[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?
Thomas DEBESSE
thomas.debesse at diocese-frejus-toulon.com
Mon Jun 27 21:42:37 UTC 2016
Hi, thank you for your answer.
> Are the 'File servers' joined to the domain ?
Yes
> Are the smb.conf files you posted complete
No, they are abstracted ones, because they are very long
> if not, can you post the complete ones, exactly as they are on the
computers (you can sanitize them if you need to)
Yes
> Try taking a look here:
https://wiki.samba.org/index.php/Implementing_roaming_profiles
I've read that page but it did not help me… :(
So, following are the complete files, if you're OK with that. I just
applied a sed substitution to them to hide some sensitive names (using
the nomenclature defined above, since the servers' pet names will mean
nothing to you), and removed some data shares that work very well and are
not related at all (by the way, I kept the unrelated "partage" share as an
example, even if it's unrelated to my current problem).
So, the "PDCSERV" config was the now-disabled All-In-One Samba3 PDC server.
The "ADSERV" is the current AD DC Samba4 server, and the "FILESERV" is the
current file sharing server (hosting homes and profiles). I also have some
other file servers but they are totally unrelated to the problems described
here, since they just serve optional files for some people (like the
"partage" share described below). I also give you my logon.cmd so you can see
how the machinery works.
As you can see, previous home paths were /home/users/%u and previous
profile paths were /home/users/%u/.profile.v2 and home paths are now
/home/users/%u/userdisk, and profile paths are now /home/users/%u/profile.v2.
I just put the profile outside the home disk, which is recommended.
---------------------------------------------------------------------------
PDCSERV:
# Global settings of the retired Samba 3 server, which acted as an NT4-style
# domain controller ("domain logons = yes") and as file server at once.
[global]
workgroup = DOMAIN
netbios name = PDCSERV
server string = "Server"
wins support = yes
dns proxy = no
# With unix extensions off, the "wide links = Yes" line in [homes] takes effect
# (smb.conf(5) ignores wide links while unix extensions are enabled).
unix extensions = no
log file = /var/log/samba/log.%m
# "debug level" is a synonym of "log level", so the level is set twice.
# Level 4 is verbose debug output, meant for troubleshooting rather than normal use.
log level = 4
debug level = 4
max log size = 5000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
# Accounts live in a flat smbpasswd file. The password hashes stored there are
# sufficient to authenticate over SMB.
# NOTE(review): confirm the file is readable by root only.
passdb backend = smbpasswd:/etc/samba/smbpasswd
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
# NOTE(review): the chat string continues on the next line, presumably wrapped by
# the mail client. smb.conf only joins lines that end in a backslash, so confirm
# the real file has this value on one line.
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
# Logon settings handed to clients: profile share, home drive U:, home share and
# the script fetched from [netlogon].
domain logons = yes
logon path = \\%N\profile
logon drive = U:
logon home = \\%N\%U
logon script = logon.cmd
domain master = auto
# Per-user home share, served from the ".windows" directory below each user's home.
[homes]
