Also the one's you should read :
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
Things changed with windows 10.
https://getanadmin.com/windowsserver/folder-redirection-in-window-server-2019/
Same but with more pictures.
And tripple verify if you use this like above,
Set : Disable "Grant the user exclusive rights to X"
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> L.P.H. van Belle via samba
> Verzonden: dinsdag 25 mei 2021 10:03
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] CSC & roaming profiles
>
> Good Morning Anders.
>
> Im commented in between your last reply.
>
> > -----Oorspronkelijk bericht-----
> > Van: Anders ?stling [mailto:anders.ostling at gmail.com]
> > Verzonden: zondag 23 mei 2021 19:09
> > Aan: L.P.H. van Belle
> > Onderwerp: Re: [Samba] CSC & roaming profiles
> >
> > Hi Lois
> ;-) Louis ;-)
>
> >
> > Thank your for having patience with us Samba users. I apolgize for
> > this long mail, but sometimes it help the mind to write down events,
> > and who knows, maybe you have some clever ideas on how to proceed :)
> >
> > I decided not to spend more time on troubleshooting the strange
> > permission and joining issues, but rather spend time to start from
> > scratch. So I have used most of Saturday and today to reinstall two
> > Samba AD, Windows server 2019 and a Windows 10 client, all with the
> > goal to have a working setup to document.
> > I started to provision a new domain on Samba AD DC, using
> the default
> > values. I then created a second DC and joined the domain.
> Checked that
> > replication and DNS worked as it should. No problems so
> far. I had an
> > old Samba FS domain member. Stopped the smbd and winbind
> processes and
> > removed the *.ldb/tdb as the documentation states. I then joined the
> > new domain, and it worked too without any issues. Tested
> that I could
> > access the existing shares from the DC's using smbclient.
> No problem.
> > I then installed and added the 2 windows systems, and it worked as
> > expected. Using the Windows server and RSAT/ADUC, I created a test
> > user account and a couple of groups for further tests. Logons and
> > file sharing worked fine. Now things started to get interesting.
> >
> > Let me describe the first problem I noted.
> >
> > I intend to use the Win10 client as an administrator workstation.
> > Therefore I logged in as DOMAIN/Administrator and installed all the
> > RSAT apps. I then started to map up the drives, PROGRAMS, DOCUMENTS,
> > PROFILES, SYS and USERS so that I could work with permissions easily
> > from Windows.
>
> Net logon? GPO ? But read in i seen enough ;-)
>
> > Of these 5 shares, the 4 first were mapped without
> > problem. But the USERS map gave me an ACCESS DENIED error. I double
> > and triple checked the permissions from Linux/getfacl, but found no
> > issues. When I instead opted to map the USERS drive using the test
> > user account, it worked! But since that account has no system
> > privileges, it can't be used to manage the share. So, even if it
has
> > LESS rights then Administrator, the mapping works. I repeated this a
> > couple of the times for verification, the same result every time.
> > Since I cant administer the shared folder from Windows, I
> can only use
> > get/setfacl to view the actual permissions.
>
> On this, windows checks on who's the owner of that folder.
> Read this, that shows what i mean.
> https://aventistech.com/2019/08/28/gpo-for-users-folder-redirection/
> Your solution is in this link.
> In GPO, add allow administrators to user folders can help.
>
>
>
> >
> > root at hp-srv03:/share2# getfacl Users
> > # file: Users
> > # owner: administrator
> > # group: domain\040users
> > # flags: -s-
> > user::rwx
> > user:root:rwx #effective:r-x
> > user:administrator:rwx #effective:r-x
> > user:domain\040admins:rwx #effective:r-x
> > user:domain\040users:r-x
> > group::r-x
> > group:NT\040Authority\\authenticated\040users:rwx #effective:r-x
> > group:10013:r-x
> > group:domain\040admins:rwx #effective:r-x
> > group:domain\040users:r-x
> > mask::r-x
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:administrator:rwx
> > default:user:domain\040admins:rwx
> > default:group::---
> > default:group:NT\040Authority\\authenticated\040users:rwx
> > default:group:10013:---
> > default:group:domain\040admins:rwx
> > default:mask::rwx
> > default:other::---
>
> You didnt check the rigths on sysvol i think, because im not
> seeing "SYSTEM"
> Compair yours with mine below. This is what i have.
>
> getfacl /var/lib/samba/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: root
> # group: BUILTIN\\administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\\administrators:rwx
> user:BUILTIN\\server\040operators:r-x
> user:NT\040AUTHORITY\\system:rwx
> user:NT\040AUTHORITY\\authenticated\040users:r-x
> group::rwx
> group:BUILTIN\\administrators:rwx
> group:BUILTIN\\server\040operators:r-x
> group:NT\040AUTHORITY\\system:rwx
> group:NT\040AUTHORITY\\authenticated\040users:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\\administrators:rwx
> default:user:BUILTIN\\server\040operators:r-x
> default:user:NT\040AUTHORITY\\system:rwx
> default:user:NT\040AUTHORITY\\authenticated\040users:r-x
> default:group::---
> default:group:BUILTIN\\administrators:rwx
> default:group:BUILTIN\\server\040operators:r-x
> default:group:NT\040AUTHORITY\\system:rwx
> default:group:NT\040AUTHORITY\\authenticated\040users:r-x
> default:mask::rwx
> default:other::---
>
> Where you see for me BUILTIN\\administrators you can also use
> DOM\Domain Admins
> Winbind idmap and its resolving need be verified.
