[Samba] Profile problem
Anders Östling
anders.ostling at gmail.com
Sat Feb 6 09:47:24 UTC 2021
Hi all
I have started to rebuild a client’s samba environment from scratch on Debian. The plan is to use Samba AD instead of Windows AD, and to use a Samba FS for everything else. AFAIK the AD and FS setup is done correctly since I can logon from a Windows client, map home drive and map application drives.
The problem is that roaming profiles don’t work. I have linked to a screenshot taken on the Windows 10 desktop that shows:
Event log error
Profile share permissions
Profile folder permissions
Folder with mapped drives (done by netlogon script run from sysvol)
The user account settings
https://drive.google.com/file/d/1vMRAGJn-01UWARN5Hs8LflMKDtaOt6vU/view?usp=sharing
ACL permissions for the Profiles share
root at fs1-hplts:/samba# getfacl Profiles/
# file: Profiles/
# owner: root
# group: root
user::rwx
user:root:rwx
user:30512:rwx
user:30513:r-x
group::---
group:root:---
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:30512:rwx
default:group::---
default:group:root:---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
The Samba file server config is below (I changed the Profiles share to browseable in order to see the share while troubleshooting):
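# smb.conf for the domain member file server (read by smbd / winbindd).
# Keys at column 0, '#' full-line comments only; check the result with "testparm -s".
[global]
workgroup = HPLTS
server role = MEMBER SERVER
security = ADS
realm = HOGANAS-PLATSLAGAREN.SE
# Kerberos: machine keytab plus the secrets database
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# NOTE(review): smb.conf examples do not quote string values; confirm with "testparm -s"
# whether the quotes are kept as part of the string (%h = server hostname)
server string = "Fileserver Samba4 %h"
# one log per client (%m = client NetBIOS name)
log file = /var/log/samba/%m.log
# 5 is a debugging level: very verbose, and the logs then record user and file names;
# lower it (0-2) once the profile problem is solved
log level = 5
# was "max logsize", which is not a Samba parameter and is ignored with a warning;
# the correct name is "max log size" (KiB)
max log size = 2000
username map = /etc/samba/user.map
# idmap: tdb for BUILTIN/other SIDs, rid for the HPLTS domain
# (RID 512/513 + 30000 = the 30512/30513 ids seen in the getfacl output above)
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config HPLTS : backend = rid
idmap config HPLTS : range = 30000-40000
# default is yes; the parameter is deprecated in recent Samba releases
encrypt passwords = yes
winbind refresh tickets = yes
winbind offline logon = yes
# enumeration is expensive on large domains; only needed for getent-style listings
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = yes
# user/group names without the HPLTS\ prefix (as in the getfacl output above)
winbind use default domain = yes
# stay out of NetBIOS browser elections
os level = 20
domain master = no
local master = no
preferred master = no
# unknown usernames become the guest account; every share below has guest ok = no,
# so they get nothing, but the attempt is then not logged as a failed logon.
# Consider "never" on a domain member so bad usernames are rejected outright.
map to guest = bad user
host msdfs = no
# Samba upper-cases this; the mixed case is harmless
netbios name = fS1-hplts
# these two apply to Samba's own outbound client connections (e.g. to the DC);
# the minimum accepted from clients is "server min protocol" (not set, default SMB2_02)
client min protocol = SMB2
client max protocol = SMB3
unix extensions = no
reset on zero vc = yes
# files the user cannot read are left out of directory listings
hide unreadable = yes
# Windows ACL support: ACLs stored in xattrs, inherited, with DOS attributes
acl group control = yes
acl map full control = yes
ea support = yes
vfs objects = acl_xattr recycle
map acl inherit = yes
store dos attributes = yes
# users with write access may change permissions / timestamps
dos filemode = yes
dos filetimes = yes
# no anonymous access (no share or user enumeration without authentication)
restrict anonymous = 2
strict allocate = yes
guest ok = no
# printing disabled
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# listen only on loopback and the LAN interface
interfaces = lo enp1s0
bind interfaces only = yes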
# Home directories, mapped as the home drive by the netlogon script
[Users]
path = /samba/Users
comment = "User home directories"
read only = no
browseable = yes
# new files 0660, new directories 2770 (setgid, group-writable)
force create mode = 0660
force directory mode = 2770
# Roaming profiles: Windows creates and writes the user's profile folder under this path at logon
[Profiles]
path = /samba/Profiles
comment = "User roaming profiles"
# on only for troubleshooting; a profile share is normally not browseable
browseable = yes
read only = no
# NOTE(review): the getfacl output above gives "domain users" only r-x on /samba/Profiles,
# so a user presumably cannot create their own profile folder on first logon - check the
# event log text against this. Windows also checks that the profile folder is owned by the
# user; "profile acls = yes" exists for that case on member servers (see smb.conf(5)).
# new files 0660, new directories 2770 (setgid, group-writable)
force create mode = 0660
force directory mode = 2770
# Shared documents, writable by everyone the ACLs allow
[Documents]
path = /samba/Documents
comment = "Shared documents"
read only = no
browseable = yes
# new files 0660, new directories 2770 (setgid, group-writable)
force create mode = 0660
force directory mode = 2770
# Installer files; read only (Samba default) since "read only" is not overridden
[Setup]
path = /samba/Setup
comment = "Setup applications"
# Legacy DOS / 16-bit applications; read only (Samba default) since "read only" is not overridden
[Legacy]
path = /samba/Legacy
comment = "Legacy applications (DOS & 16-bit)"
# Industrial systems data; read only (Samba default) since "read only" is not overridden
[Robotics]
path = /samba/Robotics
comment = "Industrial systems"
The Samba AD DC config is the following:
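# smb.conf for the AD domain controller (the layout samba-tool provision writes)
[global]
netbios name = DC1-HPLTS
realm = HOGANAS-PLATSLAGAREN.SE
server role = active directory domain controller
workgroup = HPLTS
# use uidNumber/gidNumber from AD (RFC 2307) where present
idmap_ldb:use rfc2307 = yes
# names the DC is not authoritative for are forwarded to a public resolver, so internal
# lookups that miss leave the network; an internal or ISP resolver keeps them local
dns forwarder = 8.8.8.8
# was a bare "allow dns updates" line with no value, which is a malformed smb.conf line
# and takes no effect; "secure only" (the default) accepts only signed/Kerberos-authenticated
# dynamic DNS updates
allow dns updates = secure only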
# Logon scripts (run on every client at logon). Writable so admins can edit them;
# who may write is decided by the sysvol NT ACLs - verify with "samba-tool ntacl sysvolcheck"
[netlogon]
read only = No
path = /var/lib/samba/sysvol/hoganas-platslagaren.se/scripts
# Group Policy and scripts tree; write access is governed by the sysvol NT ACLs,
# not by this share definition
[sysvol]
read only = No
path = /var/lib/samba/sysvol