[Samba] setting up W7 profiles

Rowland Penny rowlandpenny at googlemail.com
Fri Mar 6 12:56:02 MST 2015


On 06/03/15 19:41, Bob of Donelson Trophy wrote:
>   
>
> On my test system I can only get 'getent -V' to respond.
>
> Member server smb.conf file:
>
> root at mbr01:~# cat /etc/samba/smb.conf
> [global]
>   workgroup = TEST
>   security = ADS
>   realm = TEST.BOB
>
>   netbios name = mbr01
>   domain master = no
>   host msdfs = no
>
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   client signing = if_required
>
>   ## map id's outside to domain to tdb files.
>   idmap config *:backend = tdb
>   idmap config *:range = 50001-80000
>   ## map ids from the domain the range may not overlap !
>   idmap config TEST:backend = ad
>   idmap config TEST:schema_mode = rfc2307
>   idmap config TEST:range = 10000-40000
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
>   winbind offline logon = yes
>
>   wins server = 192.168.16.41, 192.168.16.42
>
>   template shell = /bin/bash
>   template homedir = /home/samba/TEST/users/%U
>
>   # user Administrator workaround, without it you are unable to set
> privileges
>   username map = /etc/samba/samba_usermapping
>
>   # For ACL support on member file server
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
>
>   # Share Setting Globally
>   usershare allow guests = no
>   unix extensions = no
>   wide links = no
>   reset on zero vc = yes
>   veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>   hide unreadable = yes
>
>   # disable printing completely
>   load printers = no
>   printing = bsd
>   printcap name = /dev/null
>   disable spoolss = yes
>
> [home]
>   path = /home/samba/TEST/users
>   read only = no
>
> [profiles$]
>   path = /home/samba/TEST/profiles
>   read only = no
>   admin users = +"TESTDomain Admins"
>   profile acls = yes
>   csc policy = disable
>
> [data]
>   path = /home/samba/TEST/companydata
>   read only = no
>
> [software]
>   path = /home/samba/software
>   read only = no
>
> And wbinfo:
>
> root at mbr01:~# wbinfo -u
> administrator
> dns-tdc02
> dns-tdc01
> krbtgt
> guest
>
> root at mbr01:~# wbinfo -g
> allowed rodc password replication group
> enterprise read-only domain controllers
> denied rodc password replication group
> read-only domain controllers
> group policy creator owners
> ras and ias servers
> domain controllers
> enterprise admins
> domain computers
> cert publishers
> dnsupdateproxy
> domain admins
> domain guests
> schema admins
> domain users
> dnsadmins
>
> All these from the member server. Do I have something set incorrectly?
>
> ---
>
> -------------------------
>
> Bob Wooden of Donelson Trophy
>
> 615.885.2846 (main)
> www.donelsontrophy.com [2]
>
> "Everyone deserves an award!!"
>
> On 2015-03-06 12:49, Rowland Penny wrote:
>
>> On 06/03/15 17:45, Bob of Donelson Trophy wrote:
>>
>>> Okay, so I did this to myself. I overlooked an important sentence on the "https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles [1]". The sentence that instructs to do "Profile share using Windows ACLs" ***OR*** "Profile share with using POSIX ACLs". So, I have reset the permissions to how they were before I messed them up doing the "POSIX ACLs" part. Went back through the W7 client and correctly set permissions (via Windows Explorer) as instructed on the wiki. I still cannot write profiles to the /home/samba/NTDOM/profiles directory. I think I am confused on the "Administrator" portion of the wiki page. In the text box, the top line discusses the "Administrator" permission settings. (Below "Administrator" lists "Domain Users" and "CREATOR OWNER".) In the graphic that appears just above the text box, the graphic illustrates setting permissions for the "SAMDOMadmin . . ." so, am I setting for my DCAdministrator or the member server administrator?
>> If you replace 'SAMDOM' with your domain name, does it make it any easier to understand? It means the administrator with the SID 'S-1-5-21-domainsid-500', who gets mapped to '0' on Samba AD DC servers as standard.
>>
>>> And then begs the question, am I looking for 'getent group Domain Users' on the DC or the member server?
>> The member server, if this is where you are storing the profiles.
>>
>> Rowland
>   
>
> Links:
> ------
> [1] https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
> [2] http://www.donelsontrophy.com

Two things: you don't seem to have any domain users, 'wbinfo -u' is only 
showing the users normally created at first run.
In the 'profiles' share, this:

admin users = +"TESTDomain Admins"

Should be:

admin users = +"TEST\Domain Admins"

Create a user on one of the DCs and give this user the uidNumber 
'10000', then give 'Domain Users' the gidNumber '10000'.

Now try 'getent passwd <what-ever-you-called-the-user>' and 'getent 
group Domain\ Users'.

Rowland
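As an added example (not code from this thread or from the Samba project), the following Python lint checks a constructed smb.conf, modelled on the one posted above, for the two problems Rowland points out: an 'admin users' group entry that starts with the workgroup name but has no domain separator (so winbind cannot resolve the group and the privilege silently never applies), and idmap ranges that overlap or that exclude the uidNumber/gidNumber being assigned in AD (IDs outside the 'ad' backend's range are dropped by winbind, which is why 'getent' then shows nothing). The parser, the `SMB_CONF` sample and the helper names are all assumptions of this example; it assumes the default winbind separator '\'.

```python
import re

# Constructed sample mirroring the member-server smb.conf posted in the thread,
# including the 'admin users' entry whose domain separator is missing.
SMB_CONF = """
[global]
  workgroup = TEST
  security = ADS
  realm = TEST.BOB
  ## map ids outside the domain to tdb files.
  idmap config *:backend = tdb
  idmap config *:range = 50001-80000
  ## map ids from the domain; the ranges may not overlap!
  idmap config TEST:backend = ad
  idmap config TEST:schema_mode = rfc2307
  idmap config TEST:range = 10000-40000

[profiles$]
  path = /home/samba/TEST/profiles
  read only = no
  admin users = +"TESTDomain Admins"
  profile acls = yes
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {lowercased key: value}} (example helper)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


# One token of an 'admin users' list: optional group prefix (+, &, @), then a
# quoted or a bare name.
_ENTRY = re.compile(r'([+&@]?)(?:"([^"]*)"|(\S+))')


def check_admin_users(sections):
    """Find group entries that begin with the workgroup name but lack the '\\' separator.

    Returns (share, entry, suggested replacement) tuples. Assumes the default
    winbind separator '\\'.
    """
    workgroup = sections.get("global", {}).get("workgroup", "")
    findings = []
    for share, params in sections.items():
        for prefix, quoted, bare in _ENTRY.findall(params.get("admin users", "")):
            name = quoted or bare
            if not prefix or "\\" in name:      # plain user, or already DOMAIN\group
                continue
            if workgroup and name.upper().startswith(workgroup.upper()):
                fixed = '%s"%s\\%s"' % (prefix, workgroup, name[len(workgroup):])
                findings.append((share, prefix + name, fixed))
    return findings


_RANGE_KEY = re.compile(r"^idmap config ([^:\s]+)\s*:\s*range$")


def idmap_ranges(sections):
    """Return {DOMAIN: (low, high)} from every 'idmap config X:range' line."""
    ranges = {}
    for key, value in sections.get("global", {}).items():
        m = _RANGE_KEY.match(key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1).upper()] = (low, high)
    return ranges


def check_range_overlap(ranges):
    """Return pairs of idmap domains whose ranges intersect; Samba rejects this."""
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((a, b))
    return overlaps


def in_domain_range(ranges, domain, number):
    """True if an AD uidNumber/gidNumber lies inside the domain's idmap range;
    winbind ignores IDs outside it, so 'getent' would return nothing."""
    low, high = ranges[domain.upper()]
    return low <= number <= high


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for share, entry, fix in check_admin_users(conf):
        print("[%s] admin users entry %r lacks a domain separator; try %s" % (share, entry, fix))
    ranges = idmap_ranges(conf)
    for a, b in check_range_overlap(ranges):
        print("idmap ranges for %s and %s overlap" % (a, b))
    print("uidNumber 10000 usable in TEST range:", in_domain_range(ranges, "TEST", 10000))
```

Running it against the sample reports the `[profiles$]` entry and proposes `+"TEST\Domain Admins"`, finds no range overlap, and confirms that uidNumber 10000 falls inside the TEST range (10000-40000) so the suggested test user will be visible to 'getent'.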



