Micro MEGAS
2014-Oct-30 22:25 UTC
[Samba] roaming profile does not work for "Domain Admins"
I am facing an issue which I cannot explain to myself. The roaming profiles don't work for users that are members of the group "Domain Admins". The [profiles] share on the member server was configured exactly as explained on the wiki for roaming profiles. It works like a charm for all domain users, *BUT*: if a user is a member of the group "Domain Admins" it *doesn't* :-( That means in detail:

I create a new user "test1" and assign the correct profile directory to that user (\\membersrv\profiles\test1). I add this user also to the "MYDOM\Domain Admins" group. On the Windows client I log in for the first time with the "test1" user and I watch the content of the Linux filesystem on my member server. As soon as "test1" is logged in on the client, a directory membersrv:/srv/samba/profiles/test1 is created with the appropriate mode and owner+group. Until here everything is fine, but as soon as user "test1" logs off, *NO DATA IS WRITTEN* into its roaming profile directory.

When I remove that user "test1" from the group "Domain Admins", so that "test1" is not a member of "Domain Admins" anymore, the roaming profile works like a charm as one would expect. When the user logs off, data is written correctly to its roaming profile.

I don't suspect security issues on Windows or POSIX ACLs, because the user "test1" can create directory "something" on \\membersrv\profiles and inside \\membersrv\profiles\something he is allowed to create subdirs or files. I don't think that's the problem. I ensured that by putting "EVERYONE" in the sharing and security settings for the [profiles] share, but it didn't help either.

I cannot explain to myself what this is related to. I'm stuck here for many hours and have no clue where else to look. Any help really appreciated.

Mirco

Meanwhile I spent about 12 hours (!) on that problem and still didn't solve it. It's really frustrating me :( The problem occurs with a Windows XP workstation as well as on a Win7 workstation.

Even when I "mkdir -p /new/dir" on the member server, create a new share in smb.conf, then have "Everyone" in the sharing settings and "Everyone" in the security settings with FULL access, and assign the profile of user "johndoe" to \\membersrv\newshare\johndoe, it doesn't work. As I said before, I don't suspect security/file permissions, because the user can access that particular directory and read/write directories+files in there. And as said before: when I remove "johndoe" from the "Domain Admins" group it works fine. So what the hell is causing that problem?

I also checked my GPOs if there's something active, but there is not. I only have the "default domain controller policy" and "default domain policy". The latter one is empty, there are no objects. And even when I check with "gpresult" on the Windows clients, there are no settings applied to those workstations. I installed a completely new Win7 workstation just some minutes before and tried with the new machine, no luck, same problem! :-( I also tried by creating new users in my AD, but it didn't help either. As long as these users are not members of "Domain Admins" it works, but when they are members of "Domain Admins" it doesn't work and they cannot use roaming profiles.

It's really really getting on my nerves meanwhile. What the hell is going on there? Why cannot members of "MYDOM\Domain Admins" use roaming profiles? Please if anyone has an idea where to look, I'd really appreciate it. Thanks a lot in advance.

Mirco
Rowland Penny
2014-Oct-30 22:37 UTC
[Samba] roaming profile does not work for "Domain Admins"
On 30/10/14 22:25, Micro MEGAS wrote:
> I am facing an issue which I cannot explain myself. The roaming profiles don't work for users that are members of the group "Domain Admins". The [profiles] share on the member server was configured exactly as explained on the wiki for roaming profiles. It works like a charm for all domain users, *BUT*: if a user is member of the group "Domain Admins" it *doesn't* :-(
> [...]
> Why cannot members of "MYDOM\Domain Admins" use roaming profiles? Please if anyone has an idea where to look at, I'd really appreciate it. Thanks a lot in advance.
>
> Mirco

HI Mirco, Isn't samba4 AD wonderful, the way it works just like a Windows AD DC :-)

Yes, the problem you're having isn't a problem, it is the way that Microsoft designed it, see here:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/7f03c07e-5a71-4ff3-abc1-50d3c14bf982/why-do-roaming-profiles-exclude-domain-admin-access?forum=winserverGP

Rowland
Marc Muehlfeld
2014-Oct-30 22:48 UTC
[Samba] roaming profile does not work for "Domain Admins"
Hello Mirco,

On 30.10.2014 at 23:25, Micro MEGAS wrote:
> I create a new user "test1" and assign the correct profile directory to that user (\\membersrv\profiles\test1). I add this user also to the "MYDOM\Domain Admins" group. On the windows client I login for the first time with "test1" user and I watch the content of the linux filesystem on my member server. As soon as "test1" is logged in on the client, a directory membersrv:/srv/samba/profiles/test1 is created with the appropriate mode and owner+group. Until here everything is fine, but as soon as user "test1" logs off, *NO DATA IS WRITTEN* into its roaming profile directory.

Sorry. I _can't_ confirm this. I tried this exactly on my 4.1.13 test environment. After the first login the profile directory is created and if the account logs off, the profile is uploaded in there. And I made sure that this account has Domain Admin permissions. I also used this account to add an additional account.

My test environment is set up exactly as described in https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles (with Windows ACLs). No additional stuff is done like other ACLs, etc. It's 100% like documented there and works.

What are the differences between the HowTo and your setup? And what Samba version are you running?

Regards,
Marc
Micro MEGAS
2014-Oct-30 23:19 UTC
[Samba] [SOLVED] roaming profile does not work for "Domain Admins"
> HI Mirco, Isn't samba4 AD wonderful, the way it works just like a windows AD DC :-)
>
> Yes, the problem you having isn't a problem, it is the way that microsoft designed it, see here:
>
> https://social.technet.microsoft.com/Forums/windowsserver/en-US/7f03c07e-5a71-4ff3-abc1-50d3c14bf982/why-do-roaming-profiles-exclude-domain-admin-access?forum=winserverGP
> Rowland

Dear Rowland,

I do not agree because

a.) at last I did find the culprit which was causing that problem. I am glad that I *SOLVED IT* but on the other side I'm kinda disappointed because the root of that evil is your so highly-praised "smbmap" feature which already caused a lot of discussion here on the list. I will go into detail and explain at the bottom of this message.

b.) the link you posted is a completely different issue. The issue reported there is that roaming profiles created by Windows by default allow only the creator/owner and SYSTEM to access it and no one else. For example: when user "johndoe" logs in for the first time and his roaming profile is created, the directory \\server\sharename\johndoe has only two objects in the Windows Security Settings. They are "johndoe" itself and "SYSTEM". No one else has access to it. Many administrators hate this default behaviour because they cannot browse the files in these directories although they are domain admins. I told you the reason why they cannot. This issue is explained and discussed on many other sites around the net. Just google for "roaming profile domain admins" and you will find a lot of hits, as well as some tech sheets and explanations from Microsoft or even some workarounds with neat scripts.

Well, now back to point a.), the explanation why I ran into that issue. As I stated before, the root of the evil was the "smbmap" feature. How did I find out? On the fresh new Win7 machine I installed for my tests, I got some more detailed information in the event viewer and I saw a message in there for the failing "roaming profile". It explained in detail that the user *must be owner of the roaming profile directory*. The solution is to make the user the owner of their profile folder. And now guess why the directories of these three administrators had the following owner/group assigned:

root:root johndoe.v2
root:root foobar
root:root admin3

I tell you, because when you use the smbmap feature as suggested many times by you, the user itself becomes "root" to the machine and Windows only sees "root" but expects "foobar" and *THAT'S THE CULPRIT*. As you realized in the past days, I reported some issues to the samba lists where the "smbmap" feature again was causing headache. Now after that horrible scenario I had to face, and moreover so many hours I had to spend, I certainly am sure *NOT TO USE* the *username map* directive in future, and now I understand why a few days ago a samba developer suggested me NOT TO USE it. I should have listened to him.

You can read the technical details and see also the event viewer message that was logged on my Win7 workstation which helped me to find the culprit. Although they are related to other Windows versions, the event viewer message is exactly the same as I did receive it on my Win7 machine. The content is self-explanatory, read here:

http://support.microsoft.com/kb/327259
http://support.microsoft.com/kb/327462

Cheers,
Mirco.
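As an added example (not code from the thread and not part of Samba), the following POSIX shell script audits a member server for the two conditions Mirco describes: a "username map" that turns domain accounts into root, and profile directories owned by root instead of the user they belong to, which is what makes Windows refuse to upload the profile at logoff. The map file path (/etc/samba/user.map), the profile share path (/srv/samba/profiles, the path Mirco mentions) and GNU stat/find are assumptions; the functions themselves only depend on sed and awk.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: audit a
# Samba member server for the two things Mirco's event-log message pointed at.
#   1. "username map" lines whose Unix side is root: every Windows account on
#      the right-hand side creates files as root, so its profile directory ends
#      up root:root and Windows refuses to upload the profile (it insists that
#      the logging-on user owns the folder, see KB 327259).
#   2. profile directories whose POSIX owner is not the user they are named
#      after, plus the chown commands that would repair them.
# Assumed, not stated in the thread: the map file path (/etc/samba/user.map),
# the profile share path (/srv/samba/profiles) and GNU stat/find (Linux).

# Print the Windows accounts that a username map file maps onto root.
# File format as smb.conf(5) documents it: "unixname = winname [winname...]",
# an optional leading "!" (stop on match) and "#"/";" comment lines.
map_root_entries() {
    sed -e 's/^[[:space:]]*!//' -e 's/^[[:space:]]*[;#].*$//' "$1" |
    awk -F= 'NF >= 2 {
        u = $1; gsub(/^[ \t]+|[ \t]+$/, "", u)
        if (u == "root") { w = $2; gsub(/^[ \t]+|[ \t]+$/, "", w); print w }
    }'
}

# Read "owner path" lines on stdin (the shape "stat -c '%U %n'" prints) and
# print one line per directory whose owner is not the user it is named after.
# A ".V2".."V6" suffix (Windows profile versions, e.g. johndoe.V2) is ignored
# and a "DOMAIN\" or "DOMAIN+" prefix on the owner (winbind separator) dropped.
profile_owner_mismatches() {
    awk '{
        owner = $1; dir = substr($0, length($1) + 2)
        sub(/^.*[\\+]/, "", owner)                               # MYDOM\johndoe -> johndoe
        want = dir; sub(/\/$/, "", want); sub(/^.*\//, "", want) # basename of the path
        sub(/\.[Vv][2-6]$/, "", want)                            # johndoe.V2 -> johndoe
        if (tolower(owner) != tolower(want))
            printf "%s owner=%s expected=%s\n", dir, owner, want
    }'
}

# Turn mismatch lines into the chown commands that would fix them. They are
# printed, not executed, so an operator can review them before running them.
profile_fix_commands() {
    awk 'NF >= 3 { dir = $1; want = $3; sub(/^expected=/, "", want)
                   printf "chown -R \"%s\" \"%s\"\n", want, dir }'
}

# Usage on a real server:  sh audit_profiles.sh audit [mapfile] [profiledir]
if [ "${1:-}" = "audit" ]; then
    MAP=${2:-/etc/samba/user.map}
    PROFILES=${3:-/srv/samba/profiles}
    echo "== Windows accounts mapped to root in $MAP =="
    map_root_entries "$MAP"
    echo "== Profile directories under $PROFILES not owned by their user =="
    mm=$(find "$PROFILES" -mindepth 1 -maxdepth 1 -type d -exec stat -c '%U %n' {} +
         | profile_owner_mismatches)
    printf '%s\n' "$mm"
    echo "== Suggested fixes (review before running) =="
    [ -n "$mm" ] && printf '%s\n' "$mm" | profile_fix_commands
fi
```

The second check is the server-side counterpart of the Windows logoff error Mirco found in the event viewer: Windows compares the profile folder's owner with the logging-on user, so a root:root directory created through a root mapping fails even when the ACLs grant the user full access, which is why widening share and NTFS permissions to "Everyone" changed nothing.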
L.P.H. van Belle
2014-Oct-31 07:46 UTC
[Samba] [SOLVED] roaming profile does not work for "Domain Admins"
Pff what a discussion, but that's good ;-) but you didn't tell us what was in your Windows event log... which is very helpful.. and this setting: "Do not check for user Ownership of Roaming Profile Folders." is a very well known setting, but should not be needed. Good that you did find it yourself.

You can even set:

acl_xattr:ignore system acl = yes

on the profile share to have an even better ACL compatibility.

I also have "Domain Admins" on all my users' folders and profile folders. So, and I have the smb user map also and it's working fine.. But in my case there is NO domain admin with roaming profiles.... why... If you log in on an infected PC, you can get this infection in your profile. If you now log in on a server, you will infect your server. And because of this I really advise to split users (people who just do office work) from administrators. No users should have admin rights, only when needed, and not while just working.

I was thinking you already had the "Do not check for user Ownership of Roaming Profile Folders." enabled. This is why I needed the event message in Windows.

But good to hear it's solved.

Greetz,
Louis

> -----Original message-----
> From: micromegas at mail333.com [mailto:samba-bounces at lists.samba.org] On behalf of Micro MEGAS
> Sent: Friday 31 October 2014 0:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] [SOLVED] roaming profile does not work for "Domain Admins"
>
> [...]