Thomas DEBESSE
2016-Jun-28 11:23 UTC
[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?
> OK, I think your problem is that you are trying to run your AD domain as
> if it is still an NT4-style domain.

This does not sound like a surprise to me. ;-)

> with AD, you would add […] to each users object in AD. You can do this
> with ADUC or by creating an ldif file on the DC and then use ldbmodify to
> add it.

Oh, yes, you're right, I had to do the same for the logon.cmd, I already
have a pdbedit call for logon.cmd stuff in my user creation script I wrote
myself. I did that for the logon.cmd stuff, for each user:

pdbedit --script="logon.cmd" "${user_name}"

I suppose I can use the --profile=, --drive= and --homedir= options from
pdbedit to do the same things you recommend without having to deal with an
ldif file.

Too bad these values can't be forced by a template on the AD DC. I will try
these options tonight when everyone is logged out.

> did you know that ' writeable = Yes' is the same as 'read only = No' ?
> There is no point in having both.

Yes, these smb.conf are more than 15 years old, modified continuously when I
update something through the ages, so I will not be surprised if some stuff
is superfluous or some crap is remaining.

> I would suggest you follow the Samba wiki and use ACLs instead of the old
> style 'create mask' etc

I will look at it with interest; currently I don't need more, and that part,
even old, works very well. :-)

2016-06-28 8:59 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 27/06/16 22:42, Thomas DEBESSE wrote:
>
>> Hi, thank you for your answer.
>>
>> > Are the 'File servers' joined to the domain ?
>> Yes
>>
>> > Are the smb.conf files you posted complete
>> No, they are abstracted ones, because they are very long
>>
>> > if not, can you post the complete ones, exactly as they are on the
>> computers (you can sanitize them if you need to)
>> Yes
>>
>> > Try taking a look here:
>> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>> I've read that page but it did not help me… :(
>>
>> So, following are the complete files, if you're OK with that, I just
>> applied on them a sed substitution to hide some sensitive names (and using
>> the nomenclature defined above since the servers' pet names will mean
>> nothing to you), and removed some data shares that work very well and are
>> unrelated at all (by the way, I kept the unrelated "partage" share as an
>> example, even if it's unrelated to my current problem).
>>
>> So, the "PDCSERV" config was the now-disabled All-In-One Samba3 PDC
>> server. The "ADSERV" is the current AD DC Samba4 server, and the "FILESERV"
>> is the current file sharing server (hosting homes and profiles). I have
>> also some other file servers but they are totally unrelated to the current
>> described problems since they just serve optional files for some people
>> (like the "partage" share described below). I also give you my logon.cmd so
>> you see how the machinery works.
>>
>> As you can see, previous home paths were /home/users/%u and previous
>> profile paths were /home/users/%u/.profile.v2; home paths are now
>> /home/users/%u/userdisk, and profile paths are now /home/users/%u/profile.v2.
>> I just put the profile outside the home disk, which is recommended.
>>
>> ---------------------------------------------------------------------------
>> PDCSERV:
>>
>> [global]
>> workgroup = DOMAIN
>> netbios name = PDCSERV
>> server string = "Server"
>>
>> wins support = yes
>> dns proxy = no
>> unix extensions = no
>>
>> log file = /var/log/samba/log.%m
>> log level = 4
>> debug level = 4
>> max log size = 5000
>> syslog = 0
>>
>> panic action = /usr/share/samba/panic-action %d
>> encrypt passwords = true
>>
>> passdb backend = smbpasswd:/etc/samba/smbpasswd
>> obey pam restrictions = yes
>> unix password sync = yes
>>
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> pam password change = yes
>>
>> domain logons = yes
>> logon path = \\%N\profile
>> logon drive = U:
>> logon home = \\%N\%U
>> logon script = logon.cmd
>> domain master = auto
>>
>> [homes]
>> comment = Dossier Personnel de %U
>> path = /home/users/%U/.windows
>> browseable = no
>> wide links = Yes
>> follow symlinks = Yes
>> writable = yes
>> read only = no
>> create mask = 2770
>> directory mask = 2770
>> public = no
>> hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/$RECYCLE.BIN/
>> veto files = /.profile/.profile.v2/*.desktop/
>>
>> [netlogon]
>> path = /etc/samba/netlogon
>> guest ok = no
>> writeable = yes
>> browseable = no
>> write list = ntadmin
>>
>> [profile]
>> path = /home/users/%U/.profile
>> browsable = no
>> writeable = yes
>> create mask = 0600
>> directory mask = 0700
>> profile acls = yes
>> csc policy = disable
>> hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/
>>
>> [profile.v2]
>> path = /home/users/%U/.profile.v2
>> browseable = no
>> writeable = yes
>> create mask = 0600
>> directory mask = 0700
>> profile acls = yes
>> csc policy = disable
>> hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/
>>
>> [partage]
>> path = /home/partage
>> comment = "Partage Commun a tous"
>> browsable = yes
>> read only = no
>> create mask = 777
>> directory mask = 777
>>
>> [printers]
>> comment = All Printers
>> browseable = no
>> path = /var/spool/samba
>> printable = yes
>> guest ok = no
>> read only = yes
>> create mask = 0700
>>
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/printers
>> browseable = yes
>> read only = yes
>> guest ok = no
>>
>> ---------------------------------------------------------------------------
>> ADSERV:/etc/samba/smb.conf
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.REALM
>> netbios name = ADSERV
>> server role = active directory domain controller
>>
>> domain logons = Yes
>> domain master = Yes
>>
>> wins support = Yes
>> dns proxy = No
>>
>> idmap_ldb:use rfc2307 = Yes
>>
>> syslog = 1
>> log level = 4
>>
>> panic action = /usr/share/samba/panic-action %d
>>
>> printing = bsd
>> printcap name = /dev/null
>> load printers = No
>> disable spoolss = Yes
>>
>> logon path = \\FILESERV\profile
>> logon drive = U:
>> logon home = \\FILESERV\%U
>> logon script = "logon.cmd"
>>
>> [netlogon]
>> comment = "Service d’identification réseau"
>> path = /var/lib/samba/sysvol/savane.saba/scripts
>> guest ok = No
>> writeable = Yes
>> read only = No
>> browseable = No
>> write list = ntadmin
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>> browseable = No
>>
>> ---------------------------------------------------------------------------
>> FILESERV:/etc/samba/smb.conf
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.REALM
>> netbios name = FILESERV
>> security = ADS
>>
>> dfree command = /usr/local/bin/smb-dfree.sh
>>
>> log file = /var/log/samba/log.%m
>> log level = 4
>> max log size = 1000
>> syslog = 2
>>
>> panic action = /usr/share/samba/panic-action %d
>>
>> server role = member server
>>
>> local master = No
>> domain master = No
>> preferred master = No
>>
>> encrypt passwords = Yes
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> winbind refresh tickets = Yes
>> winbind trusted domains only = No
>> winbind use default domain = Yes
>> winbind enum users = Yes
>> winbind enum groups = Yes
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> idmap config DOMAIN:backend = rid
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 10000-30000
>>
>> winbind nss info = template
>> template shell = /bin/false
>> template homedir = /home/users/%U
>>
>> usershare allow guests = Yes
>>
>> printing = bsd
>> printcap name = /dev/null
>> load printers = No
>> disable spoolss = Yes
>>
>> unix extensions = No
>> hide special files = Yes
>> hide unreadable = Yes
>> hide dot files = Yes
>> hide files = /Bureau/AppData/Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/~$*/$RECYCLE.BIN/Thumbs.db/.DS_Store/*.desktop/
>> veto files = /.fuse_*/lost+found/aquota.group/aquota.user/
>>
>> [homes]
>> comment = "Dossier personnel de %u"
>> path = "/home/users/%U/userdisk"
>> browseable = No
>> read only = No
>> writeable = Yes
>> browseable = No
>> public = No
>> wide links = Yes
>> follow symlinks = Yes
>> create mask = 2770
>> directory mask = 2770
>> force group = "users-%U"
>> valid users = %S
>>
>> [partage]
>> comment = "Partage commun à tous"
>> path = /home/partage
>> browsable = Yes
>> read only = No
>> create mask = 2770
>> directory mask = 2770
>>
>> [profile]
>> comment = "Profil NT5 (Windows XP)"
>> path = /home/users/%U/profile
>> browsable = No
>> writeable = Yes
>> create mask = 0600
>> directory mask = 0700
>> force group = "users-%U"
>> profile acls = Yes
>> csc policy = disable
>>
>> [profile.v2]
>> comment = "Profil NT6 (Windows 7 etc.)"
>> path = /home/users/%U/profile.v2
>> browseable = No
>> writeable = Yes
>> create mask = 0600
>> directory mask = 0700
>> force group = "users-%U"
>> profile acls = Yes
>> csc policy = disable
>>
>> ---------------------------------------------------------------------------
>> ADSERV:/var/lib/samba/sysvol/savane.saba/scripts/logon.cmd
>>
>> NET USE U: \\FILESERV\homes
>> NET USE P: \\FILESERV\partage
>>
>> REGEDIT /S \\ADSERV\netlogon\common.reg
>>
>> --
>> Thomas DEBESSE
>>
>
> OK, I think your problem is that you are trying to run your AD domain as
> if it is still an NT4-style domain.
>
> I suggest you re-read the page I pointed you to and also other pages in
> the Samba wiki.
>
> You do not use:
>
> logon path = \\FILESERV\profile
> logon drive = U:
> logon home = \\FILESERV\%U
> logon script = "logon.cmd"
>
> with AD, you would add:
>
> profilePath: \\FILESERV\profile
> scriptPath: logon.cmd
> homeDrive: U:
> homeDirectory: \\FILESERV\%U
>
> to each users object in AD. You can do this with ADUC or by creating an
> ldif file on the DC and then use ldbmodify to add it.
>
> I would also look carefully at your smb.conf files, referencing 'man
> smb.conf', for an instance, did you know that ' writeable = Yes' is the
> same as 'read only = No' ? There is no point in having both.
>
> I would suggest you follow the Samba wiki and use ACLs instead of the old
> style 'create mask' etc
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
Thomas DEBESSE
Rowland penny
2016-Jun-28 12:17 UTC
[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?
On 28/06/16 12:23, Thomas DEBESSE wrote:
> > OK, I think your problem is that you are trying to run your AD
> > domain as if it is still an NT4-style domain.
>
> This does not sound like a surprise to me. ;-)
>
> > with AD, you would add […] to each users object in AD. You can do
> > this with ADUC or by creating an ldif file on the DC and then use
> > ldbmodify to add it.
>
> Oh, yes, you're right, I had to do the same for the logon.cmd, I
> already have a pdbedit call for logon.cmd stuff in my user creation
> script I wrote myself.
> I did that for the logon.cmd stuff, for each user:
>
> pdbedit --script="logon.cmd" "${user_name}"
>
> I suppose I can use the --profile=, --drive= and --homedir= options
> from pdbedit to do the same things you recommend without having to
> deal with an ldif file.
>
> Too bad these values can't be forced by a template on the AD DC. I
> will try these options tonight when everyone is logged out.

If you need to create new users, you could investigate 'samba-tool user
create --help' on a Samba DC, or you can write a script around pdbedit to
update your users.

> > did you know that ' writeable = Yes' is the same as 'read only =
> > No' ? There is no point in having both.
>
> Yes, these smb.conf are more than 15 years old, modified continuously
> when I update something through the ages, so I will not be surprised
> if some stuff is superfluous or some crap is remaining.
>
> > I would suggest you follow the Samba wiki and use ACLs instead of
> > the old style 'create mask' etc
>
> I will look at it with interest; currently I don't need more, and that
> part, even old, works very well. :-)

You could add IDMU to ADUC on a Windows machine; this will get you the
'Unix Attributes' tabs.

Rowland
Thomas DEBESSE
2016-Jun-28 12:33 UTC
[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?
Rowland penny said:
> If you need to create new users, you could investigate 'samba-tool user
> create --help' on a Samba DC, or you can write a script around pdbedit to
> update your users.

I did that for my own user:

pdbedit --drive='U:' --homedir='\\FILESERV\thd' --profile='\\FILESERV\profile' --user='thd'

And it worked! :-)

Thank you very much, I will do that for all my users soon to fix them, and
update my user creation script with that pdbedit call for future user
creation, like I already do for the logon script path.

--
Thomas DEBESSE
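The thread offers two ways to put profilePath, scriptPath, homeDrive and homeDirectory on each user object: Rowland's LDIF-plus-ldbmodify route and Thomas's per-user pdbedit call. The script below is an added example, not code from the thread or from Samba, that automates the LDIF route for a list of users on the DC and reads the attributes back afterwards; it assumes sam.ldb is at /var/lib/samba/private/sam.ldb, the file server is FILESERV, and it runs as root on the DC. The make_profile_ldif function is pure shell, so the generated LDIF can be checked before anything touches the directory.

```shell
#!/bin/sh
# Added example (not from the thread): set the four AD attributes on a user
# object with an LDIF fed to ldbmodify on the Samba AD DC.
# Assumptions: sam.ldb path, file server name FILESERV, running as root on
# the DC, and the user's DN looked up with ldbsearch (users may live outside
# CN=Users, so the DN is never hard-coded).
set -eu

SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"
FILESERV="${FILESERV:-FILESERV}"

# Print the LDIF for one user. 'replace' sets the value whether or not the
# attribute already exists, so re-running on an already-fixed user is safe.
# $1 = user DN, $2 = sAMAccountName (used for the per-user home share).
make_profile_ldif() {
    dn="$1"; user="$2"
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'replace: profilePath\nprofilePath: \\\\%s\\profile\n-\n' "$FILESERV"
    printf 'replace: scriptPath\nscriptPath: logon.cmd\n-\n'
    printf 'replace: homeDrive\nhomeDrive: U:\n-\n'
    printf 'replace: homeDirectory\nhomeDirectory: \\\\%s\\%s\n-\n' "$FILESERV" "$user"
}

# Resolve sAMAccountName to DN. ldbsearch emits LDIF, which folds long lines
# with a leading space, so continuation lines are joined before matching.
user_dn() {
    ldbsearch -H "$SAM_DB" "(sAMAccountName=$1)" dn | awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf ~ /^dn: /) print substr(buf, 5); buf = $0 }
        END { if (buf ~ /^dn: /) print substr(buf, 5) }'
}

# Apply the LDIF, then read the attributes back so a typo in the UNC path
# (which makes Windows fall back to a local profile) shows up here, not at
# the user's next logon.
set_profile_attrs() {
    user="$1"
    dn=$(user_dn "$user")
    [ -n "$dn" ] || { echo "no such user: $user" >&2; return 1; }
    make_profile_ldif "$dn" "$user" | ldbmodify -H "$SAM_DB"
    ldbsearch -H "$SAM_DB" -b "$dn" -s base '(objectClass=*)' \
        profilePath scriptPath homeDrive homeDirectory
}

# Usage on the DC: ./set-profile-attrs.sh thd alice bob
if [ $# -gt 0 ]; then
    for u in "$@"; do set_profile_attrs "$u"; done
fi
```

Run with no arguments it only defines the functions, so the LDIF for a user can be inspected first with make_profile_ldif before any change is applied.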