[Samba] Samba-4.3.11 Roaming profiles on FreeBSD10.3

James B. Byrne byrnejb at harte-lyne.ca
Fri Jul 29 16:12:04 UTC 2016


On Fri, July 29, 2016 02:58, L.P.H. van Belle wrote:
> I snipped the best parts, and added comments.
>
>> The situation is that assigning a new user the profile:
>> //DC/PROFILES/%USERNAME%  does not produce anything on the DC's
>> filesystem.
>
> Correct, that only happens when you first log in with the user and then
> log off.
>
>> However, using the same string as a mapping for the
>> user's home drive works fine.  In other words the directory
>> //DC/PROFILES/%USERNAME% is created when used as the mapping
>> argument.
>
> //DC/PROFILES/%USERNAME% is created when you click on the OK button in
> the Windows tool.
>
>> However, the existence of this directory does not cure anything.  If
>> following creation of the profile directory using the mapping gambit
>> one changes the profile to use that directory then when one logs on as
>> \\DC\%USERNAME% the profile cannot be found or created on the DC
>> for that user.  If I rename the existing profile directory to
>> PROFILES/%USERNAME%.V2 then I do not get the temporary profile
>> error notice when logging in so the profile is found.  But when
>> logging off I instead get the error notice that the roaming profile
>> could not be synchronised and nothing is saved on the host
>> filesystem.
>
> It looks like you swapped these 2 paths.
> The user folder rights are a bit different than the profiles folder.
> But you have too little info to be more precise.
>
> If you share the user folder. Example:
> /home/DOMAIN/users/Userfolders.
> In this path. /home/DOMAIN/users/Userfolders
>
> Share the users folder like
> \\DC\users\%username%  and now this folder will be automatically created
> through RSAT.
>
> IF you assigned uid/gid (samba AD backend), first assign the UID/GID
> THEN set the user homedir.
> Wrong order can give the problem of not creating the user folders.
>
> And for the profiles setup like this.
> /home/DOMAIN/profiles/Userfolders.
>
> And share like
> \\dc\profiles\%username%
>
> Once this is correctly set, now choose.
> Windows profiles acl or (unix) posix acl.
> Setup exactly like this:
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
> and it works.
>
> Check it, if it doesn't work post the needed info.
>
> And recheck your homedir folders
> https://wiki.samba.org/index.php/User_home_drives
>
> Greetz,
>
> Louis

First of all, thank you for your reply.  Here are some additional data:

# cat /usr/local/etc/smb4.conf
# Global parameters
[global]
        workgroup = BROCKLEY-2016
        realm = BROCKLEY-2016.HARTE-LYNE.CA
        netbios name = SAMBA-01
        server role = active directory domain controller
        dns forwarder = 216.185.71.33
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

[PROFILES]
        path = /var/samba4/BROCKLEY-2016/PROFILES/
        read only = No

[USERS]
        path = /var/samba4/BROCKLEY-2016/USERS/
        read only = No


Home directories work fine and always have. Users can put files into
their home drives.

# getfacl /var/samba4/BROCKLEY-2016/USERS/
# file: /var/samba4/BROCKLEY-2016/USERS/
# owner: root
# group: BROCKLEY-2016\domain admins
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:BROCKLEY-2016\domain admins:rwx
group::rwx
group:3000002:rwx
group:3000003:r-x
group:BROCKLEY-2016\domain admins:rwx
mask::rwx
other::---

# ll /var/samba4/BROCKLEY-2016/USERS/testing12
total 12
drwxrwx---+ 2 BROCKLEY-2016\testing12  staff  512 Jul 29 10:14 Testing
-rwxrwx---+ 1 BROCKLEY-2016\testing12  staff    0 Jul 29 10:15 Testing.txt.txt

# wbinfo -u
BROCKLEY-2016\administrator
BROCKLEY-2016\testing11
BROCKLEY-2016\testing12
BROCKLEY-2016\krbtgt
BROCKLEY-2016\guest


I deliberately switched the PROFILES share with the USERS share in
order to test whether or not there was something obviously wrong with
either the share definition or the permissions.  I understand that one
must first press on the ok button to trigger the event.

I did not set a POSIX uid for BROCKLEY-2016\testing12. I have not set
any UNIX Attributes on any of the builtin users or groups.

I have followed the instructions for setting up roaming profiles to
the best of my ability to follow them.  Evidently there is some
assumed knowledge that I do not have.

To begin with.  What should the share permission be?  This window is
not commented upon in the Roaming profile set-up but is in the Home
directories set-up. By default the initial state for any share has
Everyone with Full Control.  Is this what is meant to be left in the
Share Permissions?

In the security tab only the advanced permissions entries are shown
and the entire panel is not displayed. Are the three entities
displayed the ONLY members that are to be present?

There is a check-box in the advanced Security settings called 'Include
inheritable permissions from this object's parent' that is enabled  by
default.  There is no mention of this on the roaming page.

When I perform exactly the steps listed in the roaming profiles I get
a warning that I am changing the root properties and asking if I want
to proceed. Again no mention of this.

Assuming that the three entities shown in the advanced tab are all
that are meant to be present I deleted the others.  Again, there are
no instructions to do this but neither is there any mention of the
other entities existence.

What this leaves me with is three (3) entries in the Security Tab being:

CREATOR OWNER - Special Permissions
Administrator - Full Control
Domain Users  - Special Permissions

Is this correct?  Should any other entries be present?

Back on the Share Permissions tab I still see this:

Everyone      - Full Control

So, what am I to make of this?  It does not strike me as being correct
but there is no mention of it.  However, if it is left in place then
profile directories are created and if it is removed profiles are not.
So it appears necessary.  But what are its implications and why are
they not discussed?  If Everyone has Full Control of the PROFILES
share then of course everything is permitted by anyone on anything,
the security permissions notwithstanding.  Or does Everyone - Full
Control not mean what it appears to mean?

If I look at the example on
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs there the
Share Permissions have only Domain Admins and they do not have Full
Control. The instructions on
https://wiki.samba.org/index.php/Implementing_roaming_profiles say
this:

    Setup a share named "Profiles" according to the documentation
    Shares with Windows ACLs

    Set the following ACLs on the root of the Profiles share according
    to Set ACLs on the root of a share

How much of the instruction on the references apply to roaming
profiles?  Do I remove Everyone - Full Control from the Share
Permissions and replace it with Domain Admins  - Change and Read as
shown in the references?  Because that is what I did to begin with and
evidently that is enough to break roaming profiles.

As I wrote earlier my experience with MS-Windows in general, and AD-DC
in particular, is terribly out of date and quite limited in any case.
So perhaps what this apparent contradiction means is very different
than what I believe it should.

None of this is meant as any criticism of either the software or the
documentation.  I am simply describing my experience with it based on
my existing knowledge.

However, if Everyone - Full Control in the Share Permissions IS
required for roaming shares to work then it would be nice to have this
information explicitly set out on the wiki page.  At the moment, with
Everyone - Full Control, roaming profiles are correctly created and
populated.  However, I cannot proceed until I know that this is
required and that I have not opened some massive security hole by
leaving it.

Sincerely,

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
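Added example (editor's illustration, not code from the thread or from the Samba project): a small Python helper that reads a getfacl(1) listing in the format posted above and works out what a given principal is actually granted under the POSIX ACL rules. The mask entry caps the named-user, named-group and owning-group entries; the owner and other entries are not masked. The first listing is the USERS directory ACL from the message; the second is a constructed variant of it with the mask tightened to r-x, which is there only to show the mask biting. Principal names and numeric ids are taken from the listing; the helper is general and handles any listing in this format.

```python
# Added example (not from the thread): evaluate the effective rights that a
# POSIX ACL, as printed by getfacl(1), grants to a given principal.

# Listing copied from the thread's getfacl output for the USERS directory.
USERS_ACL = """\
# file: /var/samba4/BROCKLEY-2016/USERS/
# owner: root
# group: BROCKLEY-2016\\domain admins
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:BROCKLEY-2016\\domain admins:rwx
group::rwx
group:3000002:rwx
group:3000003:r-x
group:BROCKLEY-2016\\domain admins:rwx
mask::rwx
other::---
"""

# Constructed variant: identical entries, but the mask tightened to r-x.
TIGHT_ACL = USERS_ACL.replace("mask::rwx", "mask::r-x")


def parse_getfacl(text):
    """Split getfacl output into a header dict ('file', 'owner', 'group') and
    a list of (tag, qualifier, perms) tuples; perms are 3 chars in rwx order."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)  # qualifier may be empty
        entries.append((tag, qualifier, perms))
    return header, entries


def _and(a, b):
    """Intersect two rwx-style strings, position by position."""
    return "".join(x if x != "-" and y != "-" else "-" for x, y in zip(a, b))


def _or(a, b):
    """Union of two rwx-style strings, position by position."""
    return "".join(x if x != "-" else y for x, y in zip(a, b))


def effective_entries(entries):
    """Apply the mask entry. POSIX.1e masks named users, named groups and the
    owning group; the owner, other and mask entries are left untouched."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    out = []
    for tag, qual, perms in entries:
        masked = (tag == "user" and qual != "") or tag == "group"
        out.append((tag, qual, _and(perms, mask) if masked else perms))
    return out


def rights_for(text, user, groups=()):
    """Rights a principal gets under the POSIX ACL algorithm: the owner entry
    if the principal owns the file, else a matching named-user entry, else the
    union of every matching group entry, else the other entry."""
    header, entries = parse_getfacl(text)
    eff = effective_entries(entries)
    if user == header.get("owner"):
        return next(p for t, q, p in eff if t == "user" and q == "")
    for t, q, p in eff:
        if t == "user" and q == user:
            return p
    matched, found = "---", False
    for t, q, p in eff:
        if t != "group":
            continue
        name = header.get("group") if q == "" else q  # '' = owning group
        if name in groups:
            matched, found = _or(matched, p), True
    if found:
        return matched
    return next(p for t, q, p in eff if t == "other")


if __name__ == "__main__":
    for label, acl in (("posted listing", USERS_ACL), ("mask r-x", TIGHT_ACL)):
        print(f"--- {label}")
        for t, q, p in effective_entries(parse_getfacl(acl)[1]):
            print(f"{t}:{q}:{p}")
    print("testing12 via domain admins:",
          rights_for(USERS_ACL, "BROCKLEY-2016\\testing12",
                     groups=("BROCKLEY-2016\\domain admins",)))
```

With the posted listing the mask is rwx, so no entry is reduced and a user who is in no listed group falls through to other::--- and gets nothing. This covers the filesystem layer only: on a Windows file share the share permission (the Everyone - Full Control entry discussed above) is a separate, outer gate, and the access a client ends up with is the more restrictive of the share permission and the permissions on the files themselves.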



