[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
Rowland Penny
rowlandpenny241155 at gmail.com
Sun Jul 5 08:47:39 UTC 2015
On 04/07/15 22:53, Gary Dale wrote:
> On 04/07/15 02:37 PM, Rowland Penny wrote:
>> On 04/07/15 18:51, Gary Dale wrote:
>>> On 04/07/15 04:22 AM, Rowland Penny wrote:
>>>> On 04/07/15 00:58, Gary Dale wrote:
>>>>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>>>>> On 03/07/15 17:45, Gary Dale wrote:
>>>>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>>>>> I've got roaming profiles for one account on a Debian/Jessie AD
>>>>>>>> DC server but I can't get them to work for the other accounts.
>>>>>>>> The differences are that the one account is also a Linux
>>>>>>>> account in the AD DC and is in the Domain Admins group. The
>>>>>>>> other accounts were created with ADUC on a Windows 7 machine
>>>>>>>> logged in as the Domain Admins user just mentioned. They are
>>>>>>>> Domain Users but not Admins and have no corresponding Linux
>>>>>>>> account.
>>>>>>>>
>>>>>>>> I got that one account to work by taking ownership of its
>>>>>>>> profile directory. However Windows 7 currently only offers me
>>>>>>>> two choices for accounts that can take ownership of a profile
>>>>>>>> directory (Domain Admins and that one account are both listed.
>>>>>>>> Other accounts are not in the creator/owner tab).
>>>>>>>>
>>>>>>>> I've given Domain User full control of the profile folders but
>>>>>>>> that doesn't seem to be good enough to get the profiles to be
>>>>>>>> loaded and saved (the Linux permissions are 777).
>>>>>>>>
>>>>>>>> And yes, I've set profile for each user using the Windows MMC
>>>>>>>> plugin.
>>>>>>>>
>>>>>>>> Any ideas on what I'm missing?
>>>>>>>
>>>>>>> Further to above, I added one of the user accounts to the Domain
>>>>>>> Admins but still couldn't get a roaming profile to work for it.
>>>>>>
>>>>>> Hi, have a look here:
>>>>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>>>>
>>>>>> Rowland
>>>>>
>>>>> Thanks. I'd been trying that without success. The section on using
>>>>> ACLs doesn't work in my case for some reason.
>>>>>
>>>>
>>>> The 'reason' is probably why profiles don't work.
>>>>
>>>> Are you doing this on a DC or a member server? On a DC I get this:
>>>>
>>>> root@dc01:~# getent group "domain admins"
>>>> EXAMPLE\Domain Admins:*:10002:
>>>>
>>>> and on a member server:
>>>>
>>>> rowland@ThinkPad ~ $ getent group "domain admins"
>>>> domain_admins:x:10002:s4admin,rowland,administrator
>>>>
>>>> I have RFC2307 attributes in AD and winbind set up on both.
>>>
>>> I get nothing when I run the command on the AD DC. There are
>>> currently no member servers.
>>>
>>> I followed the instructions at
>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and did include
>>> the --use-rfc2307. The only change I made was it doesn't actually
>>> mention installing kerberos but I found it necessary when I got to
>>> the configure kerberos section.
>>>
>>> According to the wiki, I don't have to do any winbind config,
>>> although they don't recommend using a DC as a file server due to
>>> some problems with winbind. Unfortunately I only have the one server
>>> in this location.
>>>
>>
>> Ah, well this might seem a bit stupid, but if you followed:
>>
>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>
>> to the letter and you have this '[Profiles]' in smb.conf, could you
>> try changing it to '[profiles]' i.e. change the uppercase 'P' to a
>> lowercase 'p', reload or restart samba then try again.
>>
>> Rowland
>
> Tried it both ways. :(
>
I don't normally use the DC for profiles, so I created a profiles share
on the DC following the wiki page and setting the permissions from
Windows as the wiki page shows.
It didn't work!
I checked everything, comparing it with where I normally do store them,
there appeared to be no difference, but it just wouldn't work. The only
difference I could find was the share that did work was called
'[profiles]' and the one that didn't was called '[Profiles]', so I
changed it to '[profiles]' on the DC, restarted samba and with that
slight change it now works.
All I can suggest is that you check everything again, follow the wiki
page again, do not set the ACLs with setfacl, do it from Windows and
only set the users/groups as shown on the wiki page, no others.
Rowland