>
> >
> > [Users]
> > comment = "User home directories"
> > guest ok = No
> > path = /share2/Users
> > read only = No
> >
> > This is still unsolved, but just maybe has something to do
> > with next issue
> >
> > I then installed a second identical Win 10 to use for User
> > verification. Joined it to the domain and can login as Administrator
> > on that one. Logged in as Test user and the U drive was mapped
> > correctly. Then I ran the sysvolcheck on teh second DC , for no
> > specific reason, and got this
> >
> > root at HP-SRV11:/home/administrator# samba-tool ntacl sysvolcheck
> > ERROR(<class 'TypeError'>): uncaught exception - (2,
'No
> such file or
> > directory')
> > File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> > 186, in _run
> > return self.run(*args, **kwargs)
> > File
> > "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
> > 446, in run
> > lp)
> > File
"/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> > line 1877, in checksysvolacl
> > direct_db_access)
> > File
"/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> > line 1827, in check_gpos_acl
> > domainsid, direct_db_access)
> > File
"/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> > line 1766, in check_dir_acl
> > fsacl = getntacl(lp, path, session_info,
> > direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> > File "/usr/lib/python3/dist-packages/samba/ntacls.py",
line
> > 115, in getntacl
> > xattr.XATTR_NTACL_NAME)
> >
> > Ran sysvolreset again and that seems to have fixed it, because next
> > sysvolcheck was silent.
>
> Why you got above one, i cant tell, but its to me a right
> again somewhere on sysvol.
> (see how my rights are set.
> The most easy way to overcome that, you can add this to the
> sysvol (and netlogon) share
> acl_xattr:ignore system acls = yes in smb.conf
>
> Then run 1 time more samba sysvol reset and then set rights
> from within windows
> After that, no sysvolreset anymore
>
> >
> > Now to the second problem
> >
> > But when I tried the Test user account, again on the Win10 client, I
> > get a message "The Group Policy client service failed the
sign-in.
> > Access is denied. (OK)".
>
> Which is so far i can see, correct, if sysvol does not have
> SYSTEM also in the ACL's.
>
> >
> > So, this made me go back to the sysvol and run check the permissions
> > etc. On the first DC, sysvolcheck showed errors but sysvolreset
> > corrected these. On the second, sysvolreset did not correct
> the error.
> > So maybe there is something wrong with the Policies directory that
> > causes both the isses (mapping of U and Login). I am not sure and
> > there is a ton of posts on the net regarding sysvol permissions.
> > Anyway the permissions looks like this
> >
> > (FIRST DC)
> > root at HP-SRV10:/var/lib/samba# ls -l /var/lib/samba/
> > total 1412
> > -rw------- 1 root root 421888 maj 20 10:43
> > account_policy.tdb
> > drwxr-x--- 2 root root 4096 maj 20 11:58 bind-dns
> > drwxr-xr-x 4 root root 4096 maj 20 10:43 DriverStore
> > -rw------- 1 root root 696 maj 20 10:43
> > group_mapping.tdb
> > drwxr-x--- 2 root root 4096 maj 22 14:34 ntp_signd
> > drwxr-xr-x 12 root root 4096 maj 20 10:43 printers
> > drwxr-xr-x 7 root root 4096 maj 22 14:34 private
> > -rw------- 1 root root 528384 maj 20 10:43 registry.tdb
> > -rw------- 1 root root 421888 maj 23 18:17 share_info.tdb
> > drwxrwx---+ 3 root 3000002 4096 maj 23 18:31 sysvol
> > drwxrwx--T 2 root sambashare 4096 maj 20 10:43 usershares
> > -rw------- 1 root root 32768 maj 22 14:34
> > winbindd_cache.tdb
> > drwxr-x--- 2 root winbindd_priv 4096 maj 22 14:34
> > winbindd_privileged
> > root at HP-SRV10:/var/lib/samba# ls -l
> > /var/lib/samba/sysvol/hoganas-platslagaren.se/Policies/
> > total 72
> > drwxrwx---+ 4 3000000 3000000 4096 maj 22 14:17
> > {31B2F340-016D-11D2-945F-00C04FB984F9}
> > drwxrwx---+ 4 root 3000002 4096 maj 21 18:31
> > {6AC1786C-016F-11D2-945F-00C04fB984F9}
> > drwxrwx---+ 4 3000000 3000000 4096 maj 22 14:17
> > {6AC1786C-016F-11D2-945F-00C04FB984F9}
> > drwxrwx---+ 4 root 3000002 4096 maj 21 14:56
> > {813AF46F-8D5D-4F8D-A79C-E01DCC1D9A4D}
> > drwxrwx---+ 4 root 3000002 4096 maj 21 18:31
> > {A71EE201-8245-490C-8583-5231DE44FC96}
> > drwxrwx---+ 4 root 3000002 4096 maj 22 11:50
> > {C31E5DB1-6D0D-4F10-9AF4-BCBB2DE83960}
> > drwxrwx---+ 4 root 3000002 4096 maj 21 18:31
> > {C345C1AB-7A67-450E-A863-1C6ED57BE11E}
> > drwxrwx---+ 4 root 3000002 4096 maj 21 20:03
> > {E2C539EE-9AEE-4064-B177-6DBA12121388}
> > drwxrwx---+ 4 root 3000002 4096 maj 21 18:31
> > {FE5BEAC4-A519-4F0D-82B3-A240568ABF2B}
> >
> > (SECOND DC)
> > root at HP-SRV11:/home/administrator# ls -l /var/lib/samba/
> > total 1412
> > -rw------- 1 root root 421888 maj 20 10:43
> > account_policy.tdb
> > drwxr-x--- 2 root root 4096 maj 20 11:58 bind-dns
> > drwxr-xr-x 4 root root 4096 maj 20 10:43 DriverStore
> > -rw------- 1 root root 696 maj 20 10:43
> > group_mapping.tdb
> > drwxr-x--- 2 root root 4096 maj 23 10:49 ntp_signd
> > drwxr-xr-x 12 root root 4096 maj 20 10:43 printers
> > drwxr-xr-x 7 root root 4096 maj 23 10:49 private
> > -rw------- 1 root root 528384 maj 20 10:43 registry.tdb
> > -rw------- 1 root root 421888 maj 23 18:18 share_info.tdb
> > drwxrwx---+ 3 root 3000000 4096 maj 23 18:33 sysvol
> > drwxrwx--T 2 root sambashare 4096 maj 20 10:43 usershares
> > -rw------- 1 root root 32768 maj 23 10:49
> > winbindd_cache.tdb
> > drwxr-x--- 2 root winbindd_priv 4096 maj 23 10:49
> > winbindd_privileged
>
>
> This also shows the rights are not correct, or you the idmap
> sync didnt go correctly.
