[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

Fri Sep 21 08:52:29 UTC 2018

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: vrijdag 21 september 2018 10:11
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] [SOLVED] Samba 4: 'Access denied' 
> error when accessing user profile during logon
> 
> On Fri, 21 Sep 2018 09:35:13 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Hai Rowland, 
> > 
> > So far i've seen, the output of getfacl is exact of what is set in
> > secrutiy.NTACL. If that isnt the case then we have a problem in my
> > opinion. And you could compair it with :  getfattr -n security.NTACL
> > yourFile/folder 
> > 
> > And I would not ignore the getfacl even with the known limitation of
> > the "SYSTEM" and some other BUILTIN\xxx..  Users/groups. As long we
> > see these (missing) names/groups in numbers im fine with 
> it. Linux is
> > not windows. 
> > 
> > Imo, setting like this has only one problem, changing to much with
> > CHMOD/CHOWN, that might kill the acls and you need to set it again
> > FROM WINDOWS! 
> > 
> > This is why you set it, export the settings with getfacl ( if needed
> > recusive ) handy to have that if you need to recover. You set the
> > acls in linux first en from windows again and the both match again.
> > Just dont touch it after you've set it. 
> > 
> > Om totaly open for a better setup ;-) and if im wrong here please
> > tell me, only with comments, we learn. 
> > 
> > 
> 
> Try reading 'man vfs_acl_xattr'
> 
> This plainly says that ACLs are stored in the EA 'security.NTACL'
> 
> It also says that when 'acl_xattr:ignore system acls' is set to
> 'yes',  it will not map to or from the POSIX Layer i.e. the Unix OS.
> 
> It also says the following settings will be enforced:
> 
>     create mask = 0666
>     directory mask = 0777
>     map archive = no
>     map hidden = no
>     map readonly = no
>     map system = no
>     store dos attributes = yes
> 
> Rowland
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 

> Try reading 'man vfs_acl_xattr'
> 
> This plainly says that ACLs are stored in the EA 'security.NTACL'

Ok, i did read that. (again)  ;-) 

Yes, thats correct, but only when you access it from a \\server\share 
The setting :  acl_xattr:default acl style = posix  helps also. 

Maybe a misunderstanding but i dont think so, you correct me.. 
Yes, your right about the vfs_acl_xattr. 

Why i set both. 
User1 is working on windows, saves a file on a share \\server\share\file.   ( uses vfs_acl_xattr )
User2 is working on linux, login with ssh, no shares used, and uses the same file. /home/path/folder/file ( and does not use vfs_acl_xattr )
Here default acl style = posix is doing its work for the 2 users.  ( mainly the windows users ) 

At least thats how i did understand the implementation of these settings. 
This is why i did setup like this, so windows/linux users see (almost) the same rights. 
At least thats how i see it, in the network here. And it works great. 

Think in the GPO rights.  Only used by windows. 
If you use the syvol and netlogon share realy only for windows then the setting :
acl_xattr:default acl style = windows   is te best. 
But touching the linux acls in from within linux, is a no go. That kills you sysvol. 
That did happen in 4.5.x and before, i havent tested that in 4.6+ since i dont have any GPO or sysvol problems.

I think in ( so people understand better why i set some things )
1) windows only users ( note, a computer is a user dont forget that.  ) 
2) linux only users
3) windows and linux users
4) server services. 
5) mixed the above. 

Based on the use of one of these 5 above i setup a share. 
Thats key, setup a share, for the way how you use it and avoid problem. 

Greetz, 

Louis