[Samba] Roaming profiles

L.P.H. van Belle belle at bazuin.nl
Fri Aug 22 14:27:54 GMT 2008

yes, turn off Profile acls,

and if that does not work try, 
enable the group policies for "Do not check for user ownership of Roaming
Profile Folders" and "Add the Administrator security group to the roaming
user profile share" policy using "Start" menu -> "Run", enter "gpedit.msc"
-> under "Computer Configuration" -> "Administrative Templates" -> "System"
-> "User Profiles" and enabling these two properties.

/snap from man smb.conf

          profile acls (S)
             This boolean parameter was added to fix the problems that people
             have been having with storing user profiles on Samba shares from
             2000 or Windows XP clients. New versions of Windows 2000 or
             Windows XP service packs do security ACL checking on the owner
             and ability write of the profile directory stored on a local
             workstation when copied from a Samba share.

             When not in domain mode with winbindd then the security info
             copied onto the local workstation has no meaning to the logged
             in user (SID) that workstation so the profile storing fails.
             Adding this parameter onto a share used for profile storage
             changes two things about the returned Windows ACL. Firstly it
             changes the owner and group owner of all reported files and
             directories to be BUILTIN\Users respectively (SIDs S-1-5-32-544,
             S-1-5-32-545). Secondly it adds an ACE entry of "Full Control"
             to the SID BUILTIN\Users to every returned ACL. This will allow
             any Windows 2000 or XP workstation user to access the profile.

             Note that if you have multiple users logging on to a workstation
             then in order to prevent them from being able to access each
             others profiles you must remove the "Bypass traverse checking"
             advanced user right. This will prevent access to other users
             profile directories as the level profile directory (named after
             the user) is created by the workstation profile code and has an
             ACL restricting entry to the tree to the owning user.

===>>>       Default: profile acls = no  



>-----Original message-----
>From: samba-bounces+belle=bazuin.nl at lists.samba.org [mailto:samba-bounces+belle=bazuin.nl at lists.samba.org] On behalf of Mike Eggleston
>Sent: Friday 22 August 2008 16:19
>To: Mugo Martin
>CC: samba at lists.samba.org
>Subject: Re: [Samba] Roaming profiles
>On Wed, 20 Aug 2008, Mugo Martin might have said:
>> Hi all, thanks for your replies
>> I got the profiles to work, did not remove the
>> profile acls = Yes
>> line. This is my profiles section;
>> [profiles]
>>         comment = User profiles
>>         path = /var/lib/samba/profiles
>>         read only = No
>>         profile acls = Yes
>>         valid users = %U
>>         force user = %U
>I added the 'profile acls = Yes' to my /etc/samba/smb.conf, ran
>'testparm', then 'service smb condrestart'.  All seemed ok, so I
>logged out of my xp work station, booted the work station, and logged
>back in.  When logging in I get the error that my roaming profile is not
>valid/available. The detail says 'the specified network name is no longer
>available.' So I reversed the change, bounced samba again (the service,
>not the box), logged out of xp, booted, and logged back in and got the
>same error.
>Any ideas what's going on?

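Added example, not part of the original messages: because the man page excerpt says `profile acls` adds a "Full Control" ACE for BUILTIN\Users to every returned ACL, this Python check lists the shares in an smb.conf where the parameter is effectively on, including when it is inherited from [global]. The function names and the [data] share are hypothetical; the [profiles] lines are taken from the quoted configuration.

```python
import re

TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings Samba accepts

def norm(name):
    # Samba ignores case and all whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {param: value}} for smb.conf-style text."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def shares_with_profile_acls(text):
    # A share-level (S) parameter set in [global] becomes the default for
    # every share, so inherit it unless the share overrides it.
    conf = parse_smb_conf(text)
    default = conf.get("global", {}).get("profileacls", "no")  # man page default
    return sorted(n for n, p in conf.items() if n != "global"
                  and p.get("profileacls", default).lower() in TRUE_VALUES)

# Constructed sample: the [profiles] share quoted in this thread plus a
# hypothetical [data] share that spells the parameter differently.
SAMPLE = """\
[profiles]
        path = /var/lib/samba/profiles
        profile acls = Yes
[data]
        path = /srv/data
        Profile  ACLs = no
"""

if __name__ == "__main__":
    for share in shares_with_profile_acls(SAMPLE):
        print(f"[{share}] profile acls is on: every returned ACL carries "
              "Full Control for BUILTIN\\Users")
```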