[Samba] Sometimes Roaming Profile loose rights to restart shutdown...

L.P.H. van Belle belle at bazuin.nl
Thu Nov 14 14:18:15 UTC 2019


Oh, and some might see that I use different settings than shown on the wiki.

Yes, I use Everyone on the share with full control and the wiki does not.
Even though I have Everyone, nobody (as in guests) can write as guest on the server. You still need to be domain verified due to the folder rights.

Because of the rights on /home/samba/profiles in this setup.

There are more options that work fine, but I advise starting with Everyone on the share.
That simplifies a lot.
Then when everything works, you can try to tighten security even more.


Greetz, 

Louis
 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Thursday 14 November 2019 15:00
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sometimes Roaming Profile loose rights
> to restart shutdown...
> 
> Hai,  
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > admins aixtema via samba
> > Sent: Thursday 14 November 2019 14:02
> > To: samba at lists.samba.org
> > Subject: [Samba] Sometimes Roaming Profile loose rights to
> > restart shutdown...
> >
> > Hi,
> > sometimes my Roaming Profile gets buggy and I can't use the Reboot
> > Shutdown ... function, all others work.
> > When I make a new users.v6 folder the Profile works again very well.
> >
> > I tried all GPOs I found for energy settings but nothing helps if the
> > Profile is broken. Only deleting it and making a new one works.
> > 
> > Samba 4.11.2
> > Win10 1803-1903
> > 
> > any ideas? or Workarounds?
> 
> Same as the previous message on the list. Your rights setup is incorrect.
> Share security : Everyone full.
> Folder security : Creator Owner - Special, only subfolders and files
> 			Administrator - Full control, this folder and subfolders and files.
> 			BUILTIN\Administrators - Special, only this folder.
>
> I suggest a setup as shown.
> 
> [profiles]
>     browseable = yes
>     path = /your_path_too/profiles
>     read only = no
>     acl_xattr:ignore system acls = yes
> Why not use the better Windows mapping in profiles if it's
> only used by Windows.
>
> man smb.conf and read about acl_xattr:ignore system acls
> 
> Restart samba 
> 
> Then read :
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#The_Windows_Roaming_Profile_Versions
>
> And apply exactly as shown, that should work.
> DO NOTE, previous rights need to be set again, from within Windows.
> Or, use setfacl and set it up like this.
> 
> drwxrwx--T+ 110 root root  4096 Nov 11 14:42 profiles
> 
> getfacl profiles/
> # file: profiles/
> # owner: root
> # group: root
> # flags: --t
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:mask::rwx
> default:other::---
> 
> 
> drwxrwx---+  27 username domain users 4096 Oct 18 18:42 username.V6
> getfacl profiles/username.V6/
> # file: profiles/username.V6/
> # owner: username
> # group: domain\040users
> user::rwx
> user:username:rwx
> group::---
> group:2005:rwx
> group:domain\040users:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:username:rwx
> default:group::---
> default:group:2005:rwx
> default:group:domain\040users:---
> default:mask::rwx
> default:other::---
> 
> Verify this, I have 2005, your GID number might be different
> 
> wbinfo -Y S-1-5-18
> 2005
> 
> wbinfo -G 2005
> S-1-5-18
> 
> wbinfo -s S-1-5-18
> NT Authority\SYSTEM 5
> 
> 
> If not need more info, mail the list again. 
> But the above works for me since Samba 4.6 or so.
> Win7-Win10 up to 1903
> 
> 
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
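An added example, not part of the original message: a shell check that audits one profile folder's `getfacl` output against the `username.V6` layout listed above, for use after tightening rights. The function names are hypothetical, the sample ACL is the listing from the message, the drifted variant is constructed, and the SYSTEM GID (2005 here) is an assumption to be replaced with the result of `wbinfo -Y S-1-5-18` on your own server.

```shell
# Added example. Reads `getfacl` text on stdin and audits one <user>.V6 folder.
# Live use: getfacl profiles/username.V6 | check_profile_acl username 2005
check_profile_acl() {
    user=$1; sysgid=$2; rc=0
    acl=$(cat)
    # Entries the layout in the message requires on the user's profile folder.
    for want in "user:$user:rwx" "default:user:$user:rwx" \
                "group:$sysgid:rwx" "default:group:$sysgid:rwx" \
                "other::---" "default:other::---"; do
        printf '%s\n' "$acl" | grep -qxF -- "$want" ||
            { printf 'MISSING %s\n' "$want"; rc=1; }
    done
    # Rights held by "other" or by any named user/group besides owner and SYSTEM.
    extra=$(printf '%s\n' "$acl" | awk -F: -v u="$user" -v g="$sysgid" '
        /^#/ { next }
        { line = $0; sub(/^default:/, "") }
        $1 == "group" && $2 != "" && $2 != g && $3 != "---" { print line }
        $1 == "user"  && $2 != "" && $2 != u && $3 != "---" { print line }
        $1 == "other" && $3 != "---" { print line }')
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/EXPOSED /'
        rc=1
    fi
    return "$rc"
}
# Sample input: the username.V6 listing from the message.
good_acl() { cat <<'EOF'
# file: profiles/username.V6/
# owner: username
user::rwx
user:username:rwx
group::---
group:2005:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:username:rwx
default:group::---
default:group:2005:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---
EOF
}
# Constructed drift: Domain Users and "other" gain access to the profile.
bad_acl() { good_acl | sed -e 's/^\(group:domain.*\):---$/\1:rwx/' -e 's/^other::---$/other::r-x/'; }
bad_acl | check_profile_acl username 2005 || echo "drift found"
```

An entry that `getfacl` annotates with `#effective:` (rights cut down by the mask) does not match the required line exactly and is reported as MISSING, which is the conservative result.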