>
> DC1: > drwxrwx---+ 3 root 3000002 4096 maj 23 18:31 sysvol
> DC2: > drwxrwx---+ 3 root 3000000 4096 maj 23 18:33 sysvol
>
>
> Both these UID there should be the same.
>
> > root at HP-SRV11:/home/administrator# ls -l
> > /var/lib/samba/sysvol/hoganas-platslagaren.se/Policies/
> > total 64
> > drwxrwx---+ 4 root 3000000 4096 maj 21 18:31
> > {31B2F340-016D-11D2-945F-00C04FB984F9}
> > drwxrwx---+ 4 root 3000000 4096 maj 21 18:31
> > {6AC1786C-016F-11D2-945F-00C04fB984F9}
> > drwxrwx---+ 4 root 3000000 4096 maj 21 14:56
> > {813AF46F-8D5D-4F8D-A79C-E01DCC1D9A4D}
> > drwxrwx---+ 4 root 3000000 4096 maj 21 18:31
> > {A71EE201-8245-490C-8583-5231DE44FC96}
> > drwxrwx---+ 4 root 3000000 4096 maj 22 12:00
> > {C31E5DB1-6D0D-4F10-9AF4-BCBB2DE83960}
> > drwxrwx---+ 4 root 3000000 4096 maj 21 18:31
> > {C345C1AB-7A67-450E-A863-1C6ED57BE11E}
> > drwxrwx---+ 4 root 3000000 4096 maj 21 20:03
> > {E2C539EE-9AEE-4064-B177-6DBA12121388}
> > drwxrwx---+ 4 root 3000000 4096 maj 21 18:31
> > {FE5BEAC4-A519-4F0D-82B3-A240568ABF2B}
> >
> > Some thought that I have is that adding in the existing Samba file
> > server (even if the TDB/LDB was deleted) causes some issues. The
> > second thought is that, due to all posts on the net, SYSVOL
> is still a
> > gamble and too fragile to stable production. Maybe I am
> wrong, I sure
> > hope so...
> >
> > Again, sorry for the long mail but I really want to solve
> this, and I
> > am no quitter, nor afraid of looking to solutions either by
> > trial-and-error or reading up on other samba users
> problems/solutions.
> > This is what make this community so great, dont u agree?
>
> Set the rights as i told you and it will work.
> In order DC1.
> Stop samba, create copy of idmap
> Start samba-ad-dc.
> Setup the rights as shown above from within windows.
>
> On DC2, stop samba,
> Sync sysvol (and netlogon) to DC2 and make sure the rights
> are the same.
> Copy idmap to DC2.
> Start samba, check again.
>
> You also seen this :
> https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
>
> You have start now fix things, what i see is all fixable.
>
>
> Greetz,
>
> Louis
>
>
>
>
> >
> > /Anders
> >
> > On Thu, May 20, 2021 at 12:32 PM L.P.H. van Belle
> > <belle at bazuin.nl> wrote:
> > >
> > > it looks good, but i dont know about these error.
> > >
> > > post this to the samba list, maybe Rowland seen it before,
> > i did a quick check in bugzilla bug i didnt see any bugs on
> > these messages.
> > >
> > > It's mainly this part.
