Adam Tauno Williams
2012-Dec-15 02:57 UTC
[Samba] Samba4 Domain UP, but no roaming profiles
I've performed a *successful* domain migration from S3/LDAPSAM to S4.0.0. Yay! I can browse and connect to the server from a workstation [logged in as a local account]. DNS looks good. kinit & klist work. I was able to *add* a workstation to the domain.

But I can't get roaming profiles to work. On the server the roaming profile looks like -

[profiles]
path = /opt/s4/var/profiles
read only = No
profile acls = Yes
writeable = yes
create mask = 0600
directory mask = 0700

--
Adam Tauno Williams GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
Hi,

The problem is your smb.conf [profiles]. The only options you need are the path and read only = no. Control access from Windows with an ACL applied to the profiles share security properties rather than forcing permissions from Samba. S4 is different from S3. I'm not sure if those mask options work in S4 but, if they do, those values will deny all access set through extended ACLs because those are applied through the group class.

Fix smb.conf and start with an empty profiles directory with drwxr-xr-x. root:root. Browse to the profiles share from a Windows client in the domain and open the security properties (as Administrator). You can remove entries for Everyone, CREATOR OWNER, CREATOR GROUP, etc. Leave the entry for Administrator. Add an entry for Domain Users with read/execute/write permissions for this folder only. If you look at the profiles directory from linux it will now look like drwxrwx---+ root:root. getfacl will show you the Posix ACLs created from Windows.

From Windows ADUC add the roaming profiles path to the user's profile. When you login as the user his profile folder will be created automatically. If you browse the profiles share again and look at the security settings of the user's folder it will show only the user and SYSTEM, both with full control. This gives the access control you are trying to achieve.

Tip: There is a GPO setting under computer-policies-templates-system-user profiles to add the administrators group to roaming profiles. This is a good idea, otherwise administrators cannot browse the profile folders.

Regards,
Stephen Jones
Lloyd Systems Engineering

On Sat, Dec 15, 2012, at 01:57 PM, Adam Tauno Williams wrote:
> I've performed a *successful* domain migration from S3/LDAPSAM to
> S4.0.0. Yay! I can browse and connect to the server from a
> workstation [logged in as a local account]. DNS looks good. kinit &
> klist work. I was able to *add* a workstation to the domain.
>
> But I can't get roaming profiles to work. On the server the roaming
> profile looks like -
>
> [profiles]
> path = /opt/s4/var/profiles
> read only = No
> profile acls = Yes
> writeable = yes
> create mask = 0600
> directory mask = 0700
>
> --
> Adam Tauno Williams GPG D95ED383
> Systems Administrator, Python Developer, LPI / NCLA
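The reply's rule for the [profiles] share (keep only "path" and "read only", let the Windows-side ACLs carry the access control) turned into a small audit script. This is an added example, not code from the thread or from the Samba project: it assumes a POSIX sh with awk, the function names are mine, and the two smb.conf files it checks are constructed here (the first reproduces the stanza from the original post, the second the corrected one).

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Audits the [profiles]
# share of an smb.conf against the rule in the reply above: the stanza
# should carry only "path" and "read only"; anything else (create mask,
# directory mask, profile acls, ...) is flagged because it overrides the
# ACLs set from Windows. Assumes POSIX sh with awk; sample files are
# constructed below.

# Print the non-comment, non-empty lines of the [profiles] section.
profiles_section() {
    awk '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[profiles\][ \t]*$/); next }
        insec && !/^[ \t]*[#;]/ && NF { print }
    ' "$1"
}

# Print every option in [profiles] other than "path" and "read only",
# lower-cased, one per line. Empty output means the stanza is minimal.
extra_profile_options() {
    profiles_section "$1" | awk -F= '{
        key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key != "path" && key != "read only") print key
    }'
}

# Exit status 0 when the stanza is minimal, 1 when extra options are set.
check_profiles_share() {
    extra=$(extra_profile_options "$1")
    if [ -n "$extra" ]; then
        printf '%s: remove from [profiles]: %s\n' "$1" \
            "$(printf '%s\n' "$extra" | tr '\n' ',' | sed 's/,$//')"
        return 1
    fi
    printf '%s: [profiles] is minimal\n' "$1"
}

# Print the minimal stanza the reply recommends, keeping the configured path.
minimal_profiles_stanza() {
    ppath=$(profiles_section "$1" | awk -F= '{
        key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key == "path") { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }
    }')
    printf '[profiles]\n    path = %s\n    read only = No\n' "$ppath"
}

# Constructed samples: the stanza from the original post, then the corrected one.
BAD_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
cat >"$BAD_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
[profiles]
    path = /opt/s4/var/profiles
    read only = No
    profile acls = Yes
    writeable = yes
    create mask = 0600
    directory mask = 0700
EOF
cat >"$GOOD_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
[profiles]
    path = /opt/s4/var/profiles
    read only = No
EOF

# Stand-alone run: flag the original stanza and print its minimal replacement.
check_profiles_share "$BAD_CONF" || minimal_profiles_stanza "$BAD_CONF"
check_profiles_share "$GOOD_CONF"
```

Run it against the real file with `check_profiles_share /etc/samba/smb.conf` (or wherever the S4 install keeps it); the section parser is deliberately case-insensitive because Samba treats option names that way, and the minimal stanza keeps whatever path was already configured so nothing about the share location changes.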