Web lists-archives.com

Re: [Samba] Roaming Profile issue in Windows 10




On Thu, 18 Apr 2019 14:29:30 -0400
Bob Smith <bobs04475@xxxxxxxxx> wrote:

> Hello Rowland,
> 
> Thank you for the suggested link!
> 
> I followed "Using POSIX ACLs on a Unix domain member" also.

Don't ;-)

Use Windows acls

> "Granting the SeDiskOperatorPrivilege Privilege"
> # net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege
> -U"SAMDOM\Administrator"
> Enter SAMDOM\Administrator's password:
> Failed to grant privileges for SAMDOM\Domain Admins
> (NT_STATUS_NO_SUCH_USER)

> Used a workaround of a user_map parameter in smb.conf:
> "username map = /etc/samba/user.map", added in global
> created the filemap /etc/samba/user.map including
> !root = SAMDOM\Administrator SAMDOM\administrator

That isn't a 'workaround', it is what you are supposed to do ;-)

> 
> #net rpc rights grant "Domain Admins" SeDiskOperatorPrivilege
> -U"SAMDOM\Administrator"
> Enter SAMDOM\Administrator's password:
> Successfully granted rights.
> 
> # net rpc rights list privileges SeDiskOperatorPrivilege
> -U"SAMDOM\Administrator"
> Enter SAMDOM\Administrator's password:
> SeDiskOperatorPrivilege:
>   Unix Group\domain admins
>   BUILTIN\Administrators
> 
> It is displaying "Unix Group\domain admins" instead of 'SADOM\Domain
> Admins"?

Strange, does 'Domain Admins' have a gidNumber attribute or are you
using the 'rid' backend.

> 
> "Adding a Share'
> # mkdir -p /profiles/
> 
> # chown root:"Domain Admins" /profiles/
> # chmod 0770 /profiles/
> 
> [profiles]
>        path = /profiles/
>        read only = no
> 
> # smbcontrol all reload-config
> 
> "Setting Share Permissions and ACLs"
> Signed in to Windows 10 with a domain admin account, Computer
> management, profiles shares,
> Share Permissions tab - this was already set to Full Control for
> Everyone 

Ignore the share tab.

> Security Tab - by default Special Permissions were set to
> (Everyone, root (Unix User\root), domain admins (Unix Group\Domain
> admins), CREATOR OWNER, and CREATOR GROUP)
> Removed all of them and added 'Full Control' for "SAMDOM\Domain
> Admins" and 'Modify, Read & execute, List folder contents, Read, and
> Write' for "SAMDON\Domain Users"
> When I clicked Apply, it closed properties by itself. On Security
> tab, it says "You do not have permission to view or edit this
> object's permission settings." (I just lost access to the share)

Try following the page I pointed you at:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

> 
> Signed in to Windows 10 with a domain user, getting "User Profile
> Service" message for Roaming profile issue,
> Event ID: 1521
> Source: User Profile Service
> Windows cannot locate the server copy of your roaming profile and is
> attempting to log you on with your local profile. Changes to the
> profile will not be copied to the server when you log off. This error
> may be caused by network problems or insufficient security rights.
> DETAIL - Access is denied.
> 
> To check the list the extended ACLs of /profiles/
> # getfacl /profiles/
> getfacl: Removing leading '/' from absolute path names
> # file: /profiles/
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::r-x
> default:group:domain\040admins:r-x
> default:mask::rwx
> default:other::r-x
> 
> Looks like domain users (domain\040users) don't have access to the
> share.

Very nice, but that isn't the only place where the permissions are
stored.
> 
> I’m trying different combinations of share permissions and ACLs from
> windows side with a Domain Admin.

Just follow the wiki, it is known to work.

> 
> Which one should I use for the share?
> 
> [Profiles]
>        path = /profiles/
>        read only = no
> 

Just that, do everything else from Windows.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba