[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]

Gary Dale garydale at torfree.net
Sun Jul 5 16:11:06 UTC 2015

On 05/07/15 04:47 AM, Rowland Penny wrote:
> On 04/07/15 22:53, Gary Dale wrote:
>> On 04/07/15 02:37 PM, Rowland Penny wrote:
>>> On 04/07/15 18:51, Gary Dale wrote:
>>>> On 04/07/15 04:22 AM, Rowland Penny wrote:
>>>>> On 04/07/15 00:58, Gary Dale wrote:
>>>>>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>>>>>> On 03/07/15 17:45, Gary Dale wrote:
>>>>>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>>>>>> I've got roaming profiles for one account on a Debian/Jessie 
>>>>>>>>> AD DC server but I can't get them to work for the other 
>>>>>>>>> accounts. The differences are that the one account is also a 
>>>>>>>>> Linux account in the AD DC and is in the Domain Admins group. 
>>>>>>>>> The other accounts were created with ADUC on a Windows 7 
>>>>>>>>> machine logged in as the Domain Admins user just mentioned. 
>>>>>>>>> They are Domain Users but not Admins and have no corresponding 
>>>>>>>>> Linux account.
>>>>>>>>> I got that one account to work by taking ownership of its 
>>>>>>>>> profile directory. However Windows 7 currently only offers me 
>>>>>>>>> two choices for accounts that can take ownership of a profile 
>>>>>>>>> directory (Domain Admins and that one account are both listed. 
>>>>>>>>> Other accounts are not in the creator/owner tab).
>>>>>>>>> I've given Domain User full control of the profile folders but 
>>>>>>>>> that doesn't seem to be good enough to get the profiles to be 
>>>>>>>>> loaded and saved (the Linux permissions are 777).
>>>>>>>>> And yes, I've set profile for each user using the Windows MMC 
>>>>>>>>> plugin.
>>>>>>>>> Any ideas on what I'm missing?
>>>>>>>> Further to above, I added one of the user accounts to the 
>>>>>>>> Domain Admins but still couldn't get a roaming profile to work 
>>>>>>>> for it.
>>>>>>> Hi, have a look here: 
>>>>>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>>>>> Rowland
>>>>>> Thanks. I'd been trying that without success. The section on 
>>>>>> using ACLs doesn't work in my case for some reason.
>>>>> The 'reason' is probably why profiles don't work.
>>>>> Are you doing this on a DC or a member server? On a DC I get this:
>>>>> root@dc01:~# getent group "domain admins"
>>>>> EXAMPLE\Domain Admins:*:10002:
>>>>> and on a member server:
>>>>> rowland@ThinkPad ~ $ getent group "domain admins"
>>>>> domain_admins:x:10002:s4admin,rowland,administrator
>>>>> I have RFC2307 attributes in AD and winbind set up on both.
>>>> I get nothing when I run the command on the AD DC. There are 
>>>> currently no member servers.
>>>> I followed the instructions at 
>>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and did include 
>>>> the --use-rfc2307. The only change I made was it doesn't actually 
>>>> mention installing kerberos but I found it necessary when I got to 
>>>> the configure kerberos section.
>>>> According to the wiki, I don't have to do any winbind config, 
>>>> although they don't recommend using a DC as a file server due to 
>>>> some problems with winbind. Unfortunately I only have the one 
>>>> server in this location.
>>> Ah, well this might seem a bit stupid, but if you followed:
>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>> to the letter and you have this '[Profiles]' in smb.conf, could you 
>>> try changing it to '[profiles]' i.e. change the uppercase 'P' to a 
>>> lowercase 'p', reload or restart samba then try again.
>>> Rowland
>> Tried it both ways.  :(
> I don't normally use the DC for profiles, so I created a profiles 
> share on the DC following the wiki page and setting the permissions 
> from windows as the wiki page shows.
> It didn't work!
> I checked everything, comparing it with where I normally do store 
> them, there appeared to be no difference, but it just wouldn't work. 
> The only difference I could find was the share that did work was 
> called '[profiles]' and the one that didn't was called '[Profiles]', 
> so I changed it to '[profiles]' on the DC, restarted samba and with 
> that slight change it now works.
> All I can suggest is that you check everything again, follow the wiki 
> page again, do not set the ACLs with setfacl, do it from windows and 
> only set the users/groups as shown on the wiki page, no others.
> Rowland

Thanks Rowland. In my case I've done almost all the testing with the 
share & folder names in lower case. I've been through the howto wiki 
page multiple times and everything looks good and the various suggested 
tests all work.

The profiles are all currently being saved so I'll leave it alone for 
now (if it ain't broke...) and revisit it if/when I run into another 
