I have a problem that I am unable to sort out. Maybe someone can assist with advice and troubleshooting.

Client computer is Windows 10 Pro with latest updates as of today. Servers are a Windows 2019 Standard (logon and AD server) and a Samba 4.11 running on Ubuntu (domain member). AD account configured with account profile \\hp-fssrv\profiles\<username>. Home directory is mapped to \\hp-fssrv\Users\<username>.

Share permissions for Profiles are set in Windows following the Samba Wiki to the letter.

The logon.cmd script contains

    NET USE P: \\hp-fssrv\Programs
    NET USE G: \\hp-fssrv\Dokument
    NET USE F: \\hp-fssrv\SYS2

Now to the problem: This user has 2 computers. On the main desktop computer, also Windows 10, the roaming profile seems to work fine and the network drives map correctly.
On his new laptop there is a problem. After logging in, there is a warning "Unable to map all network drives" and also "Could not load server profile, using a local profile" (not verbatim).
The Windows event log has the usual non-informative log entries stating that there was a problem loading the profile.

The client has 10 more clients that work fine (although not using roaming profiles, more stationary users), so the problem could very well be outside of Samba. But maybe one of you has experienced the same in the past and has some advice.
I have also copied the full smb.conf in case I have done something stupid there.

    # Global parameters
    [global]
        netbios name = HP-FSSRV
        bind interfaces only = Yes
        client max protocol = SMB3
        client min protocol = SMB2
        dedicated keytab file = /etc/krb5.keytab
        disable spoolss = Yes
        domain master = No
        host msdfs = No
        interfaces = lo ens3
        kerberos method = secrets and keytab
        load printers = No
        local master = No
        map to guest = Bad User
        preferred master = No
        printcap name = /dev/null
        realm = HOGANAS-PLATSLAGAREN.SE
        reset on zero vc = Yes
        restrict anonymous = 2
        security = ADS
        server min protocol = SMB2
        server role = member server
        unix extensions = No
        username map = /etc/samba/user.map
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = HPLTS
        idmap config dg11 : range = 30000-40000
        idmap config dg11 : backend = rid
        idmap config * : range = 10000-20000
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        acl group control = Yes
        dos filemode = Yes
        hide unreadable = Yes
        map acl inherit = Yes
        printing = bsd
        strict allocate = Yes
        vfs objects = acl_xattr recycle

    [Users]
        comment = "User home directories"
        path = /share2/Users
        read only = No
        vfs objects = recycle
        recycle:exclude = *.tmp
        recycle:touch = yes
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = %U/Papperskorg

    [Profiles]
        comment = "Roaming profiles"
        path = /share2/profiles
        read only = No

    [Dokument]
        comment = "Dokument"
        path = /share2/Dokument
        read only = No
        vfs objects = recycle
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = Papperskorg

    [Program]
        comment = "Applikationer"
        path = /share2/Applikationer
        read only = No

    [SYS]
        comment = "Orderprogram"
        path = /share2/SYS
        read only = No

    [SYS2]
        comment = "Industriapplikationer"
        path = /share2/SYS2
        read only = No

Permissions on the samba share look like this:

    administrator@hp-srv03:~$ cd /share2/
    administrator@hp-srv03:/share2$ getfacl profiles/
    # file: profiles/
    # owner: administrator
    # group: root
    user::rwx
    user:administrator:rwx
    group::---
    group:root:---
    group:domain\040admins:rwx
    group:NT\040Authority\\system:rwx
    group:domain\040users:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:administrator:rwx
    default:group::---
    default:group:root:---
    default:group:domain\040admins:rwx
    default:group:NT\040Authority\\system:rwx
    default:mask::rwx

-- 
-----------------------------------------------------------------------
This signature contains 100% recyclable electrons as prescribed by Mother Nature

Anders Östling
+46 768 716 165 (Mobil)
+46 431 45 56 01 (Hem)
On 29/06/2020 20:00, Anders Östling via samba wrote:
> I have a problem that I am unable to sort out. Maybe someone can
> assist with advice and troubleshooting.
>

OK, you might as well remove these lines, they are defaults:

    client max protocol = SMB3
    client min protocol = SMB2
    server min protocol = SMB2

I would also remove these:

    acl group control = Yes
    dos filemode = Yes
    hide unreadable = Yes

You should also remove this, it should only be in a DC smb.conf:

    idmap_ldb:use rfc2307 = yes

Now we come to what could be a couple of typos:

You have 'netbios name = HP-FSSRV' but you also posted 'administrator@hp-srv03:~$ cd /share2/'

The 'netbios name' must be the same as the hostname.

You also seem to be using 'administrator' as a Unix user, please do not do this, I know this happens with the 'rid' backend, but in this instance Administrator will just be a normal Unix user. You also have 'username map = /etc/samba/user.map' and 'root' should be mapped to 'Administrator' inside the user.map. Use 'root' (or sudo) on Unix and 'Administrator' on Windows, do not mix them.

You have 'workgroup = HPLTS' and 'idmap config dg11', again, they must match

Rowland
There is something going on with the latest Windows 10 update (2004). I'm not sure where this is coming from, but I've seen this also. I'm setting up a new server since I'm moving data in the office, and compared to your share use, I use the FQDN in the share. It's the same as far as I can see.

Disconnecting and reconnecting does work as a workaround for me where the problem arises. If I detect what's going on, I'll share it.

Something I did notice: some PCs aren't able to update to 20.04 atm, where there was the option for it.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Anders Östling via samba
> Sent: Monday, 29 June 2020 21:00
> To: sambalist
> Subject: [Samba] Need help with roaming profiles
>
> I have a problem that I am unable to sort out. Maybe someone can
> assist with advice and troubleshooting.
Hello Rowland,

Thank you very much for the relentless support you're providing for the community.

You wrote: "The 'netbios name' must be the same as the hostname."

For years, my samba file server (now version 4.11.9) netbios name has differed from the hostname (although it has a DNS CNAME record pointing to the host name) and everything is working fine (I'm not using roaming profiles, and using POSIX permissions). It's used for home directories and other shares, all mapped using group policies. Clients are different versions and distributions of Linux and Windows (including 2004). DCs are Windows 2012 R2s.

I reread smb.conf and couldn't find any references that "netbios name" should be the same as the hostname. Is it a roaming profiles requirement or am I missing something?

Best regards,
Matt

On Mon, Jun 29, 2020 at 3:36 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> You have 'netbios name = HP-FSSRV' but you also posted
> 'administrator@hp-srv03:~$ cd /share2/'
>
> The 'netbios name' must be the same as the hostname.
Hi Rowland (and others)

On Mon, Jun 29, 2020 at 9:36 PM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 29/06/2020 20:00, Anders Östling via samba wrote:
> > I have a problem that I am unable to sort out. Maybe someone can
> > assist with advice and troubleshooting.
> >
> OK, you might as well remove these lines, they are defaults:
>
>     client max protocol = SMB3
>     client min protocol = SMB2
>     server min protocol = SMB2

Done. However, by removing options that are (now) default, wouldn't that risk coming back and causing problems in case you decide to change the defaults (for any reason)? Is there a problem with being explicit? Maybe I am just a bit conservative here :)

> I would also remove these:
>
>     acl group control = Yes
>     dos filemode = Yes
>     hide unreadable = Yes

Done

> You should also remove this, it should only be in a DC smb.conf:
>
>     idmap_ldb:use rfc2307 = yes

Removed

> Now we come to what could be a couple of typos:
>
> You have 'netbios name = HP-FSSRV' but you also posted
> 'administrator@hp-srv03:~$ cd /share2/'
> The 'netbios name' must be the same as the hostname.
>

Typo. The netbios name is in fact HP-SRV03 and HP-FSSRV is a CNAME that points to the actual hostname. I prefer to have it this way in case I need to migrate some services to other hosts. Do you think that this could cause harm in any way?

> You also seem to be using 'administrator' as a Unix user, please do not
> do this, I know this happens with the 'rid' backend, but in this
> instance Administrator will just be a normal Unix user. You also have
> 'username map = /etc/samba/user.map' and 'root' should be mapped to
> 'Administrator' inside the user.map. Use 'root' (or sudo) on Unix and
> 'Administrator' on Windows, do not mix them.
>

The local admin account on the Linux box is called administrator and is only used for ssh access into the virtual Samba host. I almost always switch to root using sudo when doing admin tasks on the server.
The file user.map is correct and maps the root account from HPLTS\Administrator.

> You have 'workgroup = HPLTS' and 'idmap config dg11', again, they must match

This is a configuration error since day 0 when the test domain was called DG11. I forgot to change that to HPLTS, but as far as I can see, there have not been any visible problems. I figured that the IDMAP CONFIG * would be used as a catch-all, and IDs in the 10000 range are used (as specified for the wildcard domain). I must confess that I know way too little about idmap to feel confident though...

Could ANY of these deficiencies be the reason for the issues with the roaming profile?

Another thing that hit me last night was that the problematic laptop is only used on wifi, while all others are using wired networks. Maybe a timing problem when Windows tries to load the profile before the network drives are ready? Just a thought...

> Rowland
>

Thank you Rowland for your tremendous effort in supporting us all!

Anders
On 30/06/2020 09:50, Anders Östling wrote:
>> You have 'workgroup = HPLTS' and 'idmap config dg11', again, they must match
> As I wrote in the previous reply, that was a mistake from the initial
> deployment. However, I have a copy of the VM and when I corrected DG11
> to HPLTS and restarted the services, this happens:
>
> getent group "Oldgroup" returns a value in the 10000 range (as
> specified in the idmap config * statement).

If 'oldgroup' isn't in the 'HPLTS' domain, this is to be expected.

> I now created a new group in the domain, and expected to get a value
> in the range 30000 (as specified in the idmap config HPLTS statement).

You should.

> Again, I probably don't understand the different backends (tdb vs rid)
> functions enough.

The default domain '*' uses tdb and is an allocating db, the 'rid' backend for your HPLTS domain uses the AD object's RID to calculate the Unix ID.

> The new group was given an id of 10032, so it seems
> as if the * statement still is the used range. Is this expected
> behaviour?

No, it isn't, if the group exists in AD and the AD domain name is 'HPLTS', from what you have posted, I would expect the Unix ID to start with a '3'. Have you run 'net cache flush'?

> In the meantime, I will try to read up on the backends and
> get a better understanding.

tdb is only used for the '*' domain, IDs start from the lower number you set in smb.conf

rid is used for the DOMAIN domain (HPLTS in your case), IDs are calculated by adding the object's rid to the lower number you set in smb.conf. For instance Domain Users ID will be 30000 + 513 = 30513

Rowland
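As an added illustration of the two points in this thread (the idmap domain block must be named after the workgroup, and the rid backend computes Unix IDs as range low end + RID), here is a small Python script. It is not code from the thread or from Samba: the smb.conf excerpt is a constructed copy of the idmap lines posted above, the SIDs are made up, and the parser only understands the handful of settings it needs.

```python
import re

# Constructed sample: the idmap-related lines from the smb.conf posted in this
# thread, including the mismatch Rowland pointed out (workgroup HPLTS, but the
# rid block is named dg11).
POSTED_CONF = """
[global]
    workgroup = HPLTS
    security = ADS
    server role = member server
    idmap config dg11 : range = 30000-40000
    idmap config dg11 : backend = rid
    idmap config * : range = 10000-20000
    idmap config * : backend = tdb
"""

# The same lines with the domain block renamed to match the workgroup.
FIXED_CONF = POSTED_CONF.replace("idmap config dg11", "idmap config HPLTS")

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Collect the workgroup and every 'idmap config DOMAIN : key = value' line.

    Returns {"workgroup": "HPLTS", "domains": {"DG11": {"backend": "rid",
    "range": (30000, 40000)}, "*": {...}}}. Domain names are upper-cased
    because winbind matches them case-insensitively.
    """
    cfg = {"workgroup": None, "domains": {}}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            entry = cfg["domains"].setdefault(dom, {})
            if key == "range":
                lo, hi = (int(x) for x in val.split("-"))
                entry["range"] = (lo, hi)
            else:
                entry[key] = val.lower()
        elif line.strip().lower().startswith("workgroup"):
            cfg["workgroup"] = line.split("=", 1)[1].strip().upper()
    return cfg


def check_idmap(cfg):
    """Return a list of problems: missing '*' block, a workgroup without its own
    idmap block (SIDs from it then fall back to the '*' tdb allocator), and
    overlapping ranges between blocks."""
    problems = []
    doms = cfg["domains"]
    if "*" not in doms:
        problems.append("no 'idmap config *' default block")
    wg = cfg["workgroup"]
    if wg and wg not in doms:
        problems.append("workgroup %s has no 'idmap config %s' block (found: %s)"
                        % (wg, wg, ", ".join(sorted(doms))))
    ranges = [(d, e["range"]) for d, e in doms.items() if "range" in e]
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append("ranges for %s and %s overlap" % (d1, d2))
    return problems


def rid_to_unix_id(sid, cfg, domain):
    """rid backend arithmetic: Unix ID = low end of the domain range + RID.

    Returns None when the result falls outside the configured range; winbind
    then reports the SID as unmapped instead of allocating an ID for it.
    """
    rid = int(sid.rsplit("-", 1)[1])
    lo, hi = cfg["domains"][domain.upper()]["range"]
    unix_id = lo + rid
    return unix_id if lo <= unix_id <= hi else None


if __name__ == "__main__":
    # Constructed SID; only the trailing RID (513 = Domain Users) matters here.
    domain_users = "S-1-5-21-1111111111-2222222222-3333333333-513"
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name, "problems:", check_idmap(parse_idmap(conf)) or "none")
    print("Domain Users ->", rid_to_unix_id(domain_users, parse_idmap(FIXED_CONF), "HPLTS"))
```

Run as-is, the posted configuration is flagged because no idmap block is named HPLTS, while the renamed copy passes and maps Domain Users to 30513, matching the arithmetic above. Unlike the '*' tdb allocator, whose IDs depend on the order in which winbind first saw each SID, the rid result depends only on the SID and the configured range, so every member server with the same block gets the same ID for the same object.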
On Tue, Jun 30, 2020 at 11:24 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 30/06/2020 09:50, Anders Östling wrote:
> > The new group was given an id of 10032, so it seems
> > as if the * statement still is the used range. Is this expected
> > behaviour?
> No, it isn't, if the group exists in AD and the AD domain name is
> 'HPLTS', from what you have posted, I would expect the Unix ID to start
> with a '3'. Have you run 'net cache flush'?

I did this on the test system but can't see any difference. Both the old and newly created groups have IDs in the 10000 range.

WHAT IF:

    I remove the server from the domain
    Delete the tdb and ldb databases
    Correct the idmap statements as recommended
    Rejoin the domain

I assume that all accounts and groups will get new IDs in the 30000 range. Do I need to re-apply all folder and file permissions from the Windows server to get them correctly mapped?

Thank you for your patience!

Anders