[Samba] Roaming Profiles with Windows ACLs

Mark Nienberg mnlists at tippingstructural.com
Fri Oct 7 19:19:09 UTC 2016


I've set up a profiles share according to the wiki article:
https://wiki.samba.org/index.php/Implementing_roaming_profiles

Users are able to create new roaming profiles and they cannot browse each
others' profiles, so all that is working. The only issue is that the group
"domain admins" does not have privileges to read or delete user profiles.

The ACLs on the profiles directory look right to me:

[root@gecko share2]# getfacl profiles/
# file: profiles/
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

But the individual user directories do not inherit the default group ACLs
from the parent:

[root@gecko share2]# getfacl profiles/mark.V2/
# file: profiles/mark.V2/
# owner: mark
# group: domain\040users
user::rwx
user:mark:rwx
group::---
group:domain\040users:---
group:70006:rwx
mask::rwx
other::---
default:user::rwx
default:user:mark:rwx
default:group::---
default:group:domain\040users:---
default:group:70006:rwx
default:mask::rwx
default:other::---

The share is defined simply:

[profiles]
        comment = Roaming Profiles
        writable = yes
        path = /mnt/share2/profiles

This is Samba 4.4.5 on a domain member. The DC is also 4.4.5.

Have I missed something in the configuration?
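
An added example, not part of the original post: a small Python check that compares a child directory's getfacl output with what plain POSIX default-ACL inheritance from the parent would produce (named entries of the parent's default ACL copied into the child's access and default ACLs). The function names are hypothetical and the sample input is constructed from the listings above; it only reports the difference and does not identify its cause.

```python
# Constructed sample input: entries copied from the getfacl listings in the post (parent: default ACL only).
PARENT = r"""
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
"""
CHILD = r"""
user::rwx
user:mark:rwx
group::---
group:domain\040users:---
group:70006:rwx
mask::rwx
other::---
default:user::rwx
default:user:mark:rwx
default:group::---
default:group:domain\040users:---
default:group:70006:rwx
default:mask::rwx
default:other::---
"""

def parse_acl(text):
    """Split getfacl text into (access, default) dicts: (tag, qualifier) -> perms."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop "# file:" and "#effective:" comments
        if not line:
            continue
        is_default = line.startswith("default:")
        target, line = (default, line[len("default:"):]) if is_default else (access, line)
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        target[(tag, qualifier.replace(r"\040", " "))] = perms[:3]  # \040 is an escaped space
    return access, default

def inheritance_gaps(parent_text, child_text):
    """Return (missing, extra) named entries relative to plain default-ACL inheritance."""
    (_, p_def), (c_acc, c_def) = parse_acl(parent_text), parse_acl(child_text)
    named = {k: v for k, v in p_def.items() if k[1]}      # named user/group entries only
    missing = sorted(k for k, v in named.items() if c_acc.get(k) != v or c_def.get(k) != v)
    extra = sorted(k for k in c_acc if k[1] and k not in named)
    return missing, extra

print(inheritance_gaps(PARENT, CHILD))
```

To use it on a live system, pass the text of `getfacl` for the share root and for one profile directory instead of the two constants.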

