[Samba] User profiles question

Vinicius Bones Silva vbs at e-trust.com.br
Fri Mar 31 15:16:09 UTC 2017


I'm facing an issue where most users receive the error "The Group Policy Client service 
failed the logon. Access denied.". The fix so far is to delete a registry folder on the 
client machine, but there are cases where this does not work. For one user, I had to 
delete the account and create it again. The domain uses 3 centos7 + samba 4.5.5, with a 
fileserver running 4.4.4.

Reading https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles shows me that our 
setup does not thing different from the suggested configuration:

We do not have a profiles share. Instead, we put the user profile inside the user's home 

Are there recommendations regarding the profile location? Is it ok to have the user profile 
inside the home drive, instead of a specific share?

Here's the fileserver smb.conf, if it helps:

         netbios name = ULTRON
         security = ADS
         workgroup = E-TRUST
         realm = E-TRUST.COM.BR
         #dns forwarder =
         server role = member server

         # Default idmap config used for BUILTIN and local accounts/groups
         #idmap config *:backend = ad
         idmap config *:range = 2000-9999

         # Use settings from AD for login shell and home directory
         idmap_ldb:use rfc2307 = yes

         # idmap config for domain E-TRUST
         idmap config E-TRUST:backend = ad
         idmap config E-TRUST:schema_mode = rfc2307
         idmap config E-TRUST:range = 10000-40000

         # Winbind Configuration
         winbind enum groups = yes
         winbind enum users = yes
         winbind use default domain = yes
         winbind nss info = rfc2307

         #[cp 13.Oct.2016] Reduced the Winbindd cache
         idmap cache time = 30
         idmap negative cache time = 30
         winbind cache time = 30

         # Required on the domain member only
         vfs objects = acl_xattr
         map acl inherit = yes
         store dos attributes = yes
         log level = 5
         log file = /var/log/samba/%M.log

         #[vbs 30.11.2016]180417 - removes vulnerability
         #"26920 - Microsoft Windows SMB NULL Session Authentication"
         restrict anonymous = 2

    comment = Diretorios de usuarios
    path = /compartilhamentos/home/
    browseable = no
    writable = yes
    guest ok = no
    create mask = 600
    directory mask = 700


Vinicius Silva

BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva


www.e-trust.com.br <http://www.e-trust.com.br/>