comment = Dossier Personnel de %U
path = /home/users/%U/.windows
browseable = no
# NOTE(review): because [global] sets "unix extensions = no", wide links makes smbd
# follow symlinks that point outside the share path. Anyone able to create symlinks
# in this tree by other means (shell, NFS) decides what the share exposes.
# Prefer "wide links = no" unless a concrete need exists.
wide links = Yes
follow symlinks = Yes
# "writable" is an inverted synonym of "read only"; both lines say the same thing.
writable = yes
read only = no
# NOTE(review): create mask and directory mask only clear bits (they are ANDed with
# the mode derived from the DOS attributes), so the leading 2 presumably does not
# force setgid on new entries; "force directory mode" would. Confirm the intent.
create mask = 2770
directory mask = 2770
# "public" is a synonym of "guest ok": no guest access.
public = no
# NOTE(review): the value is on the following line, presumably wrapped by the mail
# client; confirm it is a single line in the real file. Hidden names stay accessible.
hide files =
/Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/$RECYCLE.BIN/
# Names matching these patterns are neither visible nor accessible through the share.
veto files = /.profile/.profile.v2/*.desktop/
# Share holding the logon script (logon.cmd) that clients run at domain logon.
[netlogon]
path = /etc/samba/netlogon
guest ok = no
# NOTE(review): "writeable = yes" opens the share for writing to every user the
# filesystem permissions allow, so "write list" adds nothing here. Scripts in this
# share are executed by each client at logon; "read only = yes" together with the
# write list would restrict modification to ntadmin.
writeable = yes
browseable = no
write list = ntadmin
# Roaming-profile share (profile path without version suffix), one directory per user.
[profile]
path = /home/users/%U/.profile
# "browsable" is a synonym of "browseable".
browsable = no
writeable = yes
# New files and directories get owner permissions only (no group/other bits).
create mask = 0600
directory mask = 0700
# NOTE(review): smb.conf(5) describes "profile acls" as a workaround that changes the
# ownership and ACL entries reported to Windows clients. Confirm it is still wanted
# for the Samba version in use and keep it confined to profile shares.
profile acls = yes
# Tells clients not to cache files from this share offline.
csc policy = disable
# NOTE(review): the value is on the following line, presumably wrapped by the mail
# client; confirm it is a single line in the real file.
hide files =
/Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/
# Roaming-profile share for clients that append ".V2" to the logon path
# (Windows Vista and later), one directory per user.
[profile.v2]
path = /home/users/%U/.profile.v2
browseable = no
writeable = yes
# New files and directories get owner permissions only (no group/other bits).
create mask = 0600
directory mask = 0700
# NOTE(review): smb.conf(5) describes "profile acls" as a workaround that changes the
# ownership and ACL entries reported to Windows clients. Confirm it is still wanted
# for the Samba version in use and keep it confined to profile shares.
profile acls = yes
# Tells clients not to cache files from this share offline.
csc policy = disable
# NOTE(review): the value is on the following line, presumably wrapped by the mail
# client; confirm it is a single line in the real file.
hide files =
/Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/
# Common share for all users.
[partage]
path = /home/partage
comment = "Partage Commun a tous"
browsable = yes
read only = no
# NOTE(review): these masks allow every permission bit for owner, group and others,
# and no "valid users" line narrows access. Subject to the filesystem permissions on
# /home/partage, any authenticated account can create files that every local account
# may modify. The FILESERV definition of this share uses 2770 instead.
create mask = 777
directory mask = 777
# Print spool share: printable, no guest access, not listed when browsing.
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
# Spool files are limited to owner permissions.
create mask = 0700
# Printer driver share: read-only and visible when browsing, no guest access.
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
---------------------------------------------------------------------------
ADSERV:/etc/samba/smb.conf
# Global settings of the Samba 4 Active Directory domain controller.
[global]
workgroup = DOMAIN
realm = DOMAIN.REALM
netbios name = ADSERV
server role = active directory domain controller
# NOTE(review): domain logons and domain master are NT4-style domain controller
# settings, presumably redundant with the AD DC server role. Confirm with testparm.
domain logons = Yes
domain master = Yes
wins support = Yes
dns proxy = No
idmap_ldb:use rfc2307 = Yes
syslog = 1
# Level 4 is verbose debug output, meant for troubleshooting rather than normal use.
log level = 4
panic action = /usr/share/samba/panic-action %d
# Printing is switched off on the DC.
printing = bsd
printcap name = /dev/null
load printers = No
disable spoolss = Yes
# NOTE(review): smb.conf(5) describes logon path, logon drive, logon home and logon
# script as settings of an NT4-style logon server. On an AD DC the profile path, home
# directory and logon script presumably come from each user's account attributes, so
# these four lines may have no effect. Verify the values on the user objects.
logon path = \\FILESERV\profile
logon drive = U:
logon home = \\FILESERV\%U
logon script = "logon.cmd"
