
Re: [Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon




On 9/21/18 10:38 AM, Rowland Penny via samba wrote:
On 21 Sep 2018 10:10:22 -0400
Konstantin Boyandin via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hello Louis,

In fact, the shares mentioned in my original messages are used in
Windows-only.

The accounts, however, are used in both Windows and Unix-type
environments (we have quite a zoo of OSes in active use); so we
actually use the Posix part of accounts for attributes and Kerberos
component to authenticate in all non-Windows use.

So my primary intent is to make the homes/profiles shares most
convenient and secure from Windows viewpoint.


Let's be honest about this, the sysvol, netlogon and profiles shares are
only used by Windows clients (unless somebody knows differently). This
means that no Unix client needs to be able to connect to them, so the
best way to set the required permissions is to set them from Windows
and add 'acl_xattr:ignore system acls = yes' to each share.


If someone is using SSSD (not a Samba-provided module) instead of winbind and is using its GPO support [1], those Linux clients must be reading sysvol, but not in a direct way in which 'acl_xattr:ignore system acls = yes' can affect them.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo

Rowland


