[Samba] Samba4 Domain UP, but no roaming profiles

Adam Tauno Williams awilliam at whitemice.org
Tue Dec 18 06:52:11 MST 2012

On Tue, 2012-12-18 at 02:45 +1100, Stephen Jones wrote:
> The problem is your smb.conf [profiles].  The only options you need are
> the path and read only = no.  Control access from Windows with an ACL
> applied to the profiles share security properties rather than forcing
> permissions from Samba.  S4 is different from S3.  I'm not sure if those
> mask options work in S4 but, if they do, those values will deny all
> access set through extended ACLs because those are applied through the
> group class.
> Fix smb.conf 

Ok, did that.  

Anyway, for whatever reason roaming profiles started working.  Even
before I made this change.

> and start with an empty profiles directory 

Totally and completely not an option.  This is a migrated domain with
existing profiles.

> root:root.  getfacl will show you the Posix ACLs created from Windows.
> From Windows ADUC add the roaming profiles path to the user's profile. 

They already have this attribute by virtue of the migration.  The
existence of the attribute has been verified.

> Tip:  There is a GPO setting under
> computer-policies-templates-system-user profiles to add the
> administrators group to roaming profiles.  This is a good idea,
> otherwise administrators cannot browse the profile folders.

Cool, I'll take a look at that.
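
The quoted advice says mask options on [profiles] can deny access granted through extended ACLs because they act on the group class. The sketch below is an added example, not code from the thread or from Samba: it audits a share section for `create mask` / `directory mask` and shows what a full-control ACL entry is reduced to. The share path and mask values are constructed, and it assumes the mask options are honoured and that the resulting group-class bits become the POSIX ACL mask.

```python
import configparser

# Constructed sample share definition; path and mask values are assumptions,
# not the configuration from the thread.
SAMPLE_CONF = """
[profiles]
path = /srv/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
"""

# Share options that strip permission bits from newly created objects.
MASK_OPTIONS = ("create mask", "directory mask")


def group_class_bits(mode):
    """Return the group-class bits (rwx as 0-7) of a POSIX mode."""
    return (mode >> 3) & 0o7


def effective_perms(entry_perms, mode):
    """Effective rights of a named user/group ACL entry: entry AND mask.

    With extended ACLs present, the group-class bits of the mode are the
    ACL mask, so a mode with no group bits masks every named entry to 0.
    """
    return entry_perms & group_class_bits(mode)


def rwx(bits):
    """Render three permission bits the way getfacl prints them."""
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def audit_share(conf_text, share):
    """Return (option, mode, effective rights of an rwx ACL entry) per mask option."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    report = []
    for name in MASK_OPTIONS:
        if parser.has_option(share, name):
            mode = int(parser.get(share, name), 8)
            report.append((name, oct(mode), rwx(effective_perms(0o7, mode))))
    return report


if __name__ == "__main__":
    for option, mode, eff in audit_share(SAMPLE_CONF, "profiles"):
        print(f"{option} = {mode}: an rwx ACL entry is effectively {eff}")
```

An empty report means the share carries no mask options, which is the state the advice recommends (only `path` and `read only = no`).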
