Rowland Penny
2015-Jul-04 08:22 UTC
[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
On 04/07/15 00:58, Gary Dale wrote:
> On 03/07/15 01:21 PM, Rowland Penny wrote:
>> On 03/07/15 17:45, Gary Dale wrote:
>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>>> server but I can't get them to work for the other accounts. The
>>>> differences are that the one account is also a Linux account in the
>>>> AD DC and is in the Domain Admins group. The other accounts were
>>>> created with ADUC on a Windows 7 machine logged in as the Domain
>>>> Admins user just mentioned. They are Domain Users but not Admins
>>>> and have no corresponding Linux account.
>>>>
>>>> I got that one account to work by taking ownership of its profile
>>>> directory. However Windows 7 currently only offers me two choices
>>>> for accounts that can take ownership of a profile directory (Domain
>>>> Admins and that one account are both listed. Other accounts are not
>>>> in the creator/owner tab).
>>>>
>>>> I've given Domain User full control of the profile folders but that
>>>> doesn't seem to be good enough to get the profiles to be loaded and
>>>> saved (the Linux permissions are 777).
>>>>
>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>>
>>>> Any ideas on what I'm missing?
>>>
>>> Further to above, I added one of the user accounts to the Domain
>>> Admins but still couldn't get a roaming profile to work for it.
>>
>> Hi, have a look here:
>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>
>> Rowland
>
> Thanks. I'd been trying that without success. The section on using
> ACLs doesn't work in my case for some reason.
>

The 'reason' is probably why profiles don't work.

Are you doing this on a DC or a member server? On a DC I get this:

root@dc01:~# getent group "domain admins"
EXAMPLE\Domain Admins:*:10002:

and on a member server:

rowland@ThinkPad ~ $ getent group "domain admins"
domain_admins:x:10002:s4admin,rowland,administrator

I have RFC2307 attributes in AD and winbind set up on both.

> For example, the section in preparatory work says to:
> setfacl -m g:"domain admins":rwx /srv/samba/Demo/
> where I substituted my profiles path for their path. When I run it, I get
> # setfacl -m g:"domain admins":rwx /home/samba/profiles
> setfacl: Option -m: Invalid argument near character 3

The 'Invalid argument' is "domain admins", your machine does not recognise it.

>
> The AD DC doesn't seem to recognize domain users or groups at all. And
> on the Windows end, the ability to set privileges based on domain
> groups or users seems spotty. Sometimes it works and sometimes it
> doesn't.
>
> Similarly in the section "Profile share with using POSIX ACLs", I
> can't chgrp to a domain group.

Yep, your setup is not optimal.

>
> What finally worked was to ignore all the errors and just add the
> extra lines to the share definition in smb.conf:
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = yes
> csc policy = disable
>
> Once I did that (and reloaded the config) the other profiles started
> working.

That is the old way, but if it works for you.

Rowland
Gary Dale
2015-Jul-04 17:51 UTC
[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
On 04/07/15 04:22 AM, Rowland Penny wrote:
> On 04/07/15 00:58, Gary Dale wrote:
>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>> On 03/07/15 17:45, Gary Dale wrote:
>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>>>> server but I can't get them to work for the other accounts. The
>>>>> differences are that the one account is also a Linux account in
>>>>> the AD DC and is in the Domain Admins group. The other accounts
>>>>> were created with ADUC on a Windows 7 machine logged in as the
>>>>> Domain Admins user just mentioned. They are Domain Users but not
>>>>> Admins and have no corresponding Linux account.
>>>>>
>>>>> I got that one account to work by taking ownership of its profile
>>>>> directory. However Windows 7 currently only offers me two choices
>>>>> for accounts that can take ownership of a profile directory
>>>>> (Domain Admins and that one account are both listed. Other
>>>>> accounts are not in the creator/owner tab).
>>>>>
>>>>> I've given Domain User full control of the profile folders but
>>>>> that doesn't seem to be good enough to get the profiles to be
>>>>> loaded and saved (the Linux permissions are 777).
>>>>>
>>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>>>
>>>>> Any ideas on what I'm missing?
>>>>
>>>> Further to above, I added one of the user accounts to the Domain
>>>> Admins but still couldn't get a roaming profile to work for it.
>>>
>>> Hi, have a look here:
>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>
>>> Rowland
>>
>> Thanks. I'd been trying that without success. The section on using
>> ACLs doesn't work in my case for some reason.
>>
>
> The 'reason' is probably why profiles don't work.
>
> Are you doing this on a DC or a member server? On a DC I get this:
>
> root@dc01:~# getent group "domain admins"
> EXAMPLE\Domain Admins:*:10002:
>
> and on a member server:
>
> rowland@ThinkPad ~ $ getent group "domain admins"
> domain_admins:x:10002:s4admin,rowland,administrator
>
> I have RFC2307 attributes in AD and winbind set up on both.

I get nothing when I run the command on the AD DC. There are currently
no member servers.

I followed the instructions at
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and did include the
--use-rfc2307. The only change I made was it doesn't actually mention
installing kerberos but I found it necessary when I got to the
configure kerberos section.

According to the wiki, I don't have to do any winbind config, although
they don't recommend using a DC as a file server due to some problems
with winbind. Unfortunately I only have the one server in this location.
Mike
2015-Jul-04 17:59 UTC
[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
Could you try giving domain users rwx control of profile folder this way:

setfacl -m g:users:rwx

On Jul 4, 2015 1:53 PM, "Gary Dale" <garydale at torfree.net> wrote:
> On 04/07/15 04:22 AM, Rowland Penny wrote:
>
>> On 04/07/15 00:58, Gary Dale wrote:
>>
>>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>>
>>>> On 03/07/15 17:45, Gary Dale wrote:
>>>>
>>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>>
>>>>>> I've got roaming profiles for one account on a Debian/Jessie AD DC
>>>>>> server but I can't get them to work for the other accounts. The differences
>>>>>> are that the one account is also a Linux account in the AD DC and is in the
>>>>>> Domain Admins group. The other accounts were created with ADUC on a Windows
>>>>>> 7 machine logged in as the Domain Admins user just mentioned. They are
>>>>>> Domain Users but not Admins and have no corresponding Linux account.
>>>>>>
>>>>>> I got that one account to work by taking ownership of its profile
>>>>>> directory. However Windows 7 currently only offers me two choices for
>>>>>> accounts that can take ownership of a profile directory (Domain Admins and
>>>>>> that one account are both listed. Other accounts are not in the
>>>>>> creator/owner tab).
>>>>>>
>>>>>> I've given Domain User full control of the profile folders but that
>>>>>> doesn't seem to be good enough to get the profiles to be loaded and saved
>>>>>> (the Linux permissions are 777).
>>>>>>
>>>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>>>>
>>>>>> Any ideas on what I'm missing?
>>>>>>
>>>>>
>>>>> Further to above, I added one of the user accounts to the Domain
>>>>> Admins but still couldn't get a roaming profile to work for it.
>>>>>
>>>>
>>>> Hi, have a look here:
>>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>>
>>>> Rowland
>>>>
>>>
>>> Thanks. I'd been trying that without success. The section on using ACLs
>>> doesn't work in my case for some reason.
>>>
>>>
>> The 'reason' is probably why profiles don't work.
>>
>> Are you doing this on a DC or a member server? On a DC I get this:
>>
>> root@dc01:~# getent group "domain admins"
>> EXAMPLE\Domain Admins:*:10002:
>>
>> and on a member server:
>>
>> rowland@ThinkPad ~ $ getent group "domain admins"
>> domain_admins:x:10002:s4admin,rowland,administrator
>>
>> I have RFC2307 attributes in AD and winbind set up on both.
>>
>
> I get nothing when I run the command on the AD DC. There are currently no
> member servers.
>
> I followed the instructions at
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and did include the
> --use-rfc2307. The only change I made was it doesn't actually mention
> installing kerberos but I found it necessary when I got to the configure
> kerberos section.
>
> According to the wiki, I don't have to do any winbind config, although
> they don't recommend using a DC as a file server due to some problems with
> winbind. Unfortunately I only have the one server in this location.
>
Rowland Penny
2015-Jul-04 18:37 UTC
[Samba] Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]
On 04/07/15 18:51, Gary Dale wrote:
> On 04/07/15 04:22 AM, Rowland Penny wrote:
>> On 04/07/15 00:58, Gary Dale wrote:
>>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>>> On 03/07/15 17:45, Gary Dale wrote:
>>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>>> I've got roaming profiles for one account on a Debian/Jessie AD
>>>>>> DC server but I can't get them to work for the other accounts.
>>>>>> The differences are that the one account is also a Linux account
>>>>>> in the AD DC and is in the Domain Admins group. The other
>>>>>> accounts were created with ADUC on a Windows 7 machine logged in
>>>>>> as the Domain Admins user just mentioned. They are Domain Users
>>>>>> but not Admins and have no corresponding Linux account.
>>>>>>
>>>>>> I got that one account to work by taking ownership of its profile
>>>>>> directory. However Windows 7 currently only offers me two choices
>>>>>> for accounts that can take ownership of a profile directory
>>>>>> (Domain Admins and that one account are both listed. Other
>>>>>> accounts are not in the creator/owner tab).
>>>>>>
>>>>>> I've given Domain User full control of the profile folders but
>>>>>> that doesn't seem to be good enough to get the profiles to be
>>>>>> loaded and saved (the Linux permissions are 777).
>>>>>>
>>>>>> And yes, I've set profile for each user using the Windows MMC plugin.
>>>>>>
>>>>>> Any ideas on what I'm missing?
>>>>>
>>>>> Further to above, I added one of the user accounts to the Domain
>>>>> Admins but still couldn't get a roaming profile to work for it.
>>>>
>>>> Hi, have a look here:
>>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>>
>>>> Rowland
>>>
>>> Thanks. I'd been trying that without success. The section on using
>>> ACLs doesn't work in my case for some reason.
>>>
>>
>> The 'reason' is probably why profiles don't work.
>>
>> Are you doing this on a DC or a member server? On a DC I get this:
>>
>> root@dc01:~# getent group "domain admins"
>> EXAMPLE\Domain Admins:*:10002:
>>
>> and on a member server:
>>
>> rowland@ThinkPad ~ $ getent group "domain admins"
>> domain_admins:x:10002:s4admin,rowland,administrator
>>
>> I have RFC2307 attributes in AD and winbind set up on both.
>
> I get nothing when I run the command on the AD DC. There are currently
> no member servers.
>
> I followed the instructions at
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and did include the
> --use-rfc2307. The only change I made was it doesn't actually mention
> installing kerberos but I found it necessary when I got to the
> configure kerberos section.
>
> According to the wiki, I don't have to do any winbind config, although
> they don't recommend using a DC as a file server due to some problems
> with winbind. Unfortunately I only have the one server in this location.
>

Ah, well this might seem a bit stupid, but if you followed:

https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

to the letter and you have this '[Profiles]' in smb.conf, could you try
changing it to '[profiles]' i.e. change the uppercase 'P' to a lowercase
'p', reload or restart samba then try again.

Rowland
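
An added example, not part of any post in this thread and not Samba project code: a preflight for the setfacl step discussed above. It confirms the group resolves through NSS (the getent test Rowland shows) before applying the ACL by numeric GID, and it lists profile folders that are world-writable, such as ones left at 777. The function names are hypothetical; /home/samba/profiles is the path from the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Print the numeric GID if NSS (files, winbind, ...) resolves the group name.
# getent prints "name:passwd:gid:members" and exits non-zero when not found.
resolve_gid() {
    entry=$(getent group "$1") || return 1
    printf '%s\n' "$entry" | awk -F: 'NR == 1 { print $3 }'
}

# Grant rwx to a group on a directory, but only after the name resolves.
# Return codes: 2 = not a directory, 3 = group unknown to NSS,
# 4 = setfacl failed.
grant_group_rwx() {
    group=$1
    dir=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    gid=$(resolve_gid "$group") || {
        echo "group '$group' does not resolve via getent;" \
             "fix winbind/NSS before setting ACLs" >&2
        return 3
    }
    # Pass the numeric GID so setfacl does not have to parse a name
    # containing spaces.
    setfacl -m "g:${gid}:rwx" "$dir" || return 4
}

# List first-level profile folders (e.g. user.V2) that any local user
# can write to.
world_writable_profiles() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -0002 | sort
}

# Usage on the server from the thread (path taken from the posts):
#   grant_group_rwx "domain admins" /home/samba/profiles
#   world_writable_profiles /home/samba/profiles
```

A return code of 3 from grant_group_rwx corresponds to the situation in the thread where getent prints nothing on the DC, which is the point at which setfacl reports "Invalid argument".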