[Samba] Profile problem
Stefan Kania
stefan at kania-online.de
Sat Feb 6 09:58:47 UTC 2021
You should use a GPO to assign the profiles and not the setting of each
user. The profile directory of each user will be created by the
user account, so the permission on /samba/profile should be "1770 root
domain users"
On 06.02.21 at 10:47, Anders Östling via samba wrote:
> Hi all
>
> I have started to rebuild a client’s samba environment from scratch on Debian. The plan is to use Samba AD instead of Windows AD, and to use a Samba FS for everything else. AFAIK the AD and FS setup is done correctly since I can logon from a Windows client, map home drive and map application drives.
>
> The problem is that roaming profiles don’t work. I have linked to a screenshot taken on the Windows 10 desktop that shows
>
> Event log error
> Profile share permissions
> Profile folder permissions
> Folder with mapped drives (done by netlogon script run from sysvol)
> The user account settings
>
> https://drive.google.com/file/d/1vMRAGJn-01UWARN5Hs8LflMKDtaOt6vU/view?usp=sharing
>
> ACL permissions for the Profiles share
>
> root at fs1-hplts:/samba# getfacl Profiles/
> # file: Profiles/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:30512:rwx
> user:30513:r-x
> group::---
> group:root:---
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:domain\040users:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:30512:rwx
> default:group::---
> default:group:root:---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> The samba FS config goes here (I changed the profiles share to browsable in order to view the share for troubleshooting)
>
> [global]
> workgroup = HPLTS
> server role = MEMBER SERVER
> security = ADS
> realm = HOGANAS-PLATSLAGAREN.SE
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string ="Fileserver Samba4 %h"
> log file = /var/log/samba/%m.log
> log level = 5
> max log size = 2000
> username map = /etc/samba/user.map
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000
> idmap config HPLTS : backend = rid
> idmap config HPLTS : range = 30000-40000
> encrypt passwords = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind expand groups = yes
> winbind use default domain = yes
> os level = 20
> domain master = no
> local master = no
> preferred master = no
> map to guest = bad user
> host msdfs = no
> netbios name = fS1-hplts
> client min protocol = SMB2
> client max protocol = SMB3
> unix extensions = no
> reset on zero vc = yes
> hide unreadable = yes
> acl group control = yes
> acl map full control = yes
> ea support = yes
> vfs objects = acl_xattr recycle
> map acl inherit = yes
> store dos attributes = yes
> dos filemode = yes
> dos filetimes = yes
> restrict anonymous = 2
> strict allocate = yes
> guest ok = no
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> interfaces = lo enp1s0
> bind interfaces only = yes
>
> [Users]
> comment = "User home directories"
> path = /samba/Users
> browseable = yes
> read only = no
> force create mode = 0660
> force directory mode = 2770
>
> [Profiles]
> comment = "User roaming profiles"
> path = /samba/Profiles
> browseable = yes
> read only = no
> force create mode = 0660
> force directory mode = 2770
>
> [Documents]
> comment = "Shared documents"
> path = /samba/Documents
> browseable = yes
> read only = no
> force create mode = 0660
> force directory mode = 2770
>
> [Setup]
> comment = "Setup applications"
> path = /samba/Setup
>
> [Legacy]
> comment = "Legacy applications (DOS & 16-bit)"
> path = /samba/Legacy
>
> [Robotics]
> comment = "Industrial systems"
> path = /samba/Robotics
>
> The samba AD config is this one
>
> [global]
> netbios name = DC1-HPLTS
> realm = HOGANAS-PLATSLAGAREN.SE
> server role = active directory domain controller
> workgroup = HPLTS
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 8.8.8.8
> allow dns updates
> [netlogon]
> path = /var/lib/samba/sysvol/hoganas-platslagaren.se/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam and protects your privacy. You can get a free certificate at https://www.dgn.de/dgncert/index.html