[Samba] Roaming Profiles only for Admin?

John H Terpstra jht at samba.org
Tue Aug 19 16:35:48 GMT 2008

On Tuesday 19 August 2008 11:06:31 Albrecht Dreß wrote:
> Hi,
> thanks a lot for all hints...
> After playing a whole afternoon with the W2Ksp4 box, I made some
> progress...
> First, I had to run "gpedit" on the 2k box, and to "activate" the
> option for not checking the ownership of roaming profile folders (key
> is Computer configuration - Administrative Templates - System - User
> Profiles; I found this hint in a posting).

Inside the NTUSER.DAT file, which you will find in the user's profile directory 
on the Samba server, is stored the SID of the user who owns the profile.  If 
for any reason the user's SID is changed, the user will no longer be able to 
access that profile.

You can list the SIDs inside the NTUSER.DAT file using the Samba "profiles" 

Disabling the profile ownership check is usually a red flag that there is a 
problem with the consistency between the user SIDs stored in NTUSER.DAT and 
the current SID reported through Samba.  This is what should be fixed, rather 
than using a sledge-hammer to get around the problem.  Work-arounds often 
have side-effects.

> Now the roaming profile is stored properly *except* for a user for
> which the attempt to store the profile failed.  Here I have to erase
> the local profile folder (in C:\Documents and Settings), then reboot
> the box, and try again - works.  Arrgh!!!  No idea what happens with XP
> and Vista.

Have you recently changed the domain (workgroup) name or the machine name?  
Either will change the domain and/or machine SID.  Check out the use of 
the "net" utility to set/record your domain and machine SIDs:

	net getdomainsid
	net setdomainsid
	net getmachinesid
	net setmachinesid
	net getlocalsid
	net setlocalsid

> Reading the man pages more closely, my impression is that the setting
> "profile acls = yes" should exactly prevent this problem.  

This parameter helps maintain sanity over the files and folders under the 
profile directory.  Only MS Windows manages the SIDs and ACLs inside the 
NTUSER.DAT file, which is what MS Windows NT4/2K/XP/Vista use to determine 
who can access the profile.

> But it apparently doesn't work as advertised.  Does anyone have more insight
> here?  It would be great if I could omit tweaking the policies on each
> and every machine I have in the network...

See above comments.

- John T.

> On 19.08.2008 15:05:53, Hoover, Tony wrote:
> > try changing :
> > create mask = 0644
> > directory mask = 0775
> Now my working profiles setup is
> <snip>
> [profiles]
> path = /home/samba/profiles
> writeable = yes
> store dos attributes = yes
> browseable = no
> create mask = 0600
> directory mask = 0700
> guest ok = no
> csc policy = disable
> force user = %U
> valid users = %U @"Domain Admins"
> </snip>
> Thanks,
> Albrecht.

John H Terpstra

"Don't do as I do; Show me better!" - Anonymous.
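As an added example (not part of John's post, and not Samba's own tooling), here is a small POSIX shell helper that performs the consistency check he recommends instead of disabling the ownership check on every client: read the domain SID the Samba server currently reports, list the SIDs recorded in a user's NTUSER.DAT with Samba's "profiles" utility, and flag any whose domain part differs. The parsing is deliberately pattern-based (any S-1-5-21-... token) so it does not depend on the exact line format of "net" or "profiles", which is an assumption here; the sample lines used in the comments and in check_ntuser's fallback are constructed, not real tool output.

```shell
#!/bin/sh
# Added example: check that the SIDs inside a roaming profile's NTUSER.DAT
# belong to the domain SID the Samba server currently reports.
# Assumes Samba's "net" and "profiles" utilities are in PATH for the live
# check; the helpers below only parse text, so they can be exercised on
# constructed input such as:
#   SID for domain SRV is: S-1-5-21-1-2-3        (net getlocalsid style)
#   Owner SID: S-1-5-21-1-2-3-1001               (profiles -v style)

# Print every domain-style SID (S-1-5-21-a-b-c[-rid]) found on stdin, one per
# line, de-duplicated.  Well-known SIDs such as S-1-5-32-544 (BUILTIN) are
# intentionally ignored: they are the same on every machine and never go stale.
extract_sids() {
    grep -o 'S-1-5-21-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*\(-[0-9][0-9]*\)\{0,1\}' | sort -u
}

# Strip the trailing RID from a user/group SID, giving its domain SID.
#   S-1-5-21-a-b-c-1001 -> S-1-5-21-a-b-c ; a bare domain SID is returned unchanged.
domain_of() {
    printf '%s\n' "$1" | sed 's/^\(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\).*/\1/'
}

# Exit 0 if the SID in $1 belongs to the domain SID in $2, 1 otherwise.
profile_sid_matches() {
    [ "$(domain_of "$1")" = "$(domain_of "$2")" ]
}

# Read "profiles -v" output on stdin and report every SID that does not belong
# to the current domain SID given in $1.  Returns 0 if all SIDs match, 1 if a
# stale SID was found (the situation where Windows refuses the profile and
# people reach for the "do not check ownership" policy).
audit_sids() {
    current="$1"
    stale=0
    for sid in $(extract_sids); do
        if ! profile_sid_matches "$sid" "$current"; then
            printf 'stale SID %s (server domain SID is %s)\n' "$sid" "$(domain_of "$current")"
            stale=1
        fi
    done
    return $stale
}

# Live check on a Samba PDC, e.g.:
#   check_ntuser /home/samba/profiles/alice/NTUSER.DAT
# On a PDC the local SID is the domain SID, so "net getlocalsid" is used;
# on a domain member you would take the domain SID from "net getdomainsid".
check_ntuser() {
    current=$(net getlocalsid 2>/dev/null | extract_sids | head -n 1)
    if [ -z "$current" ]; then
        echo "could not read the server SID from 'net getlocalsid'" >&2
        return 2
    fi
    profiles -v "$1" | audit_sids "$current"
}
```

If audit_sids reports a stale SID, the fix is to bring the SIDs back into agreement rather than to disable the ownership check: either restore the old SID on the server with "net setlocalsid"/"net setdomainsid", or rewrite the profile to the new one with "profiles -c OLD-SID -n NEW-SID NTUSER.DAT" (do this on a copy first, with the user logged off).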