> > > dsdb_replicated_objects_convert: Ignoring object outside
> > partition c45055a1-bf66-42f3-9acf-1e3ed0d187d8
> > CN=Schema,CN=Configuration,DC=hoganas-platslagaren,DC=se:
> > WERR_DS_ADD_REPLICA_INHIBITED
> > > Replicating critical objects from the base DN of the domain
> > > Partition[DC=hoganas-platslagaren,DC=se] objects[114/115]
> > linked_values[24/72]
> > > Partition[DC=hoganas-platslagaren,DC=se] objects[321/2729]
> > linked_values[67/72]
> > > Failed to commit objects: DOS code 0x000021bf
> > > Missing target object - retrying with DRS_GET_TGT
> > >
> > > Also, dont forget to sync sysvol to samba. ;-)
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > >
> > >
> > > ________________________________
> > > Van: Anders ?stling [mailto:anders.ostling at gmail.com]
> > > Verzonden: donderdag 20 mei 2021 12:02
> > > Aan: L.P.H. van Belle
> > > Onderwerp: Re: [Samba] CSC & roaming profiles
> > >
> > > Hi
> > >
> > > Domain join failed due to "configuration error", I
assume
> > that this was the too-high domain/forest level
> > >
> > > I managed to downgrade domain and forest to 2008, and it
> > seemed to work fine after that. There is one error that I
> > dont know if it is relevant or not
> > >
> > > root at HP-SRV10:/etc# rm /etc/samba/smb.conf
> > > root at HP-SRV10:/etc# samba-tool domain join
> > hoganas-platslagaren.se DC -U "HPTLS\administrator"
> > > INFO 2021-05-20 11:58:45,853 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #106: Finding a
> > writeable DC for domain 'hoganas-platslagaren.se'
> > > INFO 2021-05-20 11:58:45,859 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #108: Found DC
> > HP-SRV02.hoganas-platslagaren.se
> > > Password for [HPTLS\administrator]:
> > > INFO 2021-05-20 11:58:50,793 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1541:
> workgroup is HPLTS
> > > INFO 2021-05-20 11:58:50,794 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1544: realm is
> > hoganas-platslagaren.se
> > > Adding CN=HP-SRV10,OU=Domain
> > Controllers,DC=hoganas-platslagaren,DC=se
> > > Adding
> > CN=HP-SRV10,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN> >
Configuration,DC=hoganas-platslagaren,DC=se
> > > Adding CN=NTDS
> > Settings,CN=HP-SRV10,CN=Servers,CN=Default-First-Site-Name,CN> >
Sites,CN=Configuration,DC=hoganas-platslagaren,DC=se
> > > Adding SPNs to CN=HP-SRV10,OU=Domain
> > Controllers,DC=hoganas-platslagaren,DC=se
> > > Setting account password for HP-SRV10$
> > > Enabling account
> > > Calling bare provision
> > > INFO 2021-05-20 11:58:51,081 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2105: Looking up IPv4 addresses
> > > INFO 2021-05-20 11:58:51,081 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2122: Looking up IPv6 addresses
> > > WARNING 2021-05-20 11:58:51,082 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2129: No IPv6 address will be assigned
> > > INFO 2021-05-20 11:58:51,261 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2273: Setting up share.ldb
> > > INFO 2021-05-20 11:58:51,292 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2277: Setting up secrets.ldb
> > > INFO 2021-05-20 11:58:51,317 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2282: Setting up the registry
> > > INFO 2021-05-20 11:58:51,401 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2285: Setting up the privileges database
> > > INFO 2021-05-20 11:58:51,444 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2288: Setting up idmap db
> > > INFO 2021-05-20 11:58:51,474 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2295: Setting up SAM db
> > > INFO 2021-05-20 11:58:51,481 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #880: Setting up sam.ldb partitions and settings
> > > INFO 2021-05-20 11:58:51,483 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #892: Setting up sam.ldb rootDSE
> > > INFO 2021-05-20 11:58:51,489 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #1305: Pre-loading the Samba 4 and AD schema
> > > Unable to determine the DomainSID, can not enforce
> > uniqueness constraint on local domainSIDs
> > >
> > > INFO 2021-05-20 11:58:51,528 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2348: A Kerberos configuration suitable for Samba AD has
> > been generated at /var/lib/samba/private/krb5.conf
> > > INFO 2021-05-20 11:58:51,528 pid:5543
> > /usr/lib/python3/dist-packages/samba/provision/__init__.py
> > #2349: Merge the contents of this file with your system
> > krb5.conf or replace it with this one. Do not create a symlink!
> > > Provision OK for domain DN DC=hoganas-platslagaren,DC=se
> > > Starting replication
> > >
> > Schema-DN[CN=Schema,CN=Configuration,DC=hoganas-platslagaren,D
> > C=se] objects[402/1500] linked_values[0/0]
> > >
> > Schema-DN[CN=Schema,CN=Configuration,DC=hoganas-platslagaren,D
> > C=se] objects[804/1500] linked_values[0/0]
> > >
> > Schema-DN[CN=Schema,CN=Configuration,DC=hoganas-platslagaren,D
> > C=se] objects[1206/1500] linked_values[0/0]
> > >
> > Schema-DN[CN=Schema,CN=Configuration,DC=hoganas-platslagaren,D
> > C=se] objects[1599/1500] linked_values[0/0]
> > >
> > Schema-DN[CN=Schema,CN=Configuration,DC=hoganas-platslagaren,D
> > C=se] objects[1774/1500] linked_values[0/0]
> > > Analyze and apply schema objects
> > > Partition[CN=Configuration,DC=hoganas-platslagaren,DC=se]
> > objects[402/3381] linked_values[0/35]
> > > Partition[CN=Configuration,DC=hoganas-platslagaren,DC=se]
> > objects[804/3381] linked_values[0/35]
> > > Partition[CN=Configuration,DC=hoganas-platslagaren,DC=se]
