On Tue, 2012-12-18 at 08:52 -0500, Adam Tauno Williams wrote:
> On Tue, 2012-12-18 at 02:45 +1100, Stephen Jones wrote:
> > The problem is your smb.conf [profiles]. The only options you need are
> > the path and read only = no. Control access from Windows with an ACL
> > applied to the profiles share security properties rather than forcing
> > permissions from Samba. S4 is different from S3. I'm not sure if those
> > mask options work in S4 but, if they do, those values will deny all
> > access set through extended ACLs because those are applied through the
> > group class.
> > Fix smb.conf
> Ok, did that.
I have to call it a success at this point. We have transitioned our domain from S3/NT4/LDAPSAM to S4/AD. All the basic domain functionality appears to be working. There are a couple of things to nail down, but user profiles, logon scripts, authentication, and group policies appear to be working as expected. All in all that wasn't nearly as gnarly as I expected.

Only remaining issues are:

- No DNS auto-registration for Samba hosts, internal DNS
  <https://lists.samba.org/archive/samba/2012-December/170566.html>
  Currently I work around this by just manually adding the host entry with samba-tool.
- Caching enabled on roaming profile share; cannot disable.
  <https://lists.samba.org/archive/samba/2012-December/170578.html>
- Lots of NTLMSSP NTLM2 errors
  <https://lists.samba.org/archive/samba/2012-December/170558.html>
  I need to try to figure out which hosts these are coming from.
- WINS Hook not working (or not supported)
  <https://lists.samba.org/archive/samba/2012-December/170572.html>
  We use WINS hook to generate reverse DNS entries, since we have an application that requires those [ugly though it may be]. I may have to find another way to do this.
- Since we migrated from LDAPSAM we use RFC2307, which is a little weird and not all of the properties map through winbind.

TIP: For anyone else migrating - make sure your login scripts on the netlogon share show Read + Execute permissions for Authenticated Users. Otherwise the specified logon scripts just don't execute, silently, with no notice. Under S3/NT4 it appears it didn't care so long as it could read the script.
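The advice quoted above is to strip the Samba-side permission-forcing options from the [profiles] share on an S4 AD DC and manage access with a Windows ACL instead. The following is an added audit script, not code from the thread or from the Samba project: it parses an smb.conf with the standard library and reports which shares still carry such options. The sample smb.conf is constructed, and the set of option names treated as "forcing" is this example's assumption, not a list given in the thread.

```python
import configparser

# Constructed sample smb.conf, not from the thread: a [profiles] share that
# still carries S3-style permission forcing, beside a [netlogon] share that does not.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller

[profiles]
    path = /srv/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    force create mode = 0600

[netlogon]
    path = /srv/samba/netlogon
    read only = yes
"""

# Options that force Unix permission bits from Samba's side. Flagging all of
# these is this example's assumption; the thread only says "those mask options".
FORCED_PERMISSION_OPTIONS = {
    "create mask", "directory mask", "create mode", "directory mode",
    "force create mode", "force directory mode",
    "security mask", "directory security mask",
    "force security mode", "force directory security mode",
}

def parse_smb_conf(text):
    """Parse smb.conf text into {share: {option: value}} with normalised option names."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    # smb.conf option names are case- and whitespace-insensitive: "Create  Mask" == "create mask"
    parser.optionxform = lambda opt: " ".join(opt.lower().split())
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}

def find_forced_permissions(conf, shares=("profiles", "netlogon")):
    """Return {share: sorted option names} for shares that still force permissions from Samba."""
    findings = {}
    for share in shares:
        hits = sorted(opt for opt in conf.get(share, {}) if opt in FORCED_PERMISSION_OPTIONS)
        if hits:
            findings[share] = hits
    return findings

if __name__ == "__main__":
    for share, opts in find_forced_permissions(parse_smb_conf(SAMPLE_SMB_CONF)).items():
        print(f"[{share}] remove from smb.conf and set a Windows ACL instead: {', '.join(opts)}")
```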