[Samba] csc policy

L.P.H. van Belle belle at bazuin.nl
Tue Jun 25 14:29:19 UTC 2019

Hai Christian,

So yes, I told you this once before: it is better to set up the Windows ACL.
And yes, but these days in Win10 everything is more picky on correct settings.

Set/verify your profile share again, but set up Windows ACLs, not POSIX ACLs.
See:  https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles 

Go to: Setup: Using Windows ACLs

And don't look below this line on the wiki: Using POSIX ACLs on a Unix domain member
Just don't.

And be careful, you can/might reset everything on the share.
And verify that permission inheritance is disabled on the root of the share.

If that still gives problems, try adding this setting in the profiles share. 
        acl_xattr:ignore system acls = yes 

And set up the share again; this is a must after you set this parameter.

Personally, I still use that parameter on the profiles and the users shares.
Partly to avoid Windows ACL problems, and why not set it if these shares are only used for Windows clients.
Note, this is an inheritance from an old Samba version with a bug; this solved it all.
And I'm now using it for about 3 years without problems on my profiles. Just saying, I really suggest you test it.




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Naumer via samba
> Sent: Tuesday 25 June 2019 11:15
> To: Thamm, Russell via samba
> Subject: [Samba] csc policy
> Hello you all,
> we are in the process of upgrading to windows 10 on all our
> workstations. We see one problem with redirected folders. We redirect
> Appdata to a network share.
> [profdata]
>         comment = Profile Data Share
>         path = /srv/profdata
>         csc policy = disable
>         hide files = /?esktop.ini/ntuser.ini/NTUSER.*/?humbs.db/$RECYCLE.BIN/
> This worked great (although slow) with terminal servers on Win2008R2 and
> Windows 7. Now the clients on win10 experience errors in Thunderbird and
> Firefox. The files cert9.db and cert8.db sometimes can not be read (a
> pop up shows with unknown certificates etc). If you close the program
> everything works again. Only Firefox and Thunderbird are affected.
> Chrome has no Problem.
> My questions are:
> Has anybody had the same Problem?
> Is "csc policy = disable" still recommended for profile shares as stated
> in the WIKI and is it also recommended for redirected folders like this?
> How do you guys handle csc policy for other shares? We always have it
> disabled.
> Regards
> Christian
> -- 
> Dr. Christian Naumer
> Research Scientist
> Platform Coordinator, Bioprocess Engineering
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
> phone +49-6251-9331-30  /   fax +49-6251-9331-11
> Registered office: Zwingenberg/Bergstrasse
> Court of registration: AG Darmstadt, HRB 24758
> Management Board: Dr. Juergen Eck (Chairman), Manfred Bender,
> Ludger Roedder
> Chairman of the Supervisory Board: Dr. Georg Kellinghusen