[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
Gary Dale
garydale at torfree.net
Sat Jul 4 17:51:26 UTC 2015
On 04/07/15 04:22 AM, Rowland Penny wrote:
> On 04/07/15 00:58, Gary Dale wrote:
>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>> On 03/07/15 17:45, Gary Dale wrote:
>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>>>> server but I can't get them to work for the other accounts. The
>>>>> differences are that the one account is also a Linux account in
>>>>> the AD DC and is in the Domain Admins group. The other accounts
>>>>> were created with ADUC on a Windows 7 machine logged in as the
>>>>> Domain Admins user just mentioned. They are Domain Users but not
>>>>> Admins and have no corresponding Linux account.
>>>>>
>>>>> I got that one account to work by taking ownership of its profile
>>>>> directory. However Windows 7 currently only offers me two choices
>>>>> for accounts that can take ownership of a profile directory
>>>>> (Domain Admins and that one account are both listed. Other
>>>>> accounts are not in the creator/owner tab).
>>>>>
>>>>> I've given Domain User full control of the profile folders but
>>>>> that doesn't seem to be good enough to get the profiles to be
>>>>> loaded and saved (the Linux permissions are 777).
>>>>>
>>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>>>
>>>>> Any ideas on what I'm missing?
>>>>
>>>> Further to above, I added one of the user accounts to the Domain
>>>> Admins but still couldn't get a roaming profile to work for it.
>>>
>>> Hi, have a look here:
>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>
>>> Rowland
>>
>> Thanks. I'd been trying that without success. The section on using
>> ACLs doesn't work in my case for some reason.
>>
>
> The 'reason' is probably why profiles don't work.
>
> Are you doing this on a DC or a member server? On a DC I get this:
>
> root@dc01:~# getent group "domain admins"
> EXAMPLE\Domain Admins:*:10002:
>
> and on a member server:
>
> rowland@ThinkPad ~ $ getent group "domain admins"
> domain_admins:x:10002:s4admin,rowland,administrator
>
> I have RFC2307 attributes in AD and winbind set up on both.

I get nothing when I run the command on the AD DC. There are currently
no member servers.

I followed the instructions at
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and did include the
--use-rfc2307. The only change I made was it doesn't actually mention
installing kerberos but I found it necessary when I got to the configure
kerberos section.

According to the wiki, I don't have to do any winbind config, although
they don't recommend using a DC as a file server due to some problems
with winbind. Unfortunately I only have the one server in this location.