[Samba] Need help with roaming profiles

Anders Östling anders.ostling at gmail.com
Wed Jul 1 11:54:02 UTC 2020


FYI, I was able to solve our problem with roaming profiles on the
samba server by following this guide.

https://www.grouppolicy.biz/2011/07/how-to-reset-a-roaming-profile-in-windows-7/

Not a Samba problem, but maybe someone else can benefit from it if
they have problems with Windows 7 clients and profiles.

Best regards
Anders

On Tue, Jun 30, 2020 at 12:24 PM Anders Östling
<anders.ostling at gmail.com> wrote:
>
> On Tue, Jun 30, 2020 at 11:57 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On 30/06/2020 10:34, Anders Östling wrote:
> > > On Tue, Jun 30, 2020 at 11:24 AM Rowland penny via samba
> > > <samba at lists.samba.org> wrote:
> > >> On 30/06/2020 09:50, Anders Östling wrote:
> > >>
> > >>>> You have 'workgroup = HPLTS' and 'idmap config dg11', again, they must match
> > >>> As I wrote in the previous reply, that was a mistake from the initial
> > >>> deployment. However, I have a copy of the VM and when I corrected DG11
> > >>> to HLPTS and restarted the services, this happens:
> > >>>
> > >>> getent group "Oldgroup" returns a value in the 10000 range (as
> > >>> specified in the idmap config * statement).
> > >> If 'oldgroup' isn't in the 'HLPTS' domain, this is to be expected.
> > >>> I now created a new group in the domain, and expected to get a value
> > >>> in the range 30000 (as specified in the idmap config HPTLS statement).
> > >> You should.
> > >>> Again, I probably don't understand the different backends (tdb vs rid)
> > >>> functions enough.
> > >> The default domain '*' uses tdb and is an allocating db, the 'rid'
> > >> backend for your HPTLS domain uses the AD objects RID to calculate the
> > >> Unix ID.
> > >>>    The new group was given a id of 10032, so it seems
> > >>> as if the * statement still is the used range. Is this expected
> > >>> behaviour?
> > >> No, it isn't, if the group exists in AD and the AD domain name is
> > >> 'HPTLS' , from what you have posted, I would expect the Unix ID to start
> > >> with a '3'. Have you run 'net cache flush' ?
> > > I did this on the test system but can't see any difference. Both the
> > > old and newly created groups have id's in the 10000 range.
> > >
> > > WHAT IF:
> > > I remove the server from the domain
> > > Delete the tlb and ldb databases
> > > Correct the idmap statements as recommended
> > > Rejoin the domain
> >
> > You could try that, but you shouldn't have to ;-)
> >
>
> Let's play :)
>
> > If a user exists in AD and has the RID '1107' and you have this in smb.conf:
> >
> >          idmap config * : backend = tdb
> >          idmap config * : range = 10000-20000
> >          idmap config HPLTS : backend = rid
> >          idmap config HPLTS : range = 30000-40000
> >
> > Then on a domain joined Unix machine, I would expect the user's Unix ID
> > to be '31107', this would also depend on the user not being in /etc/passwd
> >
> > > I assume that all accounts and groups will get new id's in the
> > > 30000-range.
> > Yes, except for just one possible gotcha, if a user has the rid 11107,
> > then the Unix ID would be 30000 + 11107 = 41107. This is larger than
> > 40000, so it would be ignored, but you would have to have a very large
> > domain for this to happen, it is also easy to fix, just replace 40000
> > with a larger number.
>
> It's a quite small domain so that should not be an issue within the
> next 100 years.
>
> > >   Do I need to re-apply all folder and file permissions
> > > from the Windows server to get them correctly mapped?
> >
> > If you have files etc. belonging to different ID's then yes.
> >
>
> I did try this, and the old id's in the 10000-range are still there on
> the folders. All users and groups are now in the 30000-range, as
> expected.
>
> The *share* permissions seem to be correct, but not folders and
> files. It will be a major PITA to correct them afterwards manually, so
> I will see if I can find a PS-script that collects the ACL's before
> the change and then re-applies them afterwards. I will continue to
> scan the net for this. I really want the installation to be as
> "correct" as possible.
>
> Anders
>
> > Rowland
> >



-- 
-----------------------------------------------------------------------------------------------------------------------
This signature contains 100% recyclable electrons as prescribed by Mother Nature

Anders Östling
+46 768 716 165 (Mobil)
+46 431 45 56 01  (Hem)
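
Added example, not part of the original thread: a small Python check for the two points discussed above, namely that the `idmap config` domain must match `workgroup`, and that the `rid` backend yields range low + RID and ignores results above the range high. The sample smb.conf is constructed from the values quoted in the thread; `base_rid=0` is assumed (the idmap_rid default), and the function names are hypothetical.

```python
import re

# Constructed smb.conf fragment: workgroup and idmap domain differ,
# which is the mismatch pointed out in the thread.
SAMPLE_CONF = """\
[global]
    workgroup = HPLTS
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    idmap config DG11 : backend = rid
    idmap config DG11 : range = 30000-40000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf_text):
    """Return (workgroup, {domain: {'backend': str, 'range': (low, high)}})."""
    workgroup, domains = None, {}
    for line in conf_text.splitlines():
        if m := WORKGROUP_RE.match(line):
            workgroup = m.group(1).upper()
        elif m := IDMAP_RE.match(line):
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            if key == "range":
                val = tuple(int(x) for x in val.split("-"))
            domains.setdefault(dom, {})[key] = val
    return workgroup, domains

def rid_to_unix_id(rid, id_range, base_rid=0):
    """rid backend arithmetic: low + rid - base_rid; None if outside the range."""
    low, high = id_range
    unix_id = low + rid - base_rid
    return unix_id if low <= unix_id <= high else None

def audit(conf_text):
    """List idmap sections that cannot apply to the configured workgroup."""
    workgroup, domains = parse_idmap(conf_text)
    findings = []
    if workgroup not in domains:
        findings.append(f"no 'idmap config {workgroup}' section: IDs fall back to '*'")
    for dom in domains:
        if dom not in ("*", workgroup):
            findings.append(f"'idmap config {dom}' does not match workgroup {workgroup}")
    return findings
```

Renaming the `DG11` section to match the workgroup clears both findings; file and folder ownership already written with IDs from the old range is not changed by this and has to be re-applied separately, as noted in the thread.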


