[Samba] GPO / Sysvol problems

Gregory Sloop gregs at sloop.net
Thu Jan 24 18:55:23 UTC 2019


This is the samba conf file (not on the DCs, but on the box where profiles are being stored - which is where our problem is, IMO) - does anything in here need addressing?

[I've slightly sanitized some names.]

I'm trying to gather relevant samba logs from this same box, as well as anything that looks relevant from the Windows station event logs.
But I thought starting here might be worthwhile.

I don't see anything that strikes me as really wrong, but I'm pretty out of my comfort zone here.

--

# Global settings for an AD member file server (server role = member server,
# security = ADS). The server string suggests the file was generated by FreeNAS.
# Review notes below are hedged where the listing alone cannot settle the point.
[global]
    # SMB1 is excluded: the lowest dialect offered is SMB 2.02.
    server min protocol = SMB2_02
    server max protocol = SMB3
    # smbd listens only on the addresses listed here because
    # "bind interfaces only" is enabled. 127.0.0.1 appears twice (redundant).
    interfaces = 127.0.0.1 10.8.22.4 127.0.0.1
    bind interfaces only = yes
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    # Idle connections with no open files are closed after this many minutes.
    deadtime = 15
    # Log size limit is in KiB.
    max log size = 51200
    max open files = 1884710
    logging = file
    # Printing is switched off entirely.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    # "Bad User" maps logins for user names that do not exist to the guest
    # account instead of rejecting them. Both shares in this listing set
    # "guest ok = no", so a guest session should not reach them; it can still
    # connect to IPC$ and enumerate browseable shares.
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    # NTLMv1 is refused on the server side; NTLMv2 is still accepted.
    ntlm auth = no
    directory name cache size = 0
    kernel change notify = no
    # These two settings name external programs that Samba runs.
    # NOTE(review): confirm both paths are root-owned and not writable by others.
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    unix extensions = no
    # Files can be opened for execution even when the ACL grants no execute
    # right (matches older Samba behaviour).
    acl allow execute always = true
    dos filemode = yes
    multicast dns register = no
    domain logons = no
    # Default idmap domain: local tdb allocation. Its range does not overlap
    # the AD range configured further down.
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    workgroup = AD
    realm = AD.AB.LOCAL
    security = ADS
    client use spnego = yes
    local master = no
    domain master = no
    preferred master = no
    ads dns update = yes
    # Winbind caches lookups for 7200 seconds, so group or user changes made
    # on the DCs can take up to that long to be seen here.
    winbind cache time = 7200
    # Offline logon keeps cached credentials on this host.
    # NOTE(review): confirm this is wanted on a file server.
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    # The rid backend derives Unix IDs from the RID of each AD account.
    idmap config AD: backend = rid
    idmap config AD: range = 20000-90000000
    # Only accounts from the joined domain are accepted.
    allow trusted domains = no
    # "plain" means LDAP traffic from this host to the DCs is neither signed
    # nor encrypted; Samba also accepts "sign" and "seal". DCs that enforce
    # LDAP signing reject plain connections.
    # NOTE(review): check the DC-side LDAP signing policy against this value.
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    # The alias repeats the NetBIOS name (redundant).
    netbios name = AB-FREENAS
    netbios aliases = AB-FREENAS
    # Permissive masks: nothing is stripped from the mode bits of new files
    # (rw for all) or new directories (rwx for all).
    # NOTE(review): with the zfsacl module loaded on the shares, effective
    # access presumably comes from the NFSv4 ACLs - confirm on the dataset.
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    # Verbose logging, useful while debugging; the logs will contain user and
    # path names, so restrict access to them and lower the level afterwards.
    log level = 3
    

# Share holding the roaming profiles (the share the post reports trouble with).
[ab-profiles]
    path = "/mnt/abac-zfs-01/ad-profiles"
    comment = ab-profiles
    printable = no
    # Names in this list are hidden from clients and cannot be accessed.
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    # The share is listed for every connecting user; with
    # "access based share enum = no" the listing is not filtered by permission.
    browseable = yes
    access based share enum = no
    # zfsacl stores NT ACLs as ZFS NFSv4 ACLs; streams_xattr keeps alternate
    # data streams in extended attributes. Unlike [abac-share1], acl_xattr is
    # not loaded here.
    # NOTE(review): confirm the difference between the two shares is intended.
    vfs objects = zfs_space zfsacl streams_xattr
    hide dot files = no
    # Guest sessions are refused on this share.
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    # Permits changing owner and group through the NFSv4 ACL module.
    # NOTE(review): on a profile share, check who ends up owning each profile
    # directory and that other users cannot take ownership.
    nfs4:chown = true
    zfsacl:acesort = dontcare
    

# General shared-folder share on the same ZFS pool as [ab-profiles].
[abac-share1]
    path = "/mnt/abac-zfs-01/ad-shared-folders"
    comment = abac-share1
    printable = no
    # Names in this list are hidden from clients and cannot be accessed.
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    # The share is listed for every connecting user; with
    # "access based share enum = no" the listing is not filtered by permission.
    browseable = yes
    access based share enum = no
    # acl_xattr and zfsacl are both NT ACL modules: acl_xattr keeps the ACL in
    # an extended attribute, zfsacl maps it to ZFS NFSv4 ACLs. [ab-profiles]
    # loads only zfsacl.
    # NOTE(review): confirm stacking both here is intended and which one ends
    # up governing access.
    vfs objects = acl_xattr zfs_space zfsacl streams_xattr
    hide dot files = no
    # Guest sessions are refused on this share.
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    # Permits changing owner and group through the NFSv4 ACL module.
    nfs4:chown = true
    zfsacl:acesort = dontcare

