[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]

Gary Dale garydale at torfree.net
Sat Jul 4 21:53:23 UTC 2015

On 04/07/15 02:37 PM, Rowland Penny wrote:
> On 04/07/15 18:51, Gary Dale wrote:
>> On 04/07/15 04:22 AM, Rowland Penny wrote:
>>> On 04/07/15 00:58, Gary Dale wrote:
>>>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>>>> On 03/07/15 17:45, Gary Dale wrote:
>>>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>>>> I've got roaming profiles for one account on a Debian/Jessie AD 
>>>>>>> DC server but I can't get them to work for the other accounts. 
>>>>>>> The differences are that the one account is also a Linux account 
>>>>>>> in the AD DC and is in the Domain Admins group. The other 
>>>>>>> accounts were created with ADUC on a Windows 7 machine logged in 
>>>>>>> as the Domain Admins user just mentioned. They are Domain Users 
>>>>>>> but not Admins and have no corresponding Linux account.
>>>>>>> I got that one account to work by taking ownership of its 
>>>>>>> profile directory. However Windows 7 currently only offers me 
>>>>>>> two choices for accounts that can take ownership of a profile 
>>>>>>> directory (Domain Admins and that one account are both listed. 
>>>>>>> Other accounts are not in the creator/owner tab).
>>>>>>> I've given Domain User full control of the profile folders but 
>>>>>>> that doesn't seem to be good enough to get the profiles to be 
>>>>>>> loaded and saved (the Linux permissions are 777).
>>>>>>> And yes, I've set profile for each user using the Windows MMC 
>>>>>>> plugin.
>>>>>>> Any ideas on what I'm missing?
>>>>>> Further to above, I added one of the user accounts to the Domain 
>>>>>> Admins but still couldn't get a roaming profile to work for it.
>>>>> Hi, have a look here: 
>>>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>>> Rowland
>>>> Thanks. I'd been trying that without success. The section on using 
>>>> ACLs doesn't work in my case for some reason.
>>> The 'reason' is probably why profiles don't work.
>>> Are you doing this on a DC or a member server? On a DC I get this:
>>> root@dc01:~# getent group "domain admins"
>>> EXAMPLE\Domain Admins:*:10002:
>>> and on a member server:
>>> rowland@ThinkPad ~ $ getent group "domain admins"
>>> domain_admins:x:10002:s4admin,rowland,administrator
>>> I have RFC2307 attributes in AD and winbind set up on both.
>> I get nothing when I run the command on the AD DC. There are 
>> currently no member servers.
>> I followed the instructions at 
>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and did include 
>> the --use-rfc2307. The only change I made was it doesn't actually 
>> mention installing kerberos but I found it necessary when I got to 
>> the configure kerberos section.
>> According to the wiki, I don't have to do any winbind config, 
>> although they don't recommend using a DC as a file server due to some 
>> problems with winbind. Unfortunately I only have the one server in 
>> this location.
> Ah, well this might seem a bit stupid, but if you followed:
> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
> to the letter and you have this '[Profiles]' in smb.conf, could you 
> try changing it to '[profiles]' i.e. change the uppercase 'P' to a 
> lowercase 'p', reload or restart samba then try again.
> Rowland

Tried it both ways.  :(