[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]

Rowland Penny rowlandpenny241155 at gmail.com
Sat Jul 4 08:22:54 UTC 2015

On 04/07/15 00:58, Gary Dale wrote:
> On 03/07/15 01:21 PM, Rowland Penny wrote:
>> On 03/07/15 17:45, Gary Dale wrote:
>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC 
>>>> server but I can't get them to work for the other accounts. The 
>>>> differences are that the one account is also a Linux account in the 
>>>> AD DC and is in the Domain Admins group. The other accounts were 
>>>> created with ADUC on a Windows 7 machine logged in as the Domain 
>>>> Admins user just mentioned. They are Domain Users but not Admins 
>>>> and have no corresponding Linux account.
>>>> I got that one account to work by taking ownership of its profile 
>>>> directory. However Windows 7 currently only offers me two choices 
>>>> for accounts that can take ownership of a profile directory (Domain 
>>>> Admins and that one account are both listed. Other accounts are not 
>>>> in the creator/owner tab).
>>>> I've given Domain User full control of the profile folders but that 
>>>> doesn't seem to be good enough to get the profiles to be loaded and 
>>>> saved (the Linux permissions are 777).
>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>> Any ideas on what I'm missing?
>>> Further to above, I added one of the user accounts to the Domain 
>>> Admins but still couldn't get a roaming profile to work for it.
>> Hi, have a look here: 
>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>> Rowland
> Thanks. I'd been trying that without success. The section on using 
> ACLs doesn't work in my case for some reason.

The 'reason' is probably why profiles don't work.

Are you doing this on a DC or a member server? On a DC I get this:

root@dc01:~# getent group "domain admins"
EXAMPLE\Domain Admins:*:10002:

and on a member server:

rowland@ThinkPad ~ $ getent group "domain admins"

I have RFC2307 attributes in AD and winbind set up on both.

> For example, the section in preparatory work says to:
>   setfacl -m g:"domain admins":rwx /srv/samba/Demo/
> where I substituted my profiles path for their path. When I run it, I get
>   # setfacl -m g:"domain admins":rwx /home/samba/profiles
>   setfacl: Option -m: Invalid argument near character 3

The 'Invalid argument' is "domain admins", your machine does not 
recognise it.

> The AD DC doesn't seem to recognize domain users or groups at all. And 
> on the Windows end, the ability to set privileges based on domain 
> groups or users seems spotty. Sometimes it works and sometimes it 
> doesn't.
> Similarly in the section "Profile share with using POSIX ACLs", I 
> can't chgrp to a domain group.

Yep, your setup is not optimal.

> What finally worked was to ignore all the errors and just add the 
> extra lines to the share definition in smb.conf:
>   store dos attributes = Yes
>   create mask = 0600
>   directory mask = 0700
>   profile acls = yes
>   csc policy = disable
> Once I did that (and reloaded the config) the other profiles started 
> working.

That is the old way, but if it works for you.
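
Added example, not part of the original message: a preflight that asks NSS (via getent, the same check shown above) whether a group name resolves before it is handed to setfacl, so an unresolvable "domain admins" is reported by name instead of as "Invalid argument near character 3". The function names resolve_group, acl_spec and grant_group are hypothetical.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from Samba or the wiki.

# resolve_group NAME
# Prints the numeric GID of NAME as seen through NSS; returns 1 if the
# name does not resolve (the situation in which setfacl and chgrp fail).
resolve_group() {
    entry=$(getent group "$1") || return 1
    # getent group output: name:passwd:gid:members
    printf '%s\n' "$entry" | cut -d: -f3
}

# acl_spec NAME PERMS
# Prints a setfacl group entry built on the numeric GID, e.g. g:10002:rwx.
acl_spec() {
    gid=$(resolve_group "$1") || {
        echo "cannot resolve group '$1': check winbind and nsswitch.conf" >&2
        return 1
    }
    printf 'g:%s:%s\n' "$gid" "$2"
}

# grant_group DIR PERMS NAME...
# Applies the ACL for every NAME that resolves; returns 1 if any NAME
# failed to resolve or setfacl itself failed.
grant_group() {
    dir=$1 perms=$2; shift 2
    rc=0
    for name in "$@"; do
        if spec=$(acl_spec "$name" "$perms"); then
            setfacl -m "$spec" "$dir" || rc=1
        else
            rc=1
        fi
    done
    return $rc
}

# Usage, with the path from the thread:
#   grant_group /home/samba/profiles rwx "domain admins"
```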

