[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

Robert Marcano robert at marcanoonline.com
Fri Sep 21 15:47:47 UTC 2018


On 9/21/18 10:38 AM, Rowland Penny via samba wrote:
> On 21 Sep 2018 10:10:22 -0400
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> 
>> Hello Louis,
>>
>> In fact, the shares mentioned in my original messages are used in
>> Windows-only.
>>
>> The accounts, however, are used in both Windows and Unix-type
>> environments (we have quite a zoo of OSes in active use); so we
>> actually use the Posix part of accounts for attributes and Kerberos
>> component to authenticate in all non-Windows use.
>>
>> So my primary intent is to make the homes/profiles shares most
>> convenient and secure from Windows viewpoint.
>>
> 
> Let's be honest about this, the sysvol, netlogon and profiles shares are
> only used by Windows clients (unless somebody knows differently). This
> means that no Unix client needs to be able to connect to them, so the
> best way to set the required permissions is to set them from Windows
> and add 'acl_xattr:ignore system acls = yes' to each share.
> 

If someone is using SSSD (not a Samba-provided module) instead of
winbind and is using its GPO support [1], those Linux clients must be
reading sysvol, but not in a direct way in which 'acl_xattr:ignore
system acls = yes' can affect them.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo

> Rowland
> 