> > objects[1206/3381] linked_values[0/35]
> > > Partition[CN=Configuration,DC=hoganas-platslagaren,DC=se]
> > objects[1608/3381] linked_values[0/35]
> > > Partition[CN=Configuration,DC=hoganas-platslagaren,DC=se]
> > objects[1806/3381] linked_values[35/35]
> > > dsdb_replicated_objects_convert: Ignoring object outside
> > partition c45055a1-bf66-42f3-9acf-1e3ed0d187d8
> > CN=Schema,CN=Configuration,DC=hoganas-platslagaren,DC=se:
> > WERR_DS_ADD_REPLICA_INHIBITED
> > > Replicating critical objects from the base DN of the domain
> > > Partition[DC=hoganas-platslagaren,DC=se] objects[114/115]
> > linked_values[24/72]
> > > Partition[DC=hoganas-platslagaren,DC=se] objects[321/2729]
> > linked_values[67/72]
> > > Failed to commit objects: DOS code 0x000021bf
> > > Missing target object - retrying with DRS_GET_TGT
> > > Partition[DC=hoganas-platslagaren,DC=se] objects[636/2729]
> > linked_values[134/72]
> > > Partition[DC=hoganas-platslagaren,DC=se] objects[715/2729]
> > linked_values[139/72]
> > > dsdb_replicated_objects_convert: Ignoring object outside
> > partition a45c5820-5828-449e-a83c-4edbe88bc727
> > CN=Configuration,DC=hoganas-platslagaren,DC=se:
> > WERR_DS_ADD_REPLICA_INHIBITED
> > > dsdb_replicated_objects_convert: Ignoring object outside
> > partition ce610c6f-2c84-437d-8229-6245fe2c3b71
> > DC=DomainDnsZones,DC=hoganas-platslagaren,DC=se:
> > WERR_DS_ADD_REPLICA_INHIBITED
> > > dsdb_replicated_objects_convert: Ignoring object outside
> > partition 1a852b62-0fc3-4d63-ad78-52384d9178fd
> > DC=ForestDnsZones,DC=hoganas-platslagaren,DC=se:
> > WERR_DS_ADD_REPLICA_INHIBITED
> > > Done with always replicated NC (base, config, schema)
> > > Replicating DC=DomainDnsZones,DC=hoganas-platslagaren,DC=se
> > > Partition[DC=DomainDnsZones,DC=hoganas-platslagaren,DC=se]
> > objects[101/101] linked_values[0/0]
> > > Replicating DC=ForestDnsZones,DC=hoganas-platslagaren,DC=se
> > > Partition[DC=ForestDnsZones,DC=hoganas-platslagaren,DC=se]
> > objects[21/21] linked_values[0/0]
> > > Exop on[CN=RID
> > Manager$,CN=System,DC=hoganas-platslagaren,DC=se] objects[3]
> > linked_values[0]
> > > Committing SAM database
> > > Repacking database from v1 to v2 format (first record
> > CN=ms-DS-Repl-Attribute-Meta-Data,CN=Schema,CN=Configuration,D
> > C=hoganas-platslagaren,DC=se)
> > > Repack: re-packed 10000 records so far
> > > Repacking database from v1 to v2 format (first record
> > CN=default-Display,CN=406,CN=DisplaySpecifiers,CN=Configuratio
> > n,DC=hoganas-platslagaren,DC=se)
> > > Repacking database from v1 to v2 format (first record
> > DC=20,DC=2.0.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones
> > ,DC=hoganas-platslagaren,DC=se)
> > > Repacking database from v1 to v2 format (first record
> > DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hoga
> > nas-platslagaren.se,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hogan
> > as-platslagaren,DC=se)
> > > Repacking database from v1 to v2 format (first record
> > CN=Group Policy Creator
> Owners,CN=Users,DC=hoganas-platslagaren,DC=se)
> > > INFO 2021-05-20 11:59:07,867 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1115: Adding 1
> > remote DNS records for HP-SRV10.hoganas-platslagaren.se
> > > INFO 2021-05-20 11:59:07,890 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1178: Adding
> > DNS A record HP-SRV10.hoganas-platslagaren.se for IPv4 IP: 10.0.2.3
> > > INFO 2021-05-20 11:59:08,012 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1206: Adding
> > DNS CNAME record
> > 01074a83-48cc-4605-98e5-97c23ef6df06._msdcs.hoganas-platslagar
> > en.se for HP-SRV10.hoganas-platslagaren.se
> > > INFO 2021-05-20 11:59:08,137 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1230: All other
> > DNS records (like _ldap SRV records) will be created
> > samba_dnsupdate on first startup
> > > INFO 2021-05-20 11:59:08,138 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1236:
> > Replicating new DNS records in
> > DC=DomainDnsZones,DC=hoganas-platslagaren,DC=se
> > > Partition[DC=DomainDnsZones,DC=hoganas-platslagaren,DC=se]
> > objects[1/101] linked_values[0/0]
> > > INFO 2021-05-20 11:59:08,168 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1236:
> > Replicating new DNS records in
> > DC=ForestDnsZones,DC=hoganas-platslagaren,DC=se
> > > Partition[DC=ForestDnsZones,DC=hoganas-platslagaren,DC=se]
> > objects[1/21] linked_values[0/0]
> > > INFO 2021-05-20 11:59:08,192 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1251: Sending
> > DsReplicaUpdateRefs for all the replicated partitions
> > > INFO 2021-05-20 11:59:08,202 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1281: Setting
> > isSynchronized and dsServiceName
> > > INFO 2021-05-20 11:59:08,216 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1296: Setting
> > up secrets database
> > > INFO 2021-05-20 11:59:08,258 pid:5543
> > /usr/lib/python3/dist-packages/samba/join.py #1558: Joined
> > domain HPLTS (SID S-1-5-21-687474044-2168480911-1327640110) as a DC
> > > root at HP-SRV10:/etc#
> > >
> > > On 2021-05-20 09:49, L.P.H. van Belle wrote:
> > >
> > > Good Morning Anders,
> > >
> > > Well, the idea is fine offcourse, but it does have a few
> > point to research and test first.
> > > You can join all windows server "as member server" to
Samba
> > AD-DC's, you still cant join (as far i know) a 2012R2 AD if
> > Schema is also 2012.
> > >
> > > Depending on what SQL you use, you might need to extend the
> > samba schema's to support it, if its MS Sql.
