Web lists-archives.com

Re: [Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon




On Fri, 21 Sep 2018 11:47:47 -0400
Robert Marcano via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On 9/21/18 10:38 AM, Rowland Penny via samba wrote:
> > On 21 Sep 2018 10:10:22 -0400
> > Konstantin Boyandin via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> >> Hello Louis,
> >>
> >> In fact, the shares mentioned in my original messages are used in
> >> Windows-only.
> >>
> >> The accounts, however, are used in both Windows and Unix-type
> >> environments (we have quite a zoo of OSes in active use); so we
> >> actually use the Posix part of accounts for attributes and Kerberos
> >> component to authenticate in all non-Windows use.
> >>
> >> So my primary intent is to make the homes/profiles shares most
> >> convenient and secure from Windows viewpoint.
> >>
> > 
> > Lets be honest about this, the sysvol, netlogon and profiles shares
> > are only used by Windows clients (unless somebody knows
> > differently). This means that no Unix client needs to be able to
> > connect to them, so the best way to set the required permissions is
> > to set them from Windows and add 'acl_xattr:ignore system acls =
> > yes' to each share.
> > 
> 
> If someone is using SSSD (not a Samba provided module) instead of 
> winbind and is using its GPO support [1], those Linux clients must be 
> reading sysvol, but not in a direct way in in which 'acl_xattr:ignore 
> system acls = yes' can affect them
> 

Then that is an sssd problem and, as you have said, it isn't a Samba
product.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba