[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

Konstantin Boyandin lists at boyandin.info
Fri Sep 21 04:49:00 UTC 2018


Thanks for the response. I followed your instructions:

- set the "chmod 1750 /srv/samba/profiles"

- set, after logging as AD-LAN\Administrator, the permissions for 
\\DC\profiles :

Creator Owner: all; applied to: Subfolders and files
Administrator: all; applied to: This folder, Subfolders and files
Domain Users: Traverse folder/Execute file,List folder/Read data,Read 
attributes,Read extended attributes,Create files/Write data,Create 
folders/Append data; applied to: This folder only

Results:

1. Permissions mask:
# ls -al /srv/samba | grep profiles
drwxrwx--T+ 1 root AD-LAN\domain users   34 Sep 21 11:25 profiles

2. ACL list for [profiles]
# getfacl /srv/samba/profiles
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/profiles
# owner: root
# group: AD-LAN\134domain\040users
# flags: --t
user::rwx
user:root:rwx
group::rwx
group:AD-LAN\134domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:mask::rwx
default:other::---

3. When logging in without a local or roaming profile, a roaming profile 
folder is created for 'username':
# getfacl /srv/samba/profiles/username.V2
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/profiles/username.V2
# owner: AD-LAN\134username
# group: AD-LAN\134domain\040users
user::rwx
user:AD-LAN\134username:rwx
user:3000000:rwx
group::---
group:AD-LAN\134domain\040users:---
group:NT\040AUTHORITY\134system:rwx
mask::rwx
other::---
default:user::rwx
default:user:AD-LAN\134username:rwx
default:user:3000000:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:group:NT\040AUTHORITY\134system:rwx
default:mask::rwx
default:other::---

4. Non-Administrator domain users cannot access the profiles 
permissions, nor can they access the profiles of other users.

Is the above fine from the viewpoint of access rights?

Sincerely,
Konstantin
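The getfacl listings above are exactly what to verify on any Samba profiles share, so here is an added example (my code, not Konstantin's or Louis's, and not part of Samba) that parses getfacl output and checks it against the layout this thread settles on: a sticky, group-writable share root closed to 'other', and per-user .V2 folders that only the owner and SYSTEM can reach. The listings in the block are constructed to mirror the ones in the mail and trimmed to the entries the checks look at; the domain, user and group names are taken from the thread, and the expectation that unexplained numeric ids (like the 3000000 entry) deserve a look is my assumption, not advice from the list.

```python
# Added example, not code from the thread or from the Samba project: parse
# getfacl(1) output for a [profiles] share and check it against the ACL layout
# the thread converges on. Listings below are constructed, not captured.
import re

# getfacl prints bytes outside printable ASCII as \ooo octal escapes, which is
# why 'AD-LAN\domain users' shows up as 'AD-LAN\134domain\040users'.
_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape(name):
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """One listing -> owner, group, flags and an ACL table keyed by
    (is_default, tag, qualifier) -> permission string such as 'rwx'."""
    info = {"owner": "", "group": "", "flags": "---", "acl": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):       # blank or diagnostic
            continue
        if line.startswith("#"):                           # '# owner: root'
            key, _, value = line[1:].partition(":")
            key, value = key.strip(), value.strip()
            if key in ("owner", "group"):
                info[key] = unescape(value)
            elif key == "flags":
                info[key] = value
            continue
        entry, _, effective = line.partition("#effective:")  # mask-limited entries
        fields = entry.strip().split(":")                    # split before unescaping
        is_default = fields[0] == "default"
        tag, qualifier, perm = fields[1:] if is_default else fields
        # Record what the entry actually grants once the mask is applied.
        info["acl"][(is_default, tag, unescape(qualifier))] = effective.strip() or perm
    return info

def perms(info, tag, qualifier="", default=False):
    return info["acl"].get((default, tag, qualifier), "---")   # absent entry grants nothing

def check_profiles_root(info, domain_users):
    """Share root: sticky, closed to 'other', writable by Domain Users so that
    Windows can create username.V2 at first logon, no default grant to the group."""
    problems = []
    if "t" not in info["flags"]:
        problems.append("sticky bit missing: users could rename/delete each other's folders")
    if any(perms(info, "other", default=d) != "---" for d in (False, True)):
        problems.append("'other' has access")
    if not {"w", "x"} <= set(perms(info, "group", domain_users)):
        problems.append(f"'{domain_users}' lacks write+traverse on the root: Windows cannot "
                        "create username.V2 ('Access denied' at logon)")
    if perms(info, "group", domain_users, default=True) != "---":
        problems.append(f"default ACL would let '{domain_users}' into new profile folders")
    return problems

def check_user_profile(info, username, domain_users, system_group):
    """username.V2: full access for the owner and SYSTEM only; anything else,
    including numeric ids nobody has explained, is reported."""
    problems = []
    if info["owner"] != username:
        problems.append(f"owner is {info['owner']!r}, expected {username!r}")
    wanted = {("user", username): "rwx", ("group", system_group): "rwx",
              ("group", domain_users): "---", ("other", ""): "---"}
    for default in (False, True):
        for (tag, qual), want in wanted.items():
            got = perms(info, tag, qual, default)
            if got != want:
                problems.append(f"{'default:' if default else ''}{tag}:{qual}: {got}, expected {want}")
    for (_, tag, qual), perm in info["acl"].items():
        if qual.isdigit() and qual != system_group:
            problems.append(f"unresolved numeric id {tag}:{qual}:{perm}; confirm what it maps to")
    return problems

# Constructed listings mirroring the thread (domain AD-LAN, user 'username').
ROOT_OK = r"""# owner: root
# group: AD-LAN\134domain\040users
# flags: --t
group:AD-LAN\134domain\040users:rwx
other::---
default:group:AD-LAN\134domain\040users:---
default:other::---
"""
# Same root after 'chmod 1750': the mask now limits the group entry to r-x.
ROOT_1750 = ROOT_OK.replace("domain\\040users:rwx", "domain\\040users:rwx\t#effective:r-x")
USER_V2 = r"""# owner: AD-LAN\134username
user:AD-LAN\134username:rwx
user:3000000:rwx
group:AD-LAN\134domain\040users:---
group:NT\040AUTHORITY\134system:rwx
other::---
default:user:AD-LAN\134username:rwx
default:user:3000000:rwx
default:group:AD-LAN\134domain\040users:---
default:group:NT\040AUTHORITY\134system:rwx
default:other::---
"""
DOMAIN_USERS, SYSTEM, USER = "AD-LAN\\domain users", "NT AUTHORITY\\system", "AD-LAN\\username"

if __name__ == "__main__":
    print(check_profiles_root(parse_getfacl(ROOT_1750), DOMAIN_USERS),
          check_user_profile(parse_getfacl(USER_V2), USER, DOMAIN_USERS, SYSTEM))
```

Feed it the real output of `getfacl /srv/samba/profiles` and `getfacl /srv/samba/profiles/<user>.V2` to audit a live share; the "1750" sample reproduces the thread's original failure (group entry effectively r-x, so Windows cannot create the .V2 folder), and the user-folder sample flags only the unexplained 3000000 id, which is the one thing in the listing above that an admin should resolve before calling it done.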

L.P.H. van Belle via samba wrote on 2018-09-20 16:01:
> Hai,
> 
> Sorry to say but..
>> The solution (following the default how-to directories structure):
> 
> No, the solution is to set it up correctly.
> Just do a small test here to see if it's all correct.
> 
> With a windows computer, browse to \\server
> 
> Right click the profiles share, check security.
> 	If this is set correctly, the user should not be able to see the rights.
> 
> Repeat, now as Administrator.
> 	You should see the needed rights.
> 
> And in mine that's on  \\server\profiles
> Creator Owner ( 1700 ) 	Full with Special rights ( Apply to Only
> subfolders and files )
> Administrator 		Full control ( Apply to This Folder, subfolders and 
> files )
> Domain Users 		Special with browse/exec, Read file/folder, create/add
> folder  ( Only this folder )
> 
> And in mine that's on  \\server\profiles\user.v2
> The resulting user folders should show ( in Windows )
> SYSTEM 	Full control
> Username 	Full control
> 
> 
> Which results in ( for me ) with getfacl
> 
> # file: home/samba/profiles
> # owner: root
> # group: root
> # flags: --t
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:mask::rwx
> default:other::---
> 
> #( Group 2005 is SYSTEM  )
> # file: home/samba/profiles/username.V2
> # owner: username
> # group: domain\040users
> user::rwx
> user:username:rwx
> group::---
> group:2005:rwx
> group:domain\040users:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:username:rwx
> default:group::---
> default:group:2005:rwx
> default:group:domain\040users:---
> default:mask::rwx
> default:other::---
> 
> Now, you will probably get different ( more relaxed ) results, which in
> the end might give problems for the Win PCs.
> 
> Set :
> [profiles]
>     browseable = yes
>     path = /home/samba/profiles
>     read only = no
>     acl_xattr:ignore system acl = yes
> 
> And now apply the rights again from within windows.
> And don't touch it with chmod again..
> If needed use setfacl/getfacl.
> If you think it's complex, then read:
> https://serversforhackers.com/c/beyond-permissions-linux-acls
> Well explained.
> 
> The acl_xattr:ignore system acl = yes in profiles is IMO a must, 
> because you will have far fewer problems with your profile folders and 
> the rights Windows expects.
> 
> 
> Greetz,
> 
> Louis
> 
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Konstantin Boyandin via samba
>> Sent: Thursday 20 September 2018 9:26
>> To: samba at lists.samba.org
>> Subject: [Samba] [SOLVED] Samba 4: 'Access denied' error
>> when accessing user profile during logon
>> 
>> Hello,
>> 
>> Looks like the solution was rather simple.
>> 
>> If a user profile matching the OS doesn't yet exist, Windows attempts to
>> create one under '[profiles]'. I.e., for user 'username',
>> Windows 7 will
>> attempt to create [profiledir]\username.V2
>> 
>> If it can't create that directory, 'Access denied' is written
>> to the system
>> event log and a temporary profile is created.
>> 
>> The solution (following the default how-to directories structure):
>> 
>> # chmod g+w /srv/samba/profiles
>> 
>> The hint was posted in
>> 
>> https://windowsserveressentials.com/2011/02/25/quick-fix-access-denied-to-romaing-profile-windows-7/
>> 
>> Note: taking the above into account, I believe that the corresponding
>> section (Using POSIX ACLs) should be updated in
>> 
>> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>> 
>> namely, replace
>> 
>> # chmod 1750 /srv/samba/profiles/
>> 
>> with
>> 
>> # chmod 1770 /srv/samba/profiles/
>> 
>> Sincerely,
>> Konstantin
>> 
>> Konstantin Boyandin via samba wrote on 2018-09-20 12:25:
>> > Hello,
>> >
>> > After joining Windows 7 to a Samba 4 (AD), when logging on I
>> > experience 'Access denied' error accessing user profile. As
>> a result,
>> > Windows creates temporary profile for the domain user (the
>> profile is
>> > deleted upon logoff).
>> >
>> > [...]
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
>> 
