[Samba] Roaming Profiles with Windows ACLs
Rowland Penny
rpenny at samba.org
Fri Oct 7 19:38:34 UTC 2016
On Fri, 7 Oct 2016 12:19:09 -0700
Mark Nienberg via samba <samba at lists.samba.org> wrote:
> I've set up a profiles share according to the wiki article:
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>
> Users are able to create new roaming profiles and they cannot browse
> each other's profiles, so all that is working. The only issue is that
> the group "domain admins" does not have privileges to read or delete
> user profiles.
>
> The acls on the profiles directory look right to me:
>
> [root@gecko share2]# getfacl profiles/
> # file: profiles/
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:domain\040users:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> But the individual user directories do not inherit the default group
> acls from the parent:
>
> [root@gecko share2]# getfacl profiles/mark.V2/
> # file: profiles/mark.V2/
> # owner: mark
> # group: domain\040users
> user::rwx
> user:mark:rwx
> group::---
> group:domain\040users:---
> group:70006:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:mark:rwx
> default:group::---
> default:group:domain\040users:---
> default:group:70006:rwx
> default:mask::rwx
> default:other::---
>
> The share is defined simply:
>
> [profiles]
> comment = Roaming Profiles
> writable = yes
> path = /mnt/share2/profiles
>
> This is samba 4.4.5 on a domain member. The DC is also 4.4.5.
>
> Have I missed something in the configuration?

Have you given Domain Admins the required rights?

net rpc rights grant DOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

Rowland
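
Added example, not part of either message: a small checker for the symptom described in the question, listing the named entries of a parent's default ACL that are absent from a child's access ACL. The function names parse_getfacl and missing_inherited are hypothetical; the sample input is the relevant part of the getfacl output quoted above.

```python
import re
# Relevant entries from the getfacl output quoted above: the parent's
# default ACL and the access ACL of the profile directory created under it.
PARENT = r"""
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
"""
CHILD = r"""
user::rwx
user:mark:rwx
group::---
group:domain\040users:---
group:70006:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return {'access': {...}, 'default': {...}} mapping (tag, name) -> perms."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop header and #effective comments
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, rest = line.split(":", 1)
        name, perms = rest.rsplit(":", 1)
        # getfacl prints special characters as octal escapes (\040 is a space)
        name = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)
        acl[scope][(tag, name)] = perms
    return acl

def missing_inherited(parent_text, child_text):
    """Named entries of the parent's default ACL that the child's access ACL lacks."""
    wanted = parse_getfacl(parent_text)["default"]
    have = parse_getfacl(child_text)["access"]
    return [(tag, name, perms, have.get((tag, name)))
            for (tag, name), perms in wanted.items()
            if name and have.get((tag, name)) != perms]

if __name__ == "__main__":
    for tag, name, want, got in missing_inherited(PARENT, CHILD):
        print(f"{tag}:{name} expected {want}, found {got}")
```

Names are compared exactly as getfacl prints them, so an unresolved numeric ID such as 70006 is treated as a different principal from any named group.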