Thomas DEBESSE
2016-Jun-27 20:03 UTC
[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?
Hi, some months before, I was serving files and profiles using a Samba 3 PDC server (I will name it PDCSERV), this is some abstracts from smb.conf:

PDCSERV:/etc/samba/smb.conf

[general]
logon path = \\%N\profile
logon drive = U:
logon home = \\%N\%U
logon script = "logon.cmd"
valid users = %S

[homes]
path = "/home/%U/userdisk"
browseable = No
read only = No
writeable = Yes
browseable = No
public = No
create mask = 2700
directory mask = 0700
valid users = %S

[profile]
path = /home/%U/profile
browsable = No
writeable = Yes
create mask = 0600
directory mask = 0700
profile acls = Yes
csc policy = disable

[profile.v2]
path = /home/%U/profile.v2
browseable = No
writeable = Yes
create mask = 0600
directory mask = 0700
profile acls = Yes
csc policy = disable

Roaming profiles were working fine, they were backed up at user logout.

Then I migrated my setup to a Samba 4 AD server (I will name it ADSERV) and a Samba 4 File server (I will name it FILESERV), this is some abstracts from smb.conf from ADSERV and FILESERV:

ADSERV:/etc/samba/smb.conf

[general]
logon path = \\FILESERV\profile
logon drive = U:
logon home = \\FILESERV\%U
logon script = "logon.cmd"
valid users = %S

FILESERV:/etc/samba/smb.conf

[homes]
path = "/home/%U/userdisk"
browseable = No
read only = No
writeable = Yes
browseable = No
public = No
create mask = 2700
directory mask = 0700
valid users = %S

[profile]
path = /home/%U/profile
browsable = No
writeable = Yes
create mask = 0600
directory mask = 0700
profile acls = Yes
csc policy = disable

[profile.v2]
path = /home/%U/profile.v2
browseable = No
writeable = Yes
create mask = 0600
directory mask = 0700
profile acls = Yes
csc policy = disable

From a logged-in client, I can successfully browse \\FILESERV\homes, \\FILESERV\username (another view for \\FILESERV\homes), \\FILESERV\profile and \\FILESERV\profile.v2.

But the Roaming profiles are not backed up at logout. At all. No one.

Since I have a logon.cmd that mount U: to \\FILESERV\homes plus some registry key that redirect Desktop, and some files to U:\something, I never lose any user data, but I lose any user configuration when the user's computer gets replaced, since the user profile is never backed up to the server at logout. For stuff like desktop background image it's not a big problem because users know how to set it and having it broken do not prevent them to work, but it's very annoying when users lost some configuration they need to do their job, like per-user option in printer configuration.

For information, Samba assumes these options on my Samba 4 system (seen using testparm -v):

[general]
fstype = NTFS
store dos attributes = No

I don't remember what were the default on Samba 3, I have no Samba3 servers anymore.

My Domain is an AD Domain with Samba 4 servers (both AD and File servers) and Windows 7/10 clients, there is no Windows servers at all.

So, unless I miss something, all the things above looks legit. So my question is: how I can debug my setup ? What are the things I must look for to find what is not working?

--
Thomas DEBESSE
Rowland Penny
2016-Jun-27 20:48 UTC
[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?
On 27/06/16 21:03, Thomas DEBESSE wrote:
> Hi, some months before, I was serving files and profiles using a Samba 3
> PDC server (I will name it PDCSERV), this is some abstracts from smb.conf:
>
> PDCSERV:/etc/samba/smb.conf
>
> [general]
> logon path = \\%N\profile
> logon drive = U:
> logon home = \\%N\%U
> logon script = "logon.cmd"
> valid users = %S
>
> [homes]
> path = "/home/%U/userdisk"
> browseable = No
> read only = No
> writeable = Yes
> browseable = No
> public = No
> create mask = 2700
> directory mask = 0700
> valid users = %S
>
> [profile]
> path = /home/%U/profile
> browsable = No
> writeable = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = Yes
> csc policy = disable
>
> [profile.v2]
> path = /home/%U/profile.v2
> browseable = No
> writeable = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = Yes
> csc policy = disable
>
> Roaming profiles were working fine, they were backed up at user logout.
>
> Then I migrated my setup to a Samba 4 AD server (I will name it ADSERV) and
> a Samba 4 File server (I will name it FILESERV), this is some abstracts
> from smb.conf from ADSERV and FILESERV:
>
> ADSERV:/etc/samba/smb.conf
>
> [general]
> logon path = \\FILESERV\profile
> logon drive = U:
> logon home = \\FILESERV\%U
> logon script = "logon.cmd"
> valid users = %S
>
> FILESERV:/etc/samba/smb.conf
>
> [homes]
> path = "/home/%U/userdisk"
> browseable = No
> read only = No
> writeable = Yes
> browseable = No
> public = No
> create mask = 2700
> directory mask = 0700
> valid users = %S
>
> [profile]
> path = /home/%U/profile
> browsable = No
> writeable = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = Yes
> csc policy = disable
>
> [profile.v2]
> path = /home/%U/profile.v2
> browseable = No
> writeable = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = Yes
> csc policy = disable
>
> From a logged-in client, I can successfully browse \\FILESERV\homes,
> \\FILESERV\username (another view for \\FILESERV\homes), \\FILESERV\profile
> and \\FILESERV\profile.v2.
>
> But the Roaming profiles are not backed up at logout. At all. No one.
>
> Since I have a logon.cmd that mount U: to \\FILESERV\homes plus some
> registry key that redirect Desktop, and some files to U:\something, I never
> lose any user data, but I lose any user configuration when the user's
> computer gets replaced, since the user profile is never backed up to the
> server at logout. For stuff like desktop background image it's not a big
> problem because users know how to set it and having it broken do not
> prevent them to work, but it's very annoying when users lost some
> configuration they need to do their job, like per-user option in printer
> configuration.
>
> For information, Samba assumes these options on my Samba 4 system (seen
> using testparm -v):
>
> [general]
> fstype = NTFS
> store dos attributes = No
>
> I don't remember what were the default on Samba 3, I have no Samba3 servers
> anymore.
>
> My Domain is an AD Domain with Samba 4 servers (both AD and File servers)
> and Windows 7/10 clients, there is no Windows servers at all.
>
> So, unless I miss something, all the things above looks legit. So my
> question is: how I can debug my setup ? What are the things I must look for
> to find what is not working?
>

Are the 'File servers' joined to the domain ?

Are the smb.conf files you posted complete, if not, can you post the complete ones, exactly as they are on the computers (you can sanitize them if you need to)

Try taking a look here:

https://wiki.samba.org/index.php/Implementing_roaming_profiles

Rowland
Thomas DEBESSE
2016-Jun-27 21:42 UTC
[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?
Hi, thank you for your answer.

> Are the 'File servers' joined to the domain ?

Yes

> Are the smb.conf files you posted complete

No, they are abstracted ones, because they are very long

> if not, can you post the complete ones, exactly as they are on the
> computers (you can sanitize them if you need to)

Yes

> Try taking a look here:
> https://wiki.samba.org/index.php/Implementing_roaming_profiles

I've read that page but it did not help me… :(

So, following are the complete files, if you're OK with that, I just applied on it a sed substitution to hide some sensitive names (and using the nomenclature defined above since the server's pet names will mean nothing for you), and removed some data shares that works very well and are unrelated at all (by the way, I kept the unrelated "partage" share as an example, even if it's unrelated to my current problem).

So, the "PDCSERV" config was the now-disabled All-In-One Samba3 PDC server. The "ADSERV" is the current AD DC Samba4 server, and the "FILESERV" is the current file sharing server (hosting homes and profiles). I have also some other file servers but they are totally unrelated to the current described problems since they just serves optional files for some people (like the "partage" share described below). I also give you my logon.cmd so you see how the machinery works.

As you can see, previous home paths were /home/users/%u and previous profile paths were /home/users/%u/.profile.v2 and home paths are now /home/users/%u/userdisk, and profile path are now /home/users/%u/profile.v2. I just put the profile outside the home disk, which is recommended.

---------------------------------------------------------------------------
PDCSERV:

[global]
workgroup = DOMAIN
netbios name = PDCSERV
server string = "Server"
wins support = yes
dns proxy = no
unix extensions = no
log file = /var/log/samba/log.%m
log level = 4
debug level = 4
max log size = 5000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = smbpasswd:/etc/samba/smbpasswd
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
domain logons = yes
logon path = \\%N\profile
logon drive = U:
logon home = \\%N\%U
logon script = logon.cmd
domain master = auto

[homes]
comment = Dossier Personnel de %U
path = /home/users/%U/.windows
browseable = no
wide links = Yes
follow symlinks = Yes
writable = yes
read only = no
create mask = 2770
directory mask = 2770
public = no
hide files /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/$RECYCLE.BIN/
veto files = /.profile/.profile.v2/*.desktop/

[netlogon]
path = /etc/samba/netlogon
guest ok = no
writeable = yes
browseable = no
write list = ntadmin

[profile]
path = /home/users/%U/.profile
browsable = no
writeable = yes
create mask = 0600
directory mask = 0700
profile acls = yes
csc policy = disable
hide files /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/

[profile.v2]
path = /home/users/%U/.profile.v2
browseable = no
writeable = yes
create mask = 0600
directory mask = 0700
profile acls = yes
csc policy = disable
hide files /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/

[partage]
path = /home/partage
comment = "Partage Commun a tous"
browsable = yes
read only = no
create mask = 777
directory mask = 777

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

---------------------------------------------------------------------------
ADSERV:/etc/samba/smb.conf

[global]
workgroup = DOMAIN
realm = DOMAIN.REALM
netbios name = ADSERV
server role = active directory domain controller
domain logons = Yes
domain master = Yes
wins support = Yes
dns proxy = No
idmap_ldb:use rfc2307 = Yes
syslog = 1
log level = 4
panic action = /usr/share/samba/panic-action %d
printing = bsd
printcap name = /dev/null
load printers = No
disable spoolss = Yes
logon path = \\FILESERV\profile
logon drive = U:
logon home = \\FILESERV\%U
logon script = "logon.cmd"

[netlogon]
comment = "Service d’identification réseau"
path = /var/lib/samba/sysvol/savane.saba/scripts
guest ok = No
writeable = Yes
read only = No
browseable = No
write list = ntadmin

[sysvol]
path = /var/lib/samba/sysvol
read only = No
browseable = No

---------------------------------------------------------------------------
FILESERV:/etc/samba/smb.conf

[global]
workgroup = DOMAIN
realm = DOMAIN.REALM
netbios name = FILESERV
security = ADS
dfree command = /usr/local/bin/smb-dfree.sh
log file = /var/log/samba/log.%m
log level = 4
max log size = 1000
syslog = 2
panic action = /usr/share/samba/panic-action %d
server role = member server
local master = No
domain master = No
preferred master = No
encrypt passwords = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
winbind trusted domains only = No
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-30000
winbind nss info = template
template shell = /bin/false
template homedir = /home/users/%U
usershare allow guests = Yes
printing = bsd
printcap name = /dev/null
load printers = No
disable spoolss = Yes
unix extensions = No
hide special files = Yes
hide unreadable = Yes
hide dot files = Yes
hide files /Bureau/AppData/Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/~$*/$RECYCLE.BIN/Thumbs.db/.DS_Store/*.desktop/
veto files = /.fuse_*/lost+found/aquota.group/aquota.user/

[homes]
comment = "Dossier personnel de %u"
path = "/home/users/%U/userdisk"
browseable = No
read only = No
writeable = Yes
browseable = No
public = No
wide links = Yes
follow symlinks = Yes
create mask = 2770
directory mask = 2770
force group = "users-%U"
valid users = %S

[partage]
comment = "Partage commun à tous"
path = /home/partage
browsable = Yes
read only = No
create mask = 2770
directory mask = 2770

[profile]
comment = "Profil NT5 (Windows XP)"
path = /home/users/%U/profile
browsable = No
writeable = Yes
create mask = 0600
directory mask = 0700
force group = "users-%U"
profile acls = Yes
csc policy = disable

[profile.v2]
comment = "Profil NT6 (Windows 7 etc.)"
path = /home/users/%U/profile.v2
browseable = No
writeable = Yes
create mask = 0600
directory mask = 0700
force group = "users-%U"
profile acls = Yes
csc policy = disable

---------------------------------------------------------------------------
ADSERV:/var/lib/samba/sysvol/savane.saba/scripts/logon.cmd

NET USE U: \\FILESERV\homes
NET USE P: \\FILESERV\partage
REGEDIT /S \\ADSERV\netlogon\common.reg

--
Thomas DEBESSE
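
A small lint for smb.conf files like the ones posted above, as an added example that is not part of the original thread: it applies the smb.conf(5) rules for parameter lines (`name = value`, names compared without regard to case or whitespace) and reports lines with no `=` and parameters set more than once in a section. The sample text is constructed from the FILESERV excerpt with the long pattern values shortened; `lint`, `canon` and `SYNONYMS` are names chosen for this example.

```python
import re

# Constructed sample: lines taken from the FILESERV smb.conf in the thread,
# with the "hide files" / "veto files" pattern values shortened.
SAMPLE = """\
[global]
    hide dot files = Yes
    hide files /Desktop.ini/desktop.ini/
    veto files = /.fuse_*/lost+found/
[homes]
    path = "/home/users/%U/userdisk"
    browseable = No
    read only = No
    writeable = Yes
    browseable = No
"""

# Alternative spellings that smb.conf(5) lists for the same parameter.
SYNONYMS = {"browsable": "browseable", "writable": "writeable"}

def canon(name):
    """Parameter names ignore case and leading, trailing and internal whitespace."""
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)

def lint(text):
    """Return (line_no, section, message) for malformed or repeated parameter lines."""
    findings, section, seen = [], None, {}
    cont = False  # previous line ended with a backslash continuation
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        was_cont, cont = cont, line.endswith("\\")
        if was_cont or not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, seen = line[1:-1].strip().lower(), {}
            continue
        if "=" not in line:
            findings.append((no, section, "no '=': not a parameter assignment"))
            continue
        key = canon(line.split("=", 1)[0])
        if key in seen:
            findings.append((no, section, f"'{key}' already set on line {seen[key]}"))
        seen[key] = no
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Running `testparm` against the real file remains the authoritative check; this script only points at the lines worth looking at first.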