Problems with samba and profile syncing from various windows versions


Problems with samba and profile syncing from various windows versions

Samba - General mailing list
Hi!

I've got an old samba installation, now thanks to you all - successfully
upgraded to ubuntu 16.04. Samba is the packaged version
4.3.11+dfsg-0ubuntu0.16.04.6.

The problem I have is that for some users their profiles do not sync
properly. They seem to upload onto the server, and then at the next logon
some files that were deleted by the user come back. Whether it is on a
per-user basis or a per-workstation basis is hard to diagnose right now. For
most of the users everything works fine. The problem can pop up on a
windows 10 workstation, 7 or even an XP (yes, we have some crap like this
still running).

I cannot seem to find anything relevant in the logs. My smb.conf goes
below. The profiles go into [profiles].

Question: How can I analyse and diagnose such an issue? What should I look at?
Are the windows workstations to blame or some setting on the server?

smb.conf:

[global]
        workgroup = CUT
        realm = CUT
        netbios name = CUT
        server role = active directory domain controller
        dns forwarder = 192.168.0.252
        max open files = 57000

        full_audit:prefix = %u|%I|%m|%S
        full_audit:success = mkdir rename unlink rmdir pwrite
        full_audit:failure = none
        full_audit:facility = local7
        full_audit:priority = NOTICE

        log level = 1
        tls enabled = yes
        tls keyfile = /var/lib/samba/private/tls/key.pem
        tls certfile = /var/lib/samba/private/tls/cert.pem
        tls cafile = /var/lib/samba/private/tls/ca.pem
        tls verify peer = no_check
        ldap server require strong auth = no

        winbind enum groups = yes
        winbind enum users = yes

[netlogon]
        path = /var/local/samba/var/lib/samba/netlogon
        read only = No
        guest ok = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[profiles]
        path = /var/local/samba/var/lib/samba/profiles
        read only = no
        browseable = no
        create mask = 0600
        directory mask = 0700
        profile acls = yes
        vfs objects = full_audit

[and then come lots of different shares]
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
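The question above is how to analyse which user or workstation is behind the files that reappear. The [profiles] share in the smb.conf already logs mkdir, rename, unlink, rmdir and pwrite through vfs_full_audit with the prefix %u|%I|%m|%S, so every syslog record carries the user, client IP, workstation and share. The script below is an added example, not something from the thread or from the Samba project. It assumes the record layout "smbd_audit: prefix|operation|ok|arguments" that vfs_full_audit writes, and it parses constructed sample records (the host name, user names and paths are made up) to list the deletions on the profiles share and to count from how many workstations each user's profile is written, which is the per-user versus per-workstation question the post raises: a profile uploaded from two machines is the usual reason a deleted file comes back.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): summarise vfs_full_audit
# records for a roaming-profiles share. Assumes the smb.conf settings from the
# post: full_audit:prefix = %u|%I|%m|%S and success = mkdir rename unlink rmdir pwrite,
# which (assumption) yields records of the form
#   smbd_audit: user|ip|machine|share|operation|ok|arg[|arg...]
# The log lines below are constructed sample data, not real logs.

SAMPLE_LOG='May  3 08:01:12 dc1 smbd_audit: jdoe|192.168.0.21|PC21|profiles|pwrite|ok|jdoe.V2/Desktop/report.docx
May  3 08:01:13 dc1 smbd_audit: jdoe|192.168.0.21|PC21|profiles|unlink|ok|jdoe.V2/Desktop/old.txt
May  3 08:02:40 dc1 smbd_audit: jdoe|192.168.0.35|PC35|profiles|rename|ok|jdoe.V2/Desktop/report.docx|jdoe.V2/Desktop/report-final.docx
May  3 08:03:01 dc1 smbd_audit: asmith|192.168.0.40|PC40|data|unlink|ok|shared/notes.txt
May  3 08:05:17 dc1 smbd_audit: jdoe|192.168.0.21|PC21|profiles|mkdir|ok|jdoe.V2/Desktop/old'

# profile_events LOGTEXT SHARE OPERATION
# Prints "user workstation arguments" for every successful record of that
# operation on that share. A rename carries two path arguments, kept joined by |.
profile_events() {
    printf '%s\n' "$1" | awk -v share="$2" -v op="$3" '
        /smbd_audit: / {
            sub(/^.*smbd_audit: /, "")          # drop syslog timestamp, host and tag
            n = split($0, f, "|")
            if (n >= 7 && f[4] == share && f[5] == op && f[6] == "ok") {
                args = f[7]
                for (i = 8; i <= n; i++) args = args "|" f[i]
                print f[1], f[3], args
            }
        }'
}

# workstations_per_user LOGTEXT SHARE
# Prints "user count": the number of distinct workstations that wrote to that
# user's profile. A count above 1 is the first thing to look at when deleted
# files come back after the next logon.
workstations_per_user() {
    printf '%s\n' "$1" | awk -v share="$2" '
        /smbd_audit: / {
            sub(/^.*smbd_audit: /, "")
            n = split($0, f, "|")
            if (n >= 7 && f[4] == share && f[6] == "ok") seen[f[1] SUBSEP f[3]] = 1
        }
        END {
            for (k in seen) { split(k, p, SUBSEP); count[p[1]]++ }
            for (u in count) print u, count[u]
        }' | sort
}

# Stand-alone run over the sample; on a real server feed it the syslog file
# that receives facility local7, e.g. profile_events "$(cat /var/log/syslog)" profiles unlink
echo "deletions on [profiles]:"
profile_events "$SAMPLE_LOG" profiles unlink
echo "workstations writing each profile:"
workstations_per_user "$SAMPLE_LOG" profiles
```

On the sample, jdoe's profile is written from PC21 and PC35 while the deletion came from PC21 only; that is exactly the pattern in which the other machine's upload restores the file. The share name and operation are parameters, so the same functions work for the rename and rmdir records or for another audited share.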

Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
On Wed, 3 May 2017 09:15:30 +0200
Jakub Kulesza via samba <[hidden email]> wrote:

>
> [profiles]
>  path = /var/local/samba/var/lib/samba/profiles
>  read only = no
>  browseable = no
>  create mask = 0600
>  directory mask = 0700
>  profile acls = yes
>         vfs objects = full_audit
>

Sorry, but this doesn't work on a Samba AD DC, you will have to use
windows ACL's, see here:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Rowland




Samba-wiki info about profiles and SYSTEM account.

Samba - General mailing list
Hai,

I just saw the new site for the profiles :-) didn't notice that.
Looks nice.

Now I saw the link to:
https://wiki.samba.org/index.php/The_SYSTEM_Account 
This is very very disturbing....

Especially these lines:
"The SYSTEM account is never sent to a remote host to authenticate and for this reason never used to access a remote file system"

"For this reasons, you can omit the SYSTEM account in file system ACLs on Samba shares."
Now this is not OK in my belief.

And the funny part, the first reference link.
https://support.microsoft.com/en-us/help/120929/how-the-system-account-is-used-in-windows 
Which states :

. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu.
By default, the system account is granted full control to all files on an NTFS volume.
And ...    
>>>    The system account's permissions can be removed from a file but it is not recommended.

The last line on the wiki.
>  For this reasons, you can omit the SYSTEM account in file system ACLs on Samba shares.  

Now when it goes wrong if you remove SYSTEM from the samba shares...

Example 1:
Try to do the following.
Add the Administrators security group to roaming user profiles in Computer Configuration \ Administrative Templates \ System \ User Profiles

This happens.
 When a new roaming profile directory is created, Windows disables permission inheritance and grants SYSTEM and the profile’s user account full control.
.... Grants who... Yes SYSTEM!

Example 2
If you see something like:
The Application Event Viewer indicates errors that the MSI package installation failed with an error ‘Package source not located’.

1) On the target computer, log in as an administrator.
2) Schedule an AT job for 1 minute ahead of the current time to launch a command prompt as NT Authority\System:
a. C:\> at 1:00pm /interactive cmd.exe
3) After the command prompt window to appear, you will have "NT Authority\System access."
4) Attempt to list the contents of the share using the UNC path:
a. C:\> dir \\server\share   - You should receive a directory listing of the files on the share

Remove SYSTEM and this won't work.

Example 3.
A program that runs under the NT Authority\System, but the software is on a samba share.
For example, software updaters with packages. My zarafa updater runs as user SYSTEM.
My packages are on the samba shares.. ...


Example 4.
Last one, lunch time.
Install a virus scanner (which mostly runs as SYSTEM) and set it to scan your network shares.


Anyone else have comments on the above? I don't know everything, so shoot me if I'm wrong here.
But removing user SYSTEM from the shares is really bad advice.
Yes, it's an option, but NOT for sysvol and profiles or shares where you deploy files.


Greetz,

Louis



Re: Samba-wiki info about profiles and SYSTEM account.

Samba - General mailing list
Hi Louis,

it seems we are both right:

I talked with Volker about the necessity of SYSTEM in ACLs on a Samba
server: From Samba side, SYSTEM is not required in ACLs. It's important
that the domain user or machine account, that is used to authenticate to
the share, is able to access the content.

SYSTEM is a local security principal on the client and not sent over the
network to authenticate. When a local service on a domain member uses
SYSTEM to access a domain network share, it authenticates as
computername$. To access the content, it is necessary that this machine
account is allowed to access the content. For example, because it is
listed explicitly, as member of a group, or allowed by a general
principal, such as "Authenticated Users". If the local SYSTEM account
accesses the server using the computername$ account, the SYSTEM account
in the ACLs is not used on the server to validate if computername$ is
allowed to access the content - computername$ must somehow have access.

On the other side, there may be some Windows services that require
that some ACLs are present on the remote server. For example, a service
might not work if the ACLs on the remote server do not contain the
SYSTEM account - even if it is not used on the server to access the
content itself. This is what you discovered.

I will update the docs accordingly.

Regards,
Marc




On 03.05.2017 at 12:22, L.P.H. van Belle via samba wrote:

> Hai,
>
> I just saw the new site for the profiles :-) didnt notice that.
> Looks nice.
>
> Now i saw the link to :
> https://wiki.samba.org/index.php/The_SYSTEM_Account
> This is very very disturbing....
>
> Especially these lines:
> "The SYSTEM account is never sent to a remote host to authenticate and for this reason never used to access a remote file system"
>
> "For this reasons, you can omit the SYSTEM account in file system ACLs on Samba shares."
> Now this is not ok in my believe.
>
> And the funny part, first reference link.
> https://support.microsoft.com/en-us/help/120929/how-the-system-account-is-used-in-windows
> Which states :
>
> . On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu.
> By default, the system account is granted full control to all files on an NTFS volume.
> And ...
>>>>     The system account's permissions can be removed from a file but it is not recommended.
>
> The last line on the wiki.
>>   For this reasons, you can omit the SYSTEM account in file system ACLs on Samba shares.
>
> Now when it goes wrong if you remove SYSTEM from the samba shares...
>
> Example 1:
> Try to do the following.
> Add the Administrators security group to roaming user profiles in Computer Configuration \ Administrative Templates \ System \ User Profiles
>
> This happens.
>   When a new roaming profile directory is created, Windows disables permission inheritance and grants SYSTEM and the profile’s user account full control.
> .... Grants who... Yes SYSTEM!
>
> Example 2
> If you see something like:
> The Application Event Viewer indicates errors that the MSI package installation failed with an error ‘Package source not located’.
>
> 1) On the target computer, log in as an administrator.
> 2) Schedule an AT job for 1 minute ahead of the current time to launch a command prompt as NT Authority\System:
> a. C:\> at 1:00pm /interactive cmd.exe
> 3) After the command prompt window to appear, you will have "NT Authority\System access."
> 4) Attempt to list the contents of the share using the UNC path:
> a. C:\> dir \\server\share   - You should receive a directory listing of the files on the share
>
> Remove system and this wont work.
>
> Example 3.
> A program that runs under the NT Authority\System, but the software is on a samba share.
> For example, software updaters with packages. My zarafa updater runs as user SYSTEM.
> My packages are on the samba shares.. ...
>
>
> Example 4.
> Last one, lunch time.
> Install a virusscanner, ( which mostly runs as system ) and set it to scan you network shares.
>
>
> Anyone else comments on above. I dont know everything so shoot me if im wrong here.
> But removing user SYSTEM from the shares is really bad advice,
> Yes, its an option, but NOT for sysvol and profiles or shares where you deploy files.
>
>
> Greetz,
>
> Louis
>
>


Re: Samba-wiki info about profiles and SYSTEM account.

Samba - General mailing list
Hai Marc,

Great to have that clear now.

Now, ... Sorry about this one but.. Ping;.... ;-)
https://bugzilla.samba.org/show_bug.cgi?id=12257   Windows 10 unable to update group policy.
https://bugzilla.samba.org/show_bug.cgi?id=12263   unable to edit / create GPO  

Fixed when you apply system on the sysvol folder.  ;-)
2 bugs less ;-)


Greetz,

Louis

> -----Original message-----
> From: Marc Muehlfeld [mailto:[hidden email]]
> Sent: Wednesday 3 May 2017 15:44
> To: L.P.H. van Belle; samba
> Subject: Re: [Samba] Samba-wiki info about profiles and
> SYSTEM account.
>
> Hi Louis,
>
> it seems we are both right:
>
> I talked with Volker about the necessity of SYSTEM in ACLs on a Samba
> server: From Samba side, SYSTEM is not required in ACLs. It's
> important that the domain user or machine account, that is
> used to authenticate to the share, is able to access the content.
>
> SYSTEM is a local security principal on the client and not
> sent over the network to authenticate. When a local service
> on a domain member uses SYSTEM to access a domain network
> share, it authenticates as computername$. To access the
> content, it is necessary that this machine account is allowed
> to access the content. For example, because it is listed
> explicitely, as member of a group, or allowed by a general
> principal, such as "Authenticated Users". If the local SYSTEM
> account accesses the server using the computername$ account,
> the SYSTEM account in the ACLs is not used on the server to
> validate if computername$ is allowed to access the content -
> computername$ must somehow have access.
>
> On the other side, there are be some Windows services that
> may require that some ACLs are present on the remote server.
> For example, a service might not work if the ACLs on the
> remote server do not contain the SYSTEM account - even if it
> is not used on the server to access the content itself. This
> is what you discovered.
>
> I will update the docs accordingly.
>
> Regards,
> Marc
>
>
>
>
> On 03.05.2017 at 12:22, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > I just saw the new site for the profiles :-) didnt notice that.
> > Looks nice.
> >
> > Now i saw the link to :
> > https://wiki.samba.org/index.php/The_SYSTEM_Account
> > This is very very disturbing....
> >
> > Especially these lines:
> > "The SYSTEM account is never sent to a remote host to
> authenticate and for this reason never used to access a
> remote file system"
> >
> > "For this reasons, you can omit the SYSTEM account in file
> system ACLs on Samba shares."
> > Now this is not ok in my believe.
> >
> > And the funny part, first reference link.
> >
> https://support.microsoft.com/en-us/help/120929/how-the-system-account
> > -is-used-in-windows
> > Which states :
> >
> > . On the other hand, the system account does show up on an
> NTFS volume in File Manager in the Permissions portion of the
> Security menu.
> > By default, the system account is granted full control to
> all files on an NTFS volume.
> > And ...
> >>>>     The system account's permissions can be removed from
> a file but it is not recommended.
> >
> > The last line on the wiki.
> >>   For this reasons, you can omit the SYSTEM account in
> file system ACLs on Samba shares.
> >
> > Now when it goes wrong if you remove SYSTEM from the samba shares...
> >
> > Example 1:
> > Try to do the following.
> > Add the Administrators security group to roaming user profiles in
> > Computer Configuration \ Administrative Templates \ System \ User
> > Profiles
> >
> > This happens.
> >   When a new roaming profile directory is created, Windows
> disables permission inheritance and grants SYSTEM and the
> profile’s user account full control.
> > .... Grants who... Yes SYSTEM!
> >
> > Example 2
> > If you see something like:
> > The Application Event Viewer indicates errors that the MSI
> package installation failed with an error ‘Package source not
> located’.
> >
> > 1) On the target computer, log in as an administrator.
> > 2) Schedule an AT job for 1 minute ahead of the current
> time to launch a command prompt as NT Authority\System:
> > a. C:\> at 1:00pm /interactive cmd.exe
> > 3) After the command prompt window to appear, you will
> have "NT Authority\System access."
> > 4) Attempt to list the contents of the share using the UNC path:
> > a. C:\> dir \\server\share   - You should receive a
> directory listing of the files on the share
> >
> > Remove system and this wont work.
> >
> > Example 3.
> > A program that runs under the NT Authority\System, but the
> software is on a samba share.
> > For example, software updaters with packages. My zarafa
> updater runs as user SYSTEM.
> > My packages are on the samba shares.. ...
> >
> >
> > Example 4.
> > Last one, lunch time.
> > Install a virusscanner, ( which mostly runs as system ) and
> set it to scan you network shares.
> >
> >
> > Anyone else comments on above. I dont know everything so
> shoot me if im wrong here.
> > But removing user SYSTEM from the shares is really bad advice, Yes,
> > its an option, but NOT for sysvol and profiles or shares
> where you deploy files.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
>
>



Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
Thanks for pointing this out.

I have read that again, now my profiles do not have "vfs objects =
full_audit" and disabled the csc policy. I have verified that I have set up
my profiles share properly and that it has all the right entitlements. I
have reset the entitlements for the users that have issues (as
Administrator right click on the folder and do the dance there with
Windows). We'll see tomorrow.

Is "profile acls" required anymore on Samba 4.3? What effect will it have
on Windows 10?


2017-05-03 9:52 GMT+02:00 Rowland Penny <[hidden email]>:

> On Wed, 3 May 2017 09:15:30 +0200
> Jakub Kulesza via samba <[hidden email]> wrote:
>
> >
> > [profiles]
> >  path = /var/local/samba/var/lib/samba/profiles
> >  read only = no
> >  browseable = no
> >  create mask = 0600
> >  directory mask = 0700
> >  profile acls = yes
> >         vfs objects = full_audit
> >
>
> Sorry, but this doesn't work on a Samba AD DC, you will have to use
> windows ACL's, see here:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Rowland
>
>
>

Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
Small sidenote in regards to the wiki: there is also a V6 since the Windows
10 Anniversary update.

https://technet.microsoft.com/en-us/library/jj649079%28v=ws.11%29.aspx


On 03.05.2017 at 09:52, Rowland Penny via samba wrote:

> On Wed, 3 May 2017 09:15:30 +0200
> Jakub Kulesza via samba <[hidden email]> wrote:
>
>> [profiles]
>>   path = /var/local/samba/var/lib/samba/profiles
>>   read only = no
>>   browseable = no
>>   create mask = 0600
>>   directory mask = 0700
>>   profile acls = yes
>>          vfs objects = full_audit
>>
> Sorry, but this doesn't work on a Samba AD DC, you will have to use
> windows ACL's, see here:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Rowland
>
>
>



Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
On Wed, 3 May 2017 22:48:06 +0200
Jakub Kulesza via samba <[hidden email]> wrote:

> Thanks for pointing this out.
>
> I have read that again, now my profiles do not have "vfs objects =
> full_audit" and disabled the csc policy. I have verified that I have
> set up my profiles share properly and that it has all the right
> entitlements. I have reset the entitlements for the users that have
> issues (as Administrator right click on the folder and do the dance
> there with Windows). We'll see tomorrow.
>
> Is "profile acls" required anymore on Samba 4.3? What effect will it
> have on Windows 10?
>

On a Samba AD DC, no, you must use windows ACLs, but, on a Unix domain
member, you can use the old way i.e. 'create mask' etc

Rowland
 


Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
On Thu, 4 May 2017 09:07:11 +0200
Arnaud FLORENT <[hidden email]> wrote:

> On 04/05/2017 at 08:45, Rowland Penny via samba wrote:
> > On Wed, 3 May 2017 22:48:06 +0200
> > Jakub Kulesza via samba <[hidden email]> wrote:
> >
> >> Thanks for pointing this out.
> >>
> >> I have read that again, now my profiles do not have "vfs objects =
> >> full_audit" and disabled the csc policy. I have verified that I
> >> have set up my profiles share properly and that it has all the
> >> right entitlements. I have reset the entitlements for the users
> >> that have issues (as Administrator right click on the folder and
> >> do the dance there with Windows). We'll see tomorrow.
> >>
> >> Is "profile acls" required anymore on Samba 4.3? What effect will
> >> it have on Windows 10?
> >>
> > On a Samba AD DC, no, you must use windows ACLs, but, on a Unix
> > domain member, you can use the old way i.e. 'create mask' etc
> >
> > Rowland
> >  
> >
> Could you explain why  the old way can not be used please?
>
> why only shares using extended ACLs are supported on a Samba AD DC?
>
> extended ACL support is automatically enabled globally
> but there may be a way to disable it for a specific share?

You answered your question yourself ;-)

Extended ACL support is automatically enabled globally and you cannot
turn it off.

Rowland




Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
On Thu, 4 May 2017 09:39:17 +0200
Arnaud FLORENT <[hidden email]> wrote:

>
>
> On 04/05/2017 at 09:36, Rowland Penny wrote:
> > On Thu, 4 May 2017 09:07:11 +0200
> > Arnaud FLORENT <[hidden email]> wrote:
> >
> >> On 04/05/2017 at 08:45, Rowland Penny via samba wrote:
> >>> On Wed, 3 May 2017 22:48:06 +0200
> >>> Jakub Kulesza via samba <[hidden email]> wrote:
> >>>
> >>>> Thanks for pointing this out.
> >>>>
> >>>> I have read that again, now my profiles do not have "vfs objects
> >>>> = full_audit" and disabled the csc policy. I have verified that I
> >>>> have set up my profiles share properly and that it has all the
> >>>> right entitlements. I have reset the entitlements for the users
> >>>> that have issues (as Administrator right click on the folder and
> >>>> do the dance there with Windows). We'll see tomorrow.
> >>>>
> >>>> Is "profile acls" required anymore on Samba 4.3? What effect will
> >>>> it have on Windows 10?
> >>>>
> >>> On a Samba AD DC, no, you must use windows ACLs, but, on a Unix
> >>> domain member, you can use the old way i.e. 'create mask' etc
> >>>
> >>> Rowland
> >>>    
> >>>
> >> Could you explain why  the old way can not be used please?
> >>
> >> why only shares using extended ACLs are supported on a Samba AD DC?
> >>
> >> extended ACL support is automatically enabled globally
> >> but there may be a way to disable it for a specific share?
> > You answered your question yourself ;-)
> >
> > Extended ACL support is automatically enabled globally and you
> > cannot turn it off.
> >
> > Rowland
> >
> >
> nt acl =no
> seems to work
>
> am i wrong to use this?

YES!

> what kind of errors may occurs?

The AD DC relies on NT ACLs, you need to accept that you must use
Windows ACLs on a Samba AD DC if you use it as a fileserver. If you
must use the old way of doing things, set up a Unix domain member and
use this as a fileserver instead.

If you go here:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Under the heading 'Using POSIX ACLs', you will find an info box
containing this:

 When setting up the share on a Samba Active Directory (AD) domain
 controller (DC), you cannot use POSIX ACLs. On an Samba DC, only
 shares using extended ACLs are supported. For further details, see
 Enable Extended ACL Support in the smb.conf File. To set up the share
 on a Samba AD DC, see Setting up the Profiles Share on the Samba File
 Server - Using Windows ACLs.

This wasn't written for no reason.

Rowland


Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list


On 04/05/2017 at 10:01, Rowland Penny wrote:

> On Thu, 4 May 2017 09:39:17 +0200
> Arnaud FLORENT <[hidden email]> wrote:
>
>>
>> On 04/05/2017 at 09:36, Rowland Penny wrote:
>>> On Thu, 4 May 2017 09:07:11 +0200
>>> Arnaud FLORENT <[hidden email]> wrote:
>>>
>>>> On 04/05/2017 at 08:45, Rowland Penny via samba wrote:
>>>>> On Wed, 3 May 2017 22:48:06 +0200
>>>>> Jakub Kulesza via samba <[hidden email]> wrote:
>>>>>
>>>>>> Thanks for pointing this out.
>>>>>>
>>>>>> I have read that again, now my profiles do not have "vfs objects
>>>>>> = full_audit" and disabled the csc policy. I have verified that I
>>>>>> have set up my profiles share properly and that it has all the
>>>>>> right entitlements. I have reset the entitlements for the users
>>>>>> that have issues (as Administrator right click on the folder and
>>>>>> do the dance there with Windows). We'll see tomorrow.
>>>>>>
>>>>>> Is "profile acls" required anymore on Samba 4.3? What effect will
>>>>>> it have on Windows 10?
>>>>>>
>>>>> On a Samba AD DC, no, you must use windows ACLs, but, on a Unix
>>>>> domain member, you can use the old way i.e. 'create mask' etc
>>>>>
>>>>> Rowland
>>>>>    
>>>>>
>>>> Could you explain why  the old way can not be used please?
>>>>
>>>> why only shares using extended ACLs are supported on a Samba AD DC?
>>>>
>>>> extended ACL support is automatically enabled globally
>>>> but there may be a way to disable it for a specific share?
>>> You answered your question yourself ;-)
>>>
>>> Extended ACL support is automatically enabled globally and you
>>> cannot turn it off.
>>>
>>> Rowland
>>>
>>>
>> nt acl =no
>> seems to work
>>
>> am i wrong to use this?
> YES!
>
>> what kind of errors may occurs?
> The AD DC relies on NT ACLs, you need to accept that you must use
> Windows ACLs on a Samba AD DC if you use it as a fileserver. If you
> must use the old way of doing things, set up a Unix domain member and
> use this as a fileserver instead.
>
> If you go here:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Under the heading 'Using POSIX ACLs', you will find an info box
> containing this:
>
>   When setting up the share on a Samba Active Directory (AD) domain
>   controller (DC), you cannot use POSIX ACLs. On an Samba DC, only
>   shares using extended ACLs are supported. For further details, see
>   Enable Extended ACL Support in the smb.conf File. To set up the share
>   on a Samba AD DC, see Setting up the Profiles Share on the Samba File
>   Server - Using Windows ACLs.
>
> This wasn't written for no reason.
>
> Rowland
Thank you Rowland

so my next question is

is there a way to setup the share and windows acl only from server
command line?




Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
On Thu, 4 May 2017 10:22:30 +0200
Arnaud FLORENT <[hidden email]> wrote:

>
> so my next question is
>
> is there a way to setup the share and windows acl only from server
> command line?
>

I personally do not know of a way that will work exactly as setting
the ACLs from Windows. You could try using setfacl and setattr, but,
as I have never tried it, I do not know exactly how to do this,
perhaps someone else does ;-)

Rowland
 



Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
A way to do this for the ACL: copy the default, create a file from it and use that.
For the share rights, I don't know, haven't tried that.

getfacl path_to_sysvol

You get something like this :  

getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---


Create a file with the needed content.
Then  setfacl -M FILE-ACL.txt -R /var/lib/samba/sysvol
Change path to sysvol if needed.

Important one.
You need to find the id for user SYSTEM; in the above example, 3000002 is SYSTEM for me.
There are mostly 2 numeric ids and only one with RWX rights. That's SYSTEM.
Most things work without SYSTEM, but I recommend you set it.

But preferred is to do this from within Windows.
Just join a PC to the domain and log in with a user with "Domain Admins" rights.
And set it up as the wiki shows.




Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Arnaud FLORENT via samba
> Sent: Thursday 4 May 2017 10:22
> To: Rowland Penny; [hidden email]
> Subject: Re: [Samba] Problems with samba and profile
> syncing from various windows versions
>
>
>
> On 04/05/2017 at 10:01, Rowland Penny wrote:
> > On Thu, 4 May 2017 09:39:17 +0200
> > Arnaud FLORENT <[hidden email]> wrote:
> >
> >>
> >> On 04/05/2017 at 09:36, Rowland Penny wrote:
> >>> On Thu, 4 May 2017 09:07:11 +0200
> >>> Arnaud FLORENT <[hidden email]> wrote:
> >>>
> >>>> On 04/05/2017 at 08:45, Rowland Penny via samba wrote:
> >>>>> On Wed, 3 May 2017 22:48:06 +0200
> >>>>> Jakub Kulesza via samba <[hidden email]> wrote:
> >>>>>
> >>>>>> Thanks for pointing this out.
> >>>>>>
> >>>>>> I have read that again, now my profiles do not have
> "vfs objects
> >>>>>> = full_audit" and disabled the csc policy. I have
> verified that I
> >>>>>> have set up my profiles share properly and that it has all the
> >>>>>> right entitlements. I have reset the entitlements for
> the users
> >>>>>> that have issues (as Administrator right click on the
> folder and
> >>>>>> do the dance there with Windows). We'll see tomorrow.
> >>>>>>
> >>>>>> Is "profile acls" required anymore on Samba 4.3? What
> effect will
> >>>>>> it have on Windows 10?
> >>>>>>
> >>>>> On a Samba AD DC, no, you must use windows ACLs, but, on a Unix
> >>>>> domain member, you can use the old way i.e. 'create mask' etc
> >>>>>
> >>>>> Rowland
> >>>>>    
> >>>>>
> >>>> Could you explain why  the old way can not be used please?
> >>>>
> >>>> why only shares using extended ACLs are supported on a
> Samba AD DC?
> >>>>
> >>>> extended ACL support is automatically enabled globally but there
> >>>> may be a way to disable it for a specific share?
> >>> You answered your question yourself ;-)
> >>>
> >>> Extended ACL support is automatically enabled globally and you
> >>> cannot turn it off.
> >>>
> >>> Rowland
> >>>
> >>>
> >> nt acl =no
> >> seems to work
> >>
> >> am i wrong to use this?
> > YES!
> >
> >> what kind of errors may occurs?
> > The AD DC relies on NT ACLs, you need to accept that you must use
> > Windows ACLs on a Samba AD DC if you use it as a fileserver. If you
> > must use the old way of doing things, set up a Unix domain
> member and
> > use this as a fileserver instead.
> >
> > If you go here:
> >
> > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> >
> > Under the heading 'Using POSIX ACLs', you will find an info box
> > containing this:
> >
> >   When setting up the share on a Samba Active Directory (AD) domain
> >   controller (DC), you cannot use POSIX ACLs. On an Samba DC, only
> >   shares using extended ACLs are supported. For further details, see
> >   Enable Extended ACL Support in the smb.conf File. To set
> up the share
> >   on a Samba AD DC, see Setting up the Profiles Share on
> the Samba File
> >   Server - Using Windows ACLs.
> >
> > This wasn't written for no reason.
> >
> > Rowland
> Thank you, Rowland
>
> So my next question is:
>
> Is there a way to set up the share and Windows ACLs from the
> server command line only?
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>



Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
In reply to this post by Samba - General mailing list
Am 04.05.2017 um 10:22 schrieb Arnaud FLORENT via samba:
> Is there a way to set up the share and Windows ACLs from the server
> command line only?

Yes: smbcacls. It's really cool, but nobody seems to know it. :-)

The problem is that we have (almost) no documentation about it. The
only doc we have (the man page) is really incomplete.

I recently started writing documentation about it. However, smbcacls is
currently not very user-friendly if you want to set fine-grained
Windows ACLs. For this reason I decided to temporarily stop writing the
documentation. Users won't use the tool if they have to add up multiple
hex values to set fine-grained ACLs.

That's why I recommend that you set the ACLs on a Windows machine at the
moment. It's nothing you often change after you set it up.


Regards,
Marc

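What the smbcacls route looks like in practice, as an added example that is not part of the thread and not Samba project code. It answers the "server command line only" question for the coarse case Marc says the tool handles well (Full Control, no hex masks): a per-user profile folder whose owner is the user and whose only ACEs are the user and SYSTEM, which is the descriptor Windows itself creates on first upload. Everything environment-specific is an assumption: the share path //DC1/profiles, the NetBIOS domain EXAMPLE, the Administrator account, and the jdoe.V6 folder name (the version suffix follows the TechNet page linked later in the thread). The ACE syntax is smbcacls' own, from smbcacls(1). The command runs over SMB against the DC, so a dry run swaps the binary for a stub via the SMBCACLS variable.

```shell
#!/bin/sh
# Added example, not part of the original thread: set Windows ACLs on a roaming
# profile folder from the Samba server's own command line with smbcacls, instead
# of from a Windows workstation.
#
# Assumptions (none of these come from the original post): the share is reached
# as //DC1/profiles, the domain's NetBIOS name is EXAMPLE, the admin account is
# Administrator, and profile folders carry the Windows version suffix
# (jdoe.V6 for Windows 10 1607+).
#
# smbcacls ACE syntax, from smbcacls(1):  ACL:<name>:<ALLOWED|DENIED>/<flags>/<mask>
#   flags: OI (inherit to files), CI (inherit to subfolders)
#   mask:  READ, CHANGE or FULL (finer-grained rights need hex masks)

SMBCACLS="${SMBCACLS:-smbcacls}"   # point this at a stub for a dry run
SHARE="${SHARE:-//DC1/profiles}"
ADMIN="${ADMIN:-Administrator}"

# profile_aces DOMAIN USER -> the ACEs for one user's profile folder: the user
# and SYSTEM get Full Control, inherited by everything beneath; nobody else gets
# an entry, matching what Windows creates itself on the first profile upload.
profile_aces() {
    printf 'ACL:%s\\%s:ALLOWED/OI|CI/FULL,ACL:NT AUTHORITY\\SYSTEM:ALLOWED/OI|CI/FULL' "$1" "$2"
}

# set_profile_acl DOMAIN USER FOLDER -> replace FOLDER's security descriptor.
#   Step 1, -I remove: clear the "inherit from parent" flag and drop the ACEs
#     inherited from the share root, so a read entry for e.g. Domain Users on
#     the root does not leak into the profile, now or after a later root change.
#   Step 2, -S: set the whole descriptor (REVISION, OWNER, GROUP, ACEs); every
#     ACE not listed here is discarded, so the result is exactly profile_aces.
#   The two are separate invocations because -I and -S are separate commands.
set_profile_acl() {
    dom="$1"; usr="$2"; folder="$3"
    "$SMBCACLS" "$SHARE" "$folder" -U "$ADMIN" -I remove || return 1
    "$SMBCACLS" "$SHARE" "$folder" -U "$ADMIN" \
        -S "REVISION:1,OWNER:${dom}\\${usr},GROUP:${dom}\\Domain Users,$(profile_aces "$dom" "$usr")"
}

# Usage: ./profile_acl.sh EXAMPLE jdoe jdoe.V6   (prompts for Administrator's password)
if [ $# -eq 3 ]; then
    set_profile_acl "$1" "$2" "$3"
fi
```

Run it with `SMBCACLS=echo` first to see the two commands it would issue; the folder itself must already exist on the share (create it as Administrator, then let this script hand it to the user), and because the descriptor is replaced wholesale, an admin who still needs to read profiles has to be added as a third ACE rather than relying on inheritance from the share root.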

Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
In reply to this post by Samba - General mailing list
Am 03.05.2017 um 23:06 schrieb Achim Gottinger via samba:
> Small sidenote in regards to the wiki, there is also a V6 since Windows
> 10 Anniversary.
>
> https://technet.microsoft.com/en-us/library/jj649079%28v=ws.11%29.aspx

Oh no, not again a new profile version. :-)

I will update the docs. Thanks for bringing this up.


Regards,
Marc


Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
I owe you an update.

The problem is still there. We've also seen that some windows desktops have
issues in syncing the time with time.windows.com and are off by 2 minutes.
We're fighting with this.

The issue is that sometimes, for some users, syncing DELETED files only does
not work. Renamed, new, changed content works 100%. It happens sometimes
and we did not see how the occurrence of this might relate to anything. A user
might have this issue one day and the next it is working fine. It happens
once per week for some users, for some it does not happen at all. Users
do not log in to multiple machines at once. The user observes this just by
something popping up on the desktop that had been deleted the day before.

Most of the desktops are Windows 10 with all updates turned on.

Any ideas what I can look into?

2017-05-04 11:28 GMT+02:00 Marc Muehlfeld via samba <[hidden email]>:

> Am 03.05.2017 um 23:06 schrieb Achim Gottinger via samba:
>
>> Small sidenote in regards to the wiki, there is also a V6 since Windows
>> 10 Anniversary.
>>
>> https://technet.microsoft.com/en-us/library/jj649079%28v=ws.11%29.aspx
>>
>
> Oh no, not again a new profile version. :-)
>
> I will update the docs. Thanks for bringing this up.
>
>
> Regards,
> Marc
>
>
>

Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
Hi,

Why use time.windows.com, are your PCs not domain-joined?
Because if they are joined, they sync time with the AD DC(s) through AD by default.
Works here from Win 7 32/64-bit up to Win 10 32/64-bit build 1607.


Set up the following on your DCs.
Set up ntp and configure ntp.conf.
Then go here and choose a stratum 1 NTP server (more accurate):
http://support.ntp.org/bin/view/Servers/StratumOneTimeServers

By default a pool of servers is used, which can cause a time difference.

If you log in as admin on a PC and check the Windows event log
(System events, event ID 37, source Time-Service), you should see
there that the PC syncs time with one of the DCs.

So it is also very, very important to keep ntp.conf the same over all DCs,
and make sure all your devices point to the DCs for time.

I suggest reviewing https://wiki.samba.org/index.php/Time_Synchronisation as well.
Because if the above isn't working, set up the GPO part (on that page):
- Setting User Defined Time Sources and Options
But if everything is configured correctly, this should not be needed.


Greetz,

Louis


> -----Original Message-----
> From: samba [mailto:[hidden email]] On behalf of
> Jakub Kulesza via samba
> Sent: Wednesday, 10 May 2017 11:31
> To: [hidden email]
> Subject: Re: [Samba] Problems with samba and profile
> syncing from various windows versions
>
> I owe you an update.
>
> The problem is still there. We've also seen that some windows
> desktops have issues in syncing the time with
> time.windows.com and are off by 2 minutes.
> We're fighting with this.
>
> The issue is that sometimes for some users syncing DELETED
> files only does not work. Renamed, new, changed content works
> 100%. It happens sometimes and we did not see how occurrence
> of this might relate to anything. A user might have this
> issue one day and the other it is working fine. It happens
> 1 time per week for some users, for some it does not happen
> at all. Users do not log in to multiple machines at once.
> User observes this just by something popping up on the desktop
> that has been deleted the day before.
>
> Most of the desktops are Windows 10 with all updates turned on.
>
> Any ideas what I can look into?
>
> 2017-05-04 11:28 GMT+02:00 Marc Muehlfeld via samba
> <[hidden email]>:
>
> > Am 03.05.2017 um 23:06 schrieb Achim Gottinger via samba:
> >
> >> Small sidenote in regards to the wiki, there is also a V6 since
> >> Windows 10 Anniversary.
> >>
> >> https://technet.microsoft.com/en-us/library/jj649079%28v=ws.11%29.aspx
> >>
> >
> > Oh no, not again a new profile version. :-)
> >
> > I will update the docs. Thanks for bringing this up.
> >
> >
> > Regards,
> > Marc
> >
> >
>
>



Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
On Wed, May 10, 2017 at 4:39 AM, L.P.H. van Belle via samba <
[hidden email]> wrote:

> I suggest reviewing https://wiki.samba.org/index.php/Time_Synchronisation as well.
> Because if above isnt working, setup GPO (on the link) part
> - Setting User Defined Time Sources and Options
> But if everything is configured correctly, this should not be needed.
>

For me, I did not need to set a Group Policy, but I did need to add the
line for "ntpsigndsocket" to the ntpd.conf file, as shown in the wiki.
Without that, Windows workstations would not sync to the AD DC.
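Louis's ntp.conf advice and Mark's ntpsigndsocket note together, as an added example that is not from the thread or from the Samba project: a reference ntp.conf in the shape the Samba wiki's Time_Synchronisation page gives, plus a check that the two Samba-specific pieces are present before ntpd is restarted. Without "ntpsigndsocket" ntpd cannot hand replies to Samba's ntp_signd for MS-SNTP signing, and without "mssntp" on the default restrict line it will not try; domain-joined Windows clients then discard the unsigned replies, which is the symptom Mark describes. The upstream server names, the drift file path and the socket directory in the reference file are placeholders (assumptions, not values from the thread); the Ubuntu package's socket directory is assumed to be /var/lib/samba/ntp_signd/ and should be confirmed against the build options.

```shell
#!/bin/sh
# Added example, not from the thread: reference ntp.conf for a Samba AD DC and a
# check for the two directives Windows clients depend on. All paths and server
# names below are placeholders (assumptions), not values from the original post.

# write_reference_conf FILE -> write the reference configuration to FILE
write_reference_conf() {
    cat > "$1" <<'EOF'
# Local clock as a fallback; note this is not the localhost address
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Upstream time sources (placeholders; use the same list on every DC)
server ntp1.example.org iburst prefer
server ntp2.example.org iburst prefer

driftfile      /var/lib/ntp/ntp.drift
# Directory holding Samba's ntp_signd socket (placeholder; confirm with samba -b)
ntpsigndsocket /var/lib/samba/ntp_signd/

# Clients may only query time; mssntp lets domain members request signed replies
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict ::1
EOF
}

# check_ntp_conf FILE -> report on both directives; returns 0 only if both exist
check_ntp_conf() {
    conf="$1"
    rc=0
    if grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+' "$conf"; then
        echo "ok: ntpsigndsocket = $(awk '/^[[:space:]]*ntpsigndsocket/ {print $2}' "$conf")"
    else
        echo "missing: ntpsigndsocket (ntpd cannot sign replies for domain members)"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*restrict[[:space:]]+default[[:space:]].*mssntp' "$conf"; then
        echo "ok: 'restrict default' carries mssntp"
    else
        echo "missing: mssntp on 'restrict default' (signed replies never requested)"
        rc=1
    fi
    return $rc
}

# check_signd_dir DIR -> 0 if DIR exists. ntpd's user must be able to enter it;
# the wiki uses chown root:ntp and chmod 750 on the directory.
check_signd_dir() {
    if [ -d "$1" ]; then
        echo "ok: ntp_signd directory $1 exists (Samba creates the socket inside it)"
    else
        echo "missing: $1 (is this the NTP_SIGND_SOCKET_DIR Samba was built with?)"
        return 1
    fi
}

# Usage: ./ntp_check.sh /etc/ntp.conf   -- reports only, changes nothing
if [ $# -gt 0 ]; then
    check_ntp_conf "$1"
    check_signd_dir "$(awk '/^[[:space:]]*ntpsigndsocket/ {print $2}' "$1")"
fi
```

Run the check on every DC, since Louis's point that ntp.conf must be identical across DCs is exactly where one forgotten line produces the intermittent drift Jakub saw: clients pick a DC per logon, and only the DCs with both directives answer with signed time.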

Re: Problems with samba and profile syncing from various windows versions

Samba - General mailing list
small update. We've got the time synced right. The desktops and server are
in sync. But the problems persist. There are days where multiple users
report that deleted files come back.

I suspect some issues either in Windows itself or in the network. I
guess that looking into the windows desktop logs is the way to go now.
Which logs in the event viewer show most relevant information for profile
syncing?

2017-05-10 20:49 GMT+02:00 Mark Nienberg via samba <[hidden email]>:

> On Wed, May 10, 2017 at 4:39 AM, L.P.H. van Belle via samba <
> [hidden email]> wrote:
>
> > I suggest reviewing https://wiki.samba.org/index.php/Time_Synchronisation as well.
> > Because if above isnt working, setup GPO (on the link) part
> > - Setting User Defined Time Sources and Options
> > But if everything is configured correctly, this should not be needed.
> >
>
> For me, I did not need to set a Group Policy, but I did need to add the
> line for "ntpsigndsocket" to the ntpd.conf file, as shown in the wiki.
> Without that, Windows workstations would not sync to the AD DC.
>