[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

Rowland Penny rpenny at samba.org
Fri Sep 21 09:09:41 UTC 2018


On Fri, 21 Sep 2018 10:52:29 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

>  
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> > Rowland Penny via samba
> > Sent: Friday 21 September 2018 10:11
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] [SOLVED] Samba 4: 'Access denied' 
> > error when accessing user profile during logon
> > 
> > On Fri, 21 Sep 2018 09:35:13 +0200
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > 
> > > Hai Rowland, 
> > > 
> > > So far as I've seen, the output of getfacl is exactly what is set in
> > > security.NTACL. If that isn't the case then we have a problem in my
> > > opinion. And you could compare it with:  getfattr -n
> > > security.NTACL yourFile/folder 
> > > 
> > > And I would not ignore the getfacl even with the known limitation
> > > of the "SYSTEM" and some other BUILTIN\xxx.. users/groups. As
> > > long as we see these (missing) names/groups as numbers I'm fine with
> > > it. Linux is not Windows. 
> > > 
> > > Imo, setting it like this has only one problem: changing too much with
> > > CHMOD/CHOWN might kill the ACLs and you need to set them again
> > > FROM WINDOWS! 
> > > 
> > > This is why you set it, export the settings with getfacl (if
> > > needed recursively); handy to have that if you need to recover. You
> > > set the ACLs in Linux first and from Windows again and they both
> > > match again. Just don't touch it after you've set it. 
> > > 
> > > I'm totally open for a better setup ;-) and if I'm wrong here please
> > > tell me; only with comments, we learn. 
> > > 
> > > 
> > 
> > Try reading 'man vfs_acl_xattr'
> > 
> > This plainly says that ACLs are stored in the EA 'security.NTACL'
> > 
> > It also says that when 'acl_xattr:ignore system acls' is set to
> > 'yes', it will not map to or from the POSIX Layer i.e. the Unix OS.
> > 
> > It also says the following settings will be enforced:
> > 
> >     create mask = 0666
> >     directory mask = 0777
> >     map archive = no
> >     map hidden = no
> >     map readonly = no
> >     map system = no
> >     store dos attributes = yes
> > 
> > Rowland
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > 
> 
> > Try reading 'man vfs_acl_xattr'
> > 
> > This plainly says that ACLs are stored in the EA 'security.NTACL'
> 
> Ok, I did read that. (again)  ;-) 
> 
> Yes, that's correct, but only when you access it from a \\server\share. 
> The setting:  acl_xattr:default acl style = posix  helps also. 
> 
> Maybe a misunderstanding but I don't think so, you correct me.. 
> Yes, you're right about the vfs_acl_xattr. 
> 
> Why I set both. 
> User1 is working on Windows, saves a file on a share
> \\server\share\file.   ( uses vfs_acl_xattr ) User2 is working on
> Linux, logs in with ssh, no shares used, and uses the same
> file. /home/path/folder/file ( and does not use vfs_acl_xattr ) Here
> default acl style = posix is doing its work for the 2 users.
> ( mainly the Windows users ) 
> 
> At least that's how I did understand the implementation of these
> settings. This is why I did set up like this, so Windows/Linux users
> see (almost) the same rights. At least that's how I see it, in the
> network here. And it works great. 
> 
> Think of the GPO rights.  Only used by Windows. 
> If you use the sysvol and netlogon share really only for Windows then
> the setting : acl_xattr:default acl style = windows   is the best. 
> But touching the Linux ACLs from within Linux is a no go. That
> kills your sysvol. That did happen in 4.5.x and before; I haven't
> tested that in 4.6+ since I don't have any GPO or sysvol problems.
> 
> I think in ( so people understand better why I set some things )
> 1) Windows only users ( note, a computer is a user, don't forget that. )
> 2) Linux only users
> 3) Windows and Linux users
> 4) server services. 
> 5) mixed the above. 
> 
> Based on the use of one of these 5 above I set up a share. 
> That's key, set up a share for the way you use it and avoid
> problems. 
> 
> 

Ah, you then went and mentioned Unix clients ;-)

If you connect to a share via Samba and 'acl_xattr:ignore system
acls' is set to 'yes', the permissions set in the EA will be used. 

If you connect to the directory via the OS (logged in to the computer),
the system ACLs will be used and these can differ from the ACLs
stored in the EA.

Rowland
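The two points argued in this thread are easy to get wrong in a real smb.conf: with the acl_xattr module loaded and 'acl_xattr:ignore system acls = yes', the seven parameters quoted from 'man vfs_acl_xattr' above are enforced, so any different value an admin wrote into the share is silently overridden; without that option the module maps to the POSIX layer, so users who reach the same directory through the OS (ssh, local login) can see permissions that differ from security.NTACL. The following added example, written for this post and not code from the Samba project or either poster, lints an smb.conf for both conditions. It assumes a minimal smb.conf reader (no 'include' directives, no %-substitution), that share-level values override [global], and that the enforced list is exactly the one quoted above; the sample config is constructed.

```python
"""Lint smb.conf shares for the vfs_acl_xattr behaviour discussed above.

Added example; not Samba project code.  Assumes a minimal smb.conf reader
(no 'include', no %-substitution) and that share values override [global].
"""
import re

# Values forced by vfs_acl_xattr when 'acl_xattr:ignore system acls = yes'
# (list taken from the man page excerpt quoted in the thread).
ENFORCED = {
    "create mask": "0666",
    "directory mask": "0777",
    "map archive": "no",
    "map hidden": "no",
    "map readonly": "no",
    "map system": "no",
    "store dos attributes": "yes",
}
MASK_PARAMS = {"create mask", "directory mask"}
IGNORE_KEY = "acl_xattr:ignore system acls"

# Constructed sample: [profiles] sets masks that acl_xattr overrides (its
# 'store dos attributes = True' equals the enforced 'yes', so no conflict),
# [homes] relies on the POSIX mapping, [data] does not load acl_xattr.
SAMPLE_CONF = """
[global]
   vfs objects = acl_xattr
   map archive = no

[profiles]
   path = /srv/samba/profiles
   read only = no
   acl_xattr:ignore system acls = yes
   create mask = 0700
   directory mask = 0700
   store dos attributes = True

[homes]
   path = /home
   read only = no
   acl_xattr:default acl style = posix

[data]
   path = /srv/data
   vfs objects = streams_xattr
"""


def norm_key(name):
    """Parameter names are case-insensitive; collapse whitespace."""
    return " ".join(name.lower().split())


def norm_value(key, value):
    """Canonicalise for comparison: masks as 4-digit octal, booleans as yes/no."""
    v = value.strip().lower()
    if key in MASK_PARAMS:
        try:
            return "%04o" % int(v, 8)
        except ValueError:
            return v
    if v in ("yes", "true", "1"):
        return "yes"
    if v in ("no", "false", "0"):
        return "no"
    return v


def parse_smb_conf(text):
    """Return {section: {normalised key: raw value}}; skips '#'/';' comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = norm_key(m.group(1))
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][norm_key(key)] = value.strip()
    return sections


def effective(sections, share, key):
    """Share-level setting wins over [global]; None when neither sets it."""
    for sec in (share, "global"):
        if key in sections.get(sec, {}):
            return sections[sec][key]
    return None


def lint_shares(text):
    """Return {share: [finding, ...]} for every non-global section."""
    sections = parse_smb_conf(text)
    report = {}
    for share in sections:
        if share == "global":
            continue
        findings = []
        vfs = (effective(sections, share, "vfs objects") or "").split()
        if "acl_xattr" in vfs:
            ignore = norm_value(IGNORE_KEY, effective(sections, share, IGNORE_KEY) or "no")
            if ignore == "yes":
                # Explicit values that differ from the enforced ones are silently lost.
                for key, want in ENFORCED.items():
                    have = effective(sections, share, key)
                    if have is not None and norm_value(key, have) != want:
                        findings.append(f"'{key} = {have}' is overridden to {want} by acl_xattr")
            else:
                findings.append("acl_xattr maps to the POSIX layer: system ACLs and "
                                "security.NTACL can diverge for users on the local OS")
        report[share] = findings
    return report


if __name__ == "__main__":
    for share, findings in lint_shares(SAMPLE_CONF).items():
        print(f"[{share}]")
        for f in findings or ["ok"]:
            print("  ", f)
```

Run it against a real smb.conf by passing the file contents to lint_shares(); a share that loads acl_xattr and reports nothing is one whose explicit settings agree with the enforced values, while the POSIX-mapping note marks shares where the getfacl/getfattr comparison from the thread is worth doing before trusting what local users see.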


