Paul R. Ganci
2015-Jun-17 02:35 UTC
[Samba] Ugh - half connected Win 7 machines to Samba 4.1.18 AD
I have been at my wits' end now since Sunday trying to debug an issue that occurred when I tried to update from sernet-samba-4.1.18 to sernet-samba-4.2.2 on my small network. I have one administrator account and two user accounts which I will call account1 and account2. Before I updated I was able to log in to any of 3 Windows 7 Professional boxes and 5 Linux boxes running CentOS 6.6 using any of the accounts without any issue. Also before I updated I backed up my samba database (/var/lib/samba on a CentOS 6.6 system).

The update went fine but when I tried to log in to a Linux box with account1 I discovered that user home directories on the server were broken (see the thread "winbind on the DC again ... sorry"). I worked around this problem but then discovered that the roaming profile for account2 was broken. So at this point I decided to back out the upgrade. So to that end I shut down the AD, moved the backup into place, downgraded to sernet-samba-4.1.18 and restarted the AD. It was at this point all hell broke loose.

For the administrator and account1 there is absolutely no problem. Everything works exactly as expected and in the same manner as prior to the upgrade. I can log into any machine (Windows 7 or Linux) and home directories are found and roaming profiles work just like they are supposed to work.

The problem is with account2. There is no problem with Linux boxes. The home directory is found and has the proper permissions and everything is good. The problem is with the roaming profile of account1 on any of the Windows 7 boxes. On the main box upon which account1 is used the profile looks like it gets loaded. However when the user logs out the profile cannot be completely synchronized. Only the NTUSER.dat, NTUSER.ini, etc. seem to get moved to the Profile area. On the other 2 Windows 7 boxes the user is logged in with a "Temporary Profile".

I tried to do what others suggested, which was to remove the Windows 7 box from the domain, remove the offending profile and delete the Profilelist key in the registry, add the machine back to the domain and then log in to get these two Windows 7 boxes to recreate the profile, to no avail. Every time only a temporary profile is created. What is strange is that the Temporary Profile has the correct SID for account2. No matter what I do I can't get the account2 Profile to synchronize from the 1st Windows 7 box to the AD, nor can I get the other two Windows 7 Professional boxes to recreate the Profile (other than a temporary one) on the AD. I will also point out that there is no problem with credentials on any of these machines for any of account1, account2 or administrator, and the account home directory is available and seems to be okay. So I am lost here as to why 2 of the accounts (account1 and administrator) are fine and the one account2 is so broken on the Windows boxes.

Worse is that I have discovered that if I use samba-tool to create a new user and use ADUC to set up the profile, etc., I have the exact same problem on all three Windows 7 boxes. On the first login only a temporary profile gets created. I cannot get a permanent, roaming profile to be created on the AD. And worse yet if I create a new user on the Windows 7 box using ADUC it does not show up on the AD at all.

I am open to all suggestions as to how to go about debugging and fixing this problem. It seems that somehow the Windows 7 boxes are now half connected to the AD. I can get user credentials and see home directories, but I cannot use roaming profiles for users created with samba-tool and don't see users created with ADUC at all.

Thank you for your help.
Paul R. Ganci
2015-Jun-17 03:30 UTC
[Samba] Ugh - half connected Win 7 machines to Samba 4.1.18 AD
On 06/16/2015 08:35 PM, Paul R. Ganci wrote:
> And worse yet if I create a new user on the Windows 7 box using ADUC
> it does not show up on the AD at all.

This statement is not true. If I do:

    > net ADS USER account3 [...]

The new user created shows up on the AD. Also

    >wbinfo -n account3

gives the SID S-1-5-21-729452656-3029571206-2736118167-1146

I must have made a typo when asking for this information the 1st time. Also for this new account3 created from the Windows 7 Professional box ADUC a roaming profile could be created. So I am not sure what happened but it looks like the AD is working properly for newly created accounts, for the administrator and for the original user account1.

I would still appreciate ideas on how to salvage the roaming profile for account2. Sorry for the misinformation and thanks.
Paul R. Ganci
2015-Jun-17 05:19 UTC
[Samba] Ugh - half connected Win 7 machines to Samba 4.1.18 AD
On 06/16/2015 08:35 PM, Paul R. Ganci wrote:
> On the main box upon which account1 is used the profile looks like it
> gets loaded. However when the user logs out the profile cannot be
> completely synchronized. Only the NTUSER.dat, NTUSER.ini, etc seem to
> get moved to the Profile area. On the other 2 Windows 7 boxes the user
> is logged in with a "Temporary Profile".

Okay I guess this is Murphy's law. Post something to a list and then the problem fixes itself. Everything seems to be working now. The only thing that I can think might have fixed the problem is that in another thread it was mentioned to do:

    >net cache flush

That is the only thing I can recall doing tonight that could have fixed the problem.