[Samba] setting up W7 profiles

Bob of Donelson Trophy bob at donelsontrophy.net
Fri Mar 6 12:41:05 MST 2015


On my test system I can only get 'getent -V' to respond. 

Member server smb.conf file: 

root at mbr01:~# cat /etc/samba/smb.conf
# Section headers in square brackets were stripped by the list archive; [global]
# and the share headers below are restored, share names assumed from their paths.
[global]
 workgroup = TEST
 security = ADS
 realm = TEST.BOB

 netbios name = mbr01
 domain master = no
 host msdfs = no

 dedicated keytab file = /etc/krb5.keytab
 kerberos method = secrets and keytab
 client signing = if_required

 ## map IDs from outside the domain to tdb files
 idmap config *:backend = tdb
 idmap config *:range = 50001-80000
 ## map IDs from the domain; the ranges may not overlap!
 idmap config TEST:backend = ad
 idmap config TEST:schema_mode = rfc2307
 idmap config TEST:range = 10000-40000
 winbind nss info = rfc2307
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
 winbind refresh tickets = yes
 winbind offline logon = yes

 wins server =,

 template shell = /bin/bash
 template homedir = /home/samba/TEST/users/%U

 # user Administrator workaround, without it you are unable to set
 username map = /etc/samba/samba_usermapping

 # For ACL support on member file server
 vfs objects = acl_xattr
 map acl inherit = yes
 store dos attributes = yes

 # Share Setting Globally
 usershare allow guests = no
 unix extensions = no
 wide links = no
 reset on zero vc = yes
 veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
 hide unreadable = yes

 # disable printing completely
 load printers = no
 printing = bsd
 printcap name = /dev/null
 disable spoolss = yes

[users]
 path = /home/samba/TEST/users
 read only = no

[profiles]
 path = /home/samba/TEST/profiles
 read only = no
 # the winbind separator (backslash) between domain and group was lost in the archive
 admin users = +"TEST\Domain Admins"
 profile acls = yes
 csc policy = disable

[companydata]
 path = /home/samba/TEST/companydata
 read only = no

[software]
 path = /home/samba/software
 read only = no

And wbinfo: 

root at mbr01:~# wbinfo -u

root at mbr01:~# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
domain admins
domain guests
schema admins
domain users

All these from the member server. Do I have something set incorrectly? 



Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [2]

"Everyone deserves an award!!"

On 2015-03-06 12:49, Rowland Penny wrote: 

> On 06/03/15 17:45, Bob of Donelson Trophy wrote:
>> Okay, so I did this to myself. I overlooked an important sentence on the "https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles [1]". The sentence that instructs to do "Profile share using Windows ACLs" ***OR*** "Profile share with using POSIX ACLs". So, I have reset the permissions to how they were before I messed them up doing the "POSIX ACLs" part. Went back through the W7 client and correctly set permissions (via Windows Explorer) as instructed on the wiki. I still cannot write profiles to the /home/samba/NTDOM/profiles directory. I think I am confused on the "Administrator" portion of the wiki page. In the text box, the top line discusses the "Administrator" permission settings. (Below "Administrator" lists "Domain Users" and "CREATOR OWNER".) In the graphic that appears just above the text box, the graphic illustrates setting permissions for the "SAMDOMadmin . . ." so, am I setting for my DCAdministrator or the member server administrator?
> If you replace 'SAMDOM' with your domain name does it make it any easier to understand, it means the administrator with the SID 'S-1-5-21-domainsid-500' who gets mapped to '0' on samba AD DC servers as standard.
>> And then begs the question, am I looking for 'getent group Domain Users' on the DC or the member server?
> The member server, if this is where you are storing the profiles.
> Rowland

[1] https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
[2] http://www.donelsontrophy.com
