[Samba] Profile problem

Stefan Kania stefan at kania-online.de
Sat Feb 6 09:58:47 UTC 2021


You should use a GPO to assign the profiles and not the setting of each
user. The profile directory of each user will be created by the
user account, so the permission on /samba/profile should be "1770 root
domain users"

On 06.02.21 at 10:47, Anders Östling via samba wrote:
> Hi all
>
> I have started to rebuild a client’s samba environment from scratch on Debian. The plan is to use Samba AD instead of Windows AD, and to use a Samba FS for everything else. AFAIK the AD and FS setup is done correctly since I can logon from a Windows client, map home drive and map application drives.
>
> The problem is that roaming profiles don’t work. I have linked to a screenshot taken on the Windows 10 desktop that shows
>
> Event log error
> Profile share permissions
> Profile folder permissions
> Folder with mapped drives (done by netlogon script run from sysvol)
> The user account settings
>
> https://drive.google.com/file/d/1vMRAGJn-01UWARN5Hs8LflMKDtaOt6vU/view?usp=sharing
>
> ACL permissions for the Profiles share
>
> root at fs1-hplts:/samba# getfacl Profiles/
> # file: Profiles/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:30512:rwx
> user:30513:r-x
> group::---
> group:root:---
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:domain\040users:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:30512:rwx
> default:group::---
> default:group:root:---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> The samba FS config goes here (I changed the profiles share to browsable in order to view the share for troubleshooting)
>
> [global]
>    workgroup = HPLTS
>    server role = MEMBER SERVER
>    security = ADS
>    realm = HOGANAS-PLATSLAGAREN.SE
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    server string ="Fileserver Samba4 %h"
>    log file = /var/log/samba/%m.log
>    log level = 5
>    max logsize = 2000
>    username map = /etc/samba/user.map
>    idmap config * : backend = tdb
>    idmap config * : range = 10000-20000
>    idmap config HPLTS : backend = rid
>    idmap config HPLTS : range = 30000-40000
>    encrypt passwords = yes
>    winbind refresh tickets = yes
>    winbind offline logon = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind nested groups = yes
>    winbind expand groups = yes
>    winbind use default domain = yes
>    os level = 20
>    domain master = no
>    local master = no
>    preferred master = no
>    map to guest = bad user
>    host msdfs = no
>    netbios name = fS1-hplts
>    client min protocol = SMB2
>    client max protocol = SMB3
>    unix extensions = no
>    reset on zero vc = yes
>    hide unreadable = yes
>    acl group control = yes
>    acl map full control = yes
>    ea support = yes
>    vfs objects = acl_xattr recycle
>    map acl inherit = yes
>    store dos attributes = yes
>    dos filemode = yes
>    dos filetimes = yes
>    restrict anonymous = 2
>    strict allocate = yes
>    guest ok = no
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
>    interfaces = lo enp1s0
>    bind interfaces only = yes
>
> [Users]
>    comment = "User home directories"
>    path = /samba/Users
>    browseable = yes
>    read only = no
>    force create mode = 0660
>    force directory mode = 2770
>
> [Profiles]
>    comment = "User roaming profiles"
>    path = /samba/Profiles
>    browseable = yes
>    read only = no
>    force create mode = 0660
>    force directory mode = 2770
>
> [Documents]
>    comment = "Shared documents"
>    path = /samba/Documents
>    browseable = yes
>    read only = no
>    force create mode = 0660
>    force directory mode = 2770
>
> [Setup]
>    comment = "Setup applications"
>    path = /samba/Setup
>
> [Legacy]
>    comment = "Legacy applications (DOS & 16-bit)"
>    path = /samba/Legacy
>
> [Robotics]
>    comment = "Industrial systems"
>    path = /samba/Robotics
>
> The samba AD config is this one
>
> [global]
>         netbios name = DC1-HPLTS
>         realm = HOGANAS-PLATSLAGAREN.SE
>         server role = active directory domain controller
>         workgroup = HPLTS
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 8.8.8.8
>         allow dns updates
> [netlogon]
>         path = /var/lib/samba/sysvol/hoganas-platslagaren.se/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
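As an added illustration (not part of the thread, and not Samba project code), the following Python script audits the root directory of a roaming-profile share against the layout Stefan recommends: mode 1770, owned by root, group "domain users". Each finding explains which part of that layout is violated and why it matters: the sticky bit stops users from deleting or renaming each other's profile folders, the group rwx lets each domain user create their own folder at first logon, and no "other" bits keeps the root closed to non-members. The path, the expected uid/group, and the scratch directory used by demo() are assumptions so the script can run unprivileged on any Linux host.

```python
import grp
import os
import pwd
import stat
import tempfile

# Layout from the reply: sticky bit, rwx for owner (root) and the
# "domain users" group, nothing for everyone else.
EXPECTED_MODE = 0o1770


def _name(lookup, ident):
    """Resolve a uid/gid to a name for readable findings; fall back to the number."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)


def check_profile_root(path, expected_uid=0, expected_group="domain users"):
    """Audit the root of a roaming-profile share.

    Returns a list of findings; an empty list means the directory matches the
    1770 root:"domain users" layout. expected_group may be a name or a gid.
    """
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []

    # Sticky bit: users may create their own profile folder but may only
    # delete or rename what they own, which makes a group-writable root safe.
    if not mode & stat.S_ISVTX:
        findings.append(f"sticky bit missing (mode {mode:04o}); users could "
                        "remove or rename each other's profile folders")
    # Owner and group need rwx: root to manage the tree, domain users to
    # create their own profile folder at first logon.
    if mode & 0o770 != 0o770:
        findings.append(f"owner and group need rwx, found {mode:04o}")
    # 'other' must have no rights: the profile root is not for non-members.
    if mode & 0o007:
        findings.append(f"'other' has permissions (mode {mode:04o}); expected none")
    if not findings and mode != EXPECTED_MODE:
        findings.append(f"mode is {mode:04o}, expected {EXPECTED_MODE:04o}")

    if st.st_uid != expected_uid:
        findings.append(f"owner is {_name(pwd.getpwuid, st.st_uid)}, "
                        f"expected {_name(pwd.getpwuid, expected_uid)}")
    try:
        gid = expected_group if isinstance(expected_group, int) \
            else grp.getgrnam(expected_group).gr_gid
    except KeyError:
        # A domain group that does not resolve usually means winbind is not
        # answering, or the name needs the DOMAIN\ prefix because
        # 'winbind use default domain' is not set.
        findings.append(f"group '{expected_group}' does not resolve on this host")
        return findings
    if st.st_gid != gid:
        findings.append(f"group is {_name(grp.getgrgid, st.st_gid)}, "
                        f"expected {_name(grp.getgrgid, gid)}")
    return findings


def remediation(path, group="domain users"):
    """Commands that would bring the directory to the recommended layout."""
    return [f"chown root:'{group}' '{path}'", f"chmod {EXPECTED_MODE:04o} '{path}'"]


def demo(modes=(0o1770, 0o2770, 0o1777, 0o0770), expected_uid=None, expected_group=None):
    """Apply each mode to a scratch 'Profiles' directory (constructed here) and
    collect the findings. Defaults to the current uid/gid as the expected
    owner and group so it runs without privileges."""
    uid = os.getuid() if expected_uid is None else expected_uid
    group = os.getgid() if expected_group is None else expected_group
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "Profiles")
        os.mkdir(root)
        for mode in modes:
            os.chmod(root, mode)
            results[f"{mode:04o}"] = check_profile_root(root, uid, group)
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings or "OK")
    print(remediation("/samba/Profiles"))
```

On a real file server run check_profile_root("/samba/Profiles") as root; a clean result means the share root itself is not the reason a profile folder cannot be created, and attention can move to the GPO that assigns the profile path.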