Hi,
I'm facing an issue where most users receive the error "The Group Policy Client service failed the logon. Access denied.". The fix so far is to delete a registry folder on the client machine, but there are cases where this does not work. For one user, I had to delete the account and create it again. The domain uses 3 CentOS 7 + Samba 4.5.5, with a fileserver running 4.4.4.
Reading https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles shows me that our setup does not thing different from the suggested configuration: We do not have a profiles share. Instead, we put the user profile inside the user's home folder.
Are there recommendations regarding the profile location? Is it ok to have the user profile inside the home drive, instead of a specific share?
Here's the fileserver smb.conf, if it helps:
[global]
netbios name = ULTRON
security = ADS
workgroup = E-TRUST
realm = E-TRUST.COM.BR
#dns forwarder = 192.168.2.27
server role = member server
# Default idmap config used for BUILTIN and local accounts/groups
#idmap config *:backend = ad
idmap config *:range = 2000-9999
# Use settings from AD for login shell and home directory
idmap_ldb:use rfc2307 = yes
# idmap config for domain E-TRUST
idmap config E-TRUST:backend = ad
idmap config E-TRUST:schema_mode = rfc2307
idmap config E-TRUST:range = 10000-40000
# Winbind Configuration
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind nss info = rfc2307
#[cp 13.Oct.2016] Reduced the Winbindd cache
idmap cache time = 30
idmap negative cache time = 30
winbind cache time = 30
# Needed on the domain member only
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
log level = 5
log file = /var/log/samba/%M.log
#[vbs 30.11.2016]180417 - removes vulnerability
#"26920 - Microsoft Windows SMB NULL Session Authentication"
restrict anonymous = 2
[home]
comment = Diretorios de usuarios
path = /compartilhamentos/home/
browseable = no
writable = yes
guest ok = no
create mask = 600
directory mask = 700
--
Vinicius Silva
SOC