[Samba] setting up W7 profiles

Bob of Donelson Trophy bob at donelsontrophy.net
Fri Mar 6 10:45:51 MST 2015

Okay, so I did this to myself. I overlooked an important sentence on the
"https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles". The
sentence that instructs to do "Profile share using Windows ACLs"
***OR*** "Profile share with using POSIX ACLs".

So, I have reset the permissions to how they were before I messed them
up doing the "POSIX ACLs" part. Went back through the W7 client and
correctly set permissions (via Windows Explorer) as instructed on the

I still cannot write profiles to the /home/samba/NTDOM/profiles
directory. I think I am confused on the "Administrator" portion of the
wiki page. 

In the text box, the top line discusses the "Administrator" permission
settings. (Below "Administrator" lists "Domain Users" and "CREATOR
OWNER".) In the graphic that appears just above the text box, the
graphic illustrates setting permissions for the "\SAMDOMadmin . . ." so,
am I setting for my DCAdministrator or the member server administrator? 

And then begs the question, am I looking for 'getent group Domain Users'
on the DC or the member server? 


Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-03-05 11:49, Rowland Penny wrote: 

> On 05/03/15 17:22, Bob of Donelson Trophy wrote:
> Rowland, 'getent group DomainUsers' indeed returns nothing. Now, I know, you know this like the "back of your hand" but, am I wrong, are the permissions for **profiles** somewhat (not alot) different from permissions for file shares? Because I see that instructions (on the wiki) for file sharing reads differently. Thanks, again. --- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] [1 [1]] "Everyone deserves an award!!" On 2015-03-05 07:38, Rowland Penny wrote: On 05/03/15 13:25, Bob of Donelson Trophy wrote: I am setting up W7 profiles following the "Samba & Windows Profiles" on the Sambawiki. If it matters, I have two functional DC's and one member server. When I run '# chmod 1770 /srv/samba/profiles' (on the member server) the permissions changed to: root at mbr01:~# ls -alh /srv/samba/profiles total 12K drwxrwx--T+ 2 root root 4.0K Mar 1 10:21 . drwxr-xr-t 5 root root 4.0K Mar 1 10:21 .. The first line changed from 'drwx
to 'drwxrwx--T+' and the second did not change. Under "Profile share with using POSIX ACLs" it is indicated that we should change the '# chgrp „Domain Users" /srv/samba/profiles' I am getting "chgrp: invalid group: `Domain Users' " When I run "wbinfo -g" there listed is "domain users". I have tried lower case "# chgrp „domain users" /srv/samba/profiles" with the same result "chgrp: invalid group: `domain users' ". Suggestions? Hi Bob, 'wbinfo -g' does indeed show 'domain users' but this is not what is used when you try to use chgrp. What does 'getent group Domain Users' show ? If it doesn't return anything, then we need to find out why not Rowland
 Links: ------ [1] http://www.donelsontrophy.com [1] 

OK, the problem here is that Unix has to know who 'Domain Users' is
before it will/can change the group ownership of a directory.

I take it that the passwd & group lines in /etc/nsswitch.conf have had
'winbind' added to them and if you run 'pam-auth-update' it shows
winbind amongst the authentication methods.

Does Domain Users have a gidNumber ? If not then modify the 'Domain
Users' object in AD and add one.

You have to get 'getent group Domain Users' to return the group info
before you can go any further.


[1] http://www.donelsontrophy.com

More information about the samba mailing list