[Samba] CSC & roaming profiles

L.P.H. van Belle belle at bazuin.nl
Wed May 19 09:03:20 UTC 2021 

https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview 

The link again, if it gives 404 link got broken then but in that 404 page you do see the correct one. 


Can you show and output of getfacl on the userhomedir and profilefolder? of an user.


Greetz, 

Louis
 

Van: Anders Östling [mailto:anders.ostling at gmail.com] 
Verzonden: woensdag 19 mei 2021 10:59
Aan: L.P.H. van Belle
Onderwerp: Re: [Samba] CSC & roaming profiles




Anders Östling 
Dämmegatan 11
SE-25442 Helsingborg
Sweden
Phone: +46 768 716 165
Skype: anders.ostling at outlook.com




On 19 May 2021, 10:42 +0200, L.P.H. van Belle via samba <samba at lists.samba.org>, wrote:
Anders,

I suggest have a look that this script i made.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-share-folders.sh
It setups up a base structure with needed rights. Compair them with yours.
Note, i use AD-backend on the member servers.

I am using the RID backend, don t ask why. I guess I picked it from some template. So I guess that the script is not applicable to me. But I have will a close look at your script and the specific settings.

To reduce problems, ( you never can fully, simply because of windows.. )
1) Setup the profiles with the rights as shown in the script.
2) read this.. https://docs.microsoft.com/en-us/windows-server/storage/flder-redirection/folder-redirection-rup-overview 
404 on that one 

 

And the sections below it.

U:/AppData/Roaming..On this, windows expect the user to be the owner on the userhome dirs.

They are

Get a message ?We could not log you on using a profile, a
temporary profile has been created? (or quite similar to this)
Same for profiles, but there you can set also in GPO.
GPO: Add the adminstrators security group to roaming user profiles.
That helps for the profiles itself.

I will check that too

Check this script to fix the rights on the userhomedir
https://github.com/thctlo/samba4/blob/master/samba-fix-userhome-recursive.sh
I seen same as you, i must follow an oder on how i create a new user for example.

I create the user, fist thing then i set the UID/GID for the users.
Then i can make the homefolder and profiles folder

If the user homedir is created, directly when you added the user,
like when you make a copy of a other user and \server.fqdn\users\%username% is used in RSAT
Then the rights are wrong, in these cases i or run above script or change it manual.


I hope that this will help you.

We will know in a couple of day. Thank you for your advise Lois!

Greetz,

Louis

-----Oorspronkelijk bericht-----
Van: samba [mailto:samba-bounces at lists.samba.org] Namens
Anders Östling via samba
Verzonden: woensdag 19 mei 2021 10:07
Aan: Patrik via samba
Onderwerp: [Samba] CSC & roaming profiles

Hi
I have had roaming profiles enabled on user accounts since
November last year. This is a small business with approx 10
users, but a few of them are actually taking benefit of the
roaming profile feature.
Recently, they have had all sorts of problems with their
profiles, usually Access Denied when trying to load the
profiles (only those that actually roams between different
computers). I have spent hours trying to find a pattern and
pinpoint the exact source of the problem. During this
digging, I have learned to hate Windows even more, since the
profiles management is like an octopus, reaching into almost
every part of the system...

Anyway, I managed to get it back on track by loosing up
permissions on the /share/profiles folder (temporary) but I
need to find a permanent solution. During the attempts to
restore the clients, I also found out that the C:/Windows/CSC
directory has a function too. Another cache besides what is
under C:/Users/<username>/Desktop/? At the same time, the few
roaming users also got problems accessing their
U:/AppData/Roaming folders. The permissions looked good, but
MS apps (Excel and Word had a different opinion and refused
to load documents). The temporary fix for this was also to
loose up permissions on the AppData folder until I had a
better understanding of what?s going on.

So, while re-reading the Samba wiki page, I saw that there is
a parameter, csc policy = disable, that I have not seen
before. Is the wiki for profiles updated recently with that
one? I found some internet posts that describes the different
values, enable/manual/disable and their functions. Could this
have been a reason for my client?s problem (several users on
one computer, and a CSC that got confused)? If so, then I
hope that disabling the function will make the clients work
better once I have restored them from scratch.

While I am typing, let me describe another specific user?s
situation. Initially she got the same permissions error when
logging on another computer. But suddenly, her normal
workstation started to behave like this (maybe after a
loosened up the permissions on the /share/profiles, hard to tell).

She logs on the domain
Get a message ?We could not log you on using a profile, a
temporary profile has been created? (or quite similar to this)
A blank desktop with Trashcan
The netlogon script has mapped up her drives correctly

The C:/Users folder now contains these folders
/katarina (hers)
/temp.hlts (domain name)
/temp.hplts.1
/temp.hplts.2
/temp.hplts.3

She can navigate to /Users/katarina/Desktop where all her
saved shortcuts are, and CTRL-A, CTRL-C. Then close explorer
and CTRL-V on desktop. Everything works as before, including
mapped drives and app and document shortcuts. If she logs
out, then all steps need to be repeated. So for the moment,
she just WIN+L at the end of the day until her computer is
re-installed, and hopefully things are working again.

She CAN map drive profile folder on the server manually
without getting any permission error. This makes me believe
that the problem is on the client side, not the server.

Windows 10 2020H2 on the clients.
Samba 4.13.8 on the server
Windows 2019 Standard as DC

End of rant. I hope that someone can give some insight and
maybe advise on how to fix this mess. If not, it?s a
re-install of the affected clients and praying that the CSC
disable will help.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba




--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list