Nick Semenkovich
2013-Feb-08 02:59 UTC
[Samba] Unable to re-connect to roaming profile in samba4
I've just configured Samba4 on Ubuntu (4.0.0+dfsg1-1), and can't seem to get roaming profiles working (I followed the guide at https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO )

1. Logons work just fine.
2. DNS is configured and working, running through SAMBA_INTERNAL
3. Clients can talk to the server and see/access shares at \\server.corp.domain.com
4. Clients are all Windows 8 and NTP time synced
5. Permissions seem "OK" (the profiles directory is currently chmod 777 -- without that, only the Administrator seemed to be able to create their own profile ...)
6. General users can log in/out (which creates a profile, if profiles is chmod 777) but a subsequent login can't access it, with a generic Windows 8 roaming profile error.

Not really sure where to go from here. I've tried:
- Rebuilding the domain & re-joining machines
- Ultra-lax permissions
- Adding users via the samba-tool versus AD tools in Windows

At client logon, the samba4 logs (with a debug level of 4) show a collection of:

Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]

and a few

Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

(Not sure if they're related)

Notably, the client machines (all on Win 8) show nearly nothing in the Event Log, except a Group Policy failure:
"""
The processing of Group Policy failed. Windows attempted to read the file \\corp.domain.com\sysvol\corp.domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
"""

(Manually connecting to that gpt.ini file works perfectly)

Not really sure what's going on here. The only oddities I see are:
* I can't get the old "add user script" function to work. As a result, client usernames seem to just have a UID on the Linux side (their profiles show up as: drwxr-xr-x 14 3000015 users 4.0K Feb 7 20:34 test.V2) Any way around that?
* When profiles are created, they're appended with ".V2" -- Do I need to add ".V2" to the profile path setting, e.g. %USERNAME%.V2? (I can't imagine that's the case ...)

I've pasted my smb.conf to: http://pastebin.com/DQDkGxsv

Any advice?

Thanks!
Nick
Nick Semenkovich
2013-Feb-09 01:22 UTC
[Samba] Unable to re-connect to roaming profile in samba4
Still can't figure this out.

The client-side logs show two entries:
1. The error in the first message "The processing of Group Policy failed."
2. A DNS processing failure: """The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings ..."""

At debug level 5, Samba4 shows no DNS problems, and says "Got a dns update request." "All updates allowed."

http://pastebin.com/fYrd9F1W

- Nick

On Thu, Feb 7, 2013 at 8:59 PM, Nick Semenkovich <semenko at syndetics.net> wrote:
> I've just configured Samba4 on Ubuntu (4.0.0+dfsg1-1), and can't seem
> to get roaming profiles working (I followed the guide at
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO )
>
> 1. Logons work just fine.
> 2. DNS is configured and working, running through SAMBA_INTERNAL
> 3. Clients can talk to the server and see/access shares at
> \\server.corp.domain.com
> 4. Clients are all Windows 8 and NTP time synced
> 5. Permissions seem "OK" (the profiles directory is currently chmod
> 777 -- without that, only the Administrator seemed to be able to
> create their own profile ...)
> 6. General users can log in/out (which creates a profile, if profiles
> is chmod 777) but a subsequent login can't access it, with a generic
> Windows 8 roaming profile error.
>
> Not really sure where to go from here. I've tried:
> - Rebuilding the domain & re-joining machines
> - Ultra-lax permissions
> - Adding users via the samba-tool versus AD tools in Windows
>
> At client logon, the samba4 logs (with a debug level of 4) show a collection of:
>
> Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
>
> and a few
>
> Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> (Not sure if they're related)
>
>
> Notably, the client machines (all on Win 8) show nearly nothing in the
> Event Log, except a Group Policy failure:
> """
> The processing of Group Policy failed. Windows attempted to read the
> file \\corp.domain.com\sysvol\corp.domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
> from a domain controller and was not successful. Group Policy settings
> may not be applied until this event is resolved. This issue may be
> transient and could be caused by one or more of the following:
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled.
> """
>
> (Manually connecting to that gpt.ini file works perfectly)
>
>
>
> Not really sure what's going on here. The only oddities I see are:
> * I can't get the old "add user script" function to work.
> As a result, client usernames seem to just have a UID on the Linux
> side (their profiles show up as:
> drwxr-xr-x 14 3000015 users 4.0K Feb 7 20:34 test.V2)
> Any way around that?
> * When profiles are created, they're appended with ".V2" -- Do I need
> to add ".V2" to the profile path setting, e.g. %USERNAME%.V2? (I can't
> imagine that's the case ...)
>
>
> I've pasted my smb.conf to: http://pastebin.com/DQDkGxsv
>
> Any advice?
>
>
> Thanks!
> Nick