Hi I have had roaming profiles enabled on user accounts since November last year. This is a small business with approx 10 users, but a few of them are actually taking benefit of the roaming profile feature. Recently, they have had all sorts of problems with their profiles, usually Access Denied when trying to load the profiles (only those that actually roams between different computers). I have spent hours trying to find a pattern and pinpoint the exact source of the problem. During this digging, I have learned to hate Windows even more, since the profiles management is like an octopus, reaching into almost every part of the system... Anyway, I managed to get it back on track by loosing up permissions on the /share/profiles folder (temporary) but I need to find a permanent solution. During the attempts to restore the clients, I also found out that the C:/Windows/CSC directory has a function too. Another cache besides what is under C:/Users/<username>/Desktop/? At the same time, the few roaming users also got problems accessing their U:/AppData/Roaming folders. The permissions looked good, but MS apps (Excel and Word had a different opinion and refused to load documents). The temporary fix for this was also to loose up permissions on the AppData folder until I had a better understanding of what?s going on. So, while re-reading the Samba wiki page, I saw that there is a parameter, csc policy = disable, that I have not seen before. Is the wiki for profiles updated recently with that one? I found some internet posts that describes the different values, enable/manual/disable and their functions. Could this have been a reason for my client?s problem (several users on one computer, and a CSC that got confused)? If so, then I hope that disabling the function will make the clients work better once I have restored them from scratch. While I am typing, let me describe another specific user?s situation. Initially she got the same permissions error when logging on another computer. But suddenly, her normal workstation started to behave like this (maybe after a loosened up the permissions on the /share/profiles, hard to tell). She logs on the domain Get a message ?We could not log you on using a profile, a temporary profile has been created? (or quite similar to this) A blank desktop with Trashcan The netlogon script has mapped up her drives correctly The C:/Users folder now contains these folders /katarina (hers) /temp.hlts (domain name) /temp.hplts.1 /temp.hplts.2 /temp.hplts.3 She can navigate to /Users/katarina/Desktop where all her saved shortcuts are, and CTRL-A, CTRL-C. Then close explorer and CTRL-V on desktop. Everything works as before, including mapped drives and app and document shortcuts. If she logs out, then all steps need to be repeated. So for the moment, she just WIN+L at the end of the day until her computer is re-installed, and hopefully things are working again. She CAN map drive profile folder on the server manually without getting any permission error. This makes me believe that the problem is on the client side, not the server. Windows 10 2020H2 on the clients. Samba 4.13.8 on the server Windows 2019 Standard as DC End of rant. I hope that someone can give some insight and maybe advise on how to fix this mess. If not, it?s a re-install of the affected clients and praying that the CSC disable will help.
? to clarify my previous rant, the question is if the ?csc disable? is a new addition to the wiki, and if the default ?csc manual? have caused problems for other samba users /Anders Anders ?stling D?mmegatan 11 SE-25442 Helsingborg Sweden Phone: +46 768 716 165 Skype: anders.ostling at outlook.com On 19 May 2021, 10:06 +0200, Anders ?stling <anders.ostling at gmail.com>, wrote:> Hi > I have had roaming profiles enabled on user accounts since November last year. This is a small business with approx 10 users, but a few of them are actually taking benefit of the roaming profile feature. > Recently, they have had all sorts of problems with their profiles, usually Access Denied when trying to load the profiles (only those that actually roams between different computers). I have spent hours trying to find a pattern and pinpoint the exact source of the problem. During this digging, I have learned to hate Windows even more, since the profiles management is like an octopus, reaching into almost every part of the system... > > Anyway, I managed to get it back on track by loosing up permissions on the /share/profiles folder (temporary) but I need to find a permanent solution. During the attempts to restore the clients, I also found out that the C:/Windows/CSC directory has a function too. Another cache besides what is under C:/Users/<username>/Desktop/? At the same time, the few roaming users also got problems accessing their U:/AppData/Roaming folders. The permissions looked good, but MS apps (Excel and Word had a different opinion and refused to load documents). The temporary fix for this was also to loose up permissions on the AppData folder until I had a better understanding of what?s going on. > > So, while re-reading the Samba wiki page, I saw that there is a parameter, csc policy = disable, that I have not seen before. Is the wiki for profiles updated recently with that one? I found some internet posts that describes the different values, enable/manual/disable and their functions. Could this have been a reason for my client?s problem (several users on one computer, and a CSC that got confused)? If so, then I hope that disabling the function will make the clients work better once I have restored them from scratch. > > While I am typing, let me describe another specific user?s situation. Initially she got the same permissions error when logging on another computer. But suddenly, her normal workstation started to behave like this (maybe after a loosened up the permissions on the /share/profiles, hard to tell). > > She logs on the domain > Get a message ?We could not log you on using a profile, a temporary profile has been created? (or quite similar to this) > A blank desktop with Trashcan > The netlogon script has mapped up her drives correctly > > The C:/Users folder now contains these folders > /katarina (hers) > /temp.hlts (domain name) > /temp.hplts.1 > /temp.hplts.2 > /temp.hplts.3 > > She can navigate to /Users/katarina/Desktop where all her saved shortcuts are, and CTRL-A, CTRL-C. Then close explorer and CTRL-V on desktop. Everything works as before, including mapped drives and app and document shortcuts. If she logs out, then all steps need to be repeated. So for the moment, she just WIN+L at the end of the day until her computer is re-installed, and hopefully things are working again. > > She CAN map drive profile folder on the server manually without getting any permission error. This makes me believe that the problem is on the client side, not the server. > > Windows 10 2020H2 on the clients. > Samba 4.13.8 on the server > Windows 2019 Standard as DC > > End of rant. I hope that someone can give some insight and maybe advise on how to fix this mess. If not, it?s a re-install of the affected clients and praying that the CSC disable will help.
