[Samba] Ugh - half connected Win 7 machines to Samba 4.1.18 AD

Tue Jun 16 20:35:07 MDT 2015

I have been at my wits end now since Sunday trying to debug an issue 
that occurred when I tried to update from sernet-samba-4.1.18 to 
sernet-samba-4.2.2 on my small network. I have one administrator account 
and two user accounts which I will call account1 and account2. Before I 
updated I was able to login into any of 3 Windows 7 Professional boxes 
and 5 linux boxes running CentOS 6.6 using any of the accounts without 
any issue. Also before I updated I backed up my samba database 
(/var/lib/samba on a CentOS 6.6 system). The update went fine but when I 
tried to login into a linux box with account1 I discovered that user 
home directories on the server were broken (see the thread "winbind on 
the DC again ... sorry"). I worked around this problem but then 
discovered that the roaming profile for account2 was broken. So at this 
point I decided back out the upgrade. So to that end I shutdown the AD, 
moved the backup into place, downgraded to sernet-samba-4.1.18 and 
restarted the AD. It was at this point all hell breaks loose.

For the administrator and account1 there is absolutely no problem. 
Everything works exactly as expected and in the same manner prior to the 
upgrade. I can log into any machine (Windows 7 or Linux) and home 
directories are found and roaming profiles work just like they are 
supposed to work. The problem is with account2. There is no problem with 
Linux boxes. The home directory is found and has the proper permissions 
and everything is good. The problem is with the roaming profile of 
account1 on any of the Windows 7 boxes.

On the main box upon which account1 is used the profile looks like it 
gets loaded. However when the user logs out the profile cannot be 
completely synchronized. Only the NTUSER.dat, NTUSER.ini, etc seem to 
get moved to the Profile area. On the other 2 Windows 7 boxes the user 
is logged in with a "Temporary Profile". I tried to do what others 
suggested which was to remove the Windows 7 box from the domain, remove 
the offending profile and delete the Profilelist key in the registry, 
add the machine back to the domain and then login to get these two 
Windows7 boxes to recreate the profile to no avail. Every time only a 
temporary profile is created. What is strange is that the Temporary 
Profile has the correct SID for account2. No matter what I do I can't 
get the account2 Profile to synchronize from the 1st Windows 7 box to 
the AD nor can I get the other two Windows 7 Professional to recreate 
the Profile (other than a temporary one) on the AD. I also will point 
out that there is no problem with credentials on any of these machines 
for any of account1, account2 or administrator and the account home 
directory is available and seems to be okay.

So I am lost here as to why 2 of the accounts (account1 and 
administrator) are fine and the one account2 is so broken on the Windows 
boxes? Worse is that I have discovered that if I use samba-tool to 
create a new user and use ADUC to setup the profile, etc. I have the 
exact same problem on all three Windows 7 boxes. On the first login only 
a temporary profile gets created. I cannot get a permanent, roaming 
profile to be created on the AD. And worse yet if I create a new user on 
the Windows 7 box using ADUC it does not show up on the AD at all. I am 
open to all suggestions as to how to go about debugging and fixing this 
problem. It seems that somehow the Windows 7 boxes are now half 
connected to the AD. I can get user credentials and see home 
directories, but I cannot use roaming profiles for users created with 
samba-tool and don't see users created with ADUC at all.

Thank you for your help.