[Samba] Profiles directory permissions

L.P.H. van Belle belle at bazuin.nl
Thu Jan 17 08:32:05 UTC 2019

Hi Gregory, 

This works as far as I know. Running it myself. 

( \\someserver\profiles\all-user-profile-dirs\ )
If that's
   /home/samba/profiles   then chmod it: chmod 1700 or 3770 

1700 creator owner
2070 creator group 
3770 creator owner & creator group
( step 3 on the site : https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#required-permissions-for-the-file-share-hosting-roaming-user-profiles ) 
Please take note of the following: the MS link above shows a slightly different setup than the Samba wiki. 
MS has changed things here, I'll go through it, looks like Windows Store needs some extra things. 

Try this.
Set on the Share Security tab the following. 
Everyone full control. 
If you don't like Everyone here, you could use Authenticated Users (full control) also. 

Set on the Security tab the following:

Creator Owner   Special full, but only subfolders and files
Administrator   Full Control
Domain Users    Special, only this folder:
                Traverse folder / execute file
                List folder / read data
                Create folder / append data
SYSTEM          Full control

Now, if you use the AD backend, you must set the UID/GID first on the users and the primary user group. 
If you use \\someserver\profiles\%username% while creating the user in ADUC and the uid/gid is not set, 
then you are not able to use it, because root/Administrator will be the owner of the user folder. 

So try the setup as I'm showing above. 

Try it, it also depends a bit on the setup you are using. 
Is profiles on a member of AD-DC server for example? 

Then set it up like this (Windows ACLs):
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

After the change with acl_xattr:ignore system acl = yes 
you MUST fix the rights from within Windows again.

Order in how to set this up:
1 create folders on Linux
2 chmod the folders on Linux 
3 set up the Samba share in smb.conf 
4 set up the Windows ACL rights, from a Windows PC. 
5 create the user with ADUC. 
6 (ADUC Win7) add UID/GID to the users if needed (in case you use the AD backend, for example);
  use samba-tool if you have Win10 ADUC.
7 Now you can set up the user profile path settings in ADUC (\\server\profiles\%username%) 

In my case, if I change the order of steps 5 6 7, I have the same problem. 



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Gregory Sloop via samba
> Sent: Wednesday, 16 January 2019 22:00
> To: samba at lists.samba.org
> Subject: [Samba] Profiles directory permissions
> So, trying to get profiles working.
> The GPO is there and functioning.
> However, the user isn't able to create the needed directory 
> for *initial* setup of the profile.
> [It's possible if I hand-created the profile directory for 
> the user, and granted them rights, it would work properly. 
> But it is vastly easier to have the user create their own 
> directory at first login. I'm sure that's the intended 
> function, given the following wiki article.]
> I used this Wiki page as the "template" I'm using for 
> permissions and other setup details.
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles 
> If I give domain users "full control" it works. However with 
> just the listed perms: 
> \\someserver\profiles\all-user-profile-dirs\
> Traverse folder / execute file
> List folder / read data
> Create folder / append data	
> It won't create the profile directory - and I get an error 
> for that user when they login and get a Windows desktop.
> So, those permissions aren't adequate - at least that 
> certainly seems to be the case.
> Does anyone have a working set of permissions, or can point 
> me in the right direction?
> [Client is a W10P desktop. I'm not sure if W7 or something 
> else might be different.]
> -Greg
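A check for steps 1 to 3 of the order given in the reply above, as an added example that is not part of the original message or of Samba itself: it reads the share definition from an smb.conf-style file and verifies the directory mode and the two share parameters the reply relies on. The section name `[profiles]`, the function names and the temporary demo data are assumptions made for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the share section is
# named [profiles] (the message gives no section name); GNU stat is present.

# Print the value of KEY inside [SECTION] of an smb.conf-style FILE.
smbconf_get() {  # usage: smbconf_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
                      insec = (tolower(s) == tolower(sec)); next }
        insec { i = index($0, "="); if (i == 0) next
                k = substr($0, 1, i - 1); v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (tolower(k) == tolower(key)) { print v; exit } }' "$1"
}

# Audit the share; print one finding per check, return 0 only if all pass.
audit_profiles_share() {  # usage: audit_profiles_share FILE [SECTION]
    conf=$1; sec=${2:-profiles}; rc=0
    path=$(smbconf_get "$conf" "$sec" "path")
    if [ -z "$path" ] || [ ! -d "$path" ]; then
        echo "FAIL: path '$path' missing or not a directory"; return 1
    fi
    mode=$(stat -c '%a' "$path")
    case $mode in
        1700|3770) echo "ok: $path mode $mode" ;;
        *) echo "FAIL: $path mode $mode (reply suggests 1700 or 3770)"; rc=1 ;;
    esac
    for want in "read only=no" "acl_xattr:ignore system acl=yes"; do
        key=${want%%=*}; val=${want#*=}
        got=$(smbconf_get "$conf" "$sec" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$val" ]; then echo "ok: $key = $got"
        else echo "FAIL: $key = '${got:-unset}', expected $val"; rc=1; fi
    done
    return $rc
}

# Constructed sample data: a temporary directory and share definition.
demo() {
    d=$(mktemp -d); mkdir "$d/profiles"; chmod 1700 "$d/profiles"
    printf '[profiles]\n  browseable = yes\n  path = %s\n  read only = no\n  acl_xattr:ignore system acl = yes\n' \
        "$d/profiles" > "$d/smb.conf"
    audit_profiles_share "$d/smb.conf"; r=$?
    rm -rf "$d"; return $r
}
if [ "$#" -gt 0 ]; then audit_profiles_share "$@"; else demo; fi
```

Run it with the path to a real smb.conf as the first argument to audit that file instead of the demo data. It only covers the Linux side; the Windows ACL entries from step 4 still have to be checked from a Windows PC.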