[Samba] setting up W7 profiles

L.P.H. van Belle belle at bazuin.nl
Mon Mar 9 04:59:43 MDT 2015


Bob, do the following.. 

Set this in smb.conf, not more, not less. 

On the member server. 

[profiles$]
path = /home/samba/TEST/profiles
read only = no
acl_xattr:ignore system acl = yes

restart samba
now type 
chown root:root /home/samba/TEST/profiles 
chmod 1777 /home/samba/TEST/profiles  

Now go to the wiki and set the correct rights for a profile share. 
and ONLY for AD! ( not the POSIX ) 

Now go set the share rights from within windows. 
then set the rights on the folder from within windows. 

if this does not work, i'll eat my shoe...  

and for these:
 admin users = +"TESTDomain Admins"
 profile acls = yes
 csc policy = disable

You don't need POSIX settings on the profiles share imo. 


Louis 



>-----Original message-----
>From: bob at donelsontrophy.net 
>[mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>Sent: Friday 6 March 2015 20:41
>To: samba at lists.samba.org
>Subject: Re: [Samba] setting up W7 profiles
>
> 
>
>On my test system I can only get 'getent -V' to respond. 
>
>Member server smb.conf file: 
>
>root at mbr01:~# cat /etc/samba/smb.conf
>[global]
> workgroup = TEST
> security = ADS
> realm = TEST.BOB
>
> netbios name = mbr01
> domain master = no
> host msdfs = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> client signing = if_required
>
> ## map id's outside to domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 50001-80000
> ## map ids from the domain the range may not overlap !
> idmap config TEST:backend = ad
> idmap config TEST:schema_mode = rfc2307
> idmap config TEST:range = 10000-40000
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
>
> wins server = 192.168.16.41, 192.168.16.42
>
> template shell = /bin/bash
> template homedir = /home/samba/TEST/users/%U
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
>
> # For ACL support on member file server
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Share Setting Globally
> usershare allow guests = no
> unix extensions = no
> wide links = no
> reset on zero vc = yes
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
>[home]
> path = /home/samba/TEST/users
> read only = no
>
>[profiles$]
> path = /home/samba/TEST/profiles
> read only = no
> admin users = +"TESTDomain Admins"
> profile acls = yes
> csc policy = disable
>
>[data]
> path = /home/samba/TEST/companydata
> read only = no
>
>[software]
> path = /home/samba/software
> read only = no 
>
>And wbinfo: 
>
>root at mbr01:~# wbinfo -u
>administrator
>dns-tdc02
>dns-tdc01
>krbtgt
>guest 
>
>root at mbr01:~# wbinfo -g
>allowed rodc password replication group
>enterprise read-only domain controllers
>denied rodc password replication group
>read-only domain controllers
>group policy creator owners
>ras and ias servers
>domain controllers
>enterprise admins
>domain computers
>cert publishers
>dnsupdateproxy
>domain admins
>domain guests
>schema admins
>domain users
>dnsadmins 
>
>All these from the member server. Do I have something set incorrectly? 
>
>---
>
>-------------------------
>
>Bob Wooden of Donelson Trophy
>
>615.885.2846 (main)
>www.donelsontrophy.com [2]
>
>"Everyone deserves an award!!"
>
>On 2015-03-06 12:49, Rowland Penny wrote: 
>
>> On 06/03/15 17:45, Bob of Donelson Trophy wrote:
>> 
>>> Okay, so I did this to myself. I overlooked an important sentence on
>>> the "https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>> [1]". The sentence that instructs to do "Profile share using Windows
>>> ACLs" ***OR*** "Profile share with using POSIX ACLs". So, I have
>>> reset the permissions to how they were before I messed them up doing
>>> the "POSIX ACLs" part. Went back through the W7 client and correctly
>>> set permissions (via Windows Explorer) as instructed on the wiki. I
>>> still cannot write profiles to the /home/samba/NTDOM/profiles
>>> directory. I think I am confused on the "Administrator" portion of
>>> the wiki page. In the text box, the top line discusses the
>>> "Administrator" permission settings. (Below "Administrator" lists
>>> "Domain Users" and "CREATOR OWNER".) In the graphic that appears just
>>> above the text box, the graphic illustrates setting permissions for
>>> the "SAMDOMadmin . . ." so, am I setting for my DCAdministrator or
>>> the member server administrator?
>> 
>> If you replace 'SAMDOM' with your domain name does it make it any
>> easier to understand, it means the administrator with the SID
>> 'S-1-5-21-domainsid-500' who gets mapped to '0' on samba AD DC
>> servers as standard.
>> 
>>> And then begs the question, am I looking for 'getent group Domain
>>> Users' on the DC or the member server?
>> 
>> The member server, if this is where you are storing the profiles.
>> 
>> Rowland
> 
>
>Links:
>------
>[1] https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>[2] http://www.donelsontrophy.com
>
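
The checks implied by the reply at the top of this message, as an added example that is not part of the original thread: it lists any parameter in a share section beyond the three the reply says to set, and tests the directory for the root:root / 1777 state. The function names are hypothetical, the sample configuration is constructed from the share posted in the quoted message, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a profiles share against the minimal definition in the reply.
# The three parameters the reply says to set, and nothing else:
ALLOWED='path
read only
acl_xattr:ignore system acl'

# Print the (lowercased) parameter names set in one share section of an smb.conf.
share_params() {  # usage: share_params FILE SECTION
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, "")
                      insec = (tolower($0) == tolower(want)); next }
        insec && /=/ && !/^[ \t]*[#;]/ {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            print tolower(key)
        }' "$1"
}

# Print parameters found in the share that are not in ALLOWED, one per line.
extra_params() {  # usage: extra_params FILE SECTION
    share_params "$1" "$2" | while IFS= read -r key; do
        printf '%s\n' "$ALLOWED" | grep -qxF -- "$key" || printf '%s\n' "$key"
    done
}

# Owner, group and octal mode of the share directory (GNU stat, as on Linux).
dir_state() { stat -c '%U:%G %a' "$1"; }
# True only for the state left by the chown root:root / chmod 1777 step.
dir_ok() { [ "$(dir_state "$1")" = 'root:root 1777' ]; }

# Constructed sample: the share as posted in the quoted message, plus neighbours.
sample_conf() { cat <<'EOF'
[global]
 vfs objects = acl_xattr
[profiles$]
 path = /home/samba/TEST/profiles
 read only = no
 admin users = +"TESTDomain Admins"
 profile acls = yes
 csc policy = disable
[data]
 path = /home/samba/TEST/companydata
EOF
}

conf=$(mktemp); sample_conf > "$conf"
echo "parameters beyond the minimal share definition:"
extra_params "$conf" 'profiles$'
rm -f "$conf"
```

On the member server, point `extra_params` at `/etc/samba/smb.conf` and `dir_ok` at the share path; parameter names are compared after lowercasing only, so spelling variants of a name are not normalised.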


