[Samba] CSC & roaming profiles

L.P.H. van Belle belle at bazuin.nl
Wed May 19 08:41:17 UTC 2021 

Anders, 

I suggest have a look that this script i made. 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-share-folders.sh 
It setups up a base structure with needed rights. Compair them with yours. 
Note, i use AD-backend on the member servers. 

To reduce problems, ( you never can fully, simply because of windows.. )
1) Setup the profiles with the rights as shown in the script. 
2) read this.. https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview 
And the sections below it. 

> U:/AppData/Roaming.. 
On this, windows expect the user to be the owner on the userhome dirs. 

> Get a message ?We could not log you on using a profile, a 
> temporary profile has been created? (or quite similar to this)

Same for profiles, but there you can set also in GPO.
GPO:  Add the adminstrators security group to roaming user profiles. 
That helps for the profiles itself. 


Check this script to fix the rights on the userhomedir
https://github.com/thctlo/samba4/blob/master/samba-fix-userhome-recursive.sh
I seen same as you, i must follow an oder on how i create a new user for example. 

I create the user, fist thing then i set the UID/GID for the users. 
Then i can make the homefolder and profiles folder

If the user homedir is created, directly when you added the user, 
like when you make a copy of a other user and \server.fqdn\users\%username% is used in RSAT 
Then the rights are wrong, in these cases i or run above script or change it manual. 


I hope that this will help you. 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Anders Östling via samba
> Verzonden: woensdag 19 mei 2021 10:07
> Aan: Patrik via samba
> Onderwerp: [Samba] CSC & roaming profiles
> 
> Hi
> I have had roaming profiles enabled on user accounts since 
> November last year. This is a small business with approx 10 
> users, but a few of them are actually taking benefit of the 
> roaming profile feature.
> Recently, they have had all sorts of problems with their 
> profiles, usually Access Denied when trying to load the 
> profiles (only those that actually roams between different 
> computers). I have spent hours trying to find a pattern and 
> pinpoint the exact source of the problem. During this 
> digging, I have learned to hate Windows even more, since the 
> profiles management is like an octopus, reaching into almost 
> every part of the system...
> 
> Anyway, I managed to get it back on track by loosing up 
> permissions on the /share/profiles folder (temporary) but I 
> need to find a permanent solution. During the attempts to 
> restore the clients, I also found out that the C:/Windows/CSC 
> directory has a function too. Another cache besides what is 
> under C:/Users/<username>/Desktop/? At the same time, the few 
> roaming users also got problems accessing their 
> U:/AppData/Roaming folders. The permissions looked good, but 
> MS apps (Excel and Word had a different opinion and refused 
> to load documents). The temporary fix for this was also to 
> loose up permissions on the AppData folder until I had a 
> better understanding of what?s going on.
> 
> So, while re-reading the Samba wiki page, I saw that there is 
> a parameter, csc policy = disable, that I have not seen 
> before. Is the wiki for profiles updated recently with that 
> one? I found some internet posts that describes the different 
> values, enable/manual/disable and their functions. Could this 
> have been a reason for my client?s problem (several users on 
> one computer, and a CSC that got confused)? If so, then I 
> hope that disabling the function will make the clients work 
> better once I have restored them from scratch.
> 
> While I am typing, let me describe another specific user?s 
> situation. Initially she got the same permissions error when 
> logging on another computer. But suddenly, her normal 
> workstation started to behave like this (maybe after a 
> loosened up the permissions on the /share/profiles, hard to tell).
> 
> She logs on the domain
> Get a message ?We could not log you on using a profile, a 
> temporary profile has been created? (or quite similar to this)
> A blank desktop with Trashcan
> The netlogon script has mapped up her drives correctly
> 
> The C:/Users folder now contains these folders
> /katarina (hers)
> /temp.hlts (domain name)
> /temp.hplts.1
> /temp.hplts.2
> /temp.hplts.3
> 
> She can navigate to /Users/katarina/Desktop where all her 
> saved shortcuts are, and CTRL-A, CTRL-C. Then close explorer 
> and CTRL-V on desktop. Everything works as before, including 
> mapped drives and app and document shortcuts. If she logs 
> out, then all steps need to be repeated. So for the moment, 
> she just WIN+L at the end of the day until her computer is 
> re-installed, and hopefully things are working again.
> 
> She CAN map drive profile folder on the server manually 
> without getting any permission error. This makes me believe 
> that the problem is on the client side, not the server.
> 
> Windows 10 2020H2 on the clients.
> Samba 4.13.8 on the server
> Windows 2019 Standard as DC
> 
> End of rant. I hope that someone can give some insight and 
> maybe advise on how to fix this mess. If not, it?s a 
> re-install of the affected clients and praying that the CSC 
> disable will help.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list