> > > there are more that use that, only i cant tell that, thats
> > more a list question and i see few on the list passing by on this.
> > > Also, lots use Azure these days, thats also thing to
> research first.
> > >
> > > I use my W10 pc to manage some things with delegated
> > rights, and as you, i have a other pc(VM guest) only for
> management.
> > > Since i use AD backends, I still use a W7 pc for
> > management, i like/need the Unix-Tab in RSAT tools, and thats
> > the only reason.
> > >
> > > File/Folder permissions if you can join a samba in current
> > AD, well, that wont change then, you can do same as before
> > and no rights wil change.
> > >
> > > Keep eye on this 2 bugreports.
> > > https://bugzilla.samba.org/show_bug.cgi?id=13618
> > > https://bugzilla.samba.org/show_bug.cgi?id=13619
> > >
> > > So if your W2012 server now run the 2008R2 Schema, only
> > then your samba AD-DC servers can join.
> > >
> > > I hope this helps you a bit.
> > >
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > > ________________________________
> > > Van: Anders ?stling [ MailScanner heeft een e-mail met
> > mogelijk een poging tot fraude gevonden van "gmail.com"
> > MailScanner heeft een e-mail met mogelijk een poging tot
> > fraude gevonden van "gmail.com" mailto:anders.ostling at
gmail.com]
> > > Verzonden: woensdag 19 mei 2021 22:27
> > > Aan: L.P.H. van Belle
> > > Onderwerp: Re: [Samba] CSC & roaming profiles
> > >
> > > Lois, may I ask you for advice and/or opinion?
> > >
> > > We have a Windows 2019 that hosts a database ERP
> > application that only runs on Windows. For historical
> > reasons, that server is also a DC. There is also a second Win
> > 2012 server whos only role nowadays is to be a partner DC. No
> > apps or services are running on that one. We have kept it
> > just in case we need a failover windows server in case the
> > 2019 breaks down. The 2019 is a VM while the 2012 is a
> > physical server.
> > >
> > > Our Samba server holds all other files and data, including
> > a number of server based legacy apps (running under vDOS just fine).
> > >
> > > Now, we decide to demote the Windows server from the DC
> > role and deploy a Samba AD DC instead, what would that mean
> > in terms of user and permission management? Today, I am using
> > the 2019 for such tasks, but I guess it would be possible to
> > do the same from a Windows 10 client using the RSAT tools,
> > right? It is a path that I would like to go, but on the other
> > hand I dont want to break anything too bad.
> > >
> > > 1- Install a new Samba AD DC and join the domain
> > > 2- Transfer the FSMO roles to the samba DC
> > > 3- Demote the Windows AD to a normal server
> > > 4- Setup a new virtual Windows 10 client for
> administrative purposes
> > >
> > > How does this sound? I wont hold you accountable, just
> > asking for an opinion :)
> > >
> > > /Anders
> > >
> > > On Wed, May 19, 2021 at 12:03 PM L.P.H. van Belle
> > <belle at bazuin.nl> wrote:
> > >>
> > >> If you go for that, just copy them and run the fix-scripts.
> > >> Thats how i moved all my data from server last time, thats
> > why i also created the scripts. :-)
> > >>
> > >> on 1) yeah, i have a dedicated server for my data only
> > member servers in my case.
> > >> on 2) after you did run that script, look also at the
> > rights from within windows, also look at the advanced rights
> > there, that might help finding rights that are off.
> > >> i focus in my setup on "everything" is group based.
you
> > see what i mean when you lookup the rights.
> > >>
> > >> on 3) does not really matter how you copy. if its only
> > usershome and profiles the shown scripts are sufficent.
> > >> If you also moving "companydata" thats an other
script i use.
> > >>
> > >> Thats bit more work and preparation, in onder what that
> > script does is:
> > >> it finds all subfolders in "SAMBA_BASE" (
> > /srv/samba/companydata/ ) in this folder, the i do ls -d and
> > every subfolder in there has a same group name in ad.
> > >>
> > >>
> > >> for FindFoldersDepartments in $(ls -d
"${SAMBA_BASE}/*" ; do
> > >>
> > >> # Remove old ACL's.
> > >> echo "Removing old ACL's for:
${FindFoldersDepartments}"
> > >> setfacl --recursive --remove-all
> > "${SAMBA_BASE}/${FindFoldersDepartments}"
> > >>
> > >> # Make sure we removed Other (everyone) from all files
> > and folders.
> > >> echo "Recursively removing access for other
(everyone)
> > for: ${FindFoldersDepartments}"
> > >> chmod -R o-rwx
"${SAMBA_BASE}/${FindFoldersDepartments}/"
> > >>
> > >> # Set basic POSIX Rights
> > >> # set all owner rights to root:root (=
> > Administrator:Domain Admins )
> > >> # without it, migrated files might still have there
> > old UID/GIDs on them.
> > >> echo "Re-apply (recursive) root:root on the
> > Departments folder for: ${FindFoldersDepartments}"
> > >> chown -R root:root
"${SAMBA_BASE}/${FindFoldersDepartments}"
> > >> # Set Creator Group.
> > >> chmod -R 2770
"${SAMBA_BASE}/${FindFoldersDepartments}/"
> > >>
> > >> ...
> > >> This is a part i use to get he needed SID/GID.
