[Samba] Samba AD and roaming profile permissions
alan at ankeny.net
Thu Mar 15 17:01:42 UTC 2018
I'm running Samba 4.7.0 on FreeNAS 11.1-U2. It's configured as an Active Directory Domain Controller, and I'm trying to configure roaming profiles. I've created a profile dataset in ZFS that uses Windows permissions. I've configured the share and file system permissions as described in the "Using Windows ACLs" section of:
I set the profile path for each under in Active Directory Users and Computers, but I have two problems.
First, Domain Users can't view the contents of the profile share until I also grant them "Read Attributes" and "Read Permissions" rights on the root of the share. When I grant these extra permissions, the Windows 7 workstations will create the user's user.V2 folder under the profile share the first time a user logs in.
Second, the roaming profile won't actually be saved in the newly created user.V2 folder, until I grant the user full control on their folder. Windows shows that the folder is owned by the user and that OWNER has full control on the folder. The user can even grant themselves full control to the folder. They just have to logout, login, and logout again after granting themselves full control to get their roaming profile to upload to the server.
These are the profile share settings generated by FreeNAS:
path = "/mnt/tank/profile"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
shadow:format = auto-%Y%m%d.%H%M-1w
shadow:snapdirseverywhere = yes
vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
What should I change to make roaming profiles work without manually granting the extra permission on each user's folder?
More information about the samba