samba - Aug 2010 - Windows Vista keeps on deleting cached roaming profile

I have a couple of Windows Vista Computers that i freshly (re)installed,
updated to SP2 + all updates, and joined to my domain...
i also got an empty profile on the server (the storage folder is there, but
there are no files inside)

When i log into the domain Windows creates all files and folders just fine
and stores a cache of that profile in c:\users\username (like it should),
And when i log out, Windows will write all the files it just created
(pictures, desktop, ntuser.dat) to the server perfectly

however if i login to the computer locally (not using the domain), and when
i go to the c:\users\ folder the folder of the username is gone.... :( while
i like it to stay there!

so far i tried:
- reinstalling windows multiple times
- setting the following GPO's (although i never touched those)
  - computer\Administrative Templates\System\User Profiles\Delete
userprofiles older than a specific number of days ==> disabled
  - computer\Administrative Templates\System\User Profiles\Delete cached
copies of roaming profiles ==> disabled
  - computer\Administrative Templates\System\User Profiles\Leave Windows
Installer and group Policy software ==> enabled
  - computer\Administrative Templates\System\User Profiles\Only allow local
user Profiles ==> disabled
  - computer\Administrative Templates\System\User Profiles\Prevent Roaming
profile changes propagating to the server ==> disabled
  - computer\Administrative Templates\System\User Profiles\Wait for remote
user profile ==> enabled
  - computer\Administrative Templates\System\User Profiles\Slow network
connection timeout for user profiles ==> disabled
  - User\Administrative Templates\System\User Profiles\Limit Profile Size
==> disabled
- adding the following registry setting:
  - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\
DeleteRoamingCache=0

This is with:
- Gentoo Linux
- Samba 3.5.2 (clustered with CTDB 1.0.114)
- LDAP backend

> I have a couple of Windows Vista Computers that i freshly (re)installed,
> updated to SP2 + all updates, and joined to my domain...
> i also got an empty profile on the server (the storage folder is
there, but
> there are no files inside)
Read through this thread:

  http://lists.samba.org/archive/samba/2010-May/156130.html

and see if anything in there helps.  Note, use "sort by subject" and
read all entries in the thread, the thread links do not always find all
thread entries.

Relevant parts of my smb.conf:

        logon script = scripts\everybody.bat
        logon path = \\%L\profiles\%U\%a
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap ssl = no
        csc policy = disable
        hide files = /desktop.ini/Desktop.ini/

[netlogon]
        comment = Contains login script which just mounts PDB area
        path = /u1/usr/netlogon

[homes]
        comment = Home Directories
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No
        browsable = No

[profiles]
        comment = user's profile directories, by windows version
        path = /u1/usr/profiles
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No
        browsable = No
        profile acls = Yes



Home directories are in /u1/usr/people, profiles are in
/u1/usr/profiles.  For reasons I do not recall the file protections are
a little odd in profiles:

ls -al profiles  #edited to just show one user entry
total 16
drwxr-xrwx 4 root   root     4096 2010-05-27 09:48 ./
drwxrwxr-x 5 root   root     4096 2010-05-12 15:32 ../
drwx------ 4 mathog biostaff 4096 2010-05-27 15:12 mathog/


My everybody.bat file is irrelevant to your problem, all it does is
mount a data directory from the samba server.  However, if you have a
script in there it could conceivably be causing problems if it causes
errors.

Regards,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech

On second thought, the previous method was for older WIndows.  Use
the group policy editor and look at:

   Computer Configuration -> Administrative Templates -> System ->
User Proiles -> Delete user profiles ...

If that is enabled, then the user profiles would disappear in the 
specified number of days.

Regards,

David Mathog

Well i turned out to be my LDAP server after all,

after another week (that is almost 2 weeks in total) i've found that if a
user is in a secondary LDAP group with a GID of 514, Windows vista will
delete the cached roaming profile :-S No ADS on the same subnet, no policys,
no registry hacks, none of that.

Don't ask me what signals are sent from samba 3.5.2. to trigger this action,
or what parts of the source of Samba are responsible for this, but i am just
glad that i found the error, and am able to fix it now.

oh i've set up the same group settings/GID into another non-ldap Samba 3.5.2
domain, and from there out Windows doesn't remove the profiles, so it seems
to be a LDAP related problem.

thnx for your help all!