> > >>
> > >> function _apply_rights(){
> > >> # Find the SID of the group/folder
> > >> SID_DEPARTMENT="$(wbinfo -n
> > ${FindFoldersDepartments}|awk '{ print $1 }')"
> > >> if [ -z "$SID_DEPARTMENT" ]
> > >> then
> > >> echo "#4# Error unable to get SID for group :
> > ${FindFoldersDepartments}"
> > >> else
> > >> echo "#5# Found group ${FindFoldersDepartments}:
> > $SID_DEPARTMENT"
> > >> fi
> > >>
> > >> from here i get the old rights, with getfacl put that in
> > files, correct it and re-apply it.
> > >> this part does need work, because this is different per
> > setup/company.
> > >>
> > >> On 4) looks fine, but i suggest, just add my part, in new
> > share, get 1 users and there profiles
> > >> copy in to the new location and adjust the user in AD.
> > >> less work and faster checkup.
> > >>
> > >> 5) netlogon? uh.. i dont use netlogon at all, only GPO
> > here. only tip i can give here is. use FQDN everywhere.
> > >>
> > >> 6) you might need to reboot, login and reboot again before
> > everything is set in windows.
> > >> but that depends on what you use..
> > >>
> > >> I hope this helps a bit more ;-)
> > >>
> > >> Greetz ,
> > >>
> > >> Louis
> > >>
> > >>
> > >> ________________________________
> > >> Van: Anders ?stling [mailto:anders.ostling at gmail.com]
> > >> Verzonden: woensdag 19 mei 2021 11:24
> > >> Aan: L.P.H. van Belle; Rowland penny
> > >> Onderwerp: Re: [Samba] CSC & roaming profiles
> > >>
> > >> Since the permissions may have come into a inconsistent
> > state, I think that a better way could be to start from
> > scratch by doing this
> > >>
> > >> 1- Create a new virtual disk (the server is a VM under
> > KVM/QEMU) for just profiles and home directories.
> > >> 2- Use your (lois) script to create folders and set
> > permissions for all users
> > >> 3- Copy existing files from the production disk to
> > Profiles and Users to ensure that they inherit correct
> > permissions. What would be the best way to do this? XCOPY, cp
> > -R or something else?
> > >> 4- Add new share definitions to the smb.conf to point the
> > shares to the new disk
> > >> 5- Update the netlogon script
> > >> 6- Reboot the clients
> > >>
> > >> /Anders
> > >>
> > >> Anders ?stling
> > >>
> > >> D?mmegatan 11
> > >> SE-25442 Helsingborg
> > >> Sweden
> > >> Phone: +46 768 716 165
> > >> Skype: anders.ostling at outlook.com
> > >>
> > >> On 19 May 2021, 11:04 +0200, L.P.H. van Belle via samba
> > <samba at lists.samba.org>, wrote:
> > >>
> > >>
> > https://docs.microsoft.com/en-us/windows-server/storage/folder
> > -redirection/folder-redirection-rup-overview
> > >>
> > >> The link again, if it gives 404 link got broken then but
> > in that 404 page you do see the correct one.
> > >>
> > >>
> > >> Can you show and output of getfacl on the userhomedir and
> > profilefolder? of an user.
> > >>
> > >>
> > >> Greetz,
> > >>
> > >> Louis
> > >>
> > >>
> > >> Van: Anders ?stling [mailto:anders.ostling at gmail.com]
> > >> Verzonden: woensdag 19 mei 2021 10:59
> > >> Aan: L.P.H. van Belle
> > >> Onderwerp: Re: [Samba] CSC & roaming profiles
> > >>
> > >>
> > >>
> > >>
> > >> Anders ?stling
> > >> D?mmegatan 11
> > >> SE-25442 Helsingborg
> > >> Sweden
> > >> Phone: +46 768 716 165
> > >> Skype: anders.ostling at outlook.com
> > >>
> > >>
> > >>
> > >>
> > >> On 19 May 2021, 10:42 +0200, L.P.H. van Belle via samba
> > <samba at lists.samba.org>, wrote:
> > >> Anders,
> > >>
> > >> I suggest have a look that this script i made.
> > >>
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-s
> > etup-share-folders.sh
> > >> It setups up a base structure with needed rights. Compair
> > them with yours.
> > >> Note, i use AD-backend on the member servers.
> > >>
> > >> I am using the RID backend, don t ask why. I guess I
> > picked it from some template. So I guess that the script is
> > not applicable to me. But I have will a close look at your
> > script and the specific settings.
> > >>
> > >> To reduce problems, ( you never can fully, simply because
> > of windows.. )
> > >> 1) Setup the profiles with the rights as shown in the script.
> > >> 2) read this..
> > https://docs.microsoft.com/en-us/windows-server/storage/flder-
> > redirection/folder-redirection-rup-overview
> > >> 404 on that one
> > >>
> > >>
> > >>
> > >> And the sections below it.
> > >>
> > >> U:/AppData/Roaming..On this, windows expect the user to be
> > the owner on the userhome dirs.
> > >>
> > >> They are
> > >>
> > >> Get a message ?We could not log you on using a profile, a
> > >> temporary profile has been created? (or quite similar to
this)
> > >> Same for profiles, but there you can set also in GPO.
> > >> GPO: Add the adminstrators security group to roaming
> user profiles.
> > >> That helps for the profiles itself.
> > >>
> > >> I will check that too
> > >>
> > >> Check this script to fix the rights on the userhomedir
> > >>
> > https://github.com/thctlo/samba4/blob/master/samba-fix-userhom
> > e-recursive.sh
> > >> I seen same as you, i must follow an oder on how i create
> > a new user for example.
> > >>
> > >> I create the user, fist thing then i set the UID/GID for
> the users.
