[Samba] roaming profile does ­not ­work for "Domain Adm­ins"

?icro MEGAS micromegas at mail333.com
Thu Oct 30 16:25:57 MDT 2014

I am facing an issue which I cannot explain myself. The roaming profiles don't work for users that are members of the group "Domain Admins". The [profiles] share on the member server was configured exactly as explained on the wiki for roaming profiles. It works like a charm for all domain users, *BUT*: if a user is member of the group "Domain Admins" it *doesn't* :-( That means in detail:

I create a new user "test1" and assign the correct profile directory to that user (\\membersrv\profiles\test1). I add this user also to the "MYDOM\Domain Admins" group. On the windows client I login for the first time with "test1" user and I watch the content of the linux filesystem on my member server. As soon as "test1" is logged in on the client, a directory membersrv:/srv/samba/profiles/test1 is created with the appropriate mode and owner+group. Until here everything is fine, but as soon as user "test1" logs off, *NO DATA IS WRITTEN* into its roaming profile directory.

When I remove that user "test1" from the group "Domain Admins", so in result "test1" is not a member of "Domain Admins" anymore, the roaming profile works like a charm as one would expect. When the user logs off, data is written correctly to its roaming profile.

I don't suspect security issues on Windows or POSIX ACLs, because the user "test1" can create directory "something" on \\membersrv\profiles and inside \\membersrv\profiles\something he is allowed to create subdirs or files. I don't think that's the problem. I ensured that by putting "EVERYONE" to sharing and security settings for the [profiles] share, but it didn't help either.

I cannot explain myself where this is related to. I'm stuck here for many hours and have no clue where else to look at. Any help really appreciated.

Meanwhile I spent about 12 hours (!) on that problem and still didn't solve it. It's really frustrating me :( The problem occurs with Windows XP workstation as well on Win7 workstation. Even when I "mkdir -p /new/dir" on the member server, and create a new share in smb.conf, then have "Everyone" in sharing settings, and "Everyone" in security settings with FULL access, and assign the profile of user "johndoe" to \\membersrv\newshare\johndoe" it doesn't work. As I said before, I don't suspect security/file permission, because the user can access that particular directory and read/write directories+files in there. And as said before: when I remove "johndoe" from "Domain Admins" group it works fine. So what the hell is causing that problem? I also checked my GPO if there's something active but there is not. I only have the "default domain controller policy" and default domain policy". The latter one is empty, there are no objects. And even when I check with "gpresult" on the windows clients, there are no settings applied to that workstations. I installed a completely new Win7 workstation just some minutes before and tried with the new machine, no luck, same problem! :-( I also tried by creating new users in my AD, but it didn't help either. As long as these users are not members of "Domain Admins" it works, but when they are members in "Domain Admins" it doesn't work and they cannot use roaming profiles.

It's really really getting on my nerves meanwhile. What the hell is going on there? Why cannot members of "MYDOM\Domain Admins" use roaming profiles? Please if anyone has an idea where to look at, I'd really appreciate it. Thanks a lot in advance.


More information about the samba mailing list