[Samba] Roaming Profiles with Windows ACLs

Rowland Penny rpenny at samba.org
Fri Oct 7 19:38:34 UTC 2016


On Fri, 7 Oct 2016 12:19:09 -0700
Mark Nienberg via samba <samba at lists.samba.org> wrote:

> I've set up a profiles share according to the wiki article:
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
> 
> Users are able to create new roaming profiles and they cannot browse
> each others' profiles, so all that is working. The only issue is that
> the group "domain admins" does not have privileges to read or delete
> user profiles.
> 
> The acls on the profiles directory look right to me:
> 
> [root@gecko share2]# getfacl profiles/
> # file: profiles/
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:domain\040users:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
> 
> But the individual user directories do not inherit the default group
> acls from the parent:
> 
> [root@gecko share2]# getfacl profiles/mark.V2/
> # file: profiles/mark.V2/
> # owner: mark
> # group: domain\040users
> user::rwx
> user:mark:rwx
> group::---
> group:domain\040users:---
> group:70006:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:mark:rwx
> default:group::---
> default:group:domain\040users:---
> default:group:70006:rwx
> default:mask::rwx
> default:other::---
> 
> The share is defined simply:
> 
> [profiles]
>         comment = Roaming Profiles
>         writable = yes
>         path = /mnt/share2/profiles
> 
> This is samba 4.4.5 on a domain member. The DC is also 4.4.5.
> 
> Have I missed something in the configuration?

Have you given Domain Admins the required rights?

net rpc rights grant DOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

Rowland
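
An added example, not part of either message: a small Python check that parses the two getfacl listings quoted above and reports which named default entries of the parent directory are absent from the child's access ACL. The function names are hypothetical and the input is constructed from the thread's listings.

```python
import re

# Constructed input: the entries of the two getfacl listings in the thread, several
# per line to save space (getfacl prints one per line; both forms parse the same).
PARENT = r"""# file: profiles/
user::rwx user:root:rwx group::rwx group:domain\040users:rwx
group:domain\040admins:rwx mask::rwx other::---
default:user::rwx default:user:root:rwx default:group::---
default:group:domain\040admins:rwx default:mask::rwx default:other::---"""
CHILD = r"""# file: profiles/mark.V2/
user::rwx user:mark:rwx group::--- group:domain\040users:---
group:70006:rwx mask::rwx other::---
default:user::rwx default:user:mark:rwx default:group::---
default:group:domain\040users:--- default:group:70006:rwx
default:mask::rwx default:other::---"""

def parse_getfacl(text):
    """Return (access, default): dicts mapping (tag, qualifier) -> permissions."""
    access, default = {}, {}
    for line in text.splitlines():
        # Drop "# file:" headers and trailing "#effective:" comments.
        for entry in line.split("#", 1)[0].split():
            target = access
            if entry.startswith("default:"):
                target, entry = default, entry[len("default:"):]
            tag, rest = entry.split(":", 1)
            qualifier, perms = rest.rsplit(":", 1)
            # getfacl escapes a space in a name as octal \040.
            qualifier = re.sub(r"\\([0-7]{3})",
                               lambda m: chr(int(m.group(1), 8)), qualifier)
            target[(tag, qualifier)] = perms
    return access, default

def missing_inherited(parent_text, child_text):
    """Named default entries of the parent that the child's access ACL lacks."""
    parent_default = parse_getfacl(parent_text)[1]
    child_access = parse_getfacl(child_text)[0]
    # Unnamed entries (user::, group::, mask::, other::) are skipped: they are
    # combined with the creation mode. Names are compared as printed, so an
    # unresolved numeric id such as 70006 never matches a name.
    return sorted((tag, q, perms) for (tag, q), perms in parent_default.items()
                  if q and child_access.get((tag, q)) != perms)

if __name__ == "__main__":
    for tag, q, perms in missing_inherited(PARENT, CHILD):
        print(f"not inherited: {tag}:{q}:{perms}")
```

For the listings above it reports group:domain admins:rwx and user:root:rwx as not inherited.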