# Logon-script share of the AD DC; its path lies inside the sysvol tree.
[netlogon]
comment = "Service d’identification réseau"
path = /var/lib/samba/sysvol/savane.saba/scripts
guest ok = No
# NOTE(review): "writeable" and "read only" are inverted synonyms, so the share is
# writable at share level and "write list" is redundant. Who can actually modify the
# scripts is then decided by the ACLs on the files. Everything here runs on clients at
# logon, so confirm that only administrators hold write access.
writeable = Yes
read only = No
browseable = No
write list = ntadmin
# Domain system volume; the [netlogon] scripts directory lives below this path.
# NOTE(review): the share is writable at share level, so access control rests on the
# ACLs stored on the files. "samba-tool ntacl sysvolcheck" can verify them.
[sysvol]
path = /var/lib/samba/sysvol
read only = No
browseable = No
---------------------------------------------------------------------------
FILESERV:/etc/samba/smb.conf
# Global settings of the domain member file server (security = ADS) that hosts the
# home and profile shares.
[global]
workgroup = DOMAIN
realm = DOMAIN.REALM
netbios name = FILESERV
security = ADS
# smbd runs this external script to obtain free-space figures.
# NOTE(review): confirm the script is owned by root and not writable by other accounts.
dfree command = /usr/local/bin/smb-dfree.sh
log file = /var/log/samba/log.%m
# Level 4 is verbose debug output, meant for troubleshooting rather than normal use.
log level = 4
max log size = 1000
syslog = 2
panic action = /usr/share/samba/panic-action %d
server role = member server
local master = No
domain master = No
preferred master = No
encrypt passwords = Yes
# The keytab holds the machine account's Kerberos keys.
# NOTE(review): confirm /etc/krb5.keytab is readable by root only.
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
winbind trusted domains only = No
winbind use default domain = Yes
# Lets NSS list all domain users and groups (for example through getent).
winbind enum users = Yes
winbind enum groups = Yes
# Default domain (*): IDs allocated from 2000-9999 and stored in a tdb file.
# DOMAIN: IDs computed from each account's RID inside 10000-30000.
# NOTE(review): schema_mode is an option of the "ad" backend and is presumably ignored
# by "rid". With rid, an account whose RID does not fit into the range gets no ID, so
# confirm the range is large enough for the domain.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-30000
# With "template", shell and home directory come from the two template lines below.
# /bin/false as shell presumably means domain accounts cannot log in interactively here.
winbind nss info = template
template shell = /bin/false
template homedir = /home/users/%U
# NOTE(review): this only matters if usershares are enabled (no "usershare max shares"
# line is shown). It would let user-defined shares permit guest access; set it to No
# if usershares are not needed.
usershare allow guests = Yes
# Printing is switched off on the file server.
printing = bsd
printcap name = /dev/null
load printers = No
disable spoolss = Yes
# With unix extensions off, the "wide links = Yes" line in [homes] takes effect
# (smb.conf(5) ignores wide links while unix extensions are enabled).
unix extensions = No
# The hide options only affect what clients see; hidden names remain accessible.
hide special files = Yes
hide unreadable = Yes
hide dot files = Yes
# NOTE(review): the value is on the following line, presumably wrapped by the mail
# client; confirm it is a single line in the real file.
hide files =
/Bureau/AppData/Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/~$*/$RECYCLE.BIN/Thumbs.db/.DS_Store/*.desktop/
