samba - Jul 2015 - Samba4 roaming profiles & ownership of profile.V2 folders [RESOLVED]

On 04/07/15 18:51, Gary Dale wrote:
> On 04/07/15 04:22 AM, Rowland Penny wrote:
>> On 04/07/15 00:58, Gary Dale wrote:
>>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>>> On 03/07/15 17:45, Gary Dale wrote:
>>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>>> I've got roaming profiles for one account on a
Debian/Jessie AD
>>>>>> DC server but I can't get them to work for the
other accounts.
>>>>>> The differences are that the one account is also a
Linux account
>>>>>> in the AD DC and is in the Domain Admins group. The
other
>>>>>> accounts were created with ADUC on a Windows 7 machine
logged in
>>>>>> as the Domain Admins user just mentioned. They are
Domain Users
>>>>>> but not Admins and have no corresponding Linux account.
>>>>>>
>>>>>> I got that one account to work by taking ownership of
its profile
>>>>>> directory. However Windows 7 currently only offers me
two choices
>>>>>> for accounts that can take ownership of a profile
directory
>>>>>> (Domain Admins and that one account are both listed.
Other
>>>>>> accounts are not in the creator/owner tab).
>>>>>>
>>>>>> I've given Domain User full control of the profile
folders but
>>>>>> that doesn't seem to be good enough to get the
profiles to be
>>>>>> loaded and saved (the Linux permissions are 777).
>>>>>>
>>>>>> And yes, Ive set profile for each user using the
Windows MMC plugin.
>>>>>>
>>>>>> Any ideas on what I'm missing?
>>>>>
>>>>> Further to above, I added one of the user accounts to the
Domain
>>>>> Admins but still couldn't get a roaming profile to work
for it.
>>>>
>>>> Hi, have a look here: 
>>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>>
>>>> Rowland
>>>
>>> Thanks. I'd been trying that without success. The section on
using
>>> ACLs doesn't work in my case for some reason.
>>>
>>
>> The 'reason' is probably why profiles don't work.
>>
>> Are you doing this on a DC or a member server ? on a DC I get this:
>>
>> root at dc01:~# getent group "domain admins"
>> EXAMPLE\Domain Admins:*:10002:
>>
>> and on a member server:
>>
>> rowland at ThinkPad ~ $ getent group "domain admins"
>> domain_admins:x:10002:s4admin,rowland,administrator
>>
>> I have RFC2307 attributes in AD and winbind set up on both.
>
> I get nothing when I run the command on the AD DC. There are currently 
> no member servers.
>
> I followed the instructions at 
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and did include the 
> --use-rfc2307. The only change I made was it doesn't actually mention 
> installing kerberos but I found it necessary when I got to the 
> configure kerberos section.
>
> According to the wiki, I don't have to do any winbind config, although 
> they don't recommend using a DC as a file server due to some problems 
> with winbind. Unfortunately I only have the one server in this location.
>
Ah, well this might seem a bit stupid, but if you followed:

https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

to the letter and you have this '[Profiles]' in smb.conf, could you try 
changing it to '[profiles]' i.e. change the uppercase 'P' to a
lowercase
'p', reload or restart samba then try again.

Rowland

On 04/07/15 02:37 PM, Rowland Penny wrote:
> On 04/07/15 18:51, Gary Dale wrote:
>> On 04/07/15 04:22 AM, Rowland Penny wrote:
>>> On 04/07/15 00:58, Gary Dale wrote:
>>>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>>>> On 03/07/15 17:45, Gary Dale wrote:
>>>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>>>> I've got roaming profiles for one account on a
Debian/Jessie AD
>>>>>>> DC server but I can't get them to work for the
other accounts.
>>>>>>> The differences are that the one account is also a
Linux account
>>>>>>> in the AD DC and is in the Domain Admins group. The
other
>>>>>>> accounts were created with ADUC on a Windows 7
machine logged in
>>>>>>> as the Domain Admins user just mentioned. They are
Domain Users
>>>>>>> but not Admins and have no corresponding Linux
account.
>>>>>>>
>>>>>>> I got that one account to work by taking ownership
of its
>>>>>>> profile directory. However Windows 7 currently only
offers me
>>>>>>> two choices for accounts that can take ownership of
a profile
>>>>>>> directory (Domain Admins and that one account are
both listed.
>>>>>>> Other accounts are not in the creator/owner tab).
>>>>>>>
>>>>>>> I've given Domain User full control of the
profile folders but
>>>>>>> that doesn't seem to be good enough to get the
profiles to be
>>>>>>> loaded and saved (the Linux permissions are 777).
>>>>>>>
>>>>>>> And yes, Ive set profile for each user using the
Windows MMC
>>>>>>> plugin.
>>>>>>>
>>>>>>> Any ideas on what I'm missing?
>>>>>>
>>>>>> Further to above, I added one of the user accounts to
the Domain
>>>>>> Admins but still couldn't get a roaming profile to
work for it.
>>>>>
>>>>> Hi, have a look here: 
>>>>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>>>
>>>>> Rowland
>>>>
>>>> Thanks. I'd been trying that without success. The section
on using
>>>> ACLs doesn't work in my case for some reason.
>>>>
>>>
>>> The 'reason' is probably why profiles don't work.
>>>
>>> Are you doing this on a DC or a member server ? on a DC I get this:
>>>
>>> root at dc01:~# getent group "domain admins"
>>> EXAMPLE\Domain Admins:*:10002:
>>>
>>> and on a member server:
>>>
>>> rowland at ThinkPad ~ $ getent group "domain admins"
>>> domain_admins:x:10002:s4admin,rowland,administrator
>>>
>>> I have RFC2307 attributes in AD and winbind set up on both.
>>
>> I get nothing when I run the command on the AD DC. There are 
>> currently no member servers.
>>
>> I followed the instructions at 
>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and did include 
>> the --use-rfc2307. The only change I made was it doesn't actually 
>> mention installing kerberos but I found it necessary when I got to 
>> the configure kerberos section.
>>
>> According to the wiki, I don't have to do any winbind config, 
>> although they don't recommend using a DC as a file server due to
some
>> problems with winbind. Unfortunately I only have the one server in 
>> this location.
>>
>
> Ah, well this might seem a bit stupid, but if you followed:
>
> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>
> to the letter and you have this '[Profiles]' in smb.conf, could you
> try changing it to '[profiles]' i.e. change the uppercase
'P' to a
> lowercase 'p', reload or restart samba then try again.
>
> Rowland
Tried it both ways.  :(

