[Samba] Sometimes Roaming Profile loose rights to restart shutdown...
L.P.H. van Belle
belle at bazuin.nl
Thu Nov 14 14:18:15 UTC 2019
Ow and some might see i use different setting as shown on the wiki.
Yes, i use Everyone on the share with full control and the wiki not.
Even i have everyone, nobody (as in guests) can write as guess on the server. You still need to be domain verified due to the folder rights.
Because of the rights on /home/samba/profiles in this setup.
There are more options that work fine, but i advice to start with Everyone on share.
That simplifies a lot..
Then when everything works, you can try to tighten security even more.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> L.P.H. van Belle via samba
> Verzonden: donderdag 14 november 2019 15:00
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Sometimes Roaming Profile loose rights
> to restart shutdown...
>
> Hai,
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > admins aixtema via samba
> > Verzonden: donderdag 14 november 2019 14:02
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] Sometimes Roaming Profile loose rights to
> > restart shutdown...
> >
> > Hi,
> > sometimes my Roaming Profile gets buggy and i cant use the Reboot
> > Shutdown ... function all other works.
> > When i make a new users.v6 folder the Profile works again very well.
> >
> > I tried all GPOs i found for energy settings but nothing
> helps if the
> > Profile is broken. Only delete and make a new one works
> >
> > Samba 4.11.2
> > Win10 1803-1903
> >
> > any ideas? or Workarounds?
>
> Same as the previous message on the list. Your rights setup
> is incorrect.
> Share security : everyone full.
> Folder security : Creater Onwer - Special, only sub folders and files
> Adminstrator - Full control, This
> folder and subfolders and files.
> BUILTIN\Administrators special, only
> this folder.
>
> I suggest setup as show.
>
> [profiles]
> browseable = yes
> path = /your_path_too/profiles
> read only = no
> acl_xattr:ignore system acl = yes
> Why not use the better windows mapping in profiles if its
> only use by windows.
>
> man smb.conf and read about acl_xattr:ignore system acl
>
> Restart samba
>
> Then read :
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> #The_Windows_Roaming_Profile_Versions
>
> And apply exactly as shown, that should work.
> DO NOTE, previous rights needs to set again, from within windows.
> Or, use setfact and setup like this.
>
> drwxrwx--T+ 110 root root 4096 Nov 11 14:42 profiles
>
> getfacl profiles/
> # file: profiles/
> # owner: root
> # group: root
> # flags: --t
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:mask::rwx
> default:other::---
>
>
> drwxrwx---+ 27 username domain users 4096 Oct 18 18:42 username.V6
> getfacl profiles/username.V6/
> # file: profiles/username.V6/
> # owner: username
> # group: domain\040users
> user::rwx
> user:username:rwx
> group::---
> group:2005:rwx
> group:domain\040users:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:username:rwx
> default:group::---
> default:group:2005:rwx
> default:group:domain\040users:---
> default:mask::rwx
> default:other::---
>
> Verify this, i have 2005, you GID number might be different
>
> wbinfo -Y S-1-5-18
> 2005
>
> wbinfo -G 2005
> S-1-5-18
>
> wbinfo -s S-1-5-18
> NT Authority\SYSTEM 5
>
>
> If not need more info, mail the list again.
> But above works for me since samba 4.6 or so.
> Win7-win10 upto 1903
>
>
>
>
> Greetz,
>
> Louis
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list