I'm running a Samba AD DC service on my Ubuntu server and I want to set up roaming profiles for users. It's important to note that this isn't a typical work or school setup; every user is completely trusted, and there's no sensitive information on these machines. Previously, users worked under a single user per machine, so this is a step up. I've configured user and public shares correctly, and every user is set as a Domain Admin. However, when I try to set up roaming profiles at \domainprofilesusername, I run into an issue. The Event Viewer logs show error 1521 stating 'Access is denied'. Despite the profiles being set to roaming in the system settings, they still show as local. I can access the share from Windows File Explorer without any problem, and I've even changed permissions to 777 on shares and directories without success. Here's my current Samba configuration for the share:
[profiles]
comment = User Profiles
path = /srv/samba/profiles
read only = no
browseable = yes
csc policy = disable
I'm not an experienced system admin, so I'd appreciate any guidance!
2 Answers
The 'Access Denied' error you're facing could be due to several factors. First, double-check that your samba users have proper permissions set in your smb.conf file and that they match the filesystem permissions on the profiles directory. Also, try using a different path format or check your network settings where the profiles are shared; sometimes, the problem can lie there. And remember, even if users are trusted, having administrative access for everyone can lead to issues down the road!
Honestly, you shouldn't make every user a domain admin, even in a trusted environment. It opens up a lot of vulnerabilities. Maybe consider creating a separate group for users who need elevated permissions and keep regular users with less access. That might help with your roaming profile access issues. Also, ensure that your Samba permissions align with the profile folder permissions.
I get your point! It does seem risky, but since it's a secure setup I thought it would be fine. I'm open to adjusting permissions, though.
Thanks for the tips! I'll review those settings and see if that resolves the issue.