On 04/07/15 22:53, Gary Dale wrote:
> On 04/07/15 02:37 PM, Rowland Penny wrote:
>> On 04/07/15 18:51, Gary Dale wrote:
>>> On 04/07/15 04:22 AM, Rowland Penny wrote:
>>>> On 04/07/15 00:58, Gary Dale wrote:
>>>>> On 03/07/15 01:21 PM, Rowland Penny wrote:
>>>>>> On 03/07/15 17:45, Gary Dale wrote:
>>>>>>> On 03/07/15 02:44 AM, Gary Dale wrote:
>>>>>>>> I've got roaming profiles for one account
on a Debian/Jessie AD
>>>>>>>> DC server but I can't get them to work for
the other accounts.
>>>>>>>> The differences are that the one account is
also a Linux
>>>>>>>> account in the AD DC and is in the Domain
Admins group. The
>>>>>>>> other accounts were created with ADUC on a
Windows 7 machine
>>>>>>>> logged in as the Domain Admins user just
mentioned. They are
>>>>>>>> Domain Users but not Admins and have no
corresponding Linux
>>>>>>>> account.
>>>>>>>>
>>>>>>>> I got that one account to work by taking
ownership of its
>>>>>>>> profile directory. However Windows 7 currently
only offers me
>>>>>>>> two choices for accounts that can take
ownership of a profile
>>>>>>>> directory (Domain Admins and that one account
are both listed.
>>>>>>>> Other accounts are not in the creator/owner
tab).
>>>>>>>>
>>>>>>>> I've given Domain User full control of the
profile folders but
>>>>>>>> that doesn't seem to be good enough to get
the profiles to be
>>>>>>>> loaded and saved (the Linux permissions are
777).
>>>>>>>>
>>>>>>>> And yes, Ive set profile for each user using
the Windows MMC
>>>>>>>> plugin.
>>>>>>>>
>>>>>>>> Any ideas on what I'm missing?
>>>>>>>
>>>>>>> Further to above, I added one of the user accounts
to the Domain
>>>>>>> Admins but still couldn't get a roaming profile
to work for it.
>>>>>>
>>>>>> Hi, have a look here: 
>>>>>>
https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>>>>>
>>>>>> Rowland
>>>>>
>>>>> Thanks. I'd been trying that without success. The
section on using
>>>>> ACLs doesn't work in my case for some reason.
>>>>>
>>>>
>>>> The 'reason' is probably why profiles don't work.
>>>>
>>>> Are you doing this on a DC or a member server ? on a DC I get
this:
>>>>
>>>> root at dc01:~# getent group "domain admins"
>>>> EXAMPLE\Domain Admins:*:10002:
>>>>
>>>> and on a member server:
>>>>
>>>> rowland at ThinkPad ~ $ getent group "domain admins"
>>>> domain_admins:x:10002:s4admin,rowland,administrator
>>>>
>>>> I have RFC2307 attributes in AD and winbind set up on both.
>>>
>>> I get nothing when I run the command on the AD DC. There are 
>>> currently no member servers.
>>>
>>> I followed the instructions at 
>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and did include 
>>> the --use-rfc2307. The only change I made was it doesn't
actually
>>> mention installing kerberos but I found it necessary when I got to 
>>> the configure kerberos section.
>>>
>>> According to the wiki, I don't have to do any winbind config, 
>>> although they don't recommend using a DC as a file server due
to
>>> some problems with winbind. Unfortunately I only have the one
server
>>> in this location.
>>>
>>
>> Ah, well this might seem a bit stupid, but if you followed:
>>
>> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>>
>> to the letter and you have this '[Profiles]' in smb.conf, could
you
>> try changing it to '[profiles]' i.e. change the uppercase
'P' to a
>> lowercase 'p', reload or restart samba then try again.
>>
>> Rowland
>
> Tried it both ways.  :(
>
I don't normally use the DC for profiles, so I created a profiles share 
on the DC following the wiki page and setting the permissions from 
windows as the wiki page shows.
It didn't work!
I checked everything, comparing it with where I normally do store them, 
there appeared to be no difference, but it just wouldn't work. The only 
difference I could find was the share that did work was called 
'[profiles]' and the one that didn't was called
'[Profiles]', so I
changed it to '[profiles]' on the DC, restarted samba and with that 
slight change it now works.

All I can suggest is that you check everything again, follow the wiki 
page again, do not set the ACLs with setfacl, do it from windows and 
only set the users/groups as show on the wiki page, no others.

Rowland