[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]

Rowland Penny rowlandpenny241155 at gmail.com
Sat Jul 4 08:25:55 UTC 2015


On 04/07/15 01:11, Gary Dale wrote:
> On 03/07/15 07:58 PM, Gary Dale wrote:
>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>> On 03/07/15 17:45, Gary Dale wrote:
>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC 
>>>>> server but I can't get them to work for the other accounts. The 
>>>>> differences are that the one account is also a Linux account in 
>>>>> the AD DC and is in the Domain Admins group. The other accounts 
>>>>> were created with ADUC on a Windows 7 machine logged in as the 
>>>>> Domain Admins user just mentioned. They are Domain Users but not 
>>>>> Admins and have no corresponding Linux account.
>>>>>
>>>>> I got that one account to work by taking ownership of its profile 
>>>>> directory. However Windows 7 currently only offers me two choices 
>>>>> for accounts that can take ownership of a profile directory 
>>>>> (Domain Admins and that one account are both listed. Other 
>>>>> accounts are not in the creator/owner tab).
>>>>>
>>>>> I've given Domain User full control of the profile folders but 
>>>>> that doesn't seem to be good enough to get the profiles to be 
>>>>> loaded and saved (the Linux permissions are 777).
>>>>>
>>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>>>
>>>>> Any ideas on what I'm missing?
>>>>
>>>> Further to above, I added one of the user accounts to the Domain 
>>>> Admins but still couldn't get a roaming profile to work for it.
>>>
>>> Hi, have a look here: 
>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>
>>> Rowland
>>
>> Thanks. I'd been trying that without success. The section on using 
>> ACLs doesn't work in my case for some reason.
>>
>> For example, the section in preparatory work says to:
>>   setfacl -m g:"domain admins":rwx /srv/samba/Demo/
>> where I substituted my profiles path for their path. When I run it, I 
>> get
>>   # setfacl -m g:"domain admins":rwx /home/samba/profiles
>>   setfacl: Option -m: Invalid argument near character 3
>>
>> The AD DC doesn't seem to recognize domain users or groups at all. 
>> And on the Windows end, the ability to set privileges based on domain 
>> groups or users seems spotty. Sometimes it works and sometimes it 
>> doesn't.
>>
>> Similarly in the section "Profile share with using POSIX ACLs", I 
>> can't chgrp to a domain group.
>>
>> What finally worked was to ignore all the errors and just add the 
>> extra lines to the share definition in smb.conf:
>>   store dos attributes = Yes
>>   create mask = 0600
>>   directory mask = 0700
>>   profile acls = yes
>>   csc policy = disable
>>
>> Once I did that (and reloaded the config) the other profiles started 
>> working.
>
> Actually, spoke too soon. There is still a minor glitch in that I need 
> to connect to a share before the profiles get saved. It doesn't have 
> to be the profiles share, but if I don't have a share connected, the 
> profile isn't saved.
>
> Fortunately each workstation is supposed to have at least one 
> connection to a share.

You shouldn't have to do this, your computer should connect and save the 
profile, but I think that it isn't doing this automatically (for some 
reason your user is unknown) and the connection is getting rejected.

Rowland
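
Added example (not part of the thread and not taken from the Samba wiki): setfacl and chgrp look group names up through the host's name service, so a pre-flight check with getent shows whether a domain group can be used in an ACL entry at all, and a find pass lists profile directories left world-writable (the thread mentions 777). The function names, the profiles path and the group name in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Pre-flight checks for a roaming-profiles directory before applying ACLs.
# Hypothetical helper names; adjust the path and group to your own setup.

# group_resolves NAME -> exit 0 if the name service can resolve the group.
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# world_writable_dirs ROOT -> print every directory under ROOT (including
# ROOT itself) that has the "other write" permission bit set.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# preflight ROOT GROUP -> print findings; exit status = number of problems.
preflight() {
    root=$1
    group=$2
    problems=0

    if ! group_resolves "$group"; then
        echo "UNRESOLVED: group '$group' is unknown to the name service;"
        echo "  setfacl -m g:\"$group\":rwx and chgrp cannot use it yet"
        problems=$((problems + 1))
    fi

    ww=$(world_writable_dirs "$root")
    if [ -n "$ww" ]; then
        echo "WORLD-WRITABLE directories (any local account can modify them):"
        echo "$ww" | sed 's/^/  /'
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Usage (path and group as used in the thread):
#   preflight /home/samba/profiles "domain admins"
```

An exit status of 0 means the group resolves and no directory under the profiles path is world-writable.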
