[Samba] Problems with samba and profile syncing from various windows versions

L.P.H. van Belle belle at bazuin.nl
Thu May 4 09:11:27 UTC 2017


A way to do this for the ACL is to copy the default, create a file from it and use that.
For the share right, I don't know, I haven't tried that.

getfacl path_to_sysvol

You get something like this :  

getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---


Create a file with the needed content. 
Then  setfacl -M FILE-ACL.txt -R /var/lib/samba/sysvol
Change path to sysvol if needed. 

Important one.
You need to find the id for user SYSTEM; in the above example, 3000002 is SYSTEM for me.
There are mostly 2 numeric ids and only one with RWX rights. That's SYSTEM.
Most things work without SYSTEM, but I recommend you set it.

But the preferred way is to do this from within Windows.
Just join a PC to the domain and log in with a user with "Domain Admins" rights.
And set it up as the wiki shows.




Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Arnaud FLORENT via samba
> Sent: Thursday 4 May 2017 10:22
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Problems with samba and profile
> syncing from various windows versions
> 
> 
> 
> On 04/05/2017 at 10:01, Rowland Penny wrote:
> > On Thu, 4 May 2017 09:39:17 +0200
> > Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
> >
> >>
> >> On 04/05/2017 at 09:36, Rowland Penny wrote:
> >>> On Thu, 4 May 2017 09:07:11 +0200
> >>> Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
> >>>
> >>>> On 04/05/2017 at 08:45, Rowland Penny via samba wrote:
> >>>>> On Wed, 3 May 2017 22:48:06 +0200
> >>>>> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
> >>>>>
> >>>>>> Thanks for pointing this out.
> >>>>>>
> >>>>>> I have read that again, now my profiles do not have "vfs objects
> >>>>>> = full_audit" and disabled the csc policy. I have verified that I
> >>>>>> have set up my profiles share properly and that it has all the
> >>>>>> right entitlements. I have reset the entitlements for the users
> >>>>>> that have issues (as Administrator right click on the folder and
> >>>>>> do the dance there with Windows). We'll see tomorrow.
> >>>>>>
> >>>>>> Is "profile acls" required anymore on Samba 4.3? What effect will
> >>>>>> it have on Windows 10?
> >>>>>>
> >>>>> On a Samba AD DC, no, you must use windows ACLs, but, on a Unix 
> >>>>> domain member, you can use the old way i.e. 'create mask' etc
> >>>>>
> >>>>> Rowland
> >>>>>     
> >>>>>
> >>>> Could you explain why  the old way can not be used please?
> >>>>
> >>>> why only shares using extended ACLs are supported on a Samba AD DC?
> >>>>
> >>>> extended ACL support is automatically enabled globally but there 
> >>>> may be a way to disable it for a specific share?
> >>> You answered your question yourself ;-)
> >>>
> >>> Extended ACL support is automatically enabled globally and you 
> >>> cannot turn it off.
> >>>
> >>> Rowland
> >>>
> >>>
> >> nt acl =no
> >> seems to work
> >>
> >> am i wrong to use this?
> > YES!
> >
> >> what kind of errors may occur?
> > The AD DC relies on NT ACLs, you need to accept that you must use 
> > Windows ACLs on a Samba AD DC if you use it as a fileserver. If you 
> > must use the old way of doing things, set up a Unix domain member and
> > use this as a fileserver instead.
> >
> > If you go here:
> >
> > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> >
> > Under the heading 'Using POSIX ACLs', you will find an info box 
> > containing this:
> >
> >   When setting up the share on a Samba Active Directory (AD) domain
> >   controller (DC), you cannot use POSIX ACLs. On an Samba DC, only
> >   shares using extended ACLs are supported. For further details, see
> >   Enable Extended ACL Support in the smb.conf File. To set up the share
> >   on a Samba AD DC, see Setting up the Profiles Share on the Samba File
> >   Server - Using Windows ACLs.
> >
> > This wasn't written for no reason.
> >
> > Rowland
> Thank you Rowland
> 
> so my next question is
> 
> is there a way to setup the share and windows acl only from server
> command line?
> 
> 
> 



