Rowland Penny
2015-Jul-03 17:21 UTC
[Samba] Samba4 roaming profiles & ownership of profile.V2 folders
On 03/07/15 17:45, Gary Dale wrote:
> On 03/07/15 02:44 AM, Gary Dale wrote:
>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>> server but I can't get them to work for the other accounts. The
>> differences are that the one account is also a Linux account in the
>> AD DC and is in the Domain Admins group. The other accounts were
>> created with ADUC on a Windows 7 machine logged in as the Domain
>> Admins user just mentioned. They are Domain Users but not Admins and
>> have no corresponding Linux account.
>>
>> I got that one account to work by taking ownership of its profile
>> directory. However Windows 7 currently only offers me two choices for
>> accounts that can take ownership of a profile directory (Domain
>> Admins and that one account are both listed. Other accounts are not
>> in the creator/owner tab).
>>
>> I've given Domain User full control of the profile folders but that
>> doesn't seem to be good enough to get the profiles to be loaded and
>> saved (the Linux permissions are 777).
>>
>> And yes, I've set profile for each user using the Windows MMC plugin.
>>
>> Any ideas on what I'm missing?
>
> Further to above, I added one of the user accounts to the Domain
> Admins but still couldn't get a roaming profile to work for it.

Hi,

have a look here:
https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

Rowland
Gary Dale
2015-Jul-03 23:58 UTC
[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
On 03/07/15 01:21 PM, Rowland Penny wrote:
> On 03/07/15 17:45, Gary Dale wrote:
>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>> server but I can't get them to work for the other accounts. The
>>> differences are that the one account is also a Linux account in the
>>> AD DC and is in the Domain Admins group. The other accounts were
>>> created with ADUC on a Windows 7 machine logged in as the Domain
>>> Admins user just mentioned. They are Domain Users but not Admins and
>>> have no corresponding Linux account.
>>>
>>> I got that one account to work by taking ownership of its profile
>>> directory. However Windows 7 currently only offers me two choices
>>> for accounts that can take ownership of a profile directory (Domain
>>> Admins and that one account are both listed. Other accounts are not
>>> in the creator/owner tab).
>>>
>>> I've given Domain User full control of the profile folders but that
>>> doesn't seem to be good enough to get the profiles to be loaded and
>>> saved (the Linux permissions are 777).
>>>
>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>
>>> Any ideas on what I'm missing?
>>
>> Further to above, I added one of the user accounts to the Domain
>> Admins but still couldn't get a roaming profile to work for it.
>
> Hi, have a look here:
> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>
> Rowland

Thanks. I'd been trying that without success. The section on using ACLs doesn't work in my case for some reason.

For example, the section in preparatory work says to:

    setfacl -m g:"domain admins":rwx /srv/samba/Demo/

where I substituted my profiles path for their path. When I run it, I get

    # setfacl -m g:"domain admins":rwx /home/samba/profiles
    setfacl: Option -m: Invalid argument near character 3

The AD DC doesn't seem to recognize domain users or groups at all. And on the Windows end, the ability to set privileges based on domain groups or users seems spotty. Sometimes it works and sometimes it doesn't.

Similarly in the section "Profile share with using POSIX ACLs", I can't chgrp to a domain group.

What finally worked was to ignore all the errors and just add the extra lines to the share definition in smb.conf:

    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
    profile acls = yes
    csc policy = disable

Once I did that (and reloaded the config) the other profiles started working.
Gary Dale
2015-Jul-04 00:11 UTC
[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
On 03/07/15 07:58 PM, Gary Dale wrote:
> On 03/07/15 01:21 PM, Rowland Penny wrote:
>> On 03/07/15 17:45, Gary Dale wrote:
>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>>> server but I can't get them to work for the other accounts. The
>>>> differences are that the one account is also a Linux account in the
>>>> AD DC and is in the Domain Admins group. The other accounts were
>>>> created with ADUC on a Windows 7 machine logged in as the Domain
>>>> Admins user just mentioned. They are Domain Users but not Admins
>>>> and have no corresponding Linux account.
>>>>
>>>> I got that one account to work by taking ownership of its profile
>>>> directory. However Windows 7 currently only offers me two choices
>>>> for accounts that can take ownership of a profile directory (Domain
>>>> Admins and that one account are both listed. Other accounts are not
>>>> in the creator/owner tab).
>>>>
>>>> I've given Domain User full control of the profile folders but that
>>>> doesn't seem to be good enough to get the profiles to be loaded and
>>>> saved (the Linux permissions are 777).
>>>>
>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>>
>>>> Any ideas on what I'm missing?
>>>
>>> Further to above, I added one of the user accounts to the Domain
>>> Admins but still couldn't get a roaming profile to work for it.
>>
>> Hi, have a look here:
>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>
>> Rowland
>
> Thanks. I'd been trying that without success. The section on using
> ACLs doesn't work in my case for some reason.
>
> For example, the section in preparatory work says to:
> setfacl -m g:"domain admins":rwx /srv/samba/Demo/
> where I substituted my profiles path for their path. When I run it, I get
> # setfacl -m g:"domain admins":rwx /home/samba/profiles
> setfacl: Option -m: Invalid argument near character 3
>
> The AD DC doesn't seem to recognize domain users or groups at all. And
> on the Windows end, the ability to set privileges based on domain
> groups or users seems spotty. Sometimes it works and sometimes it
> doesn't.
>
> Similarly in the section "Profile share with using POSIX ACLs", I
> can't chgrp to a domain group.
>
> What finally worked was to ignore all the errors and just add the
> extra lines to the share definition in smb.conf:
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = yes
> csc policy = disable
>
> Once I did that (and reloaded the config) the other profiles started
> working.

Actually, spoke too soon. There is still a minor glitch in that I need to connect to a share before the profiles get saved. It doesn't have to be the profiles share, but if I don't have a share connected, the profile isn't saved.

Fortunately each workstation is supposed to have at least one connection to a share.
Rowland Penny
2015-Jul-04 08:22 UTC
[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
On 04/07/15 00:58, Gary Dale wrote:
> On 03/07/15 01:21 PM, Rowland Penny wrote:
>> On 03/07/15 17:45, Gary Dale wrote:
>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>>> server but I can't get them to work for the other accounts. The
>>>> differences are that the one account is also a Linux account in the
>>>> AD DC and is in the Domain Admins group. The other accounts were
>>>> created with ADUC on a Windows 7 machine logged in as the Domain
>>>> Admins user just mentioned. They are Domain Users but not Admins
>>>> and have no corresponding Linux account.
>>>>
>>>> I got that one account to work by taking ownership of its profile
>>>> directory. However Windows 7 currently only offers me two choices
>>>> for accounts that can take ownership of a profile directory (Domain
>>>> Admins and that one account are both listed. Other accounts are not
>>>> in the creator/owner tab).
>>>>
>>>> I've given Domain User full control of the profile folders but that
>>>> doesn't seem to be good enough to get the profiles to be loaded and
>>>> saved (the Linux permissions are 777).
>>>>
>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>>
>>>> Any ideas on what I'm missing?
>>>
>>> Further to above, I added one of the user accounts to the Domain
>>> Admins but still couldn't get a roaming profile to work for it.
>>
>> Hi, have a look here:
>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>
>> Rowland
>
> Thanks. I'd been trying that without success. The section on using
> ACLs doesn't work in my case for some reason.
>

The 'reason' is probably why profiles don't work. Are you doing this on a DC or a member server?

on a DC I get this:

root@dc01:~# getent group "domain admins"
EXAMPLE\Domain Admins:*:10002:

and on a member server:

rowland@ThinkPad ~ $ getent group "domain admins"
domain_admins:x:10002:s4admin,rowland,administrator

I have RFC2307 attributes in AD and winbind set up on both.

> For example, the section in preparatory work says to:
> setfacl -m g:"domain admins":rwx /srv/samba/Demo/
> where I substituted my profiles path for their path. When I run it, I get
> # setfacl -m g:"domain admins":rwx /home/samba/profiles
> setfacl: Option -m: Invalid argument near character 3

The 'Invalid argument' is "domain admins", your machine does not recognise it.

>
> The AD DC doesn't seem to recognize domain users or groups at all. And
> on the Windows end, the ability to set privileges based on domain
> groups or users seems spotty. Sometimes it works and sometimes it
> doesn't.
>
> Similarly in the section "Profile share with using POSIX ACLs", I
> can't chgrp to a domain group.

Yep, your setup is not optimal.

>
> What finally worked was to ignore all the errors and just add the
> extra lines to the share definition in smb.conf:
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = yes
> csc policy = disable
>
> Once I did that (and reloaded the config) the other profiles started
> working.

That is the old way, but if it works for you.

Rowland
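
The check described in the message above (does this host resolve the domain group at all?), turned into a preflight for the `setfacl` step. This is an added example, not part of the original thread or of the Samba wiki. The function names `resolve_group` and `grant_group_rwx` are hypothetical, and it assumes `getent` and `setfacl` are installed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): resolve a domain group through NSS
# before touching ACLs, then grant access by numeric GID instead of by name.

# Print the GID of group $1 as seen by NSS (files, winbind, ...).
# Returns 1 if the name does not resolve or the entry has no numeric GID.
resolve_group() {
    local entry gid
    entry=$(getent group "$1") || return 1
    # getent format: name:passwd:gid:members (the name may contain '\' or spaces,
    # e.g. "EXAMPLE\Domain Admins:*:10002:" as shown in the thread)
    gid=$(printf '%s\n' "$entry" | head -n 1 | cut -d: -f3)
    case "$gid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$gid"
}

# Grant rwx on path $2 to group $1. Refuses to call setfacl when the group is
# unknown to this host, which is the situation behind
# "setfacl: Option -m: Invalid argument near character 3".
grant_group_rwx() {
    local group=$1 path=$2 gid
    if ! gid=$(resolve_group "$group"); then
        echo "group '$group' does not resolve via NSS on this host;" \
             "check the winbind/nsswitch setup before setting ACLs" >&2
        return 2
    fi
    # A numeric GID avoids quoting problems with names that contain spaces.
    setfacl -m "g:${gid}:rwx" "$path"
}

# Usage: ./preflight.sh "domain admins" /home/samba/profiles
if [ "$#" -eq 2 ]; then
    grant_group_rwx "$1" "$2"
fi
```

An exit status of 2 means the ACL was never attempted, so the share permissions are unchanged and the name-resolution problem can be fixed first.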