[Samba] Windows profile not syncing on logout
Rowland Penny
rpenny at samba.org
Tue May 27 11:22:48 UTC 2025
On Tue, 27 May 2025 12:32:51 +0200
Simon Hakenes via samba <samba at lists.samba.org> wrote:
> Hi all,
>
> I'm running into a puzzling issue with users' Windows profile not
> syncing correctly. Here’s our setup:
>
> * Samba version 4.19.9-Debian-4.19.9+dfsg-1~mjt+deb12
> * One AD DC (Samba internal DNS)
Bad idea, you should always run at least two DCs for failover purposes.
>
> * Profile data located on a separate file server (member of the
>   domain)
> * Clients are all Windows 11
> * We also run Linux clients, they all work fine
> * The share |\\usersfs\profiles\...| resolves correctly and is used
>   by all users successfully
>
> All other users work fine. For the affected user:
>
> * She can login. I can see that in the logs and everything looks
>   fine.
> * She works normally during the day (reads/writes files, Thunderbird
>   works, etc.).
> * On logout, *nothing is written back* to the file server. All
>   timestamps on the file server are old.
> * Windows event log shows no errors or warnings.
> * Logging out and back in still loads the old state.
>
> We've verified:
>
> * Permissions on the profile directory on the file server
> * No event viewer messages during logout
> * Her authentication in the logs looks fine
> * A new test user works fine, profile is created and synced normally
>
> We also see this related issue:
>
> * Two other users report that files they delete from their profile
>   reappear after logout/login
> * Their profile directories on the file server *do* get new
>   timestamps at logout
>
> I am trying to figure out how to further diagnose the root cause. I
> am admittedly a bit inexperienced with samba/Windows. What places do
> I need to check to find the cause of that issue?
>
> Thanks a lot!
> Simon
>
> Here is our smb.conf from the dc:
> ------------------------------------------------------------------
> # Global parameters
> [global]
>
> netbios name = DC1
> realm = HOME.DOMAIN.DE
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
Interesting, above you say that you are using the Samba internal dns,
but you have a 'server services' line (which isn't standard if using
the Samba internal dns server) without 'dns' anywhere in it. There is
also no 'dns forwarder' line.
> workgroup = HOME
> idmap_ldb:use rfc2307 = yes
> log level = 1 auth_audit:5
> ntp signd socket directory = /var/lib/samba/ntp_signd
There is no need to set that, it is the default.
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/home.domain.de/scripts
> read only = No
> ------------------------------------------------------------------
>
>
> And the smb.conf from the fileserver:
>
> ------------------------------------------------------------------
> [global]
> log file = /var/log/samba/%m.log
> log level = 5
> max log size = 50
> realm = HOME.DOMAIN.DE
> security = ADS
> server role = member server
> winbind cache time = 10
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind expand groups = 1
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = HOME
> idmap config * : backend = tdb
> idmap config * : range = 1000-1999
> idmap config home : backend = ad
> idmap config home : schema_mode = rfc2307
> idmap config home : range = 10000-999999
> idmap config home : unix_nss_info = yes
> idmap config home : unix_primary_group = yes
> map acl inherit = Yes
> vfs objects = acl_xattr shadow_copy2
> min domain uid = 0
> kerberos method = secrets and keytab
>
> ##### Shares #####
>
> [users]
> path = /tank/homes/
> read only no
Unless that is a typo, it should be 'read only = no'
> writable = yes
But thankfully it is corrected by its synonym.
>
> [profiles]
> browseable = No
> comment = User profiles
> csc policy = disable
> path = /tank/profiles/
>
> read only = No
>
> ------------------------------------------------------------------
>
Rowland
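
The two configuration points raised in the reply above (a parameter line with no '=' and an explicit 'server services' list on a DC with no 'dns' entry and no 'dns forwarder') can be checked mechanically. The following is an added example, not code from the thread or from the Samba project; `parse` and `lint` are hypothetical helper names and both sample configs are constructed from the quoted files.

```python
import re

# Constructed samples modelled on the two smb.conf files quoted in the thread.
SAMPLE_DC = """[global]
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
"""
SAMPLE_MEMBER = """[global]
server role = member server
[users]
path = /tank/homes/
read only no
writable = yes
"""

def parse(text):
    """Return ({section: {param: value}}, [(lineno, section, line)]) where the
    second item lists parameter lines that carry no '=' sign."""
    sections, malformed, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
        else:
            malformed.append((n, current, line))
    return sections, malformed

def lint(text):
    """Hypothetical helper: report the two kinds of issue raised in the reply."""
    sections, malformed = parse(text)
    findings = [f"line {n} [{s}]: parameter line without '=': {l!r}"
                for n, s, l in malformed]
    g = sections.get("global", {})
    if "domain controller" in g.get("server role", ""):
        services = [s.strip() for s in g.get("server services", "").split(",") if s.strip()]
        # Only judge a full explicit list; '+name'/'-name' entries modify the defaults.
        if services and not any(s[0] in "+-" for s in services) and "dns" not in services:
            findings.append("[global]: explicit 'server services' list has no 'dns' entry")
        if "dns forwarder" not in g:
            findings.append("[global]: no 'dns forwarder' set")
    return findings
```

Calling `lint()` on each file's text returns a list of findings; Samba's own `testparm` remains the authoritative check of how the server reads the file.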