I'm running Samba 4.7.0 on FreeNAS 11.1-U2. It's configured as an
Active Directory Domain Controller, and I'm trying to configure roaming
profiles. I've created a profile dataset in ZFS that uses Windows
permissions. I've configured the share and file system permissions as
described in the "Using Windows ACLs" section of:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
I set the profile path for each user in Active Directory Users and Computers,
but I have two problems.

First, Domain Users can't view the contents of the profile share until I
also grant them "Read Attributes" and "Read Permissions"
rights on the root of the share. When I grant these extra permissions, the
Windows 7 workstations will create the user's user.V2 folder under the
profile share the first time a user logs in.

Second, the roaming profile won't actually be saved in the newly created
user.V2 folder until I grant the user full control on their folder. Windows
shows that the folder is owned by the user and that OWNER has full control on
the folder. The user can even grant themselves full control to the folder.
They just have to log out, log in, and log out again after granting themselves full
control to get their roaming profile to upload to the server.

These are the profile share settings generated by FreeNAS:

[profile]
    path = "/mnt/tank/profile"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

What should I change to make roaming profiles work without manually granting the
extra permission on each user's folder?
Thanks,
Alan