[Samba] Ugh - half connected Win 7 machines to Samba 4.1.18 AD
Paul R. Ganci
ganci at nurdog.com
Tue Jun 16 20:35:07 MDT 2015

I have been at my wits end now since Sunday trying to debug an issue
that occurred when I tried to update from sernet-samba-4.1.18 to
sernet-samba-4.2.2 on my small network. I have one administrator account
and two user accounts which I will call account1 and account2. Before I
updated I was able to log in to any of 3 Windows 7 Professional boxes
and 5 Linux boxes running CentOS 6.6 using any of the accounts without
any issue. Also before I updated I backed up my samba database
(/var/lib/samba on a CentOS 6.6 system). The update went fine but when I
tried to log in to a Linux box with account1 I discovered that user
home directories on the server were broken (see the thread "winbind on
the DC again ... sorry"). I worked around this problem but then
discovered that the roaming profile for account2 was broken. So at this
point I decided to back out the upgrade. So to that end I shut down the AD,
moved the backup into place, downgraded to sernet-samba-4.1.18 and
restarted the AD. It was at this point all hell broke loose.

For the administrator and account1 there is absolutely no problem.
Everything works exactly as expected and in the same manner as prior to the
upgrade. I can log into any machine (Windows 7 or Linux) and home
directories are found and roaming profiles work just like they are
supposed to work. The problem is with account2. There is no problem with
Linux boxes. The home directory is found and has the proper permissions
and everything is good. The problem is with the roaming profile of
account1 on any of the Windows 7 boxes.

On the main box upon which account1 is used the profile looks like it
gets loaded. However when the user logs out the profile cannot be
completely synchronized. Only the NTUSER.dat, NTUSER.ini, etc. seem to
get moved to the Profile area. On the other 2 Windows 7 boxes the user
is logged in with a "Temporary Profile". I tried to do what others
suggested which was to remove the Windows 7 box from the domain, remove
the offending profile and delete the Profilelist key in the registry,
add the machine back to the domain and then log in to get these two
Windows 7 boxes to recreate the profile to no avail. Every time only a
temporary profile is created. What is strange is that the Temporary
Profile has the correct SID for account2. No matter what I do I can't
get the account2 Profile to synchronize from the 1st Windows 7 box to
the AD nor can I get the other two Windows 7 Professional boxes to recreate
the Profile (other than a temporary one) on the AD. I also will point
out that there is no problem with credentials on any of these machines
for any of account1, account2 or administrator and the account home
directory is available and seems to be okay.

So I am lost here as to why 2 of the accounts (account1 and
administrator) are fine and the one account2 is so broken on the Windows
boxes? Worse is that I have discovered that if I use samba-tool to
create a new user and use ADUC to set up the profile, etc. I have the
exact same problem on all three Windows 7 boxes. On the first login only
a temporary profile gets created. I cannot get a permanent, roaming
profile to be created on the AD. And worse yet if I create a new user on
the Windows 7 box using ADUC it does not show up on the AD at all. I am
open to all suggestions as to how to go about debugging and fixing this
problem. It seems that somehow the Windows 7 boxes are now half
connected to the AD. I can get user credentials and see home
directories, but I cannot use roaming profiles for users created with
samba-tool and don't see users created with ADUC at all.

Thank you for your help.