On 19/05/2021 09:06, Anders ?stling via samba wrote:> Hi > I have had roaming profiles enabled on user accounts since November last year. This is a small business with approx 10 users, but a few of them are actually taking benefit of the roaming profile feature. > Recently, they have had all sorts of problems with their profiles, usually Access Denied when trying to load the profiles (only those that actually roams between different computers). I have spent hours trying to find a pattern and pinpoint the exact source of the problem. During this digging, I have learned to hate Windows even more, since the profiles management is like an octopus, reaching into almost every part of the system... > > Anyway, I managed to get it back on track by loosing up permissions on the /share/profiles folder (temporary) but I need to find a permanent solution. During the attempts to restore the clients, I also found out that the C:/Windows/CSC directory has a function too. Another cache besides what is under C:/Users/<username>/Desktop/? At the same time, the few roaming users also got problems accessing their U:/AppData/Roaming folders. The permissions looked good, but MS apps (Excel and Word had a different opinion and refused to load documents). The temporary fix for this was also to loose up permissions on the AppData folder until I had a better understanding of what?s going on. > > So, while re-reading the Samba wiki page, I saw that there is a parameter, csc policy = disable, that I have not seen before. Is the wiki for profiles updated recently with that one? I found some internet posts that describes the different values, enable/manual/disable and their functions. Could this have been a reason for my client?s problem (several users on one computer, and a CSC that got confused)? If so, then I hope that disabling the function will make the clients work better once I have restored them from scratch. > > While I am typing, let me describe another specific user?s situation. Initially she got the same permissions error when logging on another computer. But suddenly, her normal workstation started to behave like this (maybe after a loosened up the permissions on the /share/profiles, hard to tell). > > She logs on the domain > Get a message ?We could not log you on using a profile, a temporary profile has been created? (or quite similar to this) > A blank desktop with Trashcan > The netlogon script has mapped up her drives correctly > > The C:/Users folder now contains these folders > /katarina (hers) > /temp.hlts (domain name) > /temp.hplts.1 > /temp.hplts.2 > /temp.hplts.3 > > She can navigate to /Users/katarina/Desktop where all her saved shortcuts are, and CTRL-A, CTRL-C. Then close explorer and CTRL-V on desktop. Everything works as before, including mapped drives and app and document shortcuts. If she logs out, then all steps need to be repeated. So for the moment, she just WIN+L at the end of the day until her computer is re-installed, and hopefully things are working again. > > She CAN map drive profile folder on the server manually without getting any permission error. This makes me believe that the problem is on the client side, not the server. > > Windows 10 2020H2 on the clients. > Samba 4.13.8 on the server > Windows 2019 Standard as DC > > End of rant. I hope that someone can give some insight and maybe advise on how to fix this mess. If not, it?s a re-install of the affected clients and praying that the CSC disable will help.How are you setting the permissions on the profile share and where is the share, on a DC or a Unix domain member ? I don't know why you have just noticed the 'csc policy' parameter, it has been available for years and should be set to disabled on a profiles share. Have you read this: https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles Rowland
Mandi! Anders ?stling via samba In chel di` si favelave...> I have had roaming profiles enabled on user accounts since November last year. This is a small business with approx 10 users, but a few of them are actually taking benefit of the roaming profile feature.I manage roaming profiles with some samba domains (some AD, some NT) and i confirm that is a useful feature, but sometime 'broke' and need to be fixed (client side and/or server side). Apart share permission issue, some hint/info. Firstly i've found very useful to set a quota on profiles, via GPO/MLGPO; lighter profiles mean not only shorter logon, but also lighter troubles. Surely, users have to be 'educated' (?why i cannot put my holyday 4K video on my desktop??). Secondly, it is very useful to redirect some folder to some share, eg 'Documents', 'Download' and so on; again, you can redirect folders via GPO, MLGPO or direct registry editing.> Anyway, I managed to get it back on track by loosing up permissions on the /share/profiles folder (temporary) but I need to find a permanent solution. During the attempts to restore the clients, I also found out that the C:/Windows/CSC directory has a function too. Another cache besides what is under C:/Users/<username>/Desktop/? At the same time, the few roaming users also got problems accessing their U:/AppData/Roaming folders. The permissions looked good, but MS apps (Excel and Word had a different opinion and refused to load documents). The temporary fix for this was also to loose up permissions on the AppData folder until I had a better understanding of what?s going on.But, if you keep CSC enabled, enabling folder redirection will enable automagically CSC for redirected folder; in my experience, CSC is a bit a crap, and work reilably only if there's only ONE domin user per PC. Also, for non-portable system, make not sense to me to have CSC enabled. I hope i was useful. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)