[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
Konstantin Boyandin
lists at boyandin.info
Fri Sep 21 14:10:22 UTC 2018
Hello Louis,
In fact, the shares mentioned in my original messages are used in
Windows-only.
The accounts, however, are used in both Windows and Unix-type
environments (we have quite a zoo of OSes in active use); so we actually
use the Posix part of accounts for attributes and Kerberos component to
authenticate in all non-Windows use.
So my primary intent is to make the homes/profiles shares most
convenient and secure from Windows viewpoint.
Thanks.
Sincerely,
Konstantin
On 21.09.2018 13:52, L.P.H. van Belle via samba wrote:
> Hai,
>
> Now, i did not know you used the DC for the profiles here but yes it looks
good.
>
> Small comment on point 3 and 4.
> 3) Its good, you might notice a few more rights there compaired to what i
posted,
> thats because you have your profiles on the DC but the settings are good.
>
> 4) yes, the security is ok, i like the higher security setting and try to
mimic the windows settings as much as possible.
> You can relax it a bit, but i dont recommend that.
>
> Your ready for the next step ;-)
>
> And a tip ahead.
> Settings like this apply to \\server\ ( users-home) | profiles | print$
for example.
>
> The why?, because this these shares might needs some extra windows love
;-)
> On these shares i apply the ignore systemacls to mimic the windows rights
as close as possible.
> Reason for that is simple, less problems, but this doe depend on how you
use the network.
>
> Test what applies best for you, but these shares where "normaly" only
windows connect to.
> I set the ignore systemacl's. Try it and test it.
> Shares which need "\SYSTEM" for example are best to set the ignore.
>
> Greetz,
>
> Louis
>
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Konstantin Boyandin via samba
>> Verzonden: vrijdag 21 september 2018 6:49
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] [SOLVED] Samba 4: 'Access denied'
>> error when accessing user profile during logon
>>
>> Thanks for the response. I followed your instructions:
>>
>> - set the "chmod 1750 /srv/samba/profiles"
>>
>> - set, after logging as AD-LAN\Administrator, the permissions for
>> \\DC\profiles :
>>
>> Creator Owner: all; applied to: Subfolders and files
>> Administrator: all; applied to: This folder, Subfolders and files
>> Domain Users: Traverse folder/Execute file,List folder/Read data,Read
>> attributes,Read extended attributes,Create files/Write data,Create
>> folders/Append data; applied to: This folder only
>>
>> Results:
>>
>> 1. Permissions mask:
>> # ls -al /srv/samba | grep profiles
>> drwxrwx--T+ 1 root AD-LAN\domain users 34 Sep 21 11:25 profiles
>>
>> 2. ACL list for [profiles]
>> # getfacl /srv/samba/profiles
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/profiles
>> # owner: root
>> # group: AD-LAN\134domain\040users
>> # flags: --t
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:AD-LAN\134domain\040users:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:group::---
>> default:group:AD-LAN\134domain\040users:---
>> default:mask::rwx
>> default:other::---
>>
>> 3. When logging in without local profile/roaming profile,
>> username gets
>> a roaming profile folder created:
>> # getfacl /srv/samba/profiles/username.V2
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/profiles/username.V2
>> # owner: AD-LAN\134username
>> # group: AD-LAN\134domain\040users
>> user::rwx
>> user:AD-LAN\134username:rwx
>> user:3000000:rwx
>> group::---
>> group:AD-LAN\134domain\040users:---
>> group:NT\040AUTHORITY\134system:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:AD-LAN\134username:rwx
>> default:user:3000000:rwx
>> default:group::---
>> default:group:AD-LAN\134domain\040users:---
>> default:group:NT\040AUTHORITY\134system:rwx
>> default:mask::rwx
>> default:other::---
>>
>> 4. The non-Administrator domain users cannot access profiles
>> permissions, nor they can access profiles of other users.
>>
>> Is the above fine from viewpoint of access rights?
>>
>> Sincerely,
>> Konstantin
>>
>> L.P.H. van Belle via samba ?????????? 2018-09-20 16:01:
>>> Hai,
>>>
>>> Sorry to say but..
>>>> The solution (following the default how-to directories structure):
>>>
>>> No, the solution is to setup correctly.
>>> Just do a a small test here to see if its all correct.
>>>
>>> With a windows computer, browse to \\server
>>>
>>> Right klik the profiles share, check security.
