[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?

Rowland Penny rpenny at samba.org
Tue Jun 28 12:17:28 UTC 2016

On 28/06/16 12:23, Thomas DEBESSE wrote:
> > OK, I think your problem is that you are trying to run your AD
> > domain as if it is still an NT4-style domain.
> This does not sound like a surprise to me. ;-)
> > with AD, you would add […] to each user's object in AD. You can do
> > this with ADUC or by creating an ldif file on the DC and then use
> > ldbmodify to add it.
> Oh, yes, you're right, I had to do the same for the logon.cmd, I
> already have a pdbedit call for logon.cmd stuff in my user creation
> script I wrote myself.
> I did that for the logon.cmd stuff, for each user:
> pdbedit --script="logon.cmd" "${user_name}"
> I suppose I can use the --profile=, --drive= and --homedir= options
> from pdbedit to do the same things you recommend without having to
> deal with an ldif file.
> Too bad these values can't be forced by a template on the AD DC. I
> will try these options tonight when everyone is logged out.

If you need to create new users, you could investigate 'samba-tool user 
create --help' on a Samba DC, or you can write a script around pdbedit 
to update your users.

> > did you know that 'writeable = Yes' is the same as
> > 'read only = No'? There is no point in having both.
> Yes, these smb.conf are more than 15 years old, modifying them
> continuously when I update something through the ages, so I will not
> be surprised if some stuff is superfluous or some crap is remaining.
> > I would suggest you follow the Samba wiki and use ACLs instead of
> > the old style 'create mask' etc
> I will look at it with interest, currently I don't need more and that
> part, even old, works very well. :-)

You could add IDMU to ADUC on a Windows machine, this will get you the 
'Unix Attributes' tabs.
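
Added example, not part of the original message: a small wrapper of the kind suggested above ("write a script around pdbedit"), using the --script=, --profile=, --drive= and --homedir= options mentioned in the thread. The server name, share names and drive letter are hypothetical; the script validates account names before handing them to pdbedit and defaults to a dry run.

```shell
#!/bin/sh
# Added example: set per-user logon script, profile path and home drive with pdbedit.
# Hypothetical values (not from the thread): server, share names, drive letter.
FILE_SERVER='fs1.example.lan'
PROFILE_SHARE='profiles'
HOME_SHARE='home'
HOME_DRIVE='H:'
LOGON_SCRIPT='logon.cmd'   # script name used in the thread

# Accept only plain account names. This rejects empty names, names starting
# with '-' (pdbedit would parse them as options) and anything containing
# path separators, whitespace or shell metacharacters.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Update one account. DRY_RUN defaults to 1, which only prints the command.
apply_user() {
    if ! valid_user "$1"; then
        printf 'skipping invalid user name: %s\n' "$1" >&2
        return 1
    fi
    # Same call form as the pdbedit line quoted in the thread, with the
    # --profile=, --drive= and --homedir= options added.
    set -- \
        "--script=${LOGON_SCRIPT}" \
        "--profile=\\\\${FILE_SERVER}\\${PROFILE_SHARE}\\$1" \
        "--drive=${HOME_DRIVE}" \
        "--homedir=\\\\${FILE_SERVER}\\${HOME_SHARE}\\$1" \
        "$1"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'pdbedit'; printf " '%s'" "$@"; printf '\n'
    else
        pdbedit "$@"
    fi
}

# Usage: DRY_RUN=0 sh set-profiles.sh users.txt   (one account name per line)
if [ "$#" -gt 0 ]; then
    rc=0
    while IFS= read -r user; do
        apply_user "$user" || rc=1
    done < "$1"
    exit "$rc"
fi
```

Review the dry-run output first, then rerun with DRY_RUN=0 as root on the Samba server.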

