[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
Gary Dale
garydale at torfree.net
Sat Jul 4 00:11:11 UTC 2015
On 03/07/15 07:58 PM, Gary Dale wrote:
> On 03/07/15 01:21 PM, Rowland Penny wrote:
>> On 03/07/15 17:45, Gary Dale wrote:
>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>>> server but I can't get them to work for the other accounts. The
>>>> differences are that the one account is also a Linux account in the
>>>> AD DC and is in the Domain Admins group. The other accounts were
>>>> created with ADUC on a Windows 7 machine logged in as the Domain
>>>> Admins user just mentioned. They are Domain Users but not Admins
>>>> and have no corresponding Linux account.
>>>>
>>>> I got that one account to work by taking ownership of its profile
>>>> directory. However Windows 7 currently only offers me two choices
>>>> for accounts that can take ownership of a profile directory (Domain
>>>> Admins and that one account are both listed. Other accounts are not
>>>> in the creator/owner tab).
>>>>
>>>> I've given Domain User full control of the profile folders but that
>>>> doesn't seem to be good enough to get the profiles to be loaded and
>>>> saved (the Linux permissions are 777).
>>>>
>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>>
>>>> Any ideas on what I'm missing?
>>>
>>> Further to above, I added one of the user accounts to the Domain
>>> Admins but still couldn't get a roaming profile to work for it.
>>
>> Hi, have a look here:
>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>
>> Rowland
>
> Thanks. I'd been trying that without success. The section on using
> ACLs doesn't work in my case for some reason.
>
> For example, the section in preparatory work says to:
> setfacl -m g:"domain admins":rwx /srv/samba/Demo/
> where I substituted my profiles path for their path. When I run it, I get
> # setfacl -m g:"domain admins":rwx /home/samba/profiles
> setfacl: Option -m: Invalid argument near character 3
>
> The AD DC doesn't seem to recognize domain users or groups at all. And
> on the Windows end, the ability to set privileges based on domain
> groups or users seems spotty. Sometimes it works and sometimes it
> doesn't.
>
> Similarly in the section "Profile share with using POSIX ACLs", I
> can't chgrp to a domain group.
>
> What finally worked was to ignore all the errors and just add the
> extra lines to the share definition in smb.conf:
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = yes
> csc policy = disable
>
> Once I did that (and reloaded the config) the other profiles started
> working.
Actually, spoke too soon. There is still a minor glitch in that I need
to connect to a share before the profiles get saved. It doesn't have to
be the profiles share, but if I don't have a share connected, the
profile isn't saved.
Fortunately each workstation is supposed to have at least one connection
to a share.
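
Added example, not part of the original message or of the Samba wiki: a pre-flight check for the setfacl step quoted above. setfacl rejects an entry with "Invalid argument near character N" when it cannot map the user or group name to an ID, so this sketch resolves the name through NSS (getent) before applying the ACL. The function names acl_principal_resolves and safe_setfacl are hypothetical.

```shell
#!/bin/sh
# Added example: check that the principal in a setfacl entry resolves
# on this host before the entry is applied.
# Returns 0 = resolves, 1 = unknown name, 2 = malformed entry.
acl_principal_resolves() {
    spec=$1
    # Entry form is "type:name:perms"; the name may contain spaces
    # (for example "domain admins").
    type=${spec%%:*}
    rest=${spec#*:}
    [ "$rest" != "$spec" ] || return 2
    name=${rest%:*}
    [ "$name" != "$rest" ] || return 2
    case $type in
        u|user)  db=passwd ;;
        g|group) db=group ;;
        *) return 2 ;;
    esac
    # An empty name refers to the owning user/group: nothing to resolve.
    [ -n "$name" ] || return 0
    getent "$db" "$name" >/dev/null 2>&1 || return 1
    return 0
}

# Apply the ACL entry only when its principal resolves; otherwise say
# why setfacl would have failed instead of leaving a partial setup.
safe_setfacl() {
    spec=$1
    path=$2
    rc=0
    acl_principal_resolves "$spec" || rc=$?
    case $rc in
        0) setfacl -m "$spec" "$path" ;;
        1) echo "name in '$spec' does not resolve via NSS on this host" >&2
           return 1 ;;
        *) echo "malformed ACL entry: '$spec'" >&2
           return 2 ;;
    esac
}

# Usage (path taken from the message above):
#   safe_setfacl 'g:domain admins:rwx' /home/samba/profiles
```

A return code of 1 means the server itself cannot look up the domain group, which is the condition to fix before any POSIX ACL or chgrp step that names a domain account can succeed.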