[Samba] ad dc roaming new user profile folders not being created on login
rpenny at samba.org
Fri Jan 24 18:00:34 UTC 2020
On 24/01/2020 16:53, Philippe LeCavalier via samba wrote:
> 1.1) ad dc server details
> samba 4.2.14+dfsg-0+deb8u13 amd64
> 3.16.0-10-amd64 #1 SMP Debian 3.16.76-1 (2019-11-12) x86_64
OUCH, the latest Samba version is 4.11.x
You need to update your DC
> # Global parameters
> workgroup = INTRANET
> realm = INTRANET.BLANKED.CA
> netbios name = SVR11
> server role = active directory domain controller
> dns forwarder = 184.108.40.206
> idmap_ldb:use rfc2307 = yes
You need to remove everything from here:
> map acl inherit = yes
> client ldap sasl wrapping = sign
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # idmap config for the INTRANET domain
> idmap config INTRANET:backend = ad
> idmap config INTRANET:schema_mode = rfc2307
> idmap config INTRANET:range = 10000-999999
> # Template settings for login shell and home directory
> winbind nss info = template
> template shell = /bin/bash
> path = /var/lib/samba/sysvol/intranet.blanked.ca/scripts
> read only = No
> path = /var/lib/samba/sysvol
> read only = No
> path = /data/profiles
> read only = no
> 2) user create script
> echo Surname?
> read surname
> echo Given Name?
> read givenname
> echo username?
> read username
> samba-tool user create "$username" --surname="$surname" --given-name="$givenname" --profile-path="\\\\SVR.intranet.BLANKED.ca\\profiles\\$username"
> samba-tool user setexpiry "$username" --noexpiry
What about the password?
> ***On a side note to this one, I also tested creating test accounts using AD Users and Computers on a Windows 7 domain member with RSAT (which is what I used to do before that script) and saw no difference
> Here is the only error I've managed to find. The problem I have with diving into that one is that in the 15+ years since I've implemented roaming profiles in Samba I've never had to open the "Component Services" tool. So I have a lot of reservations about doing so. Here's the error I get on any computer I log into using a newly created account since this issue has come up. I do not get this on user accounts for which profiles are successfully working.
> The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
> and APPID
> to the user INTRANET\klund SID (S-1-5-21-2383363326-2467922837-4208427301-1227) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
> 3) FS permissions on the profiles share are set as per: https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#Using_Windows_ACLs
> 4) Turns out I was missing libnss-winbind and libpam-winbind all this time. After installing those, getent and all winbind type queries are working successfully. Hopefully my issue isn't related to having fixed that issue!
Try installing libpam-krb5 as well
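Added example (not part of the original thread, and not Samba's own loadparm code): a small Python check that reads an smb.conf [global] section and, when the role is "active directory domain controller", strips out the member-server parameters rpenny tells the poster to remove above (map acl inherit, client ldap sasl wrapping, every idmap config line, winbind nss info, template shell), keeping idmap_ldb:use rfc2307 and the rest intact. The sample config is constructed from the one quoted in the post; the parser is a minimal reimplementation for this purpose, not a general smb.conf parser.

```python
import re

# Constructed from the [global] section quoted in the post (not read from a real DC).
POSTED_GLOBAL = """\
[global]
workgroup = INTRANET
realm = INTRANET.BLANKED.CA
netbios name = SVR11
server role = active directory domain controller
dns forwarder = 184.108.40.206
idmap_ldb:use rfc2307 = yes
map acl inherit = yes
client ldap sasl wrapping = sign
# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the INTRANET domain
idmap config INTRANET:backend = ad
idmap config INTRANET:schema_mode = rfc2307
idmap config INTRANET:range = 10000-999999
# Template settings for login shell and home directory
winbind nss info = template
template shell = /bin/bash
"""

# Parameters rpenny says to take out of a DC's [global]. "idmap config" is matched
# as a prefix because every domain gets its own "idmap config DOM : ..." key.
DC_REMOVE_EXACT = {"map acl inherit", "client ldap sasl wrapping",
                   "winbind nss info", "template shell"}
DC_REMOVE_PREFIX = ("idmap config",)

DC_ROLE = "active directory domain controller"


def parse_key(line):
    """Normalised parameter name of a 'key = value' line, or None for blank,
    comment and [section] lines. Samba ignores case and embedded whitespace in
    parameter names, so runs of spaces are collapsed and the name lower-cased."""
    s = line.strip()
    if not s or s.startswith(("#", ";", "[")):
        return None
    key, sep, _ = s.partition("=")
    if not sep:
        return None
    return re.sub(r"\s+", " ", key.strip().lower())


def is_dc(conf):
    """True when 'server role' is set to the DC role (only the long form is checked)."""
    for line in conf.splitlines():
        if parse_key(line) == "server role":
            return line.split("=", 1)[1].strip().lower() == DC_ROLE
    return False


def clean_dc_global(conf):
    """Return (cleaned_conf, removed_parameter_lines). Non-DC configs pass through."""
    if not is_dc(conf):
        return conf, []
    lines = conf.splitlines()
    drop = [False] * len(lines)
    for i, line in enumerate(lines):
        key = parse_key(line)
        if key and (key in DC_REMOVE_EXACT or key.startswith(DC_REMOVE_PREFIX)):
            drop[i] = True
    # Also drop a comment whose next parameter line is being removed, so the
    # "# idmap config for ..." headers do not outlive the settings they describe.
    for i, line in enumerate(lines):
        if line.strip().startswith(("#", ";")):
            j = i + 1
            while j < len(lines) and (not lines[j].strip()
                                      or lines[j].strip().startswith(("#", ";"))):
                j += 1
            if j < len(lines) and drop[j]:
                drop[i] = True
    kept = [l for i, l in enumerate(lines) if not drop[i]]
    removed = [l.strip() for i, l in enumerate(lines) if drop[i] and parse_key(l)]
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = clean_dc_global(POSTED_GLOBAL)
    print("removed from DC [global]:")
    for r in removed:
        print("  ", r)
    print("\ncleaned [global]:\n" + cleaned)
```

Run it against a copy of /etc/samba/smb.conf before editing the live file; on a member server (server role = member server) the function returns the config unchanged, since the idmap config and template settings belong there.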