[Samba] CSC & roaming profiles
L.P.H. van Belle
belle at bazuin.nl
Wed May 19 08:41:17 UTC 2021
Anders,
I suggest have a look that this script i made.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-share-folders.sh
It setups up a base structure with needed rights. Compair them with yours.
Note, i use AD-backend on the member servers.
To reduce problems, ( you never can fully, simply because of windows.. )
1) Setup the profiles with the rights as shown in the script.
2) read this.. https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview
And the sections below it.
> U:/AppData/Roaming..
On this, windows expect the user to be the owner on the userhome dirs.
> Get a message ?We could not log you on using a profile, a
> temporary profile has been created? (or quite similar to this)
Same for profiles, but there you can set also in GPO.
GPO: Add the adminstrators security group to roaming user profiles.
That helps for the profiles itself.
Check this script to fix the rights on the userhomedir
https://github.com/thctlo/samba4/blob/master/samba-fix-userhome-recursive.sh
I seen same as you, i must follow an oder on how i create a new user for example.
I create the user, fist thing then i set the UID/GID for the users.
Then i can make the homefolder and profiles folder
If the user homedir is created, directly when you added the user,
like when you make a copy of a other user and \server.fqdn\users\%username% is used in RSAT
Then the rights are wrong, in these cases i or run above script or change it manual.
I hope that this will help you.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Anders Östling via samba
> Verzonden: woensdag 19 mei 2021 10:07
> Aan: Patrik via samba
> Onderwerp: [Samba] CSC & roaming profiles
>
> Hi
> I have had roaming profiles enabled on user accounts since
> November last year. This is a small business with approx 10
> users, but a few of them are actually taking benefit of the
> roaming profile feature.
> Recently, they have had all sorts of problems with their
> profiles, usually Access Denied when trying to load the
> profiles (only those that actually roams between different
> computers). I have spent hours trying to find a pattern and
> pinpoint the exact source of the problem. During this
> digging, I have learned to hate Windows even more, since the
> profiles management is like an octopus, reaching into almost
> every part of the system...
>
> Anyway, I managed to get it back on track by loosing up
> permissions on the /share/profiles folder (temporary) but I
> need to find a permanent solution. During the attempts to
> restore the clients, I also found out that the C:/Windows/CSC
> directory has a function too. Another cache besides what is
> under C:/Users/<username>/Desktop/? At the same time, the few
> roaming users also got problems accessing their
> U:/AppData/Roaming folders. The permissions looked good, but
> MS apps (Excel and Word had a different opinion and refused
> to load documents). The temporary fix for this was also to
> loose up permissions on the AppData folder until I had a
> better understanding of what?s going on.
>
> So, while re-reading the Samba wiki page, I saw that there is
> a parameter, csc policy = disable, that I have not seen
> before. Is the wiki for profiles updated recently with that
> one? I found some internet posts that describes the different
> values, enable/manual/disable and their functions. Could this
> have been a reason for my client?s problem (several users on
> one computer, and a CSC that got confused)? If so, then I
> hope that disabling the function will make the clients work
> better once I have restored them from scratch.
>
> While I am typing, let me describe another specific user?s
> situation. Initially she got the same permissions error when
> logging on another computer. But suddenly, her normal
> workstation started to behave like this (maybe after a
> loosened up the permissions on the /share/profiles, hard to tell).
>
> She logs on the domain
> Get a message ?We could not log you on using a profile, a
> temporary profile has been created? (or quite similar to this)
> A blank desktop with Trashcan
> The netlogon script has mapped up her drives correctly
>
> The C:/Users folder now contains these folders
> /katarina (hers)
> /temp.hlts (domain name)
> /temp.hplts.1
> /temp.hplts.2
> /temp.hplts.3
>
> She can navigate to /Users/katarina/Desktop where all her
> saved shortcuts are, and CTRL-A, CTRL-C. Then close explorer
> and CTRL-V on desktop. Everything works as before, including
> mapped drives and app and document shortcuts. If she logs
> out, then all steps need to be repeated. So for the moment,
> she just WIN+L at the end of the day until her computer is
> re-installed, and hopefully things are working again.
>
> She CAN map drive profile folder on the server manually
> without getting any permission error. This makes me believe
> that the problem is on the client side, not the server.
>
> Windows 10 2020H2 on the clients.
> Samba 4.13.8 on the server
> Windows 2019 Standard as DC
>
> End of rant. I hope that someone can give some insight and
> maybe advise on how to fix this mess. If not, it?s a
> re-install of the affected clients and praying that the CSC
> disable will help.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list