?icro MEGAS
2014-Oct-30 14:12 UTC
[Samba] roaming profile does not work for "Domain Admins"
Hello list, I am facing an issue which I cannot explain myself. The roaming profiles don't work for users that are members of the group "Domain Admins". The [profiles] share on the member server was configured exactly as explained on the wiki for roaming profiles. It works like a charm for all domain users, *BUT*: if a user is member of the group "Domain Admins" it *doesn't* :-( That means in detail: I create a new user "test1" and assign the correct profile directory to that user (\\membersrv\profiles\test1). I add this user also to the "MYDOM\Domain Admins" group. On the windows client I login for the first time with "test1" user and I watch the content of the linux filesystem on my member server. As soon as "test1" is logged in on the client, a directory membersrv:/srv/samba/profiles/test1 is created with the appropriate mode and owner+group. Until here everything is fine, but as soon as user "test1" logs off, *NO DATA IS WRITTEN* into its roaming profile directory. When I remove that user "test1" from the group "Domain Admins", so in result "test1" is not a member of "Domain Admins" anymore, the roaming profile works like a charm as one would expect. When the user logs off, data is written correctly to its roaming profile. I don't suspect security issues on Windows or POSIX ACLs, because the user "test1" can create directory "something" on \\membersrv\profiles and inside \\membersrv\profiles\something he is allowed to create subdirs or files. I don't think that's the problem. I ensured that by putting "EVERYONE" to sharing and security settings for the [profiles] share, but it didn't help either. I cannot explain myself where this is related to. I'm stuck here for many hours and have no clue where else to look at. Any help really appreciated. Mirco
L.P.H. van Belle
2014-Oct-30 15:12 UTC
[Samba] roaming profile does not work for "Domain Admins"
and what does your windows pc event log tell us?>-----Oorspronkelijk bericht----- >Van: micromegas at mail333.com >[mailto:samba-bounces at lists.samba.org] Namens ?icro MEGAS >Verzonden: donderdag 30 oktober 2014 15:12 >Aan: samba at lists.samba.org >Onderwerp: [Samba] roaming profile does not work for "Domain Admins" > >Hello list, > >I am facing an issue which I cannot explain myself. The >roaming profiles don't work for users that are members of the >group "Domain Admins". The [profiles] share on the member >server was configured exactly as explained on the wiki for >roaming profiles. It works like a charm for all domain users, >*BUT*: if a user is member of the group "Domain Admins" it >*doesn't* :-( That means in detail: > >I create a new user "test1" and assign the correct profile >directory to that user (\\membersrv\profiles\test1). I add >this user also to the "MYDOM\Domain Admins" group. On the >windows client I login for the first time with "test1" user >and I watch the content of the linux filesystem on my member >server. As soon as "test1" is logged in on the client, a >directory membersrv:/srv/samba/profiles/test1 is created with >the appropriate mode and owner+group. Until here everything is >fine, but as soon as user "test1" logs off, *NO DATA IS >WRITTEN* into its roaming profile directory. > >When I remove that user "test1" from the group "Domain >Admins", so in result "test1" is not a member of "Domain >Admins" anymore, the roaming profile works like a charm as one >would expect. When the user logs off, data is written >correctly to its roaming profile. > >I don't suspect security issues on Windows or POSIX ACLs, >because the user "test1" can create directory "something" on >\\membersrv\profiles and inside \\membersrv\profiles\something >he is allowed to create subdirs or files. I don't think that's >the problem. I ensured that by putting "EVERYONE" to sharing >and security settings for the [profiles] share, but it didn't >help either. > >I cannot explain myself where this is related to. I'm stuck >here for many hours and have no clue where else to look at. >Any help really appreciated. > >Mirco >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba > >