
[Samba] Samba4: Folder Redirection GPO not working with Windows 7


steve

Oct 6, 2012, 11:20:01 AM
Hi
I have folder redirection working fine in XP. I see that W7 has taken
the same configuration as I made in XP. Here is a screenshot:
http://dl.dropbox.com/u/45150875/gpo.png

Unfortunately, on w7, whilst the roaming profile is correctly set, there
is no folder redirection. Nothing appears in the \\hh1\USERS folder for
the user who has logged in.

Upon opening the GPO editor as Administrator in W7, I get an error
message about AD and sysvol permissions:

'The permissions for this GPO in the SYSVOL folder are inconsistent with
those in Active Directory. (...) To change the SYSVOL permissions to
those in Active Directory, click OK.'

Clicking OK gives 'Access is Denied'. I then ran samba-tool ntacl
sysvolreset and restarted the GPO editor. It then opened without the
error :) The settings appear exactly as I set them on XP but are not
honoured in W7.

The share for the redirected folders says it's offline. There is an
offline tab where the security tab normally is under the share
properties. Relevant?

Can anyone help me trace what's wrong?
Cheers,
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve

Oct 7, 2012, 4:10:02 AM

Further tests show using the windows 'set' command, that the policy is
only being applied to Administrator. IOW, 'APPDATA' is being redirected
to the server. Everyone else still has the local Roaming folder for appdata.

I have run gpupdate /force but still no folder redirection for users.
Thanks,

Andrew Bartlett

Oct 7, 2012, 5:00:02 AM
Look for file permission errors in the network trace when accessing the
GPO.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

steve

Oct 7, 2012, 7:00:02 AM
Hi Andrew
I did a wireshark of a user called steve2 logging on and off:
http://dl.dropbox.com/u/45150875/logon

The folder to which the gpo should redirect to, \\hh1\USERS, is
mentioned only once, all the other SMB2 traces refer to the steve2.V2
profile folder. I have Application Data redirected to \\hh1\USERS

'set' shows APPDATA is still local to the client.

The gpo works fine on XP but fails for all users other than
Administrator on W7. 'set' for Administrator shows the redirection to
the server share at \\hh1\USERS\Administrator\Application Data. For
Administrator nothing is written to the share, but I think this is
because Administrator does not have a uidNumber nor gidNumber.

Any help most gratefully received.
Cheers,
Steve


steve

Oct 7, 2012, 11:10:03 AM
OK
Getting a bit closer:
The share \\hh1\USERS is not accessible by users, neither can I set the
security on it as Administrator because the security tab has been
replaced by 'offline files'. The underlying POSIX share is /home2/USERS
and it is 0777, global RW.

Summary: In W7, users cannot access the share. Question: how can I
remove the offline files and get a security tab back?

Thanks,
Steve

Rowland Penny

Oct 7, 2012, 11:20:01 AM
Hi Steve, a quick google finds:
http://www.sevenforums.com/tutorials/48829-offline-files-enable-disable-use.html


steve

Oct 7, 2012, 11:40:02 AM
Hi Rowland
Thanks for that. I've now got a security tab back. But still no folder
redirection:(

Not given up yet.
Cheers,
Steve

steve

Oct 7, 2012, 12:10:01 PM

Having the security tab back on \\hh1\USERS now gives everyone
permission to enter and create files in the share and now Administrator
has his Application Data redirected to the share. He has a file under
\\hh1\USERS as per the GPO.

However, ordinary users, whilst able to read and write the share do not
have their Application Data redirected.

Still works fine for all users with XP but not W7.

Matthieu Patou

Oct 7, 2012, 9:00:01 PM
Steve
Obviously the biggest change between XP and Seven is the fact that Seven
will use SMB 2.x by default, whereas XP can do SMB/CIFS.
So you have to carefully look at the SMB2 trace between your client and
the Samba server when doing it with an administrator (which works, if I
understood your emails) and a "normal" user.
Most probably our fileserver either denies something to simple users or
doesn't answer correctly. For this you'll need to use Wireshark.

Once you have more information we might be able to help you, providing
information + traces (if no sensitive information) might help even more.

Matthieu.


--
Matthieu Patou
Samba Team
http://samba.org

steve

Oct 8, 2012, 3:40:02 AM

Hi Matthieu
Thanks for the offer of help.

Summary:
1. The Folder redirection GPO works fine for all users with XP and with
Administrator on W7.
2. The folder redirection GPO does not work for ordinary domain users
on W7.
3. I have run samba-tool ntacl sysvolreset

Here is a screenshot of the GPO:
http://dl.dropbox.com/u/45150875/gpo.png

Here is smb.conf:
[global]
workgroup = MARINA
realm = hh3.site
netbios name = HH1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winb
dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = Yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[profiles]
path = /home2/profiles
read only = No
create mask = 0700

[USERS]
path = /home2/USERS
read only = No

Here is the wireshark of Administrator logon and logoff:
http://dl.dropbox.com/u/45150875/logonadmin

Here is the wireshark of a domain user, steve2, logon and logoff:
http://dl.dropbox.com/u/45150875/logonuser

In the user trace, there is no reference to the redirected folder on the
server and none is created. The user seems unaware of the gpo.

TIA for any time you can give.
Cheers,
Steve

steve

Oct 8, 2012, 12:30:02 PM
On 08/10/12 17:40, m...@matws.net wrote:
> Ok can you check that this simple user can go in the \\server\sysvol folder and then access all the files under <dnsnamedomain>/policies and cross check that this gpo is really applied by setting in the same gpo a rule for the wallpaper or something else visible.
>

Hi
I set the wallpaper in the same gpo:
http://dl.dropbox.com/u/45150875/gpowallpaper.png

This popup appears each time Administrator starts the GPO editor:
http://dl.dropbox.com/u/45150875/sysvolerror.png

Clicking OK gives 'Access is denied'. Same error whether I have run
samba-tool ntacl sysvolreset or not. The GPO is created however.

Results:
1. Ordinary users can read anything in the sysvol share
2. The wallpaper GPO is ignored both for W7 Administrator and for W7 users.

note: The wallpaper GPO doesn't work on XP either but I don't think it
was implemented then.

m...@matws.net

Oct 9, 2012, 12:20:01 AM
Ok can you check that this simple user can go in the \\server\sysvol folder and then access all the files under <dnsnamedomain>/policies and cross check that this gpo is really applied by setting in the same gpo a rule for the wallpaper or something else visible.

steve

Oct 9, 2012, 11:40:02 AM

Hi
I updated today to the latest from master:
Version 4.1.0pre1-GIT-e65a24bed
and ran:
samba-tool ntacl sysvolreset --use-s3fs

Now no user can enter sysvol:
getfacl sysvol/
# file: sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:3000000:r--
group:3000001:r--
group:3000002:r--
mask::rwx
other::---

Any ideas how I can get domain users to enter and read the GPOs? I've
tried with 0755 but Windows doesn't seem to know about it. Any attempt
to set the ACL on Windows fails. Is it possible to set the ACL from
Windows 7 on s3fs?

steve

Oct 9, 2012, 12:00:01 PM

Using wbinfo:
3000000 BUILTIN\Server Operators 4
3000001 NT AUTHORITY\SYSTEM 5
3000002 NT AUTHORITY\Authenticated Users 5

but Authenticated Users do not get read access. . .

Ludek Finstrle

Oct 9, 2012, 3:30:02 PM
Hello steve,


Maybe I'm wrong, but in the Unix world you need the x bit to be able to go into a directory.

Luf

steve

Oct 10, 2012, 4:00:02 AM
Hi Luf, hi everyone
OK, this was the clue I needed.
I set the ACE's to r-x:

setfacl -Rm g:3000000:rx sysvol/
setfacl -Rm g:3000001:rx sysvol/
setfacl -Rm g:3000002:rx sysvol/
setfacl -Rm g::rx sysvol/
setfacl -Rm g:wheel:rx sysvol/
and same for the default ACE's:
setfacl -d -Rm g:3000000:rx sysvol/
(...)

The ACE's now look like this:
getfacl sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:r-x
group::r-x
group:wheel:r-x
group:3000000:r-x
group:3000001:r-x
group:3000002:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:3000001:r-x
default:group:3000002:r-x
default:mask::r-x
default:other::---

Conclusion: The sysvol ACL's are not set correctly after running:
samba-tool ntacl sysvolreset
because e.g. authenticated users cannot get into the share to read the GPO's

Maybe this is just with my distro, openSUSE as others have not reported
any problems.

Could a dev have a look at it? I'm sure I've not set the sysvol ACL's
correctly but at least now folder redirection works.
Cheers,
Steve
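An added check, not code from the thread or from Samba: it parses getfacl output for the sysvol directory and reports every ACL entry whose effective permission lacks the x bit that Luf pointed out is needed to traverse a directory. It applies the POSIX ACL mask rule (named users, named groups and the owning group are limited by the mask entry) and uses the gid-to-name mapping from the wbinfo output posted above; the two samples are the before and after getfacl listings from this thread.

```python
# Added example, not from the thread: parse getfacl output and report ACL
# entries whose effective permission lacks the x bit, which is what kept
# domain users (Authenticated Users) out of the sysvol directory tree.

# gid -> name, quoted from the wbinfo output posted in the thread.
GID_NAMES = {"3000000": r"BUILTIN\Server Operators",
             "3000001": r"NT AUTHORITY\SYSTEM",
             "3000002": r"NT AUTHORITY\Authenticated Users"}

# getfacl output as posted in the thread, before and after the setfacl fix.
BROKEN_SYSVOL = ("# file: sysvol/\nuser::rwx\nuser:root:rwx\ngroup::r--\n"
                 "group:wheel:r--\ngroup:3000000:r--\ngroup:3000001:r--\n"
                 "group:3000002:r--\nmask::rwx\nother::---\n")
FIXED_SYSVOL = ("# file: usr/local/samba/var/locks/sysvol\nuser::rwx\n"
                "user:root:r-x\ngroup::r-x\ngroup:wheel:r-x\ngroup:3000000:r-x\n"
                "group:3000001:r-x\ngroup:3000002:r-x\nmask::r-x\nother::r-x\n"
                "default:user::rwx\ndefault:group::r-x\ndefault:mask::r-x\n")

def parse_getfacl(text):
    """Return the access ACL as (tag, qualifier, perms) tuples. Comment
    lines, default (inherited) entries and getfacl's trailing
    '#effective:' annotations are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms))
    return entries

def traversal_blockers(text):
    """Names of entries that cannot enter the directory. POSIX ACL rule:
    named user/group entries and the owning group are limited by the
    mask entry; the file owner and 'other' are not."""
    entries = parse_getfacl(text)
    mask = dict(((t, q), p) for t, q, p in entries).get(("mask", ""), "rwx")
    blocked = []
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if masked:  # effective permission = entry AND mask
            perms = "".join(c if c in mask else "-" for c in perms)
        if "x" not in perms:
            blocked.append(GID_NAMES.get(qualifier, f"{tag}:{qualifier}:"))
    return blocked
```

On the broken listing every group entry, including Authenticated Users, is reported; on the fixed listing nothing is, which is the state in which folder redirection started working.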