[Samba] Roaming Profile issue in Windows 10
Rowland Penny
rpenny at samba.org
Thu Apr 18 19:00:25 UTC 2019
On Thu, 18 Apr 2019 14:29:30 -0400
Bob Smith <bobs04475 at gmail.com> wrote:
> Hello Rowland,
>
> Thank you for the suggested link!
>
> I followed "Using POSIX ACLs on a Unix domain member" also.
Don't ;-)
Use Windows ACLs
> "Granting the SeDiskOperatorPrivilege Privilege"
> # net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege
> -U"SAMDOM\Administrator"
> Enter SAMDOM\Administrator's password:
> Failed to grant privileges for SAMDOM\Domain Admins
> (NT_STATUS_NO_SUCH_USER)
> Used a workaround of a user_map parameter in smb.conf:
> "username map = /etc/samba/user.map", added in global
> created the filemap /etc/samba/user.map including
> !root = SAMDOM\Administrator SAMDOM\administrator
That isn't a 'workaround', it is what you are supposed to do ;-)
>
> # net rpc rights grant "Domain Admins" SeDiskOperatorPrivilege
> -U"SAMDOM\Administrator"
> Enter SAMDOM\Administrator's password:
> Successfully granted rights.
>
> # net rpc rights list privileges SeDiskOperatorPrivilege
> -U"SAMDOM\Administrator"
> Enter SAMDOM\Administrator's password:
> SeDiskOperatorPrivilege:
> Unix Group\domain admins
> BUILTIN\Administrators
>
> It is displaying "Unix Group\domain admins" instead of "SAMDOM\Domain
> Admins"?
Strange, does 'Domain Admins' have a gidNumber attribute or are you
using the 'rid' backend?
>
> "Adding a Share"
> # mkdir -p /profiles/
>
> # chown root:"Domain Admins" /profiles/
> # chmod 0770 /profiles/
>
> [profiles]
> path = /profiles/
> read only = no
>
> # smbcontrol all reload-config
>
> "Setting Share Permissions and ACLs"
> Signed in to Windows 10 with a domain admin account, Computer
> management, profiles shares,
> Share Permissions tab - this was already set to Full Control for
> Everyone
Ignore the share tab.
> Security Tab - by default Special Permissions were set to
> (Everyone, root (Unix User\root), domain admins (Unix Group\Domain
> admins), CREATOR OWNER, and CREATOR GROUP)
> Removed all of them and added 'Full Control' for "SAMDOM\Domain
> Admins" and 'Modify, Read & execute, List folder contents, Read, and
> Write' for "SAMDOM\Domain Users"
> When I clicked Apply, it closed properties by itself. On Security
> tab, it says "You do not have permission to view or edit this
> object's permission settings." (I just lost access to the share)
Try following the page I pointed you at:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Signed in to Windows 10 with a domain user, getting "User Profile
> Service" message for Roaming profile issue,
> Event ID: 1521
> Source: User Profile Service
> Windows cannot locate the server copy of your roaming profile and is
> attempting to log you on with your local profile. Changes to the
> profile will not be copied to the server when you log off. This error
> may be caused by network problems or insufficient security rights.
> DETAIL - Access is denied.
>
> To list the extended ACLs of /profiles/:
> # getfacl /profiles/
> getfacl: Removing leading '/' from absolute path names
> # file: /profiles/
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::r-x
> default:group:domain\040admins:r-x
> default:mask::rwx
> default:other::r-x
>
> Looks like domain users (domain\040users) don't have access to the
> share.
Very nice, but that isn't the only place where the permissions are
stored.
>
> I’m trying different combinations of share permissions and ACLs from
> windows side with a Domain Admin.
Just follow the wiki, it is known to work.
>
> Which one should I use for the share?
>
> [Profiles]
> path = /profiles/
> read only = no
>
Just that, do everything else from Windows.
Rowland
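
An added example, not part of the original message: a small parser for the getfacl output quoted above that decodes the `\040` escapes and reports what a member of one group gets from the POSIX ACL. It reads only the POSIX side; the Windows ACLs the reply says to use are stored elsewhere and are not covered. The function names are this example's own, and `group_rights` assumes an account that belongs only to the named group, which is not the directory's owning group.

```python
import re

# getfacl output as quoted in the message above (reproduced as sample input).
SAMPLE = r"""# file: /profiles/
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040admins:r-x
default:mask::rwx
default:other::r-x
"""

def unescape(name):
    """getfacl writes special characters as \\ooo octal escapes (space = \\040)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return {'access': {(tag, name): perms}, 'default': {...}}."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop header and effective-rights comments
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, name, perms = line.split(":")
        acl[scope][(tag, unescape(name))] = perms
    return acl

def group_rights(entries, group):
    """Rights for an account whose only group is `group` (assumption: no user entry matches)."""
    perms = entries.get(("group", group))
    if perms is None:
        return entries[("other", "")]          # no matching group entry: 'other' applies
    mask = entries.get(("mask", ""), "rwx")    # named group entries are limited by the mask
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))
```

Calling `group_rights(parse_getfacl(SAMPLE)["access"], "domain users")` returns `---`, matching the observation in the quoted message that domain users have no entry in the POSIX ACL.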