2010/8/24 Cain, Marc <mcain at sccd.ctc.edu>
> Hmm.
>
> The Windows server that would most likely be the culprit is the AD server
> and the conditions for that would most likely have to be that the local
> computer is finding a computer account on the AD server at boot time
(that's
> when Computer GPO settings are applied), before logon, and the AD server
> would have to have a GPO on it that explicitly enables the "delete
cached
> copies of roaming profiles" settings.
>
> Since the AD server is there and since it is probably the only place such a
> GPO would exist it's where I'd look.  But not knowing how your
systems are
> setup I'm at a loss to explain this or how it the local machine might
be
> doing such a thing.  All I know is that the local GPO can only be
overridden
> in the by another GPO.
>
>
> On Aug 24, 2010, at 5:13 AM, erik bergsma wrote:
>
> Hi Marc,
>
> .pol files are in the <vista age, and no longer relevant (that costed me
a
> week to figure out btw, completely other story), and i dont even have those
> anywhere on my server.
>
> i am having a hard time imagining how my samba 3.5 setup is able to
> push/override/send the gpo though.... samba 3.5 itself doesnt have GPO
> support (that is in samba 4), my login.bat have only some mapping inside
> them (net use x //server/%username% etc) and also i am not using
AD/kerberos
> in any way in my setup... got any pointers on how my server is able to
> deliver those GPO's?
>
> i got a windows server 2003 and a windows ADS server 2008 in the same
> subnet, but that cant make a difference right?
>
>
>
>
> Erik
>
> 2010/8/23 Cain, Marc <mcain at sccd.ctc.edu>
>
>> Hi Erik,
>>
>> This is most likely not a an LDAP backend problem since Windows Group
>> Policy determines the behavior of how roaming user profiles are
treated.
>>
>> Cached copies of roaming profiles are left in the user folder on the
local
>> drive by default unless a Group Policy setting is made:
>>
>> Computer\Administrative Templates\System\User Profiles\Delete cached
>> copies of roaming profiles.
>>
>> This Group Policy can be overridden in one of two ways:  either by
copying
>> another group policy over the local group policy via logon script at
logon
>> or through setting a Group Policy on the server: typically active
directory
>> servers -- though there were methods of doing this on samba by creating
a
>> default .pol file I've no experience with this and can't speak
to it.  The
>> server policy will take precedence over the local Group Policy
settings.
>>
>> Since you're seeing two different behaviors on two different
servers it
>> seems to me that one of the servers is somehow delivering a second set
of
>> GPOs to the workstation.  At least this is, from what I know, the only
way
>> it can happen.
>>
>> Marc Cain
>>
>>
>> On Aug 23, 2010, at 5:07 AM, erik bergsma wrote:
>>
>> > @ Dave: thnx for your pointers but i already tried those (See my
first
>> post)
>> > with no luck...
>> >
>> > @ All: the problem becomes weirder and weirder:
>> > i have set up a new PDC with the same samba version, (only
difference is
>> > that its not clustered, and doesn't have the LDAP back end),
and when i
>> > create a profile on that domain, the user profile will stay cached
on
>> > c:\users\
>> >
>> > however when i join the same machine to the domain that is having
the
>> > problems, and create a new profile as well for a new user, the
cached
>> user
>> > profile gets deleted again from c:\users\
>> >
>> > so to conclude that; the problem is either my CTDB or my LDAP back
end,
>> > which make no sense what so ever :(
>> >
>> > 2010/8/19 David Mathog <mathog at caltech.edu>
>> >
>> >> On second thought, the previous method was for older WIndows. 
Use
>> >> the group policy editor and look at:
>> >>
>> >> Computer Configuration -> Administrative Templates ->
System ->
>> >> User Proiles -> Delete user profiles ...
>> >>
>> >> If that is enabled, then the user profiles would disappear in
the
>> specified
>> >> number of days.
>> >>
>> >> Regards,
>> >>
>> >> David Mathog
>> >>
>> >>
>> >>
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
>