> > >> Then i can make the homefolder and profiles folder
> > >>
> > >> If the user homedir is created, directly when you added the
user,
> > >> like when you make a copy of a other user and
> > \server.fqdn\users\%username% is used in RSAT
> > >> Then the rights are wrong, in these cases i or run above
> > script or change it manual.
> > >>
> > >>
> > >> I hope that this will help you.
> > >>
> > >> We will know in a couple of day. Thank you for your advise
Lois!
> > >>
> > >> Greetz,
> > >>
> > >> Louis
> > >>
> > >> -----Oorspronkelijk bericht-----
> > >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > >> Anders ?stling via samba
> > >> Verzonden: woensdag 19 mei 2021 10:07
> > >> Aan: Patrik via samba
> > >> Onderwerp: [Samba] CSC & roaming profiles
> > >>
> > >> Hi
> > >> I have had roaming profiles enabled on user accounts since
> > >> November last year. This is a small business with approx 10
> > >> users, but a few of them are actually taking benefit of the
> > >> roaming profile feature.
> > >> Recently, they have had all sorts of problems with their
> > >> profiles, usually Access Denied when trying to load the
> > >> profiles (only those that actually roams between different
> > >> computers). I have spent hours trying to find a pattern and
> > >> pinpoint the exact source of the problem. During this
> > >> digging, I have learned to hate Windows even more, since the
> > >> profiles management is like an octopus, reaching into almost
> > >> every part of the system...
> > >>
> > >> Anyway, I managed to get it back on track by loosing up
> > >> permissions on the /share/profiles folder (temporary) but I
> > >> need to find a permanent solution. During the attempts to
> > >> restore the clients, I also found out that the C:/Windows/CSC
> > >> directory has a function too. Another cache besides what is
> > >> under C:/Users/<username>/Desktop/? At the same time,
the few
> > >> roaming users also got problems accessing their
> > >> U:/AppData/Roaming folders. The permissions looked good, but
> > >> MS apps (Excel and Word had a different opinion and refused
> > >> to load documents). The temporary fix for this was also to
> > >> loose up permissions on the AppData folder until I had a
> > >> better understanding of what?s going on.
> > >>
> > >> So, while re-reading the Samba wiki page, I saw that there is
> > >> a parameter, csc policy = disable, that I have not seen
> > >> before. Is the wiki for profiles updated recently with that
> > >> one? I found some internet posts that describes the different
> > >> values, enable/manual/disable and their functions. Could this
> > >> have been a reason for my client?s problem (several users on
> > >> one computer, and a CSC that got confused)? If so, then I
> > >> hope that disabling the function will make the clients work
> > >> better once I have restored them from scratch.
> > >>
> > >> While I am typing, let me describe another specific user?s
> > >> situation. Initially she got the same permissions error when
> > >> logging on another computer. But suddenly, her normal
> > >> workstation started to behave like this (maybe after a
> > >> loosened up the permissions on the /share/profiles, hard
> to tell).
> > >>
> > >> She logs on the domain
> > >> Get a message ?We could not log you on using a profile, a
> > >> temporary profile has been created? (or quite similar to
this)
> > >> A blank desktop with Trashcan
> > >> The netlogon script has mapped up her drives correctly
> > >>
> > >> The C:/Users folder now contains these folders
> > >> /katarina (hers)
> > >> /temp.hlts (domain name)
> > >> /temp.hplts.1
> > >> /temp.hplts.2
> > >> /temp.hplts.3
> > >>
> > >> She can navigate to /Users/katarina/Desktop where all her
> > >> saved shortcuts are, and CTRL-A, CTRL-C. Then close explorer
> > >> and CTRL-V on desktop. Everything works as before, including
> > >> mapped drives and app and document shortcuts. If she logs
> > >> out, then all steps need to be repeated. So for the moment,
> > >> she just WIN+L at the end of the day until her computer is
> > >> re-installed, and hopefully things are working again.
> > >>
> > >> She CAN map drive profile folder on the server manually
> > >> without getting any permission error. This makes me believe
> > >> that the problem is on the client side, not the server.
> > >>
> > >> Windows 10 2020H2 on the clients.
> > >> Samba 4.13.8 on the server
> > >> Windows 2019 Standard as DC
> > >>
> > >> End of rant. I hope that someone can give some insight and
> > >> maybe advise on how to fix this mess. If not, it?s a
> > >> re-install of the affected clients and praying that the CSC
> > >> disable will help.
> > >> --
> > >> To unsubscribe from this list go to the following URL
> and read the
> > >> instructions: https://lists.samba.org/mailman/options/samba
> > >>
> > >>
> > >>
> > >>
> > >> --
> > >> To unsubscribe from this list go to the following URL
> and read the
> > >> instructions: https://lists.samba.org/mailman/options/samba
> > >> --
> > >> To unsubscribe from this list go to the following URL
> and read the
> > >> instructions: https://lists.samba.org/mailman/options/samba
> > >
> > >
> > >
> > > --
> > > ------ -------------------- 8 ------------------ ------
> > > "A wise man once told me - Any idiot can do backups, but it
> > takes a genius to successfully restore"
> > >
> > > Anders ?stling
> > > +46 768 716 165 (Mobil)
> > > +46 431 45 56 01 (Hem)
> > >
> >
> >
> > --
> > ------ -------------------- 8 ------------------ ------
> > "A wise man once told me - Any idiot can do backups, but it takes
a
> > genius to successfully restore"
> >
> > Anders ?stling
> > +46 768 716 165 (Mobil)
> > +46 431 45 56 01 (Hem)
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>