[Samba] Samba AD and roaming profile permissions

Alan Schmitz alan at ankeny.net
Thu Mar 15 17:01:42 UTC 2018


I'm running Samba 4.7.0 on FreeNAS 11.1-U2.  It's configured as an Active Directory Domain Controller, and I'm trying to configure roaming profiles.  I've created a profile dataset in ZFS that uses Windows permissions.  I've configured the share and file system permissions as described in the "Using Windows ACLs" section of:

   https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
   
I set the profile path for each under in Active Directory Users and Computers, but I have two problems.

First, Domain Users can't view the contents of the profile share until I also grant them "Read Attributes" and "Read Permissions" rights on the root of the share.  When I grant these extra permissions, the Windows 7 workstations will create the user's user.V2 folder under the profile share the first time a user logs in.

Second, the roaming profile won't actually be saved in the newly created user.V2 folder, until I grant the user full control on their folder.  Windows shows that the folder is owned by the user and that OWNER has full control on the folder.  The user can even grant themselves full control to the folder.  They just have to logout, login, and logout again after granting themselves full control to get their roaming profile to upload to the server.

These are the profile share settings generated by FreeNAS:

[profile]
  path = "/mnt/tank/profile"
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  access based share enum = no
  shadow:snapdir = .zfs/snapshot
  shadow:sort = desc
  shadow:localtime = yes
  shadow:format = auto-%Y%m%d.%H%M-1w
  shadow:snapdirseverywhere = yes
  vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare

What should I change to make roaming profiles work without manually granting the extra permission on each user's folder?

Thanks,
Alan


More information about the samba mailing list