On Tue, 27 May 2025 12:32:51 +0200
Simon Hakenes via samba <samba at lists.samba.org> wrote:
> Hi all,
>
> I'm running into a puzzling issue with users' Windows profile not
> syncing correctly. Here's our setup:
>
> * Samba version 4.19.9-Debian-4.19.9+dfsg-1~mjt+deb12
>
> * One AD DC (Samba internal DNS)
Bad idea, you should always run at least two DCs for failover purposes.
>
> * Profile data located on a separate file server (member of the
>   domain)
>
> * Clients are all Windows 11
>
> * We also run Linux clients, they all work fine
>
> * The share \\usersfs\profiles\... resolves correctly and is used
>   by all users successfully
>
> All other users work fine. For the affected user:
>
> * She can login. I can see that in the logs and everything looks
>   fine.
>
> * She works normally during the day (reads/writes files, Thunderbird
>   works, etc.).
>
> * On logout, *nothing is written back* to the file server. All
>   timestamps on the file server are old.
>
> * Windows event log shows no errors or warnings.
>
> * Logging out and back in still loads the old state.
> We've verified:
>
> * Permissions on the profile directory on the file server
>
> * No event viewer messages during logout
>
> * Her authentication in the logs looks fine
>
> * A new test user works fine, profile is created and synced normally
>
> We also see this related issue:
>
> * Two other users report that files they delete from their profile
>   reappear after logout/login
>
> * Their profile directories on the file server *do* get new
>   timestamps at logout
> I am trying to figure out how to further diagnose the root cause. I
> am admittedly a bit inexperienced with samba/Windows. What places do
> I need to check to find the cause of that issue?
>
> Thanks a lot!
> Simon
>
> Here is our smb.conf from the dc:
> ------------------------------------------------------------------
> # Global parameters
> [global]
>
>         netbios name = DC1
>         realm = HOME.DOMAIN.DE
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
Interesting, above you say that you are using the Samba internal dns,
but you have a 'server services' line (which isn't standard if using
the Samba internal dns server) without 'dns' anywhere in it. There is
also no 'dns forwarder' line.
>         workgroup = HOME
>         idmap_ldb:use rfc2307 = yes
>         log level = 1 auth_audit:5
>         ntp signd socket directory = /var/lib/samba/ntp_signd
There is no need to set that, it is the default.
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [netlogon]
>         path = /var/lib/samba/sysvol/home.domain.de/scripts
>         read only = No
> ------------------------------------------------------------------
>
>
> And the smb.conf from the fileserver:
>
> ------------------------------------------------------------------
> [global]
>         log file = /var/log/samba/%m.log
>         log level = 5
>         max log size = 50
>         realm = HOME.DOMAIN.DE
>         security = ADS
>         server role = member server
>         winbind cache time = 10
>         winbind enum groups = Yes
>         winbind enum users = Yes
>         winbind expand groups = 1
>         winbind nss info = rfc2307
>         winbind offline logon = Yes
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = HOME
>         idmap config * : backend = tdb
>         idmap config * : range = 1000-1999
>         idmap config home : backend = ad
>         idmap config home : schema_mode = rfc2307
>         idmap config home : range = 10000-999999
>         idmap config home : unix_nss_info = yes
>         idmap config home : unix_primary_group = yes
>         map acl inherit = Yes
>         vfs objects = acl_xattr shadow_copy2
>         min domain uid = 0
>         kerberos method = secrets and keytab
>
> ##### Shares #####
>
> [users]
>         path = /tank/homes/
>         read only no
Unless that is a typo, it should be 'read only = no'
>         writable = yes
But thankfully it is corrected by its synonym.
>
> [profiles]
>         browseable = No
>         comment = User profiles
>         csc policy = disable
>         path = /tank/profiles/
>
>         read only = No
>
> ------------------------------------------------------------------
>
Rowland
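Added example, not from the thread or from the Samba project: a small Python checker that parses an smb.conf and flags the points raised in the reply above (a 'server services' list without dns, no 'dns forwarder', a redundant default, and a share line with no '='). The sample config inside it is constructed to mirror the quoted DC config; the section names and values are illustrative.

```python
import re
# Constructed sample modelled on the DC config quoted above (not the real file).
SAMPLE_DC_CONF = """\
[global]
        netbios name = DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        ntp signd socket directory = /var/lib/samba/ntp_signd
[users]
        path = /tank/homes/
        read only no
        writable = yes
"""

def parse_smb_conf(text):
    """Return ({section: {key: value}}, [(section, line)]); the list holds lines with no '='."""
    sections, malformed, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                    # section header such as [global]
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:                      # e.g. 'read only no' from the thread
            malformed.append((current, line))
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections, malformed

def check_dc_conf(text):
    """Findings for an AD DC smb.conf that is meant to run Samba's internal DNS."""
    sections, malformed = parse_smb_conf(text)
    g = sections.get("global", {})
    findings = []
    if "server services" in g:
        services = {s.strip().lower() for s in g["server services"].split(",")}
        if "dns" not in services:
            findings.append("'server services' is set but omits dns: the internal DNS server will not run")
    if "dns forwarder" not in g:
        findings.append("no 'dns forwarder' set: the internal DNS server has nowhere to send external queries")
    if g.get("ntp signd socket directory") == "/var/lib/samba/ntp_signd":
        findings.append("'ntp signd socket directory' is set to its default value; the line is redundant")
    for section, line in malformed:
        findings.append(f"[{section}] '{line}' is not a 'key = value' line and is not a valid parameter")
    return findings
```

Run check_dc_conf on the DC's smb.conf text; an empty list means none of the points above apply.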