>>> If this is set correct, the user should not be able to
>> see the rights.
>>>
>>> Repaet, now as Adminsitrator.
>>> You should see the needed rights.
>>>
>>> And in my thats on \\server\profiles
>>> Creator Owner ( 1700 ) Full with Special rights ( Appy to Only
>>> subfolders and files )
>>> Administrator Full control ( Appy to This
>> Folder, subfolders and
>>> files )
>>> Domain Users Special with browse/exec, Read
>> file/folder, create/add
>>> folder ( Only this folder )
>>>
>>> And in my thats on \\server\profiles\user.v2
>>> The resulting user folders should show ( in Windows )
>>> SYSTEM Full control
>>> Username Full control
>>>
>>>
>>> Which results in ( for me ) with getfacl
>>>
>>> # file: home/samba/profiles
>>> # owner: root
>>> # group: root
>>> # flags: --t
>>> user::rwx
>>> user:root:rwx
>>> group::---
>>> group:root:---
>>> group:domain\040users:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::---
>>> default:group:root:---
>>> default:mask::rwx
>>> default:other::---
>>>
>>> #( Group 2005 is SYSTEM )
>>> # file: home/samba/profiles/username.V2
>>> # owner: username
>>> # group: domain\040users
>>> user::rwx
>>> user:username:rwx
>>> group::---
>>> group:2005:rwx
>>> group:domain\040users:---
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:username:rwx
>>> default:group::---
>>> default:group:2005:rwx
>>> default:group:domain\040users:---
>>> default:mask::rwx
>>> default:other::---
>>>
>>> Now, you will probely get diffent ( more relaxed ) results, which in
>>> the end might give problems for the Win pc's.
>>>
>>> Set :
>>> [profiles]
>>> browseable = yes
>>> path = /home/samba/profiles
>>> read only = no
>>> acl_xattr:ignore system acl = yes
>>>
>>> And now apply the rights again from within windows.
>>> And dont touch it with chmod again..
>>> If needed use setfacl/getfacl.
>>> If you think its complex, then read :
>>> https://serversforhackers.com/c/beyond-permissions-linux-acls
>>> Good explained.
>>>
>>> The acl_xattr:ignore system acl = yes in profiles is imo a must
>>> because,
>>> you will have much less problems with your profile folders and the
>>> rights windows expects.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>>>> Konstantin Boyandin via samba
>>>> Verzonden: donderdag 20 september 2018 9:26
>>>> Aan: samba at lists.samba.org
>>>> Onderwerp: [Samba] [SOLVED] Samba 4: 'Access denied' error
>>>> when accessing user profile during logon
>>>>
>>>> Hello,
>>>>
>>>> Looks like the solution was rather simple.
>>>>
>>>> If user profile matching OS doesn't yet exist, Windows attempts to
>>>> create one under '[profiles]'. I.e., for user 'username'
>>>> Windows 7 will
>>>> attempt to create [profiledir]\username.V2
>>>>
>>>> If it can't create that directory, 'Access denied' is written
>>>> to system
>>>> event log and a temporary profile is created.
>>>>
>>>> The solution (following the default how-to directories structure):
>>>>
>>>> # chmod g+w /srv/samba/profiles
>>>>
>>>> The hint posted in
>>>>
>>>> https://windowsserveressentials.com/2011/02/25/quick-fix-acces
>>>> s-denied-to-romaing-profile-windows-7/
>>>>
>>>> Note: taking the above into account, I believe that corresponding
>>>> section (Using POSIX ACLs) should be updated in
>>>>
>>>> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>>>>
>>>> namely, replace
>>>>
>>>> # chmod 1750 /srv/samba/profiles/
>>>>
>>>> with
>>>>
>>>> # chmod 1770 /srv/samba/profiles/
>>>>
>>>> Sincerely,
>>>> Konstantin
>>>>
>>>> Konstantin Boyandin via samba ?????????? 2018-09-20 12:25:
>>>>> Hello,
>>>>>
>>>>> After joining Windows 7 to a Samba 4 (AD), when logging on I
>>>>> experience 'Access denied' error accessing user profile. As
>>>> a result,
>>>>> Windows creates temporary profile for the domain user (the
>>>> profile is
>>>>> deleted upon logoff).
>>>>>
>>>>> [...]
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list