[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
Gary Dale
garydale at torfree.net
Fri Jul 3 23:58:46 UTC 2015
On 03/07/15 01:21 PM, Rowland Penny wrote:
> On 03/07/15 17:45, Gary Dale wrote:
>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>> server but I can't get them to work for the other accounts. The
>>> differences are that the one account is also a Linux account in the
>>> AD DC and is in the Domain Admins group. The other accounts were
>>> created with ADUC on a Windows 7 machine logged in as the Domain
>>> Admins user just mentioned. They are Domain Users but not Admins and
>>> have no corresponding Linux account.
>>>
>>> I got that one account to work by taking ownership of its profile
>>> directory. However Windows 7 currently only offers me two choices
>>> for accounts that can take ownership of a profile directory (Domain
>>> Admins and that one account are both listed. Other accounts are not
>>> in the creator/owner tab).
>>>
>>> I've given Domain User full control of the profile folders but that
>>> doesn't seem to be good enough to get the profiles to be loaded and
>>> saved (the Linux permissions are 777).
>>>
>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>
>>> Any ideas on what I'm missing?
>>
>> Further to above, I added one of the user accounts to the Domain
>> Admins but still couldn't get a roaming profile to work for it.
>
> Hi, have a look here:
> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>
> Rowland

Thanks. I'd been trying that without success. The section on using ACLs
doesn't work in my case for some reason.

For example, the section in preparatory work says to:

    setfacl -m g:"domain admins":rwx /srv/samba/Demo/

where I substituted my profiles path for their path. When I run it, I get

    # setfacl -m g:"domain admins":rwx /home/samba/profiles
    setfacl: Option -m: Invalid argument near character 3

The AD DC doesn't seem to recognize domain users or groups at all. And
on the Windows end, the ability to set privileges based on domain groups
or users seems spotty. Sometimes it works and sometimes it doesn't.

Similarly in the section "Profile share with using POSIX ACLs", I can't
chgrp to a domain group.

What finally worked was to ignore all the errors and just add the extra
lines to the share definition in smb.conf:

    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
    profile acls = yes
    csc policy = disable

Once I did that (and reloaded the config) the other profiles started
working.
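
Added example, not part of the original post: the 0600/0700 masks in the share definition above only limit what Samba creates from then on, so profile folders that were already set to 777 keep that mode. This Python script reads the masks from a constructed share definition (the [profiles] section name is an assumption; 0744/0755 are Samba's default masks) and lists entries in the tree whose mode is looser than the masks.

```python
import os
import stat

# Constructed share definition: the [profiles] section name is an assumption;
# the path and the five parameters are the ones quoted in the post.
SHARE_TEXT = """
[profiles]
    path = /home/samba/profiles
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
    profile acls = yes
    csc policy = disable
"""

def parse_share(text, share):
    """Return the parameters of one smb.conf section as a dict."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == share.lower() and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_tree(root, params):
    """List (path, mode, excess_bits) for entries looser than the share masks."""
    file_mask = int(params.get("create mask", "0744"), 8)
    dir_mask = int(params.get("directory mask", "0755"), 8)
    findings = []
    for base, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(base, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is always 0777
            mask = dir_mask if stat.S_ISDIR(st.st_mode) else file_mask
            excess = stat.S_IMODE(st.st_mode) & ~mask
            if excess:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), oct(excess)))
    return sorted(findings)

if __name__ == "__main__":
    share = parse_share(SHARE_TEXT, "profiles")
    print(audit_tree(share["path"], share))
```

Run it as a user that can read the whole profile tree; an empty list means every existing entry already fits within the masks.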