[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
garydale at torfree.net
Fri Jul 3 23:58:46 UTC 2015
On 03/07/15 01:21 PM, Rowland Penny wrote:
> On 03/07/15 17:45, Gary Dale wrote:
>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>> server but I can't get them to work for the other accounts. The
>>> differences are that the one account is also a Linux account in the
>>> AD DC and is in the Domain Admins group. The other accounts were
>>> created with ADUC on a Windows 7 machine logged in as the Domain
>>> Admins user just mentioned. They are Domain Users but not Admins and
>>> have no corresponding Linux account.
>>> I got that one account to work by taking ownership of its profile
>>> directory. However Windows 7 currently only offers me two choices
>>> for accounts that can take ownership of a profile directory (Domain
>>> Admins and that one account are both listed. Other accounts are not
>>> in the creator/owner tab).
>>> I've given Domain User full control of the profile folders but that
>>> doesn't seem to be good enough to get the profiles to be loaded and
>>> saved (the Linux permissions are 777).
>>> And yes, Ive set profile for each user using the Windows MMC plugin.
>>> Any ideas on what I'm missing?
>> Further to above, I added one of the user accounts to the Domain
>> Admins but still couldn't get a roaming profile to work for it.
> Hi, have a look here:
Thanks. I'd been trying that without success. The section on using ACLs
doesn't work in my case for some reason.
For example, the section in preparatory work says to:
setfacl -m g:"domain admins":rwx /srv/samba/Demo/
where I substituted my profiles path for their path. When I run it, I get
# setfacl -m g:"domain admins":rwx /home/samba/profiles
setfacl: Option -m: Invalid argument near character 3
The AD DC doesn't seem to recognize domain users or groups at all. And
on the Windows end, the ability to set privileges based on domain groups
or users seems spotty. Sometimes it works and sometimes it doesn't.
Similarly in the section "Profile share with using POSIX ACLs", I can't
chgrp to a domain group.
What finally worked was to ignore all the errors and just add the extra
lines to the share definition in smb.conf:
store dos attributes = Yes
create mask = 0600
directory mask = 0700
profile acls = yes
csc policy = disable
Once I did that (and reloaded the config) the other profiles started
More information about the samba