[Samba] [SOLVED] roaming profile does not work for "Domain Admins"

L.P.H. van Belle belle at bazuin.nl
Fri Oct 31 01:46:18 MDT 2014

Pff, what a discussion, but that's good ;-) 

But you didn't tell us what was in your Windows event log... 
Which is very helpful.. 

And this setting: 
"Do not check for user Ownership of Roaming Profile Folders" 
is a very well-known setting, but should not be needed. 

Good that you did find it yourself. 

You can even set: 
acl_xattr:ignore system acl = yes 
on the profile share to have even better ACL compatibility. 

I also have "Domain Admins" on all my users' folders and profile folders,
and I have the smb user map also, and it is working fine.. 
But in my case there is NO domain admin with roaming profiles.... 
Why... If you log in on an infected PC, you can get this infection in your profile. 
If you now log in on a server, you will infect your server. 
And because of this I really advise splitting users (people who just do office work) from administrators. 
No users should have admin rights, only when needed, and not while just working. 

I was thinking you already had "Do not check for user Ownership of Roaming Profile Folders" 
enabled. This is why I needed the event message in Windows. 

But good to hear it's solved. 




>-----Original message-----
>From: micromegas at mail333.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of ?icro MEGAS
>Sent: Friday 31 October 2014 0:19
>To: samba at lists.samba.org
>Subject: Re: [Samba] [SOLVED] roaming profile does not 
>work for "Domain Admins"
>> HI Mirco, Isn't samba4 AD wonderful, the way it works just like a 
>> Windows AD DC :-)
>> Yes, the problem you are having isn't a problem, it is the way that 
>> Microsoft designed it, see here:
>> Rowland
>Dear Rowland,
>I do not agree because
>a.) at last I did find the culprit which was causing that 
>problem. I am glad that I *SOLVED IT* but on the other side 
>I'm kinda disappointed because the root of that evil is your 
>so highly-praised "smbmap" feature which already caused a lot 
>of discussion here on the list. I will go into detail and 
>explain at the bottom of this message
>b.) the link you posted is a completely different issue. The 
>issue reported there is that roaming profiles created by 
>Windows by default allow only the creator/owner and SYSTEM to 
>access it and no one else. For example: when user "johndoe" 
>logs in for the first time and his roaming profile is created, 
>the directory \\server\sharename\johndoe has only two objects 
>in the Windows Security Settings. They are "johndoe" itself 
>and "SYSTEM". No one else has access to it. Many administrators 
>hate this default behaviour because they cannot browse the 
>files in these directories although they are domain admins. I 
>told you the reason why they cannot. This issue is explained 
>and discussed on many other sites around the net. Just google 
>for "roaming profile domain admins" and you will find a lot of 
>hits, as well as some tech sheets and explanations from Microsoft 
>or even some workarounds with neat scripts.
>Well, now back to point a.) the explanation why I ran into 
>that issue. As I stated before, the root of the evil was the 
>"smbmap" feature. How I found out? On the fresh new Win7 
>machine I installed for my tests, I got some more detailed 
>information in the event viewer and I saw a message in there 
>for the failing "roaming profile". It explained in detail 
>that the user *must be owner of the roaming profile 
>directory*. The solution is to make the user the owner of 
>their profile folder. And now guess why the directories of 
>these three administrators had the following owner/group assigned:
>root:root  johndoe.v2
>root:root  foobar
>root:root  admin3
>I tell you, because when you use the smbmap feature as 
>suggested many times by you, the user itself becomes "root" to 
>the machine and Windows only sees "root" but expects "foobar" 
>and *THAT'S THE CULPRIT*. As you realized in the past days, I 
>reported some issues to the samba lists where the "smbmap" 
>feature again was causing headaches. Now after that horrible 
>scenario I had to face, and moreover so many hours I had to 
>spend, I certainly am sure *NOT TO USE* the *username map* 
>directive in future and now I understand why a few days ago a 
>samba developer suggested me NOT TO USE it. I should have 
>listened to him.
>You can read the technical details and see also the event 
>viewer message that was logged on my Win7 workstation which 
>helped me to find out the culprit. Although they are related 
>to other Windows versions, the event viewer message is exactly 
>the same as I did receive it on my Win7 machine. The content 
>is self-explanatory, read here:
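The failure described in this thread (profile directories owned by root:root on the Samba server while Windows insists that the logging-in user own the roaming profile folder) can be checked for on the server side before anyone touches the "Do not check for user Ownership of Roaming Profile Folders" policy. The script below is an added example, not code from the thread, from the posters or from the Samba project. It assumes GNU stat (-c), the default winbind separator '\' for DOMAIN\user owner names, and a share path such as /srv/samba/profiles; the sample listing in the usage note is constructed from the owner/group lines quoted above.

```shell
#!/bin/sh
# Added example, not from the list thread: audit a Samba roaming-profile
# share for profile directories whose Unix owner is not the profile's user.
# Windows refuses to load a roaming profile unless the user owns the folder
# (unless the "Do not check for user Ownership of Roaming Profile Folders"
# policy is set), so a folder left as root:root, e.g. after a 'username map'
# turned the admin into root, fails exactly as described in the thread.
# Assumes GNU stat (-c) and the winbind separator '\' for DOMAIN\user owners.

# The user a profile directory name belongs to: strip the Windows profile
# version suffix (.V2, .V5, .V6 ...), case-insensitively.
expected_user() {
    printf '%s\n' "$1" | sed -E 's/\.[Vv][0-9]+$//'
}

# Read "owner|group|path" lines (what stat -c '%U|%G|%n' prints) on stdin
# and print "dirname owner expected_owner" for every mismatch.
profile_owner_mismatches() {
    while IFS='|' read -r owner group path; do
        [ -n "$path" ] || continue
        owner=${owner##*\\}        # DOMAIN\johndoe -> johndoe
        base=${path%/}             # drop trailing slash from "share/*/"
        base=${base##*/}           # basename of the profile directory
        want=$(expected_user "$base")
        if [ "$owner" != "$want" ]; then
            printf '%s %s %s\n' "$base" "$owner" "$want"
        fi
    done
}

# Audit a real share, e.g. audit_profile_share /srv/samba/profiles
audit_profile_share() {
    stat -c '%U|%G|%n' "$1"/*/ | profile_owner_mismatches
}

# Print (do not run) the chown commands that would repair the mismatches
# found on stdin, so an admin can review them before applying.
repair_commands() {
    share=$1
    profile_owner_mismatches | while read -r base owner want; do
        printf 'chown -R %s "%s/%s"\n' "$want" "$share" "$base"
    done
}

# Run as: sh profile-owner-audit.sh /srv/samba/profiles
if [ -n "${1-}" ]; then
    audit_profile_share "$1" | while read -r base owner want; do
        echo "$base is owned by $owner, Windows expects $want"
    done
fi
```

Fed the constructed listing `root|root|/srv/profiles/johndoe.v2/`, `root|root|/srv/profiles/foobar/`, `root|root|/srv/profiles/admin3/` and a healthy `SAMDOM\jane|Domain Users|/srv/profiles/jane.V2/`, `profile_owner_mismatches` reports the three root-owned directories and stays silent for jane, and `repair_commands /srv/profiles` prints the matching `chown -R` lines for review. The check compares the Unix owner only, which is what the Windows profile service verifies; group membership such as "Domain Admins" on the folder does not affect it.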
