[Samba] Domain Logout, then domain login again, profile corrupt -> replaced by TEMP profile

Bjoern Trimborn samba at bjoern-trimborn.de
Wed Jun 7 19:45:15 UTC 2017


On 07.06.2017 at 09:18, Jobst Schmalenbach via samba wrote:
> Hi
> 
> I have had this problem for a while, but waited to post this until I upgraded to see whether the upgrade would fix it.
> I upgraded samba to the 4.2.X stream from 3.6.X stream, but it happens on both, 3.6.X and 4.2.10.
> 
> Whenever someone logs out, then in again the profile gets corrupted and a new TEMP profile is created (the dreadful "creating new desktop"). Now I do not know where this problem is - the desktop or the server.
> It also happens if you wait 1/2 hour or so, never tried it longer.
> 
> I can quickly fix this by:
> 
>  - tell the user to log out
>  - rsync -avHAX the profile with yesterday's profile
>  - tell the user to log in again
> 
> Now if I log out on my workstation, then on the server I do a "smb reload", then log in again this problem does not happen.
> 
> This morning a person logged out of his workstation, went over to the bigscreen in one of our training rooms and logged in there, then logged out, went over to his machine but got the dreadful "preparing desktop" on login ....
> 
> Anybody got any idea?
> 
> thanks
> Jobst
> 
> Here is some info:
> ~~~~~~~~~~~~~~~~~~
> All latest patches installed on everything.
> 
> OS server: CentOS 6.X
> OS Workstations: Windows 7 Prof
> Samba: 4.2.10 (was 3.6.23)
> Other: roaming profiles (as we log into other stations, e.g. training rooms)
> 
> smb.conf (important bits):
> [global]
>   workgroup = LALA
>   server string = Domain Server
>   netbios name = LALAMACHINE
>   username map = /etc/samba/smbusers
>   interfaces = eth0, lo
>   bind interfaces only = yes
>   # these flags were recommended.
>   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072
> 
>   # Logging, what, how much, etc
>   log level = 1
>   syslog = 0
>   log file = /var/log/samba/samba.log
>   max log size = 10000000
> 
>   # Auditing
>   vfs objects = full_audit
>   full_audit:prefix = %u|%I|%m|%S
>   full_audit:failure = none
>   full_audit:facility = LOCAL4
>   full_audit:priority = NOTICE
>   full_audit:success = none
>   full_audit:failure = none
> 
>   idmap config *: backend       = tdb
>   idmap config *: range         = 1000000-1999999
>   idmap config LALA : default = Yes
>   idmap config LALA : backend = <idmap backend>
>   idmap config LALA : range   = 500-999999
> 
>   winbind use default domain = Yes
>   winbind nested groups = Yes
>   winbind normalize names = no
> 
>   # domain stuff
>   logon script = user.cmd
>   logon path = \\lalamachine\profiles\%u
>   logon drive = Z:
>   logon home = \\lalamachine\%u\samba-homeshare
>   domain logons = Yes
>   os level = 200
>   domain master = Yes
>   dns proxy = No
>   wins support = Yes
>   security = user
>   encrypt passwords = Yes
>   hosts allow = 192.168.0., 127.
>   guest account = nobody
>   usershare allow guests = No
> 
>   # printer setup
>   load printers = Yes
>   printing = cups
>   printcap name = cups
>   printcap = cups
>   printcap cache time = 750
>   cups options = raw
>   read raw = yes
>   write raw = yes
>   oplocks = yes
>   max xmit = 65535
>   dead time = 15
>   getwd cache = yes
> 
>   # Samba implements the CIFS UNIX
>   unix extensions = no
> 
> [netlogon]
>   comment = Network Logon Service
>   path = /samba/NetLogon
>   browseable = Yes
>   guest ok = yes
>   admin users = root
>   full_audit:success = none
>   full_audit:failure = none
>   # this is required for log files to be written to
>   read only = No
>   write list = @lalausers, @lalaadmins
> 
> [profiles]
>   comment = Roaming Profile Share
>   path = /samba/Profiles/
>   read only = No
>   create mask = 0600
>   directory mask = 0700
>   browseable = yes
>   # you MUST disable caching on shares that have roaming profiles stored
>   csc policy = disable
>   guest ok = no
>   valid users = @lalausers, @lalaadmins
>   admin users = root
>   store dos attributes = yes
>   profile acls = yes
>   full_audit:success = none
>   full_audit:failure = none
> 
> 

Hi

I had the same issue on Win7 and Win10 clients.
If the user shut down the client, then on the next login he was unable
to load his profile.

'smbstatus -L' showed me that the NTUSER.DAT and NTUSER.INI from this
profile had a lock on them (DENY_WRITE or DENY_ALL; I can't remember
the exact value, it was too long ago).

But I was only able to observe this behavior on clients with SSD or
really fast HDD.

My workaround for this is to set "oplocks = no" on our profile share.

Another solution was to delay the shut down with a GPO script on 'client
shutdown' and a sleep timer up to 10 seconds.

Here is my smb.conf file:
---
[global]
    netbios name = FILES
    security = ADS
    workgroup = INTRANET
    realm = INTRANET.TESTVM.DE

    username map = /etc/samba/user.map

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config * : backend = tdb
    idmap config * : range = 1000000-2000000

    # idmap config for the domain
    idmap config INTRANET:backend = rid
    idmap config INTRANET:range = 3000000-4000000

    # Template settings for login shell and home directory
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /home/profiles_linux/%U

    winbind use default domain = yes
    winbind refresh tickets = yes

    vfs objects = dfs_samba4,acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # network
    interfaces = lo eth0
    bind interfaces only = yes
    smb ports = 445

    # Auditing
    full_audit:prefix = %u|%I|%S
    full_audit:facility = local5
    full_audit:priority = notice
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none

[profiles_windows]
    acl allow execute always = true
    comment = windows profiles
    path = /home/profiles_windows
    read only = no
    create mask = 0600
    directory mask = 0700
    profile acls = yes
    csc policy = disable
    vfs object                  = recycle
        recycle:repository      = ../recycler/%U/%S
        recycle:keeptree        = yes
        recycle:versions        = no
        recycle:touch_mtime     = yes
        recycle:maxsize         = 104857600
    # The next option is a workaround for windows7/10 with SSD
    # Windows does not tend to ensure that all locks for the user
    # profile (ntuser.dat and ntuser.ini) are broken on a fast shut down.
    # Another method is to install a delay for the shutdown process of
    # Windows by using a GPO Script.
    oplocks = no

[profiles_linux]
    comment = linux profiles
    path = /home/profiles_linux
    read only = no
    create mask = 0600
    directory mask = 0700
    vfs object                  = recycle
        recycle:repository      = ../recycler/%U/%S
        recycle:keeptree        = yes
        recycle:versions        = yes
        recycle:touch_mtime     = yes
        recycle:maxsize         = 104857600

[profiles_data]
    acl allow execute always = true
    comment = users's profile files
    path = /home/profiles_data
    read only = no
    create mask = 0600
    directory mask = 0700
    vfs object                  = recycle
        recycle:repository      = ../recycler/%U/%S
        recycle:keeptree        = yes
        recycle:versions        = yes
        recycle:touch_mtime     = yes
        recycle:maxsize         = 104857600

[shares]
    comment = users's files
    path = /home/shares
    read only = no
    vfs object                  = recycle,full_audit
        recycle:repository      = ../recycler/%U/%S
        recycle:keeptree        = yes
        recycle:versions        = yes
        recycle:touch_mtime     = yes
        recycle:maxsize         = 104857600
---

Bjoern
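
A check for the condition described in the reply above, as an added example that is not part of the original thread: it parses `smbstatus -L` output and reports NTUSER.DAT / NTUSER.INI entries held with DENY_WRITE or DENY_ALL. The column layout (Samba 4.x style), the function names and every sample row are constructed assumptions; adjust the pattern if your version prints different columns.

```python
import re
import sys

# Constructed sample of `smbstatus -L` output (Samba 4.x column layout assumed).
SAMPLE = """\
Locked files:
Pid     Uid      DenyMode    Access    R/W     Oplock           SharePath               Name                 Time
------------------------------------------------------------------------------------------------------------------
4211    3001104  DENY_WRITE  0x12019f  RDWR    EXCLUSIVE+BATCH  /home/profiles_windows  alice.V2/NTUSER.DAT  Wed Jun  7 18:02:11 2017
4211    3001104  DENY_NONE   0x100081  RDONLY  NONE             /home/profiles_windows  alice.V2             Wed Jun  7 18:02:10 2017
4377    3001107  DENY_ALL    0x12019f  RDWR    NONE             /home/profiles_windows  bob.V2/ntuser.ini    Wed Jun  7 18:40:52 2017
4390    3001109  DENY_NONE   0x120089  RDONLY  LEVEL_II         /home/shares            team/plan 2017.xlsx  Wed Jun  7 18:41:03 2017
"""

# SharePath is assumed to contain no spaces; Name may, so it is matched lazily
# up to the trailing ctime-style timestamp.
ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<uid>\S+)\s+(?P<deny>DENY_\w+)\s+(?P<access>0x[0-9a-fA-F]+)\s+"
    r"(?P<rw>\S+)\s+(?P<oplock>\S+)\s+(?P<share>\S+)\s+(?P<name>.+?)\s+"
    r"(?P<time>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\s*$"
)
HIVE_FILES = {"ntuser.dat", "ntuser.ini"}
BLOCKING = {"DENY_WRITE", "DENY_ALL"}  # the two deny modes named in the reply

def parse_rows(text):
    """Return one dict per lock row; header and separator lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows

def profile_locks(text):
    """Rows where a profile hive file is held with DENY_WRITE or DENY_ALL."""
    hits = []
    for row in parse_rows(text):
        base = re.split(r"[\\/]", row["name"])[-1].lower()
        if base in HIVE_FILES and row["deny"] in BLOCKING:
            hits.append(row)
    return hits

if __name__ == "__main__":
    # `smbstatus -L | python3 this_file.py -` checks a live server; otherwise SAMPLE is used.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for r in profile_locks(text):
        print(f'{r["time"]}  pid={r["pid"]}  {r["deny"]:<10}  oplock={r["oplock"]}  {r["share"]}/{r["name"]}')
```

Run after the user has logged out: any row it still prints belongs to an smbd process (the `pid` column) that has not released the profile hive.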


