[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
rowlandpenny241155 at gmail.com
Sat Jul 4 08:25:55 UTC 2015
On 04/07/15 01:11, Gary Dale wrote:
> On 03/07/15 07:58 PM, Gary Dale wrote:
>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>> On 03/07/15 17:45, Gary Dale wrote:
>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>>>> server but I can't get them to work for the other accounts. The
>>>>> differences are that the one account is also a Linux account in
>>>>> the AD DC and is in the Domain Admins group. The other accounts
>>>>> were created with ADUC on a Windows 7 machine logged in as the
>>>>> Domain Admins user just mentioned. They are Domain Users but not
>>>>> Admins and have no corresponding Linux account.
>>>>> I got that one account to work by taking ownership of its profile
>>>>> directory. However Windows 7 currently only offers me two choices
>>>>> for accounts that can take ownership of a profile directory
>>>>> (Domain Admins and that one account are both listed. Other
>>>>> accounts are not in the creator/owner tab).
>>>>> I've given Domain User full control of the profile folders but
>>>>> that doesn't seem to be good enough to get the profiles to be
>>>>> loaded and saved (the Linux permissions are 777).
>>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>>> Any ideas on what I'm missing?
>>>> Further to above, I added one of the user accounts to the Domain
>>>> Admins but still couldn't get a roaming profile to work for it.
>>> Hi, have a look here:
>> Thanks. I'd been trying that without success. The section on using
>> ACLs doesn't work in my case for some reason.
>> For example, the section in preparatory work says to:
>> setfacl -m g:"domain admins":rwx /srv/samba/Demo/
>> where I substituted my profiles path for their path. When I run it, I
>> # setfacl -m g:"domain admins":rwx /home/samba/profiles
>> setfacl: Option -m: Invalid argument near character 3
>> The AD DC doesn't seem to recognize domain users or groups at all.
>> And on the Windows end, the ability to set privileges based on domain
>> groups or users seems spotty. Sometimes it works and sometimes it
>> Similarly in the section "Profile share with using POSIX ACLs", I
>> can't chgrp to a domain group.
>> What finally worked was to ignore all the errors and just add the
>> extra lines to the share definition in smb.conf:
>> store dos attributes = Yes
>> create mask = 0600
>> directory mask = 0700
>> profile acls = yes
>> csc policy = disable
>> Once I did that (and reloaded the config) the other profiles started
> Actually, spoke too soon. There is still a minor glitch in that I need
> to connect to a share before the profiles get saved. It doesn't have
> to be the profiles share, but if I don't have a share connected, the
> profile isn't saved.
> Fortunately each workstation is supposed to have at least one
> connection to a share.
You shouldn't have to do this, your computer should connect and save the
profile, but I think that it isn't doing this automatically (for some
reason your user is unknown) and the connection is getting rejected.
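
Added example, not part of the thread: the quoted setfacl error ("Invalid argument near character 3") is what setfacl prints when it cannot look up the group name, so it is worth confirming that the name resolves through NSS before applying the ACL. The function names, the sample nsswitch.conf content and the assumption that winbind is the NSS source for domain accounts on this server are illustrative, not taken from the posts.

```shell
#!/bin/sh
# Added example: checks to run before "setfacl -m g:<domain group>:rwx <path>".

# Return 0 if database $2 (passwd or group) in nsswitch-style file $1 lists winbind.
nss_uses_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }    # strip comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Return 0 if the local name service can resolve group $1.
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# Report whether an ACL for group $1 on path $2 can be applied.
# $3 is the nsswitch file to inspect (defaults to the system one).
acl_preflight() {
    group=$1; path=$2; nss=${3:-/etc/nsswitch.conf}
    if group_resolves "$group"; then
        echo "ok: setfacl -m g:\"$group\":rwx $path"
        return 0
    fi
    if nss_uses_winbind "$nss" group; then
        echo "fail: '$group' does not resolve although winbind is listed for group"
    else
        echo "fail: '$group' does not resolve; winbind is not listed for group in $nss"
    fi
    return 1
}

# Demo on a constructed nsswitch.conf that lacks winbind (assumption, not from the thread).
sample=$(mktemp)
printf 'passwd: compat\ngroup:  compat   # no winbind\n' > "$sample"
acl_preflight "domain admins" /home/samba/profiles "$sample" || true
rm -f "$sample"
```

If the group does not resolve, fixing name resolution first is the safer route than widening the Linux permissions on the profiles directory.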