[Samba] CSC & roaming profiles

Wed May 19 08:20:07 UTC 2021

… to clarify my previous rant, the question is if the “csc disable” is a new addition to the wiki, and if the default “csc manual” have caused problems for other samba users

/Anders

Anders Östling

Dämmegatan 11
SE-25442 Helsingborg
Sweden
Phone: +46 768 716 165
Skype: anders.ostling at outlook.com

On 19 May 2021, 10:06 +0200, Anders Östling <anders.ostling at gmail.com>, wrote:
> Hi
> I have had roaming profiles enabled on user accounts since November last year. This is a small business with approx 10 users, but a few of them are actually taking benefit of the roaming profile feature.
> Recently, they have had all sorts of problems with their profiles, usually Access Denied when trying to load the profiles (only those that actually roams between different computers). I have spent hours trying to find a pattern and pinpoint the exact source of the problem. During this digging, I have learned to hate Windows even more, since the profiles management is like an octopus, reaching into almost every part of the system...
>
> Anyway, I managed to get it back on track by loosing up permissions on the /share/profiles folder (temporary) but I need to find a permanent solution. During the attempts to restore the clients, I also found out that the C:/Windows/CSC directory has a function too. Another cache besides what is under C:/Users/<username>/Desktop/? At the same time, the few roaming users also got problems accessing their U:/AppData/Roaming folders. The permissions looked good, but MS apps (Excel and Word had a different opinion and refused to load documents). The temporary fix for this was also to loose up permissions on the AppData folder until I had a better understanding of what’s going on.
>
> So, while re-reading the Samba wiki page, I saw that there is a parameter, csc policy = disable, that I have not seen before. Is the wiki for profiles updated recently with that one? I found some internet posts that describes the different values, enable/manual/disable and their functions. Could this have been a reason for my client’s problem (several users on one computer, and a CSC that got confused)? If so, then I hope that disabling the function will make the clients work better once I have restored them from scratch.
>
> While I am typing, let me describe another specific user’s situation. Initially she got the same permissions error when logging on another computer. But suddenly, her normal workstation started to behave like this (maybe after a loosened up the permissions on the /share/profiles, hard to tell).
>
> She logs on the domain
> Get a message “We could not log you on using a profile, a temporary profile has been created” (or quite similar to this)
> A blank desktop with Trashcan
> The netlogon script has mapped up her drives correctly
>
> The C:/Users folder now contains these folders
> /katarina (hers)
> /temp.hlts (domain name)
> /temp.hplts.1
> /temp.hplts.2
> /temp.hplts.3
>
> She can navigate to /Users/katarina/Desktop where all her saved shortcuts are, and CTRL-A, CTRL-C. Then close explorer and CTRL-V on desktop. Everything works as before, including mapped drives and app and document shortcuts. If she logs out, then all steps need to be repeated. So for the moment, she just WIN+L at the end of the day until her computer is re-installed, and hopefully things are working again.
>
> She CAN map drive profile folder on the server manually without getting any permission error. This makes me believe that the problem is on the client side, not the server.
>
> Windows 10 2020H2 on the clients.
> Samba 4.13.8 on the server
> Windows 2019 Standard as DC
>
> End of rant. I hope that someone can give some insight and maybe advise on how to fix this mess. If not, it’s a re-install of the affected clients and praying that the CSC disable will help.