
[Samba] Samba 4: 'Access denied' error when accessing user profile during logon


After joining Windows 7 to a Samba 4 (AD), when logging on I experience an 'Access denied' error accessing the user profile. As a result, Windows creates a temporary profile for the domain user (the profile is deleted upon logoff).

The roaming profiles directory has been created according to instructions in


Note: the home directory (also shared by the AD DC) is accessible without problem; the user can create/delete/whatever objects in it without problems.

For every domain user 'username', profilePath has been set to \\DC\profiles\username, using ldbmodify, i.e. via a string

profilePath: \\DC\profiles\username

in the corresponding LDIF.

Technical details:

OS: Ubuntu 18.04.1, Samba version (package) 4.7.6+dfsg~ubuntu-0ubuntu2.2, latest in official repository.

# samba-tool testparm
	bind interfaces only = Yes
	interfaces = lo ens3
	log file = /var/log/samba/log.%m
	log level = 3
	map to guest = Bad User
	max log size = 1000
	netbios name = DC
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passdb backend = tdbsam
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	realm = AD-LAN.COM
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = AD-LAN.COM domain controller
	template homedir = /home/%u
	template shell = /bin/bash
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls enabled = Yes
	tls keyfile = tls/key.pem
	unix password sync = Yes
	usershare allow guests = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind nss info = rfc2307
	workgroup = AD-LAN
	acl:search = no
	idmap_ldb:use rfc2307 = yes

	comment = Network Logon Service
	path = /var/lib/samba/sysvol/ad-lan.com/scripts
	read only = No

	path = /var/lib/samba/sysvol
	read only = No

	browseable = No
	comment = Users profiles
	csc policy = disable
	force create mode = 0600
	force directory mode = 0700
	path = /srv/samba/profiles/
	read only = No
	store dos attributes = Yes
	vfs objects = acl_xattr

	force create mode = 0600
	force directory mode = 0700
	path = /srv/samba/users/
	read only = No

	browseable = No
	comment = All Printers
	create mask = 0700
	path = /var/spool/samba
	printable = Yes

	comment = Printer Drivers
	path = /var/lib/samba/printers

## In Samba log files matching the computer's IP:
# cat /var/log/samba/log.

[2018/09/20 10:15:57.475422, 3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |profiles| in dfs path \DC\profiles is not a dfs root.
[2018/09/20 10:15:57.475451, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2018/09/20 10:15:57.475858,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from (
[2018/09/20 10:15:57.475912, 3] ../source3/smbd/service.c:595(make_connection_snum)
  Connect path is '/srv/samba/profiles/' for service [profiles]
[2018/09/20 10:15:57.475938, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2018/09/20 10:15:57.475946, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2018/09/20 10:15:57.475954, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2018/09/20 10:15:57.475966, 2] ../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service profiles
[2018/09/20 10:15:57.476109, 2] ../source3/smbd/service.c:841(make_connection_snum)
  (ipv4: connect to service profiles initially as user AD-LAN\mbo (uid=1000, gid=513) (pid 7848)

I would appreciate pieces of advice on what causes the mentioned "Access denied" problem and how to handle it.

