = Yes
> 	usershare allow guests = Yes
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind nss info = rfc2307
> 	acl:search = no

Why have you set these on a DC?
Especially 'unix password sync = Yes' ???
You don't map Unix users in AD.

> [profiles]
> 	browseable = No
> 	comment = Users profiles
> 	csc policy = disable
> 	force create mode = 0600
> 	force directory mode = 0700
> 	path = /srv/samba/profiles/
> 	read only = No
> 	store dos attributes = Yes
> 	vfs objects = acl_xattr

We now come to your main problem, yes, you have set up the profiles
share as per the wiki page, but you totally missed the big blue info
box that says:

When setting up the share on a Samba Active Directory (AD) domain
controller (DC), you cannot use POSIX ACLs. On a Samba DC, only shares
using extended ACLs are supported. For further details, see Enable
Extended ACL Support in the smb.conf File. To set up the share on a
Samba AD DC, see Setting up the Profiles Share on the Samba File Server
- Using Windows ACLs.

You are trying to do it with POSIX ACLs, it will not work.

You must set up the profiles share from Windows, as shown above the
heading 'Using POSIX ACLs'.

Finally, the last line of the log fragment contains this:

connect to service profiles initially as user AD-LAN\mbo (uid=1000,
gid=513) (pid 7848)

Did you classic upgrade a PDC to AD, if not, why are you using IDs like
'100' and '513' ?
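As an added illustration of the POSIX-ACL point above (not part of the thread, and not a Samba tool): a small POSIX sh/awk check that reads a testparm-style smb.conf, and, only when `server role` is an AD DC, flags any share that still carries the mode-forcing parameters from the wiki's POSIX ACL recipe. The sample configuration it runs against is constructed, modelled on the stanza quoted in the thread.

```shell
#!/bin/sh
# Added example: detect POSIX-ACL-only share settings on a Samba AD DC.
# Parameter names are real smb.conf options; the config below is constructed.

# dc_share_acl_check CONF_FILE
# Prints one finding per share; returns 0 if clean (or not a DC), 1 otherwise.
dc_share_acl_check() {
    awk '
        # strip comments and surrounding whitespace, skip empty lines
        { sub(/[;#].*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }
        # [section] header -> remember the current (lower-cased) share name
        /^\[.*\]$/ { section = tolower(substr($0, 2, length($0) - 2)); next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
            gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
            if (section == "global" && key == "server role") role = val
            # these parameters force POSIX modes and belong to the POSIX ACL recipe
            if (section != "global" &&
                (key == "force create mode" || key == "force directory mode"))
                posix[section] = posix[section] " " key
        }
        END {
            # only a DC is restricted to Windows (extended) ACLs
            if (role != "active directory domain controller" && role != "dc") exit 0
            bad = 0
            for (s in posix) {
                printf "[%s]: POSIX-ACL-only parameters on an AD DC:%s\n", s, posix[s]
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample: the DC role plus the [profiles] stanza as posted
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
	server role = active directory domain controller
	workgroup = AD-LAN
[profiles]
	path = /srv/samba/profiles/
	read only = No
	force create mode = 0600
	force directory mode = 0700
	vfs objects = acl_xattr
[homes]
	read only = No
EOF

# Same share with the mode-forcing lines dropped; permissions are then
# set from Windows, as the wiki's "Using Windows ACLs" section describes
FIXED_CONF="$(mktemp)"
sed -e '/force create mode/d' -e '/force directory mode/d' "$SAMPLE_CONF" > "$FIXED_CONF"

dc_share_acl_check "$SAMPLE_CONF" || echo "fix the share before joining clients"
dc_share_acl_check "$FIXED_CONF" && echo "fixed config: no findings"
```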