[Samba] ad dc roaming new user profile folders not being created on login

Rowland penny rpenny at samba.org
Fri Jan 24 18:00:34 UTC 2020


On 24/01/2020 16:53, Philippe LeCavalier via samba wrote:
> references
> (1)
>
> 1.1) ad dc server details
> samba 4.2.14+dfsg-0+deb8u13  amd64
> 3.16.0-10-amd64 #1 SMP Debian 3.16.76-1 (2019-11-12) x86_64

OUCH, the latest Samba version is 4.11.x

You need to update your DC

>
> 1.2)smb.conf
> # Global parameters
> [global]
> workgroup = INTRANET
> realm = INTRANET.BLANKED.CA
> netbios name = SVR11
> server role = active directory domain controller
> dns forwarder = 8.8.8.8
> idmap_ldb:use rfc2307 = yes
You need to remove everything from here:
> map acl inherit = yes
> client ldap sasl wrapping = sign
>
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> # idmap config for the INTRANET domain
> idmap config INTRANET:backend = ad
> idmap config INTRANET:schema_mode = rfc2307
> idmap config INTRANET:range = 10000-999999
>
> # Template settings for login shell and home directory
> winbind nss info = template
To here.
> template shell = /bin/bash
>
> [netlogon]
> path = /var/lib/samba/sysvol/intranet.blanked.ca/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [profiles]
> path = /data/profiles
> read only = no
>
>
> 2) user create script
> #!/bin/bash
> echo Surname?
> read surname
> echo Given Name?
> read givenname
> echo username?
> read username
> samba-tool user create "$username" --surname="$surname" --given-name="$givenname" --profile-path="\\\\SVR.intranet.BLANKED.ca\\profiles\\$username"
> samba-tool user setexpiry "$username" --noexpiry
What about the password?
>
> ***on a side note to this one, I also tested creating test accounts using AD user and computers on a windows 7 domain member with RSAT (which is what I used to do before that script) and saw no difference
>
> Here is the only error I've managed to find. The problem I have with diving into that one is that in the 15+ years since I've implemented roaming profiles in samba I've never had to open the "Component Services" tool. So I have a lot of reservations about doing so. Here's the error I get on any computer I log into using a newly created account since this issue has come up. I do not get this on user accounts for which profiles are successfully working.
>
> The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
> {C2F03A33-21F5-47FA-B4BB-156362A2F239}
>   and APPID
> {316CDED5-E4AE-4B15-9113-7055D84DCC97}
>   to the user INTRANET\klund SID (S-1-5-21-2383363326-2467922837-4208427301-1227) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
>
> 3) FS permissions on the profiles share are set as per: https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#Using_Windows_ACLs
>
> 4) Turns out I was missing libnss-winbind and libpam-winbind all this time. After installing those, getent and all winbind type queries are working successfully. Hopefully my issue isn't related to having fixed that issue!
Try installing libpam-krb5 as well

Rowland
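The "remove everything from here to here" advice above is easy to check mechanically. The script below is an added example, not code from this thread or from Samba: it lists the [global] parameters Rowland strikes out of an AD DC's smb.conf, using only sh and awk on a constructed copy of the poster's config.

```shell
#!/bin/sh
# Added example, not code from this thread or from Samba: list the [global]
# parameters Rowland tells the poster to remove from an AD DC's smb.conf. On a
# DC winbind answers from idmap.ldb, so the domain-member style "idmap config"
# backends, "winbind nss info", "map acl inherit" and "client ldap sasl
# wrapping" lines are stray. Needs only sh and awk, no Samba tools.

# dc_stray_params FILE: print each stray [global] parameter line, one per line.
# Exits 2 when the file does not set server role = active directory domain
# controller, since on a member server the idmap config lines are legitimate.
dc_stray_params() {
    awk '
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[^a-z]/, "", sect); next }
        sect != "global" || /^[ \t]*$/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            key = line; sub(/[ \t]*=.*/, "", key)       # parameter name only
            key = tolower(key); gsub(/[ \t]+/, " ", key)
            if (key == "server role") { role = line; sub(/^[^=]*=[ \t]*/, "", role) }
            if (key ~ /^(idmap config|winbind nss info|map acl inherit|client ldap sasl wrapping)/)
                print line
        }
        END { if (tolower(role) == "active directory domain controller") exit 0; exit 2 }
    ' "$1"
}

# Constructed sample modelled on the poster's smb.conf (trimmed to the relevant lines).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[global]
    workgroup = INTRANET
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    map acl inherit = yes
    client ldap sasl wrapping = sign
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config INTRANET:backend = ad
    idmap config INTRANET:schema_mode = rfc2307
    idmap config INTRANET:range = 10000-999999
    winbind nss info = template
    template shell = /bin/bash
[profiles]
    path = /data/profiles
EOF

dc_stray_params "$SAMPLE"    # prints the 8 stray lines; idmap_ldb and template shell stay
```

Run it against the real /etc/samba/smb.conf instead of the sample file to get the list of lines to delete before restarting the DC.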