[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

L.P.H. van Belle belle at bazuin.nl
Fri Sep 21 06:52:43 UTC 2018


Hai, 

Now, I did not know you used the DC for the profiles here, but yes, it looks good. 

Small comment on points 3 and 4. 
3) It's good; you might notice a few more rights there compared to what I posted, 
that's because you have your profiles on the DC, but the settings are good. 

4) Yes, the security is OK. I like the higher security setting and try to mimic the Windows settings as much as possible. 
You can relax it a bit, but I don't recommend that. 

You're ready for the next step ;-) 

And a tip ahead. 
Settings like this apply to \\server\ ( users-home)  | profiles | print$  for example. 

The why? Because these shares might need some extra Windows love ;-) 
On these shares I apply the ignore system acls to mimic the Windows rights as close as possible. 
The reason for that is simple: fewer problems, but this does depend on how you use the network. 

Test what applies best for you, but these shares are "normally" only connected to by Windows. 
I set the ignore system acls.  Try it and test it. 
Shares which need "\SYSTEM" for example are best to set the ignore on. 

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Konstantin Boyandin via samba
> Sent: Friday 21 September 2018 6:49
> To: samba at lists.samba.org
> Subject: Re: [Samba] [SOLVED] Samba 4: 'Access denied' 
> error when accessing user profile during logon
> 
> Thanks for the response. I followed your instructions:
> 
> - set the "chmod 1750 /srv/samba/profiles"
> 
> - set, after logging as AD-LAN\Administrator, the permissions for 
> \\DC\profiles :
> 
> Creator Owner: all; applied to: Subfolders and files
> Administrator: all; applied to: This folder, Subfolders and files
> Domain Users: Traverse folder/Execute file,List folder/Read data,Read 
> attributes,Read extended attributes,Create files/Write data,Create 
> folders/Append data; applied to: This folder only
> 
> Results:
> 
> 1. Permissions mask:
> # ls -al /srv/samba | grep profiles
> drwxrwx--T+ 1 root AD-LAN\domain users   34 Sep 21 11:25 profiles
> 
> 2. ACL list for [profiles]
> # getfacl /srv/samba/profiles
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/profiles
> # owner: root
> # group: AD-LAN\134domain\040users
> # flags: --t
> user::rwx
> user:root:rwx
> group::rwx
> group:AD-LAN\134domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:AD-LAN\134domain\040users:---
> default:mask::rwx
> default:other::---
> 
> 3. When logging in without a local profile/roaming profile, username gets 
> a roaming profile folder created:
> # getfacl /srv/samba/profiles/username.V2
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/profiles/username.V2
> # owner: AD-LAN\134username
> # group: AD-LAN\134domain\040users
> user::rwx
> user:AD-LAN\134username:rwx
> user:3000000:rwx
> group::---
> group:AD-LAN\134domain\040users:---
> group:NT\040AUTHORITY\134system:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:AD-LAN\134username:rwx
> default:user:3000000:rwx
> default:group::---
> default:group:AD-LAN\134domain\040users:---
> default:group:NT\040AUTHORITY\134system:rwx
> default:mask::rwx
> default:other::---
> 
> 4. The non-Administrator domain users cannot access profiles 
> permissions, nor can they access profiles of other users.
> 
> Is the above fine from viewpoint of access rights?
> 
> Sincerely,
> Konstantin
> 
> L.P.H. van Belle via samba wrote 2018-09-20 16:01:
> > Hai,
> > 
> > Sorry to say but..
> >> The solution (following the default how-to directories structure):
> > 
> > No, the solution is to set it up correctly.
> > Just do a small test here to see if it's all correct.
> > 
> > With a Windows computer, browse to \\server
> > 
> > Right click the profiles share, check security.
> > 	If this is set correctly, the user should not be able to see the rights.
> > 
> > Repeat, now as Administrator.
> > 	You should see the needed rights.
> > 
> > And in mine that's on  \\server\profiles
> > Creator Owner ( 1700 ) 	Full with Special rights ( Apply to Only
> > subfolders and files )
> > Administrator 		Full control ( Apply to This Folder, subfolders and
> > files )
> > Domain Users 		Special with browse/exec, Read file/folder, create/add
> > folder  ( Only this folder )
> > 
> > And in mine that's on  \\server\profiles\user.v2
> > The resulting user folders should show ( in Windows )
> > SYSTEM 	Full control
> > Username 	Full control
> > 
> > 
> > Which results in ( for me ) with getfacl
> > 
> > # file: home/samba/profiles
> > # owner: root
> > # group: root
> > # flags: --t
> > user::rwx
> > user:root:rwx
> > group::---
> > group:root:---
> > group:domain\040users:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:group::---
> > default:group:root:---
> > default:mask::rwx
> > default:other::---
> > 
> > #( Group 2005 is SYSTEM  )
> > # file: home/samba/profiles/username.V2
> > # owner: username
> > # group: domain\040users
> > user::rwx
> > user:username:rwx
> > group::---
> > group:2005:rwx
> > group:domain\040users:---
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:username:rwx
> > default:group::---
> > default:group:2005:rwx
> > default:group:domain\040users:---
> > default:mask::rwx
> > default:other::---
> > 
> > Now, you will probably get different ( more relaxed ) results, which in
> > the end might give problems for the Win PCs.
> > 
> > Set :
> > [profiles]
> >     browseable = yes
> >     path = /home/samba/profiles
> >     read only = no
> >     acl_xattr:ignore system acl = yes
> > 
> > And now apply the rights again from within Windows.
> > And don't touch it with chmod again..
> > If needed use setfacl/getfacl.
> > If you think it's complex, then read:
> > https://serversforhackers.com/c/beyond-permissions-linux-acls
> > Well explained.
> > 
> > The acl_xattr:ignore system acl = yes in profiles is imo a must 
> > because
> > you will have far fewer problems with your profile folders and the
> > rights Windows expects.
> > 
> > 
> > Greetz,
> > 
> > Louis
> > 
> > 
> > 
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Konstantin Boyandin via samba
> >> Sent: Thursday 20 September 2018 9:26
> >> To: samba at lists.samba.org
> >> Subject: [Samba] [SOLVED] Samba 4: 'Access denied' error
> >> when accessing user profile during logon
> >> 
> >> Hello,
> >> 
> >> Looks like the solution was rather simple.
> >> 
> >> If a user profile matching the OS doesn't yet exist, Windows attempts to
> >> create one under '[profiles]'. I.e., for user 'username',
> >> Windows 7 will
> >> attempt to create [profiledir]\username.V2
> >> 
> >> If it can't create that directory, 'Access denied' is written
> >> to the system
> >> event log and a temporary profile is created.
> >> 
> >> The solution (following the default how-to directories structure):
> >> 
> >> # chmod g+w /srv/samba/profiles
> >> 
> >> The hint was posted in
> >> 
> >> https://windowsserveressentials.com/2011/02/25/quick-fix-access-denied-to-romaing-profile-windows-7/
> >> 
> >> Note: taking the above into account, I believe that the corresponding
> >> section (Using POSIX ACLs) should be updated in
> >> 
> >> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> >> 
> >> namely, replace
> >> 
> >> # chmod 1750 /srv/samba/profiles/
> >> 
> >> with
> >> 
> >> # chmod 1770 /srv/samba/profiles/
> >> 
> >> Sincerely,
> >> Konstantin
> >> 
> >> Konstantin Boyandin via samba wrote 2018-09-20 12:25:
> >> > Hello,
> >> >
> >> > After joining Windows 7 to a Samba 4 (AD), when logging on I
> >> > experience an 'Access denied' error accessing the user profile. As
> >> a result,
> >> > Windows creates a temporary profile for the domain user (the
> >> profile is
> >> > deleted upon logoff).
> >> >
> >> > [...]
> >> 
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >> 
> >> 
> 




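As an added example (not code from the thread, and not Samba's own tooling), a small POSIX shell checker that tests getfacl output for the profile share root and for one user's profile folder against the rights settled on above: sticky bit and no access for "other" on the root, the domain group allowed to create folders there but not inheriting into them, and a profile folder that neither the group nor "other" can enter. The group name and the two sample listings are constructed from the thread's own output; run the real check by feeding it `getfacl` output instead.

```shell
#!/bin/sh
# Added example, not from the thread: check getfacl output for a roaming
# profile share. Assumed rules: root has the sticky bit, denies "other",
# grants the domain group rwx on the root only; profile folders deny
# the group and "other" (only the owner and SYSTEM are expected there).

# Constructed sample: share root, shape as reported in the thread.
ROOT_ACL='# file: srv/samba/profiles
# flags: --t
user::rwx
group::rwx
group:AD-LAN\134domain\040users:rwx
other::---
default:group::---
default:group:AD-LAN\134domain\040users:---
default:other::---'

# Constructed sample: one user's profile folder, as reported.
USER_ACL='# file: srv/samba/profiles/username.V2
user::rwx
group::---
group:AD-LAN\134domain\040users:---
group:NT\040AUTHORITY\134system:rwx
other::---'

warn() { printf '%s\n' "$1" >&2; }
# acl_has ACL_TEXT LINE: exact line present? (-F: getfacl escapes stay literal)
acl_has() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

# check_profile_root ACL_TEXT GROUP: 0 if the share root is shaped right.
check_profile_root() {
  rc=0
  acl_has "$1" '# flags: --t'         || { warn "root: sticky bit missing"; rc=1; }
  acl_has "$1" 'other::---'           || { warn "root: others can access"; rc=1; }
  acl_has "$1" "group:$2:rwx"         || { warn "root: $2 cannot create folders"; rc=1; }
  acl_has "$1" 'default:group::---'   || { warn "root: new folders inherit group access"; rc=1; }
  acl_has "$1" "default:group:$2:---" || { warn "root: new folders inherit $2 access"; rc=1; }
  acl_has "$1" 'default:other::---'   || { warn "root: new folders inherit other access"; rc=1; }
  return $rc
}

# check_user_profile ACL_TEXT GROUP: 0 if only the owner (and SYSTEM) get in.
check_user_profile() {
  rc=0
  acl_has "$1" 'group::---'   || { warn "profile: owning group has access"; rc=1; }
  acl_has "$1" "group:$2:---" || { warn "profile: $2 has access"; rc=1; }
  acl_has "$1" 'other::---'   || { warn "profile: others can access"; rc=1; }
  return $rc
}
```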