Jobst Schmalenbach
2017-Jun-07 07:18 UTC
[Samba] Domain Logout, then domain login again, profile corrupt -> replaced by TEMP profile
Hi,

I have had this problem for a while, but waited to post this until I upgraded to see whether the upgrade would fix it.
I upgraded samba to the 4.2.X stream from 3.6.X stream, but it happens on both, 3.6.X and 4.2.10.

Whenever someone logs out, then in again the profile gets corrupted and a new TEMP profile is created (the dreadful "creating new desktop"). Now I do not know where this problem is - the desktop or the server.
It also happens if you wait 1/2 hour or so, never tried it longer.

I can quickly fix this by:

- tell the user to log out
- rsync -avHAX the profile with yesterday's profile
- tell the user to log in again

Now if I log out on my workstation, then on the server I do a "smb reload", then log in again this problem does not happen.

This morning a person logged out of his workstation, went over to the bigscreen in one of our training rooms and logged in there, then logged out, went over to his machine but got the dreadful "preparing desktop" on login ....

Anybody got any idea?

thanks
Jobst

Here is some info:
~~~~~~~~~~~~~~~~~~
All latest patches installed on everything.

OS server: CentOS 6.X
OS Workstations: Windows 7 Prof
Samba: 4.2.10 (was 3.6.23)
Other: roaming profiles (as we log into other stations, e.g. training rooms)

smb.conf (important bits):

[global]
    workgroup = LALA
    server string = Domain Server
    netbios name = LALAMACHINE
    username map = /etc/samba/smbusers
    interfaces = eth0, lo
    bind interfaces only = yes
    # these flags were recommended.
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072

    # Logging, what, how much, etc
    log level = 1
    syslog = 0
    log file = /var/log/samba/samba.log
    max log size = 10000000

    # Auditing
    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:failure = none
    full_audit:facility = LOCAL4
    full_audit:priority = NOTICE
    full_audit:success = none
    full_audit:failure = none

    idmap config *: backend = tdb
    idmap config *: range = 1000000-1999999
    idmap config LALA : default = Yes
    idmap config LALA : backend = <idmap backend>
    idmap config LALA : range = 500-999999

    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind normalize names = no

    # domain stuff
    logon script = user.cmd
    logon path = \\lalamachine\profiles\%u
    logon drive = Z:
    logon home = \\lalamachine\%u\samba-homeshare
    domain logons = Yes
    os level = 200
    domain master = Yes
    dns proxy = No
    wins support = Yes
    security = user
    encrypt passwords = Yes
    hosts allow = 192.168.0., 127.
    guest account = nobody
    usershare allow guests = No

    # printer setup
    load printers = Yes
    printing = cups
    printcap name = cups
    printcap = cups
    printcap cache time = 750
    cups options = raw
    read raw = yes
    write raw = yes
    oplocks = yes
    max xmit = 65535
    dead time = 15
    getwd cache = yes

    # Samba implements the CIFS UNIX
    unix extensions = no

[netlogon]
    comment = Network Logon Service
    path = /samba/NetLogon
    browseable = Yes
    guest ok = yes
    admin users = root
    full_audit:success = none
    full_audit:failure = none
    # this is required for log files to be written to
    read only = No
    write list = @lalausers, @lalaadmins

[profiles]
    comment = Roaming Profile Share
    path = /samba/Profiles/
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = yes
    # you MUST disable caching on shares that have roaming profiles stored
    csc policy = disable
    guest ok = no
    valid users = @lalausers, @lalaadmins
    admin users = root
    store dos attributes = yes
    profile acls = yes
    full_audit:success = none
    full_audit:failure = none

-- 
If builders built buildings the way Microsoft wrote programs, then the first woodpecker that came along would destroy civilization.

 | |0| |   Jobst Schmalenbach, jobst at barrett.com.au, General Manager
 | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
 |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia

Bjoern Trimborn
2017-Jun-07 19:45 UTC
[Samba] Domain Logout, then domain login again, profile corrupt -> replaced by TEMP profile
Hi,

I had the same issue on win7 and win10 clients.
If the user shut down the client, then on the next login he was unable to load his profile.

'smbstatus -L' shows me that the NTUSER.DAT and NTUSER.INI from this profile had a lock on this file (DENY_WRITE or DENY_ALL), can't remember the exact value, too long ago.

But I was only able to observe this behavior on clients with SSD or really fast HDD.

My workaround for this is to set "oplocks = no" on our profile share.

Another solution was to delay the shut down with a GPO script on 'client shutdown' and a sleep timer up to 10 seconds.

Here my smb.conf file:
---
[global]
    netbios name = FILES
    security = ADS
    workgroup = INTRANET
    realm = INTRANET.TESTVM.DE

    username map = /etc/samba/user.map

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config * : backend = tdb
    idmap config * : range = 1000000-2000000

    # idmap config for the domain
    idmap config INTRANET:backend = rid
    idmap config INTRANET:range = 3000000-4000000

    # Template settings for login shell and home directory
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /home/profiles_linux/%U

    winbind use default domain = yes
    winbind refresh tickets = yes

    vfs objects = dfs_samba4,acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # network
    interfaces = lo eth0
    bind interfaces only = yes
    smb ports = 445

    # Auditing
    full_audit:prefix = %u|%I|%S
    full_audit:facility = local5
    full_audit:priority = notice
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none

[profiles_windows]
    acl allow execute always = true
    comment = windows profiles
    path = /home/profiles_windows
    read only = no
    create mask = 0600
    directory mask = 0700
    profile acls = yes
    csc policy = disable
    vfs object = recycle
    recycle:repository = ../recycler/%U/%S
    recycle:keeptree = yes
    recycle:versions = no
    recycle:touch_mtime = yes
    recycle:maxsize = 104857600
    # The next option is a workaround for windows7/10 with SSD
    # Windows does not tend to ensure that all locks for the user
    # profile (ntuser.dat and ntuser.ini) are broken on a fast shut down.
    # Another method is to install a delay for the shutdown process of
    # Windows by using a GPO Script.
    oplocks = no

[profiles_linux]
    comment = linux profiles
    path = /home/profiles_linux
    read only = no
    create mask = 0600
    directory mask = 0700
    vfs object = recycle
    recycle:repository = ../recycler/%U/%S
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch_mtime = yes
    recycle:maxsize = 104857600

[profiles_data]
    acl allow execute always = true
    comment = users's profile files
    path = /home/profiles_data
    read only = no
    create mask = 0600
    directory mask = 0700
    vfs object = recycle
    recycle:repository = ../recycler/%U/%S
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch_mtime = yes
    recycle:maxsize = 104857600

[shares]
    comment = users's files
    path = /home/shares
    read only = no
    vfs object = recycle,full_audit
    recycle:repository = ../recycler/%U/%S
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch_mtime = yes
    recycle:maxsize = 104857600
---

Bjoern

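Added example (not part of the thread and not Samba's own tooling): a small filter for the check described in the message above, listing the locks smbd still holds on NTUSER.DAT / NTUSER.INI in "smbstatus -L" output. The column order is an assumption based on Samba 4.x output, the sample rows are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Report locks still held on roaming-profile hive files.
# Input: `smbstatus -L` output on stdin. Assumed column order (Samba 4.x):
#   Pid Uid DenyMode Access R/W Oplock SharePath Name Time
# Output: one tab-separated line per hit: pid, deny mode, oplock, path.

profile_locks() {
    awk '
        # Data rows start with a numeric PID; headers and rulers do not.
        $1 ~ /^[0-9]+$/ && NF >= 13 {
            # The timestamp is always the last five fields, so SharePath and
            # Name are everything between field 6 and the timestamp. Joining
            # them this way tolerates spaces inside either one.
            target = ""
            for (i = 7; i <= NF - 5; i++)
                target = target (i > 7 ? " " : "") $i
            # Windows clients vary the case of the hive file names.
            if (tolower(target) ~ /ntuser\.(dat|ini)$/)
                printf "%s\t%s\t%s\t%s\n", $1, $3, $6, target
        }
    '
}

# Constructed sample input (not captured from a real server).
sample_smbstatus() {
cat <<'EOF'

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
2301         1004       DENY_WRITE 0x120089    RDONLY     EXCLUSIVE+BATCH  /samba/Profiles   alice/NTUSER.DAT   Wed Jun  7 09:20:11 2017
2301         1004       DENY_ALL   0x12019f    RDWR       NONE             /samba/Profiles   alice/ntuser.ini   Wed Jun  7 09:20:11 2017
2417         1007       DENY_NONE  0x100081    RDONLY     NONE             /samba/Profiles   bob/Desktop/notes.txt   Wed Jun  7 09:31:02 2017
EOF
}

# Demo run on the constructed sample.
# On a live server use:  smbstatus -L | profile_locks
sample_smbstatus | profile_locks
```

A hit for a user whose workstation is already shut down is the stale lock discussed in this thread; the PID column identifies the smbd process still holding it.
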
Jobst Schmalenbach
2017-Jun-09 10:18 UTC
[Samba] Domain Logout, then domain login again, profile corrupt -> replaced by TEMP profile
Hi Bjoern.

That worked, thank you very much!

However, I still think this is a bug.

I found this: https://lists.samba.org/archive/samba/2017-January/206133.html and followed the research.

When you logout FIRST, then shutdown: no problem.
When you shutdown (which is essentially the same as logout then shutdown) the NTUSER.DAT keeps locked.

So when I consider the first way you should be able to do that in the second way.
It's mostly a problem when you have to reboot after an update, upgrade or install.

However, thank you!!!!

Jobst

-- 
Learn the rules so you know how to break them properly. -F1

 | |0| |   Jobst Schmalenbach, jobst at barrett.com.au, General Manager
 | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
 |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia