[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?

Thomas DEBESSE thomas.debesse at diocese-frejus-toulon.com
Mon Jun 27 21:42:37 UTC 2016


Hi, thank you for your answer.

> Are the 'File servers' joined to the domain ?
Yes

> Are the smb.conf files you posted complete
No, they were abridged, because they are very long

> if not, can you post the complete ones, exactly as they are on the
computers (you can sanitize them if you need to)
Yes

> Try taking a look here:
https://wiki.samba.org/index.php/Implementing_roaming_profiles
I've read that page but it did not help me… :(

So, below are the complete files, if you're OK with that. I just applied a
sed substitution to them to hide some sensitive names (and to use the
nomenclature defined above, since the servers' pet names would mean nothing
to you), and removed some data shares that work very well and are entirely
unrelated (by the way, I kept the unrelated "partage" share as an example,
even though it is unrelated to my current problem).

So, the "PDCSERV" config was the now-disabled All-In-One Samba3 PDC server.
The "ADSERV" is the current AD DC Samba4 server, and the "FILESERV" is the
current file sharing server (hosting homes and profiles). I also have some
other file servers, but they are totally unrelated to the problems described
here, since they just serve optional files for some people (like the
"partage" share described below). I also give you my logon.cmd so you can see
how the machinery works.

As you can see, previous home paths were /home/users/%u and previous
profile paths were /home/users/%u/.profile.v2; home paths are now
/home/users/%u/userdisk, and profile paths are now /home/users/%u/profile.v2.
I just put the profile outside the home disk, which is recommended.

---------------------------------------------------------------------------
PDCSERV:

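[global]
    ; Former Samba 3 NT4-style PDC (now disabled); kept for comparison with
    ; the AD setup below.
    workgroup = DOMAIN
    netbios name = PDCSERV
    server string = "Server"

    wins support = yes
    dns proxy = no
    ; SMB Unix extensions off: "wide links" on the shares below is only
    ; honoured by Samba while this is off
    unix extensions = no

    ; one log per client machine (%m); level 4 is verbose and records user
    ; names and paths, so keep the log directory readable by root only
    log file = /var/log/samba/log.%m
    ; "debug level" is a synonym of "log level"; the duplicate line was dropped
    log level = 4
    ; KiB
    max log size = 5000
    syslog = 0

    panic action = /usr/share/samba/panic-action %d
    ; default since Samba 3; redundant but harmless ("true" normalised to "yes")
    encrypt passwords = yes

    ; flat file holding password hashes: must stay root-owned, mode 0600
    passdb backend = smbpasswd:/etc/samba/smbpasswd
    obey pam restrictions = yes
    unix password sync = yes

    passwd program = /usr/bin/passwd %u
    ; kept on a single line: smb.conf has no indentation continuation (only a
    ; trailing backslash), so a value wrapped onto the next line is not read
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes

    ; NT4-style logons: profile path, home drive and logon script are handed
    ; to clients from these lines (%N = this server, %U = session user)
    domain logons = yes
    logon path = \\%N\profile
    logon drive = U:
    logon home = \\%N\%U
    logon script = logon.cmd
    domain master = auto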

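[homes]
    ; per-user home share (share name = user name)
    comment = Dossier Personnel de %U
    path = /home/users/%U/.windows
    browseable = no
    ; symlinks created inside the home may point anywhere the Unix user can
    ; read; only effective because [global] sets "unix extensions = no"
    wide links = yes
    follow symlinks = yes
    ; "writable = yes" was the inverse synonym of this line; kept once
    read only = no
    ; setgid, group-rw, no world access
    create mask = 2770
    directory mask = 2770
    public = no
    ; hidden only: a client that knows the name can still open these.
    ; Value joined onto one line; smb.conf has no indentation continuation.
    hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/$RECYCLE.BIN/
    ; vetoed names are blocked entirely (the NT4 profile dirs live under the home)
    veto files = /.profile/.profile.v2/*.desktop/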

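[netlogon]
    ; logon scripts run on every client at logon, so only ntadmin may change
    ; them: "write list" only takes effect on a read-only share, and the
    ; previous "writeable = yes" let every connected user modify the scripts
    path = /etc/samba/netlogon
    guest ok = no
    read only = yes
    write list = ntadmin
    browseable = no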

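[profile]
    ; NT5 (Windows XP) roaming profiles; referenced by "logon path" in [global]
    path = /home/users/%U/.profile
    ; "browsable" is an accepted alias of "browseable"
    browsable = no
    writeable = yes
    ; profile data is private to its owner
    create mask = 0600
    directory mask = 0700
    ; let the client set the Windows ACLs it expects on profile files
    profile acls = yes
    ; no client-side caching of profile contents
    csc policy = disable
    ; joined onto one line: smb.conf has no indentation continuation, so a
    ; value wrapped onto the next line would not be read
    hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/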

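[profile.v2]
    ; Windows Vista and later append ".V2" to the configured profile path, so
    ; "\\%N\profile" resolves to this share (share names are case-insensitive)
    path = /home/users/%U/.profile.v2
    browseable = no
    writeable = yes
    ; profile data is private to its owner
    create mask = 0600
    directory mask = 0700
    ; let the client set the Windows ACLs it expects on profile files
    profile acls = yes
    ; no client-side caching of profile contents
    csc policy = disable
    ; joined onto one line: smb.conf has no indentation continuation, so a
    ; value wrapped onto the next line would not be read
    hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/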

[partage]
    ; shared folder open to every domain user (unrelated to the profile issue)
    comment = "Partage Commun a tous"
    path = /home/partage
    browsable = yes
    read only = no
    ; NOTE(review): 777 makes every created file and directory world-writable;
    ; the same share on FILESERV uses 2770 (setgid, group-only)
    create mask = 777
    directory mask = 777

[printers]
    ; print queues; the spool directory itself is not writable through SMB
    comment = All Printers
    path = /var/spool/samba
    printable = yes
    read only = yes
    ; spool files are private to the submitting user
    create mask = 0700
    guest ok = no
    browseable = no

[print$]
    ; driver download share; read-only with no write list, so drivers cannot
    ; be uploaded from clients
    comment = Printer Drivers
    path = /var/lib/samba/printers
    guest ok = no
    read only = yes
    browseable = yes


---------------------------------------------------------------------------
ADSERV:/etc/samba/smb.conf

[global]
    ; Samba 4 AD domain controller for the sanitised realm DOMAIN.REALM
    workgroup     = DOMAIN
    realm         = DOMAIN.REALM
    netbios name  = ADSERV
    server role   = active directory domain controller

    ; NT4-style PDC settings carried over from PDCSERV; as far as I know the
    ; AD DC role does not need them — confirm with testparm
    domain logons = Yes
    domain master = Yes

    wins support  = Yes
    dns proxy     = No

    ; DC maps Unix IDs from the rfc2307 uidNumber/gidNumber attributes in AD.
    ; FILESERV uses the rid backend instead, so the same user can get a
    ; different UID on the two hosts (matters if files are ever shared).
    idmap_ldb:use rfc2307 = Yes

    ; level 4 is verbose and records user names; restrict log access
    syslog    = 1
    log level = 4

    panic action = /usr/share/samba/panic-action %d

    ; no printing on the DC
    printing        = bsd
    printcap name   = /dev/null
    load printers   = No
    disable spoolss = Yes

    ; NOTE(review): these lines serve NT4-style logons. AD clients read the
    ; roaming-profile path from the user object's profilePath attribute
    ; (ADUC Profile tab, or samba-tool), not from "logon path" on the DC —
    ; see the wiki page linked above; confirm the attribute is set per user.
    logon path   = \\FILESERV\profile
    logon drive  = U:
    logon home   = \\FILESERV\%U
    ; Samba strips one pair of enclosing double quotes when reading a value;
    ; PDCSERV wrote this unquoted
    logon script = "logon.cmd"

[netlogon]
    comment    = "Service d’identification réseau"
    ; NOTE(review): the realm component of this path is not the sanitised
    ; DOMAIN.REALM used above; probably the same value after sanitising
    path       = /var/lib/samba/sysvol/savane.saba/scripts
    guest ok   = No
    ; "write list" only takes effect on a read-only share; with
    ; "read only = No" every connected user may write at the smb.conf level,
    ; and access then rests on the NT ACLs of the sysvol tree
    ; (samba-tool ntacl sysvolreset) — verify those are intact
    writeable  = Yes
    read only  = No
    browseable = No
    write list = ntadmin

[sysvol]
    ; group policy objects and logon scripts; writes are expected to be
    ; governed by the NT ACLs on the directory, not by smb.conf
    browseable = No
    read only = No
    path = /var/lib/samba/sysvol


---------------------------------------------------------------------------
FILESERV:/etc/samba/smb.conf

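[global]
    ; AD domain member hosting home and profile shares
    workgroup    = DOMAIN
    realm        = DOMAIN.REALM
    netbios name = FILESERV
    security     = ADS

    ; external script run by smbd for free-space queries: keep it root-owned
    ; and not writable by anyone else
    dfree command = /usr/local/bin/smb-dfree.sh

    ; one log per client machine (%m); level 4 records user names and paths
    log file  = /var/log/samba/log.%m
    log level = 4
    ; KiB
    max log size = 1000
    syslog    = 2

    panic action = /usr/share/samba/panic-action %d

    server role = member server

    ; never take browse-master roles from the DC
    local master     = No
    domain master    = No
    preferred master = No

    ; "encrypt passwords" is the default and redundant
    encrypt passwords     = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method       = secrets and keytab

    winbind refresh tickets      = Yes
    winbind trusted domains only = No
    ; names resolve without the DOMAIN\ prefix, which is what the
    ; "users-%U" force group in [homes] relies on
    winbind use default domain   = Yes
    ; enumeration lists every domain user/group via NSS; slow on large domains
    winbind enum users           = Yes
    winbind enum groups          = Yes

    ; BUILTIN and other non-domain SIDs
    idmap config *:backend          = tdb
    idmap config *:range            = 2000-9999

    ; rid backend: UID = rid + base, consistent on this host but not with the
    ; rfc2307 IDs the DC uses. NOTE(review): "schema_mode" is an option of the
    ; ad backend and has no effect with rid as far as I know.
    idmap config DOMAIN:backend     = rid
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range       = 10000-30000

    winbind nss info = template
    template shell   = /bin/false
    ; Unix home; the SMB [homes] share points at the userdisk subdirectory
    template homedir = /home/users/%U

    ; NOTE(review): lets users who may create usershares mark them
    ; guest-accessible (Samba's default is No) — confirm this is intended
    usershare allow guests = Yes

    ; no printing on this host
    printing        = bsd
    printcap name   = /dev/null
    load printers   = No
    disable spoolss = Yes

    ; Unix extensions off so "wide links" on [homes] is honoured
    unix extensions = No
    hide special files = Yes
    ; costs a permission check per directory entry on every listing
    hide unreadable    = Yes
    hide dot files     = Yes
    ; hidden only, not blocked. Joined onto one line: smb.conf has no
    ; indentation continuation, so a wrapped value would not be read.
    hide files = /Bureau/AppData/Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/~$*/$RECYCLE.BIN/Thumbs.db/.DS_Store/*.desktop/
    ; vetoed names are blocked entirely
    veto files = /.fuse_*/lost+found/aquota.group/aquota.user/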

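[homes]
    ; per-user home share: the share name is the user name, so %S (service
    ; name) in "valid users" restricts each share to its owner
    comment = "Dossier personnel de %u"
    ; Samba strips one pair of enclosing double quotes when reading a value
    path = "/home/users/%U/userdisk"
    ; duplicate "browseable = No" removed; "writeable = Yes" dropped as the
    ; inverse synonym of "read only = No"
    browseable = No
    read only = No
    public = No
    ; symlinks inside the home may point anywhere the Unix user can read;
    ; only effective because [global] sets "unix extensions = No"
    wide links = Yes
    follow symlinks = Yes
    ; setgid, group-rw, no world access
    create mask = 2770
    directory mask = 2770
    ; per-user Unix group "users-<name>"; the connection is refused if it
    ; does not exist
    force group = "users-%U"
    valid users = %S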

[partage]
    ; shared folder open to every domain user (unrelated to the profile issue)
    comment = "Partage commun à tous"
    path = /home/partage
    browsable = Yes
    read only = No
    ; setgid, group-rw, no world access
    create mask = 2770
    directory mask = 2770

[profile]
    ; NT5 (Windows XP) roaming profiles
    comment = "Profil NT5 (Windows XP)"
    path = /home/users/%U/profile
    browseable = No
    ; inverse synonym of "writeable = Yes"
    read only = No
    ; profile data is private to its owner
    create mask = 0600
    directory mask = 0700
    force group = "users-%U"
    ; let the client set the Windows ACLs it expects on profile files
    profile acls = Yes
    ; no client-side caching of profile contents
    csc policy = disable

[profile.v2]
    ; Windows Vista and later append ".V2" to the configured profile path, so
    ; a profile path of \\FILESERV\profile lands here (share names are
    ; case-insensitive)
    comment = "Profil NT6 (Windows 7 etc.)"
    path = /home/users/%U/profile.v2
    browseable = No
    ; inverse synonym of "writeable = Yes"
    read only = No
    ; profile data is private to its owner
    create mask = 0600
    directory mask = 0700
    force group = "users-%U"
    ; let the client set the Windows ACLs it expects on profile files
    profile acls = Yes
    ; no client-side caching of profile contents
    csc policy = disable

---------------------------------------------------------------------------
ADSERV:/var/lib/samba/sysvol/savane.saba/scripts/logon.cmd

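REM Runs on every client at logon from the ADSERV netlogon share.
REM /PERSISTENT:NO keeps the mappings out of the user's remembered
REM connections; otherwise a later logon can fail with "local device name
REM is already in use". Note that [global] on the DC already assigns U: via
REM "logon drive"/"logon home", so the first line may report the same.
NET USE U: \\FILESERV\homes /PERSISTENT:NO
NET USE P: \\FILESERV\partage /PERSISTENT:NO

REM Silent registry import. Whoever can write common.reg on the netlogon
REM share controls every client's registry, so that share must stay
REM write-restricted. Under UAC a standard-user logon script can only write
REM HKCU; HKLM entries in the .reg file are skipped without any message.
REGEDIT /S \\ADSERV\netlogon\common.reg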

-- 
Thomas DEBESSE

