[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?
Rowland penny
rpenny at samba.org
Tue Jun 28 06:59:21 UTC 2016
On 27/06/16 22:42, Thomas DEBESSE wrote:
> Hi, thank your for your answer.
>
> > Are the 'File servers' joined to the domain ?
> Yes
>
> > Are the smb.conf files you posted complete
> No, they are abstracted ones, because they are very long
>
> > if not, can you post the complete ones, exactly as they are on the
> computers (you can sanitize them if you need to)
> Yes
>
> > Try taking a look here:
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
> I've read that page but it did not help me… :(
>
> So, following are the complete files, if you're OK with that, I just
> applied a sed substitution to them to hide some sensitive names (and
> using the nomenclature defined above since the server's pet names will
> mean nothing for you), and removed some data shares that work very
> well and are not related at all (by the way, I kept the unrelated
> "partage" share as an example, even if it's unrelated to my current
> problem).
>
> So, the "PDCSERV" config was the now-disabled All-In-One Samba3 PDC
> server. The "ADSERV" is the current AD DC Samba4 server, and the
> "FILESERV" is the current file sharing server (hosting homes and
> profiles). I also have some other file servers but they are totally
> unrelated to the problems described here since they just serve
> optional files for some people (like the "partage" share described
> below). I also give you my logon.cmd so you see how the machinery works.
>
> As you can see, previous home paths were /home/users/%u and previous
> profile paths were /home/users/%u/.profile.v2; home paths are now
> /home/users/%u/userdisk, and profile paths are now
> /home/users/%u/profile.v2.
> I just put the profile outside the home disk, which is recommended.
>
> ---------------------------------------------------------------------------
> PDCSERV:
>
> [global]
> workgroup = DOMAIN
> netbios name = PDCSERV
> server string = "Server"
>
> wins support = yes
> dns proxy = no
> unix extensions = no
>
> log file = /var/log/samba/log.%m
> log level = 4
> debug level = 4
> max log size = 5000
> syslog = 0
>
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
>
> passdb backend = smbpasswd:/etc/samba/smbpasswd
> obey pam restrictions = yes
> unix password sync = yes
>
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
>
> domain logons = yes
> logon path = \\%N\profile
> logon drive = U:
> logon home = \\%N\%U
> logon script = logon.cmd
> domain master = auto
>
> [homes]
> comment = Dossier Personnel de %U
> path = /home/users/%U/.windows
> browseable = no
> wide links = Yes
> follow symlinks = Yes
> writable = yes
> read only = no
> create mask = 2770
> directory mask = 2770
> public = no
> hide files =
> /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/$RECYCLE.BIN/
> veto files = /.profile/.profile.v2/*.desktop/
>
> [netlogon]
> path = /etc/samba/netlogon
> guest ok = no
> writeable = yes
> browseable = no
> write list = ntadmin
>
> [profile]
> path = /home/users/%U/.profile
> browsable = no
> writeable = yes
> create mask = 0600
> directory mask = 0700
> profile acls = yes
> csc policy = disable
> hide files =
> /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/
>
> [profile.v2]
> path = /home/users/%U/.profile.v2
> browseable = no
> writeable = yes
> create mask = 0600
> directory mask = 0700
> profile acls = yes
> csc policy = disable
> hide files =
> /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/
>
> [partage]
> path = /home/partage
> comment = "Partage Commun a tous"
> browsable = yes
> read only = no
> create mask = 777
> directory mask = 777
>
> [printers]
> comment = All Printers
> browseable = no
> path = /var/spool/samba
> printable = yes
> guest ok = no
> read only = yes
> create mask = 0700
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> browseable = yes
> read only = yes
> guest ok = no
>
>
> ---------------------------------------------------------------------------
> ADSERV:/etc/samba/smb.conf
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.REALM
> netbios name = ADSERV
> server role = active directory domain controller
>
> domain logons = Yes
> domain master = Yes
>
> wins support = Yes
> dns proxy = No
>
> idmap_ldb:use rfc2307 = Yes
>
> syslog = 1
> log level = 4
>
> panic action = /usr/share/samba/panic-action %d
>
> printing = bsd
> printcap name = /dev/null
> load printers = No
> disable spoolss = Yes
>
> logon path = \\FILESERV\profile
> logon drive = U:
> logon home = \\FILESERV\%U
> logon script = "logon.cmd"
>
> [netlogon]
> comment = "Service d’identification réseau"
> path = /var/lib/samba/sysvol/savane.saba/scripts
> guest ok = No
> writeable = Yes
> read only = No
> browseable = No
> write list = ntadmin
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> browseable = No
>
>
> ---------------------------------------------------------------------------
> FILESERV:/etc/samba/smb.conf
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.REALM
> netbios name = FILESERV
> security = ADS
>
> dfree command = /usr/local/bin/smb-dfree.sh
>
> log file = /var/log/samba/log.%m
> log level = 4
> max log size = 1000
> syslog = 2
>
> panic action = /usr/share/samba/panic-action %d
>
> server role = member server
>
> local master = No
> domain master = No
> preferred master = No
>
> encrypt passwords = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind refresh tickets = Yes
> winbind trusted domains only = No
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-30000
>
> winbind nss info = template
> template shell = /bin/false
> template homedir = /home/users/%U
>
> usershare allow guests = Yes
>
> printing = bsd
> printcap name = /dev/null
> load printers = No
> disable spoolss = Yes
>
> unix extensions = No
> hide special files = Yes
> hide unreadable = Yes
> hide dot files = Yes
> hide files =
> /Bureau/AppData/Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/~$*/$RECYCLE.BIN/Thumbs.db/.DS_Store/*.desktop/
> veto files = /.fuse_*/lost+found/aquota.group/aquota.user/
>
> [homes]
> comment = "Dossier personnel de %u"
> path = "/home/users/%U/userdisk"
> browseable = No
> read only = No
> writeable = Yes
> browseable = No
> public = No
> wide links = Yes
> follow symlinks = Yes
> create mask = 2770
> directory mask = 2770
> force group = "users-%U"
> valid users = %S
>
> [partage]
> comment = "Partage commun à tous"
> path = /home/partage
> browsable = Yes
> read only = No
> create mask = 2770
> directory mask = 2770
>
> [profile]
> comment = "Profil NT5 (Windows XP)"
> path = /home/users/%U/profile
> browsable = No
> writeable = Yes
> create mask = 0600
> directory mask = 0700
> force group = "users-%U"
> profile acls = Yes
> csc policy = disable
>
> [profile.v2]
> comment = "Profil NT6 (Windows 7 etc.)"
> path = /home/users/%U/profile.v2
> browseable = No
> writeable = Yes
> create mask = 0600
> directory mask = 0700
> force group = "users-%U"
> profile acls = Yes
> csc policy = disable
>
> ---------------------------------------------------------------------------
> ADSERV:/var/lib/samba/sysvol/savane.saba/scripts/logon.cmd
>
> NET USE U: \\FILESERV\homes
> NET USE P: \\FILESERV\partage
>
> REGEDIT /S \\ADSERV\netlogon\common.reg
>
> --
> Thomas DEBESSE
OK, I think your problem is that you are trying to run your AD domain as
if it is still an NT4-style domain.
I suggest you re-read the page I pointed you to and also other pages in
the Samba wiki.
You do not use:
logon path = \\FILESERV\profile
logon drive = U:
logon home = \\FILESERV\%U
logon script = "logon.cmd"
with AD; you would add:
profilePath: \\FILESERV\profile
scriptPath: logon.cmd
homeDrive: U:
homeDirectory: \\FILESERV\%U
to each user's object in AD. You can do this with ADUC or by creating an
ldif file on the DC and then using ldbmodify to add it.
I would also look carefully at your smb.conf files, referencing 'man
smb.conf'; for instance, did you know that 'writeable = Yes' is the
same as 'read only = No'? There is no point in having both.
I would suggest you follow the Samba wiki and use ACLs instead of the
old style 'create mask' etc.
Rowland
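The two follow-ups in the reply above, the per-user AD attributes and the smb.conf review, as an added shell example (this is not code from the thread, from Rowland, or from the Samba project). It assumes the base DN is derived from the realm DOMAIN.REALM, that user objects sit under CN=Users with a CN equal to the account name (as samba-tool creates them), and that sam.ldb is at the default DC location. The AD attribute values are stored literally, so the example writes the real account name into homeDirectory where the old smb.conf used %U.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: base DN derived
# from DOMAIN.REALM, users under CN=Users with CN = account name, and
# sam.ldb at the default Samba AD DC path.

# Emit an LDIF setting the four roaming-profile attributes on one user.
# Usage: profile_ldif USERNAME [FILESERVER] [BASEDN]
profile_ldif() {
    user=$1
    fileserver=${2:-FILESERV}
    basedn=${3:-DC=DOMAIN,DC=REALM}
    printf 'dn: CN=%s,CN=Users,%s\n' "$user" "$basedn"
    printf 'changetype: modify\n'
    printf 'replace: profilePath\n'
    printf 'profilePath: \\\\%s\\profile\n' "$fileserver"   # \\FILESERV\profile
    printf '%s\n' -
    printf 'replace: scriptPath\n'
    printf 'scriptPath: logon.cmd\n'
    printf '%s\n' -
    printf 'replace: homeDrive\n'
    printf 'homeDrive: U:\n'
    printf '%s\n' -
    printf 'replace: homeDirectory\n'
    printf 'homeDirectory: \\\\%s\\%s\n' "$fileserver" "$user"   # \\FILESERV\alice
}

# Apply the LDIF on the DC as root (not executed by the self-test).
apply_profile_ldif() {
    profile_ldif "$@" | ldbmodify -H /var/lib/samba/private/sam.ldb
}

# Read the attributes back on the DC to confirm the change.
show_profile_attrs() {
    ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=$1)" \
        profilePath scriptPath homeDrive homeDirectory
}

# Flag, per smb.conf section, a parameter given twice and the redundant
# pair 'writeable' + 'read only' that the reply points out. Reads the
# file(s) given as arguments, or stdin. One line per finding.
lint_smbconf() {
    awk '
        function flush() {
            if (sec != "" && (("writeable" in seen) || ("writable" in seen)) \
                && ("read only" in seen))
                print sec ": both \"writeable\" and \"read only\" set (redundant)"
            split("", seen)
        }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /=/ {
            key = $0; sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
            if (key in seen) print sec ": duplicate parameter \"" key "\""
            seen[key] = 1
        }
        END { flush() }
    ' "$@"
}

# Constructed sample (not the real file) mirroring the [homes] section
# from the thread, which sets browseable twice and both write parameters.
sample_smbconf() {
    cat <<'EOF'
[global]
    workgroup = DOMAIN
    security = ADS

[homes]
    path = /home/users/%U/userdisk
    browseable = No
    read only = No
    writeable = Yes
    browseable = No
    valid users = %S

[profile.v2]
    path = /home/users/%U/profile.v2
    writeable = Yes
    profile acls = Yes
EOF
}

# Usage on the DC:   profile_ldif alice | ldbmodify -H /var/lib/samba/private/sam.ldb
# Usage anywhere:    lint_smbconf /etc/samba/smb.conf
```

Running `sample_smbconf | lint_smbconf` reports two findings for [homes] and none for the other sections; run `lint_smbconf /etc/samba/smb.conf` on each server to get the same report for the real files. The `replace:` changetype works whether or not the attribute already exists, so the same LDIF serves for first-time setup and for moving profiles to a new file server.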