[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

Robert Marcano robert at marcanoonline.com
Fri Sep 21 15:47:47 UTC 2018

On 9/21/18 10:38 AM, Rowland Penny via samba wrote:
> On 21 Sep 2018 10:10:22 -0400
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>> Hello Louis,
>> In fact, the shares mentioned in my original messages are used in
>> Windows-only.
>> The accounts, however, are used in both Windows and Unix-type
>> environments (we have quite a zoo of OSes in active use); so we
>> actually use the Posix part of accounts for attributes and Kerberos
>> component to authenticate in all non-Windows use.
>> So my primary intent is to make the homes/profiles shares most
>> convenient and secure from Windows viewpoint.
> Lets be honest about this, the sysvol, netlogon and profiles shares are
> only used by Windows clients (unless somebody knows differently). This
> means that no Unix client needs to be able to connect to them, so the
> best way to set the required permissions is to set them from Windows
> and add 'acl_xattr:ignore system acls = yes' to each share.

If someone is using SSSD (not a Samba provided module) instead of 
winbind and is using its GPO support [1], those Linux clients must be 
reading sysvol, but not in a direct way in in which 'acl_xattr:ignore 
system acls = yes' can affect them


> Rowland

More information about the samba mailing list