[Samba] Unable to re-connect to roaming profile in samba4

Mon Feb 11 09:02:37 MST 2013

In case this helps anyone else with this issue:

Both these problems were resolved by switching from the Ubuntu/Debian
package (4.0.0+dfsg1-1) to the current git head (c932b139c8).

- Nick

On Fri, Feb 8, 2013 at 7:22 PM, Nick Semenkovich <semenko at syndetics.net> wrote:
> Still can't figure this out.
>
> The client-side logs show two entries:
>
> 1. The error in the first message "The processing of Group Policy failed."
>
> 2. A DNS processing failure:
> """The system failed to register host (A or AAAA) resource records
> (RRs) for network adapter with settings ..."""
>
> At debug level 5, Samba4 shows no DNS problems, and says "Got a dns
> update request." "All updates allowed." http://pastebin.com/fYrd9F1W
>
>
> - Nick
>
>
> On Thu, Feb 7, 2013 at 8:59 PM, Nick Semenkovich <semenko at syndetics.net> wrote:
>> I've just configured Samba4 on Ubuntu (4.0.0+dfsg1-1), and can't seem
>> to get roaming profiles working (I followed the guide at
>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO )
>>
>> 1. Logons work just fine.
>> 2. DNS is configured and working, running through SAMBA_INTERNAL
>> 3. Clients can talk to the server and see/access shares at
>> \\server.corp.domain.com
>> 4. Clients are all Windows 8 and NTP time synced
>> 5. Permissions seem "OK" (the profiles directory is currently chmod
>> 777 -- without that, only the Administrator seemed to be able to
>> create their own profile ...)
>> 6. General users can log in/out (which creates a profile, if profiles
>> is chmod 777) but a subsequent login can't access it, with a generic
>> Windows 8 roaming profile error.
>>
>> Not really sure where to go from here. I've tried:
>> - Rebuilding the domain & re-joining machines
>> - Ultra-lax permissions
>> - Adding users via the samba-tool versus AD tools in Windows
>>
>> At client logon, the samba4 logs (with a debug level of 4) show a collection of:
>>
>> Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
>>
>> and a few
>>
>> Terminating connection - 'kdc_tcp_call_loop:
>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[kdc_tcp_call_loop:
>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>
>> (Not sure if they're related)
>>
>>
>> Notably, the client machines (all on Win 8) show nearly nothing in the
>> Event Log, except a Group Policy failure:
>> """
>> The processing of Group Policy failed. Windows attempted to read the
>> file \\corp.domain.com\sysvol\corp.domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
>> from a domain controller and was not successful. Group Policy settings
>> may not be applied until this event is resolved. This issue may be
>> transient and could be caused by one or more of the following:
>> a) Name Resolution/Network Connectivity to the current domain controller.
>> b) File Replication Service Latency (a file created on another domain
>> controller has not replicated to the current domain controller).
>> c) The Distributed File System (DFS) client has been disabled.
>> """
>>
>> (Manually connecting to that gpi.ini file works perfectly)
>>
>>
>>
>> Not really sure what's going on here. The only oddities I see are:
>> * I can't get the old "add user script" function to work.
>> As a result, client usernames seem to just have a UID on the linux
>> side (their profiles show up as: drwxr-xr-x 14 3000015 users 4.0K Feb
>> 7 20:34 test.V2)
>> Any way around that?
>> * When profiles are created, they're appended with ".V2" -- Do I need
>> to add ".V2" to the profile path setting, e.g. %USERNAME%.V2? (I can't
>> imagine that's the case ...)
>>
>>
>> I've pasted my smb.conf to: http://pastebin.com/DQDkGxsv
>>
>> Any advice?
>>
>>
>> Thanks!
>> Nick