# Names matching these patterns are neither visible nor accessible through any share.
veto files = /.fuse_*/lost+found/aquota.group/aquota.user/
# Per-user home share, served from the "userdisk" directory below each user's home.
[homes]
comment = "Dossier personnel de %u"
path = "/home/users/%U/userdisk"
browseable = No
# "writeable" is an inverted synonym of "read only"; both lines say the same thing.
read only = No
writeable = Yes
# Duplicate of the "browseable = No" line above.
browseable = No
# "public" is a synonym of "guest ok": no guest access.
public = No
# NOTE(review): because [global] sets "unix extensions = No", wide links makes smbd
# follow symlinks that point outside the share path. Anyone able to create symlinks
# in this tree by other means (shell, NFS) decides what the share exposes.
# Prefer "wide links = No" unless a concrete need exists.
wide links = Yes
follow symlinks = Yes
# NOTE(review): create mask and directory mask only clear bits (they are ANDed with
# the mode derived from the DOS attributes), so the leading 2 presumably does not
# force setgid on new entries; "force directory mode" would. Confirm the intent.
create mask = 2770
directory mask = 2770
# All file access through this share uses the named group as primary group.
# NOTE(review): assumes a group "users-<name>" exists for every user; confirm.
force group = "users-%U"
# %S is the share name, which for [homes] is the user name, so only the owner of a
# home may connect to it.
valid users = %S
# Common share for all users.
# NOTE(review): no "valid users" line narrows access, so who may read and write is
# decided by the filesystem permissions on /home/partage alone; confirm they match
# the intended audience.
[partage]
comment = "Partage commun à tous"
path = /home/partage
# "browsable" is a synonym of "browseable".
browsable = Yes
read only = No
# New entries get at most owner and group permissions; others get none.
create mask = 2770
directory mask = 2770
# Roaming-profile share for clients that use the logon path without a version suffix
# (Windows XP according to the share comment), one directory per user.
[profile]
comment = "Profil NT5 (Windows XP)"
path = /home/users/%U/profile
# "browsable" is a synonym of "browseable".
browsable = No
writeable = Yes
# New files and directories get owner permissions only (no group/other bits).
create mask = 0600
directory mask = 0700
# All file access through this share uses the named group as primary group.
# NOTE(review): assumes a group "users-<name>" exists for every user; confirm.
force group = "users-%U"
# NOTE(review): smb.conf(5) describes "profile acls" as a workaround that changes the
# ownership and ACL entries reported to Windows clients. Confirm it is still wanted
# for the Samba version in use and keep it confined to profile shares.
profile acls = Yes
# Tells clients not to cache files from this share offline.
csc policy = disable
# Roaming-profile share for clients that append ".V2" to the logon path (Windows 7
# according to the share comment), one directory per user.
# NOTE(review): newer Windows releases append other suffixes; confirm a matching share
# exists for every client version in use.
[profile.v2]
comment = "Profil NT6 (Windows 7 etc.)"
path = /home/users/%U/profile.v2
browseable = No
writeable = Yes
# New files and directories get owner permissions only (no group/other bits).
create mask = 0600
directory mask = 0700
# All file access through this share uses the named group as primary group.
# NOTE(review): assumes a group "users-<name>" exists for every user; confirm.
force group = "users-%U"
# NOTE(review): smb.conf(5) describes "profile acls" as a workaround that changes the
# ownership and ACL entries reported to Windows clients. Confirm it is still wanted
# for the Samba version in use and keep it confined to profile shares.
profile acls = Yes
# Tells clients not to cache files from this share offline.
csc policy = disable
---------------------------------------------------------------------------
ADSERV:/var/lib/samba/sysvol/savane.saba/scripts/logon.cmd
REM Logon script run by clients from the netlogon share.
REM Map the home share to U: and the common share to P:.
NET USE U: \\FILESERV\homes
NET USE P: \\FILESERV\partage
REM NOTE(review): /S imports the registry file without prompting at every logon, so
REM whoever can write common.reg in netlogon changes registry settings for each user
REM who logs on. Confirm write access to that file is limited to administrators.
REGEDIT /S \\ADSERV\netlogon\common.reg
--
Thomas DEBESSE