
[Samba] Samba 4: 'Access denied' error when accessing user profile during logon
Hello,

After joining Windows 7 to Samba 4 (AD), when logging on I get an 'Access denied' error when accessing the user profile. As a result, Windows creates a temporary profile for the domain user (the profile is deleted upon logoff).

The roaming profiles directory has been created according to instructions in

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Note: the home directory (also shared by the AD DC) is accessible without problems; the user can create/delete/whatever objects in it without problems.

For every domain user 'username', profilePath has been set to \\DC\profiles\username using ldbmodify, i.e. via the line

profilePath: \\DC\profiles\username

in the corresponding LDIF.

Technical details:

OS: Ubuntu 18.04.1, Samba version (package) 4.7.6+dfsg~ubuntu-0ubuntu2.2, latest in official repository.

# samba-tool testparm
[global]
	bind interfaces only = Yes
	interfaces = lo ens3
	log file = /var/log/samba/log.%m
	log level = 3
	map to guest = Bad User
	max log size = 1000
	netbios name = DC
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passdb backend = tdbsam
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	realm = AD-LAN.COM
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = AD-LAN.COM domain controller
	template homedir = /home/%u
	template shell = /bin/bash
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls enabled = Yes
	tls keyfile = tls/key.pem
	unix password sync = Yes
	usershare allow guests = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind nss info = rfc2307
	workgroup = AD-LAN
	acl:search = no
	idmap_ldb:use rfc2307 = yes

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/sysvol/ad-lan.com/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[profiles]
	browseable = No
	comment = Users profiles
	csc policy = disable
	force create mode = 0600
	force directory mode = 0700
	path = /srv/samba/profiles/
	read only = No
	store dos attributes = Yes
	vfs objects = acl_xattr

[users]
	force create mode = 0600
	force directory mode = 0700
	path = /srv/samba/users/
	read only = No

[printers]
	browseable = No
	comment = All Printers
	create mask = 0700
	path = /var/spool/samba
	printable = Yes

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

## In Samba log files matching the computer's IP:
# cat /var/log/samba/log.10.11.12.153

[...]
[2018/09/20 10:15:57.475422, 3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |profiles| in dfs path \DC\profiles is not a dfs root.
[2018/09/20 10:15:57.475451, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2018/09/20 10:15:57.475858,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 10.11.12.153 (10.11.12.153)
[2018/09/20 10:15:57.475912, 3] ../source3/smbd/service.c:595(make_connection_snum)
  Connect path is '/srv/samba/profiles/' for service [profiles]
[2018/09/20 10:15:57.475938, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2018/09/20 10:15:57.475946, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2018/09/20 10:15:57.475954, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2018/09/20 10:15:57.475966, 2] ../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service profiles
[2018/09/20 10:15:57.476109, 2] ../source3/smbd/service.c:841(make_connection_snum)
  10.11.12.153 (ipv4:10.11.12.153:61964) connect to service profiles initially as user AD-LAN\mbo (uid=1000, gid=513) (pid 7848)
[...]

I would appreciate advice on what causes the mentioned "Access denied" problem and how to handle it.

Sincerely,
Konstantin
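Editor's note: when troubleshooting a share like the one above, the useful signals in a level-3 smbd log are the NT_STATUS results, which share the client actually connected to and as which uid/gid, and which VFS modules were loaded for it. The following parser is an added example, not code from the original post or from the Samba project. It assumes the log layout shown in the post (a bracketed header line "[timestamp, level] file:line(function)" followed by indented message lines); the sample log is constructed from the lines quoted in the post, and the regular expressions are the editor's own.

```python
import re
from dataclasses import dataclass


@dataclass
class LogEntry:
    """One smbd log entry: header fields plus the joined message lines."""
    ts: str
    level: int
    source: str
    func: str
    message: str


# Header line: "[2018/09/20 10:15:57.475422, 3] ../source3/smbd/msdfs.c:1008(get_referred_path)"
# (assumed layout; any text after the header on the same line is kept as message text)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?:\d+\((?P<func>[^)]+)\))\s*(?P<rest>.*)$"
)
STATUS_RE = re.compile(r"NT_STATUS_[A-Z0-9_]+")
CONNECT_RE = re.compile(
    r"connect to service (?P<service>\S+) initially as user (?P<user>\S+) "
    r"\(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)"
)
VFS_RE = re.compile(r"Initialising custom vfs hooks from \[(?P<module>.+)\]$")

# Constructed sample: the entries quoted in the post, one header line per entry.
SAMPLE_LOG = r"""
[2018/09/20 10:15:57.475422, 3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |profiles| in dfs path \DC\profiles is not a dfs root.
[2018/09/20 10:15:57.475451, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2018/09/20 10:15:57.475858,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 10.11.12.153 (10.11.12.153)
[2018/09/20 10:15:57.475912, 3] ../source3/smbd/service.c:595(make_connection_snum)
  Connect path is '/srv/samba/profiles/' for service [profiles]
[2018/09/20 10:15:57.475938, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2018/09/20 10:15:57.475946, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2018/09/20 10:15:57.475954, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2018/09/20 10:15:57.475966, 2] ../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service profiles
[2018/09/20 10:15:57.476109, 2] ../source3/smbd/service.c:841(make_connection_snum)
  10.11.12.153 (ipv4:10.11.12.153:61964) connect to service profiles initially as user AD-LAN\mbo (uid=1000, gid=513) (pid 7848)
"""


def parse_samba_log(text):
    """Group raw lines into entries; indented lines attach to the preceding header."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(LogEntry(m["ts"], int(m["level"]), m["src"], m["func"], m["rest"].strip()))
        elif entries and raw.strip():
            cur = entries[-1]
            cur.message = f"{cur.message} {raw.strip()}".strip()
    return entries


def nt_status_errors(entries):
    """(timestamp, function, status) for every non-OK NT_STATUS_* in a message."""
    return [
        (e.ts, e.func, status)
        for e in entries
        for status in STATUS_RE.findall(e.message)
        if status != "NT_STATUS_OK"
    ]


def tree_connects(entries):
    """Share connections with the identity smbd mapped the client to."""
    out = []
    for e in entries:
        m = CONNECT_RE.search(e.message)
        if m:
            out.append({"service": m["service"], "user": m["user"],
                        "uid": int(m["uid"]), "gid": int(m["gid"])})
    return out


def vfs_modules(entries):
    """VFS modules smbd reported loading, in load order."""
    out = []
    for e in entries:
        m = VFS_RE.search(e.message)
        if m:
            out.append(m["module"])
    return out


if __name__ == "__main__":
    parsed = parse_samba_log(SAMPLE_LOG)
    print("errors:  ", nt_status_errors(parsed))
    print("connects:", tree_connects(parsed))
    print("vfs:     ", vfs_modules(parsed))
```

Run it against /var/log/samba/log.<client-ip> instead of SAMPLE_LOG to see, per connection, the status codes returned and the uid/gid the profile share was opened with; those two facts, together with the share's force create mode / force directory mode and the on-disk ownership of the profile directory, are what to compare when a client reports 'Access denied'.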
