I've set up a profiles share according to the wiki article:
https://wiki.samba.org/index.php/Implementing_roaming_profiles
Users are able to create new roaming profiles and they cannot browse each
others' profiles, so all that is working. The only issue is that the group
"domain admins" does not have privileges to read or delete user
profiles.
The acls on the profiles directory look right to me:
[root at gecko share2]# getfacl profiles/
# file: profiles/
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
But the individual user directories do not inherit the default group acls
from the parent:
[root at gecko share2]# getfacl profiles/mark.V2/
# file: profiles/mark.V2/
# owner: mark
# group: domain\040users
user::rwx
user:mark:rwx
group::---
group:domain\040users:---
group:70006:rwx
mask::rwx
other::---
default:user::rwx
default:user:mark:rwx
default:group::---
default:group:domain\040users:---
default:group:70006:rwx
default:mask::rwx
default:other::---
The share is defined simply:
[profiles]
comment = Roaming Profiles
writable = yes
path = /mnt/share2/profiles
This is samba 4.4.5 on a domain member. The DC is also 4.4.5.
Have I missed something in the configuration?
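As an added illustration, not code from the thread or from the Samba project: a small Python audit that parses getfacl output, decodes the \040 octal escapes in names such as "domain\040admins", and reports for each listed directory whether the access ACL carries the expected admin group entry and whether any group entry is a bare numeric GID like the 70006 above (a sign that the member server could not map that GID to a name). The function names and the default group "domain admins" are this example's own choices, and the sample input is a trimmed copy of the two listings quoted in the post.

```python
import re

# Constructed sample input: a trimmed copy of the two getfacl listings quoted in the post.
SAMPLE = r"""
# file: profiles/
# group: domain\040admins
group:domain\040admins:rwx
default:group:domain\040admins:rwx

# file: profiles/mark.V2/
# group: domain\040users
group:domain\040users:---
group:70006:rwx
default:group:70006:rwx
"""


def unescape(name):
    # getfacl writes bytes such as the space in "domain admins" as \NNN octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Map each '# file:' stanza to a list of (kind, qualifier, perms) ACL entries."""
    entries, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = unescape(line[len("# file: "):])
            entries[path] = []
        elif line and not line.startswith("#") and path is not None:
            fields = line.split(":")
            if fields[0] == "default":  # fold "default:group" back into one kind field
                fields = ["default:" + fields[1]] + fields[2:]
            entries[path].append((fields[0], unescape(fields[1]), fields[2]))
    return entries


def audit(text, admin_group="domain admins", want="rwx"):
    """For each directory: is the admin group present on the access ACL with the wanted
    permissions, and which group entries are bare numeric GIDs (an unresolved idmap)?"""
    report = {}
    for path, aces in parse_getfacl(text).items():
        admin_ok = any(k == "group" and q == admin_group and p == want for k, q, p in aces)
        unresolved = sorted({q for k, q, _ in aces if k.endswith("group") and q.isdigit()})
        report[path] = {"admin_ok": admin_ok, "unresolved_gids": unresolved}
    return report


if __name__ == "__main__":
    for path, result in audit(SAMPLE).items():
        print(path, result)
```

On a live member server the same functions can be fed `getfacl -R profiles/` output to list every profile directory that lost the admin entry.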
On Fri, 7 Oct 2016 12:19:09 -0700
Mark Nienberg via samba <samba at lists.samba.org> wrote:

> I've set up a profiles share according to the wiki article:
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>
> Users are able to create new roaming profiles and they cannot browse
> each others' profiles, so all that is working. The only issue is that
> the group "domain admins" does not have privileges to read or delete
> user profiles.
>
> The acls on the profiles directory look right to me:
>
> [root at gecko share2]# getfacl profiles/
> # file: profiles/
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:domain\040users:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> But the individual user directories do not inherit the default group
> acls from the parent:
>
> [root at gecko share2]# getfacl profiles/mark.V2/
> # file: profiles/mark.V2/
> # owner: mark
> # group: domain\040users
> user::rwx
> user:mark:rwx
> group::---
> group:domain\040users:---
> group:70006:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:mark:rwx
> default:group::---
> default:group:domain\040users:---
> default:group:70006:rwx
> default:mask::rwx
> default:other::---
>
> The share is defined simply:
>
> [profiles]
> comment = Roaming Profiles
> writable = yes
> path = /mnt/share2/profiles
>
> This is samba 4.4.5 on a domain member. The DC is also 4.4.5.
>
> Have I missed something in the configuration?

have you given Domain Admins the required rights ?

net rpc rights grant DOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

Rowland
On Fri, Oct 7, 2016 at 12:38 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> have you given Domain Admins the required rights ?
>
> net rpc rights grant DOMAIN\\"Domain Admins"
> SeDiskOperatorPrivilege -UAdministrator
>

Yes. I followed this wiki example:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Here is some output:

[nienberg at gecko ~]$ net rpc rights list accounts -U'STA\myAdminAccount'
STA\Domain Admins
SeDiskOperatorPrivilege