Hi James,
> I deliberately switched the PROFILES share with the USERS share in order to
> test whether or not there was something obviously wrong with either the
> share definition or the permissions. I understand that one must first
> press on the ok button to trigger the event.
For a user home dir, yes, but for profiles, no.
You can do that, but it won't help much.
Pressing OK only works as follows.
When you create a new user and press OK, SYSTEM impersonates the user and the user folder is created, and it should have the user as owner.
For a user profiles dir, it is when the user logs off that the "user" profile is created.
For the rights on profiles (SHARE rights):
You can use EVERYONE on the share, which makes it easier to manage.
You can also change that to "Authenticated Users", which makes it a bit more secure.
For the rights on profiles (FOLDER rights):
The three (3) entries in the Security tab being:
CREATOR OWNER - Special Permissions
Administrator - Full Control
Domain Users - Special Permissions
Yes, this is all you need and it is secure, but it's all about how you "want" to use things.
I'll explain what happens above.
I can enter the share because I'm in the group EVERYONE. So yes, the world can enter this share.
And no, they can't: to access any share on the server you need to be authenticated.
And the folder rights are making sure that:
1) Domain Users can enter, read and create a folder in the share Profiles.
2) CREATOR OWNER are rights that are set on the content of the folder created above. So the owner always has full control.
3) The user "Administrator" has full control over all folders.
The order of setting the rights can have different results, AND
I really, really do advise setting this on the profile share:
acl_xattr:ignore system acls = yes
In my opinion the profiles share should ONLY be used for profiles.
Setting acl_xattr:ignore system acls = yes helps to make a much better match with Windows ACL rights.
In general, always do the following in this order.
1) Create the share.
2) Set up the share rights (NOT THE FOLDER RIGHTS).
3) IF you need to write something somewhere in the share (subfolders included), you NEED WRITE rights:
   either "Everyone",
   or "Authenticated Users" (and sometimes with "Domain Computers"),
   or "Domain Users" (and sometimes with "Domain Computers"),
   or any group you created ("my advice: only for data access, SO no profiles, no user homedirs, no policy folder and NO software distribution folder").
4) Apply the FOLDER RIGHTS:
   1) Set the "basic" rights (NOT the advanced tab).
   2) Now go to Advanced.
   3) Click Change.
   4) And here set what you want/need. Things like "SYSTEM" can also be needed sometimes, which depends on your needs and use.
   5) Now only apply the needed rights and DON'T inherit, but DO apply on top objects.
Applying on the top object sets the correct rights in underlying folders.
For a DATA share, I advise the following.
Path example: /home/samba/companydata
You share "companydata" with share rights set to any group (I prefer Authenticated Users or Domain Users).
That protects the share/data access.
Now set the security (folder rights) on
/home/samba/companydata
Choose one of these:
1) Do you allow folders to be created by users?
2) Only "Domain Admins" and/or "Folder Admins" can create folders in "companydata".
Based on one of these, set the rights.
If Administrators/Folder Admins need access to subfolders, then in the Advanced tab use "Inherit".
That makes sure that if a subfolder is created, "Domain Admins/Folder Admins" are automatically added to the subfolder rights.
And set the group access PER subfolder (don't forget to ALWAYS SET: CREATOR GROUP).
Pff. Hope I explained this clearly now.
And yes, what's on the wiki is all correct and works.
And this is not "Samba's way" but the general Windows way, so it applies to Windows and Samba.
Greetz,
Louis
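Added example, not from Louis's or James's mail and not Samba project code: a small POSIX shell audit of an smb.conf text for the profiles-share settings discussed above, namely a writable share that carries "acl_xattr:ignore system acls = yes" (plural "acls", the spelling in the vfs_acl_xattr(8) man page). The two smb.conf texts inside it are constructed for this example, modelled on James's posted smb4.conf (share name, path, workgroup and realm are his); the function names and the check for the misspelt singular form are my own additions. It runs offline with awk. On a live DC, "testparm -s" prints the parsed configuration and is the authoritative check, but parametric "module:option" lines are not validated by Samba, so a misspelt option name produces no warning and is simply ignored; that is why the audit looks for the typo explicitly.

```shell
#!/bin/sh
# Added example; not code from this thread or from the Samba project.
# Audits an smb.conf text for two things on a profiles share: it is
# writable, and it carries "acl_xattr:ignore system acls = yes".
# Both config texts below are constructed for the example, modelled on
# James's posted smb4.conf; only share name, path, workgroup and realm
# are taken from his mail, everything else is an assumption.

# As posted: [PROFILES] is writable but has no acl_xattr option at all.
SMBCONF_BEFORE='[global]
    workgroup = BROCKLEY-2016
    realm = BROCKLEY-2016.HARTE-LYNE.CA
    server role = active directory domain controller

[PROFILES]
    path = /var/samba4/BROCKLEY-2016/PROFILES/
    read only = No
'

# Corrected: Samba keeps only the NT ACL stored in the xattr for this
# share and stops mapping it to and from the POSIX ACL.
SMBCONF_AFTER='[global]
    workgroup = BROCKLEY-2016
    realm = BROCKLEY-2016.HARTE-LYNE.CA
    server role = active directory domain controller

[PROFILES]
    path = /var/samba4/BROCKLEY-2016/PROFILES/
    read only = No
    acl_xattr:ignore system acls = yes
'

# get_param CONFIG SECTION NAME: print the value of NAME inside [SECTION].
# Section and name are matched case-insensitively, whitespace is trimmed,
# "#" and ";" comment lines are skipped; prints nothing when NAME is unset.
get_param() {
    printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
        BEGIN { insec = 0; sec = tolower(sec); key = tolower(key) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (tolower(s) == sec); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }'
}

# profiles_share_ok CONFIG SECTION: exit status 0 when the share passes
# both checks, 1 otherwise; each failed check is explained on stderr.
profiles_share_ok() {
    rc=0
    ro=$(get_param "$1" "$2" "read only" | tr 'A-Z' 'a-z')
    ign=$(get_param "$1" "$2" "acl_xattr:ignore system acls" | tr 'A-Z' 'a-z')
    typo=$(get_param "$1" "$2" "acl_xattr:ignore system acl")
    # "read only" defaults to yes when absent, so an empty value fails too.
    case "$ro" in
        no|false|0) ;;
        *) echo "[$2]: not writable (read only = ${ro:-unset})" >&2; rc=1 ;;
    esac
    case "$ign" in
        yes|true|1) ;;
        *) echo "[$2]: acl_xattr:ignore system acls is not yes" >&2; rc=1 ;;
    esac
    if [ -n "$typo" ]; then
        echo "[$2]: 'ignore system acl' is misspelt; Samba ignores it silently" >&2
    fi
    return $rc
}

# Stand-alone run: report both constructed configs.
for name in BEFORE AFTER; do
    eval "cfg=\$SMBCONF_$name"
    if profiles_share_ok "$cfg" PROFILES 2>/dev/null; then
        echo "$name: PROFILES share ok"
    else
        echo "$name: PROFILES share needs fixing"
    fi
done
```

Run it with sh; the loop at the end reports the posted config as needing a fix and the corrected one as ok. To point the same check at a real server, call profiles_share_ok "$(cat /usr/local/etc/smb4.conf)" PROFILES; the parser only understands plain "name = value" lines, not "include =" directives, so it is a pre-check, not a replacement for testparm.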
-----Original message-----
Sent: Friday, 29 July 2016 18:12
To: L.P.H. van Belle
Subject: Re: [Samba] Samba-4.3.11 Roaming profiles on FreeBSD10.3
Post by L.P.H. van Belle
I snipped the best parts and added comments.
> //DC/PROFILES/%USERNAME% does not produce anything on the DC's
> filesystem.
Correct, that only happens when you first log in with the user and then
log off.
> However, using the same string as a mapping for the
> user's home drive works fine. In other words the directory
> //DC/PROFILES/%USERNAME% is created when used as the mapping
> argument.
//DC/PROFILES/%USERNAME% is created when you click on the OK button in
the Windows tool.
> However, the existence of this directory does not cure anything. If
> following creation of the profile directory using the mapping gambit
> one changes the profile to use that directory then when one logs on as
> \\DC\%USERNAME% the profile cannot be found or created on the DC
> for that user. If I rename the existing profile directory to
> PROFILES/%USERNAME%.V2 then I do not get the temporary profile
> error notice when logging in so the profile is found. But when
> logging off I instead get the error notice that the roaming profile
> could not be synchronised and nothing is saved on the host
> filesystem.
It looks like you swapped these 2 paths.
The user folder rights are a bit different from the profiles folder.
But there is too little info to be more precise.
In this path, /home/DOMAIN/users/Userfolders,
share the users folder like
\\DC\users\%username% and now this folder will be automatically created
through RSAT.
IF you assign uid/gid (Samba AD backend), first assign the UID/GID,
THEN set the user homedir.
The wrong order can give the problem of not creating the user folders.
And for the profiles, set up like this:
/home/DOMAIN/profiles/Userfolders
and share like
\\dc\profiles\%username%
Once this is set correctly, now choose:
Windows profiles ACL or (Unix) POSIX ACL.
https://wiki.samba.org/index.php/Implementing_roaming_profiles
and it works.
Check it; if it doesn't work, post the needed info.
And recheck your homedir folders:
https://wiki.samba.org/index.php/User_home_drives
Greetz,
Louis
# cat /usr/local/etc/smb4.conf
# Global parameters
[global]
workgroup = BROCKLEY-2016
realm = BROCKLEY-2016.HARTE-LYNE.CA
netbios name = SAMBA-01
server role = active directory domain controller
dns forwarder = 216.185.71.33
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca/scripts
read only = No
[sysvol]
path = /var/db/samba4/sysvol
read only = No
[PROFILES]
path = /var/samba4/BROCKLEY-2016/PROFILES/
read only = No
[USERS]
path = /var/samba4/BROCKLEY-2016/USERS/
read only = No
Home directories work fine and always have. Users can put files into
their home drives.
# getfacl /var/samba4/BROCKLEY-2016/USERS/
# file: /var/samba4/BROCKLEY-2016/USERS/
# owner: root
# group: BROCKLEY-2016\domain admins
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:BROCKLEY-2016\domain admins:rwx
group::rwx
group:3000002:rwx
group:3000003:r-x
group:BROCKLEY-2016\domain admins:rwx
mask::rwx
other::---
# ll /var/samba4/BROCKLEY-2016/USERS/testing12
total 12
drwxrwx---+ 2 BROCKLEY-2016\testing12 staff 512 Jul 29 10:14 Testing
-rwxrwx---+ 1 BROCKLEY-2016\testing12 staff 0 Jul 29 10:15 Testing.txt.txt
# wbinfo -u
BROCKLEY-2016\administrator
BROCKLEY-2016\testing11
BROCKLEY-2016\testing12
BROCKLEY-2016\krbtgt
BROCKLEY-2016\guest
I deliberately switched the PROFILES share with the USERS share in
order to test whether or not there was something obviously wrong with
either the share definition or the permissions. I understand that one
must first press on the ok button to trigger the event.
I did not set a POSIX uid for BROCKLEY-2016\testing12. I have not set
any UNIX Attributes on any of the builtin users or groups.
I have followed the instructions for setting up roaming profiles to
the best of my ability to follow them. Evidently there is some
assumed knowledge that I do not have.
To begin with. What should the share permission be? This window is
not commented upon in the Roaming profile set-up but is in the Home
directories set-up. By default the initial state for any share has
Everyone with Full Control. Is this what is meant to be left in the
Share Permissions?
In the security tab only the advanced permissions entries are shown
and the entire panel is not displayed. Are the three entities
displayed the ONLY members that are to be present?
There is a check-box in the advanced Security settings called 'Include
inheritable permissions from this object's parent' that is enabled by
default. There is no mention of this on the roaming page.
When I perform exactly the steps listed in the roaming profiles I get
a warning that I am changing the root properties and asking if I want
to proceed. Again no mention of this.
Assuming that the three entities shown in the advanced tab are all
that are meant to be present I deleted the others. Again, there are
no instructions to do this but neither is there any mention of the
other entities existence.
CREATOR OWNER - Special Permissions
Administrator - Full Control
Domain Users - Special Permissions
Is this correct? Should any other entries be present?
Everyone - Full Control
So, what am I to make of this? It does not strike me as being correct
but there is no mention of it. However, if it is left in place then
profile directories are created and if it is removed profiles are not.
So it appears necessary. But what are its implications and why are
they not discussed? If Everyone has Full Control of the PROFILES
share then of course everything is permitted by anyone on anything.
The security permissions notwithstanding. Or does Everyone - Full
Control not mean what it appears to mean?
If I look at the example on
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs there the
Share Permissions have only Domain Admins and they do not have Full
Control. The instructions on
https://wiki.samba.org/index.php/Implementing_roaming_profiles say
Setup a share named "Profiles" according to the documentation
Shares with Windows ACLs
Set the following ACLs on the root of the Profiles share according
to Set ACLs on the root of a share
How much of the instruction on the references apply to roaming
profiles? Do I remove Everyone - Full Control from the Share
Permissions and replace it with Domain Admins - Change and Read as
shown in the references? Because that is what I did to begin with and
evidently that is enough to break roaming profiles.
As I wrote earlier my experience with MS-Windows in general, and AD-DC
in particular, is terribly out of date and quite limited in any case.
So perhaps what this apparent contradiction means is very different
than what I believe it should.
None of this is meant as any criticism of either the software or the
documentation. I am simply describing my experience with it based on
my existing knowledge.
However, if Everyone - Full Control in the Share Permissions IS
required for roaming shares to work then it would be nice to have this
information explicitly set out on the wiki page. At the moment, with
Everyone -Full Control roaming profiles are correctly created and
populated. However, I cannot proceed until I know that this is
required and that I have not opened some massive security hole by
leaving it.
Sincerely,
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3