[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
rowlandpenny241155 at gmail.com
Sat Jul 4 08:22:54 UTC 2015
On 04/07/15 00:58, Gary Dale wrote:
> On 03/07/15 01:21 PM, Rowland Penny wrote:
>> On 03/07/15 17:45, Gary Dale wrote:
>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>>> server but I can't get them to work for the other accounts. The
>>>> differences are that the one account is also a Linux account in the
>>>> AD DC and is in the Domain Admins group. The other accounts were
>>>> created with ADUC on a Windows 7 machine logged in as the Domain
>>>> Admins user just mentioned. They are Domain Users but not Admins
>>>> and have no corresponding Linux account.
>>>> I got that one account to work by taking ownership of its profile
>>>> directory. However Windows 7 currently only offers me two choices
>>>> for accounts that can take ownership of a profile directory (Domain
>>>> Admins and that one account are both listed. Other accounts are not
>>>> in the creator/owner tab).
>>>> I've given Domain User full control of the profile folders but that
>>>> doesn't seem to be good enough to get the profiles to be loaded and
>>>> saved (the Linux permissions are 777).
>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>> Any ideas on what I'm missing?
>>> Further to above, I added one of the user accounts to the Domain
>>> Admins but still couldn't get a roaming profile to work for it.
>> Hi, have a look here:
> Thanks. I'd been trying that without success. The section on using
> ACLs doesn't work in my case for some reason.
The 'reason' is probably why profiles don't work.
Are you doing this on a DC or a member server? On a DC I get this:
root@dc01:~# getent group "domain admins"
and on a member server:
rowland@ThinkPad ~ $ getent group "domain admins"
I have RFC2307 attributes in AD and winbind set up on both.
> For example, the section in preparatory work says to:
> setfacl -m g:"domain admins":rwx /srv/samba/Demo/
> where I substituted my profiles path for their path. When I run it, I get
> # setfacl -m g:"domain admins":rwx /home/samba/profiles
> setfacl: Option -m: Invalid argument near character 3
The 'Invalid argument' is "domain admins", your machine does not
> The AD DC doesn't seem to recognize domain users or groups at all. And
> on the Windows end, the ability to set privileges based on domain
> groups or users seems spotty. Sometimes it works and sometimes it
> Similarly in the section "Profile share with using POSIX ACLs", I
> can't chgrp to a domain group.
Yep, your setup is not optimal.
> What finally worked was to ignore all the errors and just add the
> extra lines to the share definition in smb.conf:
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = yes
> csc policy = disable
> Once I did that (and reloaded the config) the other profiles started
That is the old way, but if it works for you.
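
The check discussed in this message, as an added example that is not part of the original thread: confirm that the group resolves through NSS with `getent` before handing it to `setfacl`, and pass the numeric GID so `setfacl` never has to look the name up itself. The function names are hypothetical, and the script assumes `getent` and `setfacl` are installed and the filesystem supports POSIX ACLs.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to run setfacl for a group
# that NSS (files, winbind, ...) cannot resolve on this machine.

# Print the numeric GID of a group, or return 1 if it does not resolve.
group_gid() {
    nss_entry=$(getent group "$1") || return 1
    # getent group output has the form name:passwd:gid:members
    printf '%s\n' "$nss_entry" | cut -d: -f3
}

# Build a setfacl group entry such as g:10000:rwx from a name and perms.
acl_entry() {   # $1 = group name, $2 = permissions (e.g. rwx)
    gid=$(group_gid "$1") || {
        echo "group '$1' does not resolve via NSS; fix name resolution first" >&2
        return 1
    }
    printf 'g:%s:%s\n' "$gid" "$2"
}

# Apply the ACL only when the group resolved.
apply_group_acl() {   # $1 = group name, $2 = permissions, $3 = path
    acl=$(acl_entry "$1" "$2") || return 1
    setfacl -m "$acl" "$3"
}

# Usage: script.sh "domain admins" rwx /path/to/profiles
if [ "$#" -eq 3 ]; then
    apply_group_acl "$1" "$2" "$3"
fi
```

If `acl_entry` fails for a domain group, the machine has no NSS mapping for that group, which is the same condition that makes `chgrp` to a domain group fail.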