samba - Dec 2014 - samba 4.1 roaming profiles

I'm configuring a new samba 4.1 server with NT4 style domain. I've
copied
most of the configuration from our working 3.6 server, making some changes
as needed for the newer samba version. So far, I have been unable to get
roaming profiles to work. It seems like the users cannot write in the
profiles directory, but I don't see why not.

Here is the relevant part of smb.cond

[global]

netbios name = gecko
workgroup = MSD
server string = FileServer
hosts allow = 127. 10.0.0.

max protocol = SMB2

allow insecure wide links = yes

log file = /var/log/samba/log.%m
max log size = 50

security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes

logon script = startup.vbs
logon path = \\%L\profiles\%U

local master = yes
os level = 65
preferred master = yes
wins support = yes

map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
acl allow execute always = True

[homes]
        comment = Home Directories
        path = /mnt/share/homes/%u
        browseable = no
        writable = yes
        valid users = %S
        oplocks = No
        level2 oplocks = No

[netlogon]
        comment = Network Logon Service
        path = /mnt/share/netlogon
        browseable = no
        writable = no
        write list = +ntadmins
        wide links = yes

[profiles]
        comment = Roaming Profiles
        path = /mnt/share/ntprofiles
        admin users = +ntadmins
        writable = yes
        profile acls = yes
        csc policy = disable

And here is the directory structure:

[root at geckovm share]# ls -la /mnt/share/

drwxr-xr-x  11 root      root        4096 Dec 15 12:24 homes
drwxrwxrwx   2 root      Everyone    4096 Nov 24 18:00 netlogon
drwxrwxr-x   4 root      Everyone    4096 Dec 15 12:24 ntprofiles

We do all of our administration from the linux side, so I refered to the
section for
"Profile Shares using POSIX ACLS" in this wiki article.

https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

Thanks for any suggestions on how to proceed,

Mark

-- 
Please update your records with my new email address.

Dear Mark, 

It looks like you are trying to do the same as I did. Did you read the
thread I had some days ago with subject "How to copy roaming profiles to
new server ? ("Group policy client service failed. The logon access is
denied")" ? 

This could help you. 

Other suggestions : 

Not sure if [profiles.V2] is still required but maybe you should try to
add it ? 

We also only had /data/shares/profiles as "path" on old server, but on
the new one we have this : 

path = /data/shares/profiles/%u.V2 

As I am not expert at all I hope this will not create more problems than
solutions, but maybe you will find a hint among these points ;-) 

And this may also help you : 

http://www.ber10thal.com/blog/samba-domain-migration-to-a-new-machine/ 

Denis 

Le 15.12.2014 22:38, Mark Nienberg a ?crit : 
> I'm configuring a new samba 4.1 server with NT4 style domain. I've
copied
> most of the configuration from our working 3.6 server, making some changes
> as needed for the newer samba version. So far, I have been unable to get
> roaming profiles to work. It seems like the users cannot write in the
> profiles directory, but I don't see why not.
> 
> Here is the relevant part of smb.cond
> 
> [global]
> 
> netbios name = gecko
> workgroup = MSD
> server string = FileServer
> hosts allow = 127. 10.0.0.
> 
> max protocol = SMB2
> 
> allow insecure wide links = yes
> 
> log file = /var/log/samba/log.%m
> max log size = 50
> 
> security = user
> passdb backend = tdbsam
> domain master = yes
> domain logons = yes
> 
> logon script = startup.vbs
> logon path = \%Lprofiles%U
> 
> local master = yes
> os level = 65
> preferred master = yes
> wins support = yes
> 
> map archive = no
> map hidden = no
> map read only = no
> map system = no
> store dos attributes = yes
> acl allow execute always = True
> 
> [homes]
> comment = Home Directories
> path = /mnt/share/homes/%u
> browseable = no
> writable = yes
> valid users = %S
> oplocks = No
> level2 oplocks = No
> 
> [netlogon]
> comment = Network Logon Service
> path = /mnt/share/netlogon
> browseable = no
> writable = no
> write list = +ntadmins
> wide links = yes
> 
> [profiles]
> comment = Roaming Profiles
> path = /mnt/share/ntprofiles
> admin users = +ntadmins
> writable = yes
> profile acls = yes
> csc policy = disable
> 
> And here is the directory structure:
> 
> [root at geckovm share]# ls -la /mnt/share/
> 
> drwxr-xr-x 11 root root 4096 Dec 15 12:24 homes
> drwxrwxrwx 2 root Everyone 4096 Nov 24 18:00 netlogon
> drwxrwxr-x 4 root Everyone 4096 Dec 15 12:24 ntprofiles
> 
> We do all of our administration from the linux side, so I refered to the
> section for
> "Profile Shares using POSIX ACLS" in this wiki article.
> 
> https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles [1]
> 
> Thanks for any suggestions on how to proceed,
> 
> Mark
> 
> -- 
> Please update your records with my new email address.
 

Links:
------
[1] https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

On Mon, Dec 15, 2014 at 2:08 PM, Denis BUCHER <dbucherml at hsolutions.ch>
wrote:
>
> It looks like you are trying to do the same as I did. Did you read the
> thread I had some days ago with subject "How to copy roaming profiles
to
> new server ? ("Group policy client service failed. The logon access is
> denied")" ?
>
Yes, I read that thread. However, I am setting up a completely new domain
at another location. Although I am using the old 3.6 config for reference,
I am not actually copying user profiles.

Thanks for the ideas though. I will look into them.

-- 
Please update your records with my new email address.