[Samba] [SOLVED] roaming profile does not work for "Domain Admins"

Mirco MEGAS micromegas at mail333.com
Thu Oct 30 17:19:17 MDT 2014


> Hi Mirco, Isn't samba4 AD wonderful, the way it works just like a 
> windows AD DC :-)
> 
> Yes, the problem you are having isn't a problem, it is the way that 
> microsoft designed it, see here:
> 
> https://social.technet.microsoft.com/Forums/windowsserver/en-US/7f03c07e-5a71-4ff3-abc1-50d3c14bf982/why-do-roaming-profiles-exclude-domain-admin-access?forum=winserverGP
> Rowland

Dear Rowland,

I do not agree because

a.) at last I did find the culprit which was causing that problem. I am glad that I *SOLVED IT* but on the other side I'm kinda disappointed because the root of that evil is your so highly-praised "smbmap" feature which already caused a lot of discussion here on the list. I will go into detail and explain at the bottom of this message

b.) the link you posted is a completely different issue. The issue reported there is that roaming profiles created by Windows by default allow only the creator/owner and SYSTEM to access it and no one else. For example: when user "johndoe" logs in for the first time and his roaming profile is created, the directory \\server\sharename\johndoe has only two objects in the Windows Security Settings. They are "johndoe" itself and "SYSTEM". No one else has access to it. Many administrators hate this default behaviour because they cannot browse the files in these directories although they are domain admins. I told you the reason why they cannot. This issue is explained and discussed on many other sites around the net. Just google for "roaming profile domain admins" and you will find a lot of hits, as well as some tech sheets and explanations from Microsoft or even some workarounds with neat scripts.

Well, now back to point a.) the explanation why I ran into that issue. As I stated before, the root of the evil was the "smbmap" feature. How did I find out? On the fresh new Win7 machine I installed for my tests, I got some more detailed information in the event viewer and I saw a message in there for the failing "roaming profile". It explained in detail that the user *must be owner of the roaming profile directory*. The solution is to make the user the owner of their profile folder. And now guess why the directories of these three administrators had the following owner/group assigned:

root:root  johndoe.v2
root:root  foobar
root:root  admin3

I tell you, because when you use the smbmap feature as suggested many times by you, the user itself becomes "root" to the machine and Windows only sees "root" but expects "foobar" and *THAT'S THE CULPRIT*. As you realized in the past days, I reported some issues to the samba lists where the "smbmap" feature again was causing headaches. Now after that horrible scenario I had to face, and moreover so many hours I had to spend, I certainly am sure *NOT TO USE* the *username map* directive in future and now I understand why a few days ago a samba developer suggested to me NOT TO USE it. I should have listened to him.

You can read the technical details and see also the event viewer message that was logged on my Win7 workstation which helped me to find out the culprit. Although they are related to other Windows versions, the event viewer message is exactly the same, as I did receive it on my Win7 machine. The content is self-explanatory, read here:

http://support.microsoft.com/kb/327259
http://support.microsoft.com/kb/327462

Cheers,
Mirco.
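An added check for the condition described in this post (not code from the thread or from the Samba project): it walks the profile share on the Samba host and reports every profile directory whose Unix owner is not the user the directory is named after, which is exactly the root-owned "foobar" situation Windows rejects. It assumes the share root path is a placeholder you replace, and strips a trailing Windows profile version suffix such as ".V2" to recover the user name.

```python
#!/usr/bin/env python3
"""Report roaming-profile directories on a Samba server that are not owned
by the user they belong to; Windows refuses to load such a profile."""
import os
import pwd
import re

# Windows appends a version suffix (.V2 for Vista/7, later .V3, .V4, ...) to
# the profile directory name; strip it (case-insensitively) to get the user.
_SUFFIX = re.compile(r"\.v\d+$", re.IGNORECASE)


def expected_user(dirname: str) -> str:
    """Return the user name a profile directory is expected to belong to."""
    return _SUFFIX.sub("", dirname)


def find_mismatches(entries):
    """entries: iterable of (directory name, owner user name).
    Returns [(dirname, owner, expected)] for every directory whose owner is
    not the user named by the directory, e.g. a root-owned 'foobar'."""
    bad = []
    for dirname, owner in entries:
        want = expected_user(dirname)
        if owner != want:
            bad.append((dirname, owner, want))
    return bad


def scan_profile_root(profile_root: str):
    """Stat each subdirectory of the share and resolve its uid to a name;
    an unknown uid is reported as 'uid:<n>' so it still shows as a mismatch."""
    entries = []
    for name in sorted(os.listdir(profile_root)):
        path = os.path.join(profile_root, name)
        if not os.path.isdir(path):
            continue
        uid = os.stat(path).st_uid
        try:
            owner = pwd.getpwuid(uid).pw_name
        except KeyError:
            owner = f"uid:{uid}"
        entries.append((name, owner))
    return find_mismatches(entries)


if __name__ == "__main__":
    import sys
    # Placeholder path: point this at the root of the Samba profile share.
    root = sys.argv[1] if len(sys.argv) > 1 else "/srv/samba/profiles"
    for dirname, owner, want in scan_profile_root(root):
        # Prints the suggested fix only; nothing is changed on disk.
        print(f"{dirname}: owned by {owner}, expected {want}"
              f" -> chown -R {want} {os.path.join(root, dirname)}")
```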

