Hi all,

I have an issue at multiple sites that has been plaguing me for a while. My go-to setup for AD w/Windows desktops is to employ roaming profiles with redirected folders and a few mapped drives; all via GPO. And that's pretty much it. 3 GPOs linked to the entire domain with authenticated users as security filter. The file servers are a domain member and serve both the file shares and redirected folders shares.

The issue: every now and then I get a user reaching out to say that their redirected folders "have disappeared". When I log in I can see that they're getting access denied on all the redirected folders (Documents, Favorites, Cookies and Downloads). When I look at the User Shell Folders registry keys I can see that the path is directed at the DC rather than the file server as it should be. The path is exactly the same except instead of the file server domain member name it is the name of the DC. Almost every time, I second guess myself and go check the GPO to ensure the path is in fact the file server and not the DC and of course, it is as it should be; pointing to the file server. My solution thus far is to delete the keys, sign-out/in and voila! Fixed. Until it happens again which is very disruptive and one of those recurring issues we all live to hate.

So... How is it possible that the GPO isn't respected under whatever circumstance is occurring to cause this? I guess I'm also wondering if there is such a thing as to redirect to the %logonserver% if the path fails maybe? What's odd (and this is obviously circumstantial) I can always navigate to the user's redirected folders using the path (copy/paste) that is supposed to be applied in the GPO in question. So I can only conclude that somehow during a brief period of time the path was perhaps not available, hence some sort of failsafe or self preservation is applied. I wouldn't speculate if it wasn't for the registry keys. There is *nothing* I configured telling Windows to revert the redirected folders to the DC. Remember, this is happening in multiple sites with totally independent config. The only common link between is me and there is nothing I'm intentionally doing to have this "failsafe" occur. The only thing I can think of is that these configs have existed for a very long time. They even pre-date Samba AD DC so they had roaming profiles and redirected folders (to the samba3 server at the time). That may seem like the obvious source of the problem however, the thing is, the old smb.conf files would have been moved aside at the time of promoting to DC AND back in samba3 days, I was not using GPOs. Everything was either scripted and offered up at login (which I have confirmed has been removed) or manually entered locally. Is it possible there is some sort of caching function that could possibly live that long OR somehow the user's registry that was manually edited can be resurrected? I don't know if that makes any sense even...

Sorry for the novel and thanks in advance,
Phil

On 20/02/2020 14:10, Philippe LeCavalier via samba wrote:
> Hi all,
>
> I have an issue at multiple sites that has been plaguing me for a while.

Hi, whilst you tell us what is wrong, you do not give us anything to work with.

What OS? What versions of Windows? What are the DCs, it sounds like Samba, but what version? What are the fileservers running? Can you post any smb.conf files in use.

Rowland

+Rowland's mail and.. ;-)

Hmm, interesting, most probably not Samba but a Windows setup problem. But I need a bit more info here.

First, per site you have 1 or multiple DCs? The amount of members is not needed.
Second, if you have multiple DCs, how did you sync sysvol.
Third, at the time when this happens and a user reports it, any related Windows event IDs.. There must be some...

Now, I do similar here. I redirect even more in addition to yours, the Desktop also for example. And I haven't seen this in hmm, about 4-5 years..

Greetz,
Louis

On Thu, Feb 20, 2020 at 9:28 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 20/02/2020 14:10, Philippe LeCavalier via samba wrote:
> > Hi all,
> >
> > I have an issue at multiple sites that has been plaguing me for a while.
>
> Hi, whilst you tell us what is wrong, you do not give us anything to
> work with.

Agreed. I'm posting this from a remote site where I don't have easy access to either of the two main sites this is occurring on. I'll gather that info up asap and get back to you (and Louis) Oh and Louis, I'm redirecting Desktop as well. So that's actually the first error that pops up is access denied for \\%logonserver%\home\%username%\desktop. Now that I'm rereading myself, I wonder if the Home in the path is some sort of trigger. Generally for practical reasons, I run QNAPs as file servers and QNAP still uses the %home% variable so I make use of that feature to redirect to \\QNAP\home and in the GPO it is \\QNAP\%USERNAME% which has worked very well until those folders get redirected to the DC in err.

Phil

We are not much off. But you have mixed "samba/windows" and "windows/windows" settings.

Samba/windows
\\%logonserver%\home\%username%\desktop

Windows/windows
\\hostname.fqdn.tld\users\%username%\desktop

Guess which one I use. ;-)

Now, do get where this is coming from.

So use this (add a CNAME for your member server). Note, you MUST set up PTR records.
\\ALIAS-CNAME.fqdn.tld\users\%username%\desktop

And of course this is not correct.
\\%logonserver%\home\%username%\desktop.

Your "logon" server = the DC. Not the member.

So my advice: set up as suggested, and I'm sure you'll never see this again.

Greetz,
Louis
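
A read-only check for the symptom discussed in this thread, as an added example that is not part of any poster's message: it lists the current user's User Shell Folders values without expanding variables and flags any UNC path whose server is not the expected file server. `FILESERVER` is a placeholder, and the function and status names are made up for this example.

```powershell
# Added example (not from the thread). $ExpectedServer is a placeholder:
# set it to the file server host name used in the folder redirection GPO.
param([string]$ExpectedServer = 'FILESERVER')

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
# %LOGONSERVER% is stored with leading backslashes, e.g. \\DC1
$logonServer = "$env:LOGONSERVER".TrimStart('\')

# Compare hosts by short name so FQDN and NetBIOS forms are treated alike.
function Get-ShortName([string]$HostName) { ($HostName -split '\.')[0] }

function Get-RedirectStatus {
    param([string]$RawValue, [string]$Expected, [string]$LogonServer)
    # Only UNC paths are redirected; anything else is a local folder.
    $m = [regex]::Match($RawValue, '^\\\\([^\\]+)\\')
    if (-not $m.Success) { return 'Local' }
    $server = $m.Groups[1].Value
    # A literal %LOGONSERVER% in the stored path always resolves to a DC.
    if ($server -like '*%LOGONSERVER%*') { return 'UsesLogonServerVariable' }
    if ((Get-ShortName $server) -ieq (Get-ShortName $Expected)) { return 'OK' }
    if ($LogonServer -and (Get-ShortName $server) -ieq (Get-ShortName $LogonServer)) {
        return 'PointsAtLogonServer'
    }
    return 'UnexpectedServer'
}

$item = Get-Item -LiteralPath $key
$report = foreach ($name in $item.GetValueNames()) {
    # Read the stored string as written, without expanding %VARIABLES%.
    $raw = [string]$item.GetValue($name, '',
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    [pscustomobject]@{
        Folder = $name
        Path   = $raw
        Status = Get-RedirectStatus -RawValue $raw -Expected $ExpectedServer -LogonServer $logonServer
    }
}

$report | Where-Object Status -ne 'Local' | Format-Table -AutoSize
# Non-zero exit when any folder is redirected somewhere other than the expected server.
if ($report | Where-Object { $_.Status -notin 'Local', 'OK' }) { exit 1 }
```

Run in the affected user's session (for example from a logon script that only logs the result), it records when the drift appears, which helps correlate it with the Windows event IDs asked about above.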