[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?

Thomas DEBESSE thomas.debesse at diocese-frejus-toulon.com
Tue Jun 28 11:23:43 UTC 2016


> OK, I think your problem is that you are trying to run your AD domain as
> if it is still an NT4-style domain.

This does not sound like a surprise to me. ;-)

> with AD, you would add […] to each user's object in AD. You can do this
> with ADUC or by creating an ldif file on the DC and then use ldbmodify to
> add it.

Oh, yes, you're right, I had to do the same for logon.cmd; I already
have a pdbedit call for the logon.cmd stuff in the user creation script I
wrote myself.
I did that for the logon.cmd stuff, for each user:

pdbedit --script="logon.cmd" "${user_name}"

I suppose I can use the --profile=, --drive= and --homedir= options of
pdbedit to do the same things you recommend without having to deal with an
ldif file.

Too bad these values can't be forced by a template on the AD DC. I will try
these options tonight when everyone is logged out.

> did you know that ' writeable  = Yes' is the same as 'read only  = No' ?
> There is no point in having both.

Yes, these smb.conf files are more than 15 years old, modified continuously
whenever I updated something over the years, so I will not be surprised if
some stuff is superfluous or some crap remains.

> I would suggest you follow the Samba wiki and use ACLs instead of the old
> style 'create mask' etc

I will look at it with interest; currently I don't need more, and that part,
even if old, works very well. :-)

2016-06-28 8:59 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 27/06/16 22:42, Thomas DEBESSE wrote:
>
>> Hi, thank you for your answer.
>>
>> > Are the 'File servers' joined to the domain ?
>> Yes
>>
>> > Are the smb.conf files you posted complete
>> No, they are abridged ones, because they are very long
>>
>> > if not, can you post the complete ones, exactly as they are on the
>> computers (you can sanitize them if you need to)
>> Yes
>>
>> > Try taking a look here:
>> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>> I've read that page but it did not help me… :(
>>
>> So, following are the complete files, if you're OK with that; I just
>> applied a sed substitution to hide some sensitive names (using the
>> nomenclature defined above, since the servers' pet names will mean nothing
>> to you), and removed some data shares that work very well and are totally
>> unrelated (by the way, I kept the unrelated "partage" share as an example,
>> even if it's unrelated to my current problem).
>>
>> So, the "PDCSERV" config was the now-disabled all-in-one Samba3 PDC
>> server. The "ADSERV" is the current AD DC Samba4 server, and the "FILESERV"
>> is the current file sharing server (hosting homes and profiles). I have
>> also some other file servers, but they are totally unrelated to the
>> described problems since they just serve optional files for some people
>> (like the "partage" share described below). I also give you my logon.cmd so
>> you can see how the machinery works.
>>
>> As you can see, previous home paths were /home/users/%u and previous
>> profile paths were /home/users/%u/.profile.v2; home paths are now
>> /home/users/%u/userdisk, and profile paths are now /home/users/%u/profile.v2.
>> I just put the profile outside the home disk, which is recommended.
>>
>>
>> ---------------------------------------------------------------------------
>> PDCSERV:
>>
>> [global]
>>     workgroup = DOMAIN
>>     netbios name = PDCSERV
>>     server string = "Server"
>>
>>     wins support = yes
>>     dns proxy = no
>>     unix extensions = no
>>
>>     log file = /var/log/samba/log.%m
>>     log level = 4
>>     debug level = 4
>>     max log size = 5000
>>     syslog = 0
>>
>>     panic action = /usr/share/samba/panic-action %d
>>     encrypt passwords = true
>>
>>     passdb backend = smbpasswd:/etc/samba/smbpasswd
>>     obey pam restrictions = yes
>>     unix password sync = yes
>>
>>     passwd program = /usr/bin/passwd %u
>>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>     pam password change = yes
>>
>>     domain logons = yes
>>     logon path = \\%N\profile
>>     logon drive = U:
>>     logon home = \\%N\%U
>>     logon script = logon.cmd
>>     domain master = auto
>>
>> [homes]
>>     comment = Personal folder of %U
>>     path = /home/users/%U/.windows
>>     browseable = no
>>     wide links = Yes
>>     follow symlinks = Yes
>>     writable = yes
>>     read only = no
>>     create mask = 2770
>>     directory mask = 2770
>>     public = no
>>     hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/$RECYCLE.BIN/
>>     veto files = /.profile/.profile.v2/*.desktop/
>>
>> [netlogon]
>>     path = /etc/samba/netlogon
>>     guest ok = no
>>     writeable = yes
>>     browseable = no
>>     write list = ntadmin
>>
>> [profile]
>>     path = /home/users/%U/.profile
>>     browsable = no
>>     writeable = yes
>>     create mask = 0600
>>     directory mask = 0700
>>     profile acls = yes
>>     csc policy = disable
>>     hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/
>>
>> [profile.v2]
>>     path = /home/users/%U/.profile.v2
>>     browseable = no
>>     writeable = yes
>>     create mask = 0600
>>     directory mask = 0700
>>     profile acls = yes
>>     csc policy = disable
>>     hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/
>>
>> [partage]
>>     path            = /home/partage
>>     comment         = "Shared folder for everyone"
>>     browsable       = yes
>>     read only       = no
>>     create mask     = 777
>>     directory mask  = 777
>>
>> [printers]
>>     comment = All Printers
>>     browseable = no
>>     path = /var/spool/samba
>>     printable = yes
>>     guest ok = no
>>     read only = yes
>>     create mask = 0700
>>
>> [print$]
>>     comment = Printer Drivers
>>     path = /var/lib/samba/printers
>>     browseable = yes
>>     read only = yes
>>     guest ok = no
>>
>>
>>
>> ---------------------------------------------------------------------------
>> ADSERV:/etc/samba/smb.conf
>>
>> [global]
>>     workgroup     = DOMAIN
>>     realm         = DOMAIN.REALM
>>     netbios name  = ADSERV
>>     server role   = active directory domain controller
>>
>>     domain logons = Yes
>>     domain master = Yes
>>
>>     wins support  = Yes
>>     dns proxy     = No
>>
>>     idmap_ldb:use rfc2307 = Yes
>>
>>     syslog    = 1
>>     log level = 4
>>
>>     panic action = /usr/share/samba/panic-action %d
>>
>>     printing        = bsd
>>     printcap name   = /dev/null
>>     load printers   = No
>>     disable spoolss = Yes
>>
>>     logon path   = \\FILESERV\profile
>>     logon drive  = U:
>>     logon home   = \\FILESERV\%U
>>     logon script = "logon.cmd"
>>
>> [netlogon]
>>     comment    = "Network logon service"
>>     path       = /var/lib/samba/sysvol/savane.saba/scripts
>>     guest ok   = No
>>     writeable  = Yes
>>     read only  = No
>>     browseable = No
>>     write list = ntadmin
>>
>> [sysvol]
>>     path       = /var/lib/samba/sysvol
>>     read only  = No
>>     browseable = No
>>
>>
>>
>> ---------------------------------------------------------------------------
>> FILESERV:/etc/samba/smb.conf
>>
>> [global]
>>     workgroup    = DOMAIN
>>     realm        = DOMAIN.REALM
>>     netbios name = FILESERV
>>     security     = ADS
>>
>>     dfree command = /usr/local/bin/smb-dfree.sh
>>
>>     log file  = /var/log/samba/log.%m
>>     log level = 4
>>     max log size = 1000
>>     syslog    = 2
>>
>>     panic action = /usr/share/samba/panic-action %d
>>
>>     server role = member server
>>
>>     local master     = No
>>     domain master    = No
>>     preferred master = No
>>
>>     encrypt passwords     = Yes
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method       = secrets and keytab
>>
>>     winbind refresh tickets      = Yes
>>     winbind trusted domains only = No
>>     winbind use default domain   = Yes
>>     winbind enum users           = Yes
>>     winbind enum groups          = Yes
>>
>>     idmap config *:backend          = tdb
>>     idmap config *:range            = 2000-9999
>>
>>     idmap config DOMAIN:backend     = rid
>>     idmap config DOMAIN:schema_mode = rfc2307
>>     idmap config DOMAIN:range       = 10000-30000
>>
>>     winbind nss info = template
>>     template shell   = /bin/false
>>     template homedir = /home/users/%U
>>
>>     usershare allow guests = Yes
>>
>>     printing        = bsd
>>     printcap name   = /dev/null
>>     load printers   = No
>>     disable spoolss = Yes
>>
>>     unix extensions = No
>>     hide special files = Yes
>>     hide unreadable    = Yes
>>     hide dot files     = Yes
>>     hide files = /Bureau/AppData/Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/~$*/$RECYCLE.BIN/Thumbs.db/.DS_Store/*.desktop/
>>     veto files = /.fuse_*/lost+found/aquota.group/aquota.user/
>>
>> [homes]
>>     comment = "Personal folder of %u"
>>     path = "/home/users/%U/userdisk"
>>     browseable = No
>>     read only = No
>>     writeable = Yes
>>     browseable = No
>>     public = No
>>     wide links = Yes
>>     follow symlinks = Yes
>>     create mask = 2770
>>     directory mask = 2770
>>     force group = "users-%U"
>>     valid users = %S
>>
>> [partage]
>>     comment         = "Shared folder for everyone"
>>     path            = /home/partage
>>     browsable       = Yes
>>     read only       = No
>>     create mask     = 2770
>>     directory mask  = 2770
>>
>> [profile]
>>     comment = "NT5 profile (Windows XP)"
>>     path = /home/users/%U/profile
>>     browsable = No
>>     writeable = Yes
>>     create mask = 0600
>>     directory mask = 0700
>>     force group = "users-%U"
>>     profile acls = Yes
>>     csc policy = disable
>>
>> [profile.v2]
>>     comment = "NT6 profile (Windows 7 etc.)"
>>     path = /home/users/%U/profile.v2
>>     browseable = No
>>     writeable = Yes
>>     create mask = 0600
>>     directory mask = 0700
>>     force group = "users-%U"
>>     profile acls = Yes
>>     csc policy = disable
>>
>>
>> ---------------------------------------------------------------------------
>> ADSERV:/var/lib/samba/sysvol/savane.saba/scripts/logon.cmd
>>
>> NET USE U: \\FILESERV\homes
>> NET USE P: \\FILESERV\partage
>>
>> REGEDIT /S \\ADSERV\netlogon\common.reg
>>
>> --
>> Thomas DEBESSE
>>
>
> OK, I think your problem is that you are trying to run your AD domain as
> if it is still an NT4-style domain.
>
> I suggest you re-read the page I pointed you to and also other pages in
> the Samba wiki.
>
> You do not use:
>
> logon path   = \\FILESERV\profile
> logon drive  = U:
> logon home   = \\FILESERV\%U
> logon script = "logon.cmd"
>
> with AD, you would add:
>
> profilePath: \\FILESERV\profile
> scriptPath: logon.cmd
> homeDrive: U:
> homeDirectory: \\FILESERV\%U
>
> to each user's object in AD. You can do this with ADUC or by creating an
> ldif file on the DC and then use ldbmodify to add it.
>
> I would also look carefully at your smb.conf files, referencing 'man
> smb.conf'; for instance, did you know that ' writeable  = Yes' is the
> same as 'read only  = No' ? There is no point in having both.
>
> I would suggest you follow the Samba wiki and use ACLs instead of the old
> style 'create mask' etc
>
>
> Rowland
>



-- 
Thomas DEBESSE
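The per-user LDIF record Rowland describes, written out as an added example that is not part of this thread and not Samba's own tooling. It generates one "changetype: modify" record per user and pipes it to ldbmodify on the DC. Assumptions: users live under CN=Users and their CN equals the account name (the samba-tool user create default), the domain database is at /var/lib/samba/private/sam.ldb, and the share names match the thread (profile, logon.cmd, drive U:). Two points worth knowing over the plain LDIF in the reply: AD stores these attributes literally, there is no %U expansion as in smb.conf, so the user name has to be substituted per record; and "replace" is used instead of "add" so the same record works whether or not the attribute is already set.

```shell
#!/bin/sh
# Added example: set the four AD logon attributes on a user object via LDIF.
# Not from the thread; DN layout and sam.ldb path are assumptions (see lead-in).

# Emit an LDIF modify record for one user on stdout.
#   $1 sAMAccountName (assumed equal to the CN), e.g. jdoe
#   $2 file server name, e.g. FILESERV
#   $3 container DN, e.g. CN=Users,DC=domain,DC=realm
#   $4 drive letter (default U:), $5 logon script (default logon.cmd)
logon_ldif_for_user() {
    user=$1
    server=$2
    base=$3
    drive=${4:-U:}
    script=${5:-logon.cmd}

    # AD keeps these values verbatim: build the per-user UNC paths here,
    # there is no smb.conf-style %U substitution on the DC side.
    profile='\\'"$server"'\profile'
    home='\\'"$server"'\'"$user"

    # "replace" creates the attribute when absent and overwrites it when
    # present, so re-running the script is safe.
    printf 'dn: CN=%s,%s\nchangetype: modify\n' "$user" "$base"
    printf 'replace: profilePath\nprofilePath: %s\n-\n' "$profile"
    printf 'replace: scriptPath\nscriptPath: %s\n-\n' "$script"
    printf 'replace: homeDrive\nhomeDrive: %s\n-\n' "$drive"
    printf 'replace: homeDirectory\nhomeDirectory: %s\n' "$home"
}

# Apply the record on the DC.  Fails loudly when ldbmodify is not installed
# instead of silently doing nothing; SAM_LDB overrides the assumed path.
apply_logon_attrs() {
    user=$1
    server=$2
    base=$3
    sam=${SAM_LDB:-/var/lib/samba/private/sam.ldb}
    command -v ldbmodify >/dev/null 2>&1 || {
        echo "ldbmodify not found; run this on the AD DC" >&2
        return 1
    }
    logon_ldif_for_user "$user" "$server" "$base" | ldbmodify -H "$sam"
}

# Read the attributes back afterwards to check what the client will see:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=jdoe)' \
#       profilePath scriptPath homeDrive homeDirectory
```

The same four attributes are what the pdbedit --profile=, --drive=, --homedir= and --script= options mentioned in this thread write when pdbedit is run on the DC; the ldbsearch line above is the quickest way to confirm either route took effect for a given user before testing a logon.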