Hello you all, we are in the process of upgrading to windows 10 on all our workstations. We see one problem with redirected folders. We redirect Appdata to a network share. [profdata] comment = Profile Data Share path = /srv/profdata csc policy = disable hide files /?esktop.ini/ntuser.ini/NTUSER.*/?humbs.db/$RECYCLE.BIN/ This worked great (although slow) with terminal servers on Win2008R2 and Windows 7. Now the clients on win10 experience error in Thunderbird and Firefox. THe files cert9.db and cert8.db sometimes can not be read (a pop up shows with unknown certificates etc) If you close the program everything works again. Only Firefox and Thunderbird are effected. Chrome has no Problem. My questions are: Has anybody had the same Problem? Is "csc policy = disable" still recommended for profile shares as stated in the WIKI and is it also recommended for redicrected folders like this? How do you guys handle csc policy for other shares. We always have it disabled. Regards Christian -- Dr. Christian Naumer Research Scientist Plattform-Koordinator Bioprozesstechnik B.R.A.I.N Aktiengesellschaft Darmstaedter Str. 34-36, D-64673 Zwingenberg e-mail cn at brain-biotech.de, homepage www.brain-biotech.de fon +49-6251-9331-30 / fax +49-6251-9331-11 Sitz der Gesellschaft: Zwingenberg/Bergstrasse Registergericht AG Darmstadt, HRB 24758 Vorstand: Dr. Juergen Eck (Vorsitzender), Manfred Bender, Ludger Roedder Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
Hai Christion, So yes, i told you this once before it better to setup the windows acl. And yes, but these days in win10 everything is more picky on correct settings. Set/verify you profile share again, but setup windows ACL's. not POSIX acls. See: https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles Goto : Setup : Using Windows ACLs And dont look below this line on the wiki: Using POSIX ACLs on a Unix domain member Just dont. And be carefull you can/might reset everything on the share. And Verify that permission inheritance is disabled on the root of the share If that still gives problems, try adding this setting in the profiles share. acl_xattr:ignore system acls = yes And setup the share again, this is a must after you set this parameter. Personaly, i still use that parameter on profiles and the users share. A bit to avoid windows acl problem and why not set it if these shares are only use for windows clients. Note, this is a inheritance of old samba version with bug, this solved it all. And im now using it about 3 years without problems on my profiles, just saying, i really suggest you test it. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Christian Naumer via samba > Verzonden: dinsdag 25 juni 2019 11:15 > Aan: Thamm, Russell via samba > Onderwerp: [Samba] csc policy > > Hello you all, > we are in the process of upgrading to windows 10 on all our > workstations. We see one problem with redirected folders. We redirect > Appdata to a network share. > > > [profdata] > comment = Profile Data Share > path = /srv/profdata > csc policy = disable > hide files > /?esktop.ini/ntuser.ini/NTUSER.*/?humbs.db/$RECYCLE.BIN/ > > > This worked great (although slow) with terminal servers on > Win2008R2 and > Windows 7. Now the clients on win10 experience error in > Thunderbird and > Firefox. THe files cert9.db and cert8.db sometimes can not be read (a > pop up shows with unknown certificates etc) If you close the program > everything works again. Only Firefox and Thunderbird are effected. > Chrome has no Problem. > > My questions are: > > Has anybody had the same Problem? > > Is "csc policy = disable" still recommended for profile > shares as stated > in the WIKI and is it also recommended for redicrected > folders like this? > > How do you guys handle csc policy for other shares. We always have it > disabled. > > > Regards > > Christian > > -- > Dr. Christian Naumer > Research Scientist > Plattform-Koordinator Bioprozesstechnik > > B.R.A.I.N Aktiengesellschaft > Darmstaedter Str. 34-36, D-64673 Zwingenberg > e-mail cn at brain-biotech.de, homepage www.brain-biotech.de > fon +49-6251-9331-30 / fax +49-6251-9331-11 > > Sitz der Gesellschaft: Zwingenberg/Bergstrasse > Registergericht AG Darmstadt, HRB 24758 > Vorstand: Dr. Juergen Eck (Vorsitzender), Manfred Bender, > Ludger Roedder > Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Hi Louis, thanks for the feed back.> Hai Christion, > > So yes, i told you this once before it better to setup the windows acl.Yes I know...> And yes, but these days in win10 everything is more picky on correct settings. > > Set/verify you profile share again, but setup windows ACL's. not POSIX acls. > See: https://wiki.samba.org/index.php/Roaming_Windows_User_ProfilesHere the share definition is with out the "csc policy" so this means here offline files are enabled. Or do you disable it via GPO?> > Goto : Setup : Using Windows ACLs > > And dont look below this line on the wiki: Using POSIX ACLs on a Unix domain member > Just dont. > > And be carefull you can/might reset everything on the share. > And Verify that permission inheritance is disabled on the root of the share > > > > If that still gives problems, try adding this setting in the profiles share. > acl_xattr:ignore system acls = yes > > And setup the share again, this is a must after you set this parameter. > > Personaly, i still use that parameter on profiles and the users share. > A bit to avoid windows acl problem and why not set it if these shares are only use for windows clients. > Note, this is a inheritance of old samba version with bug, this solved it all. > And im now using it about 3 years without problems on my profiles, just saying, i really suggest you test it.I appreciate your feed back as you have much more knowledge in that area. And I will look at it (when I have time or if this is not solvable by using offline files). However, coming back to "csc policy" do you disable this either on the share or by GPO in your environment? Regards Christian> > > Greetz, > > Louis > > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> Christian Naumer via samba >> Verzonden: dinsdag 25 juni 2019 11:15 >> Aan: Thamm, Russell via samba >> Onderwerp: [Samba] csc policy >> >> Hello you all, >> we are in the process of upgrading to windows 10 on all our >> workstations. We see one problem with redirected folders. We redirect >> Appdata to a network share. >> >> >> [profdata] >> comment = Profile Data Share >> path = /srv/profdata >> csc policy = disable >> hide files >> /?esktop.ini/ntuser.ini/NTUSER.*/?humbs.db/$RECYCLE.BIN/ >> >> >> This worked great (although slow) with terminal servers on >> Win2008R2 and >> Windows 7. Now the clients on win10 experience error in >> Thunderbird and >> Firefox. THe files cert9.db and cert8.db sometimes can not be read (a >> pop up shows with unknown certificates etc) If you close the program >> everything works again. Only Firefox and Thunderbird are effected. >> Chrome has no Problem. >> >> My questions are: >> >> Has anybody had the same Problem? >> >> Is "csc policy = disable" still recommended for profile >> shares as stated >> in the WIKI and is it also recommended for redicrected >> folders like this? >> >> How do you guys handle csc policy for other shares. We always have it >> disabled. >> >> >> Regards >> >> Christian >> >> -- >> Dr. Christian Naumer >> Research Scientist >> Plattform-Koordinator Bioprozesstechnik >> >> B.R.A.I.N Aktiengesellschaft >> Darmstaedter Str. 34-36, D-64673 Zwingenberg >> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de >> fon +49-6251-9331-30 / fax +49-6251-9331-11 >> >> Sitz der Gesellschaft: Zwingenberg/Bergstrasse >> Registergericht AG Darmstadt, HRB 24758 >> Vorstand: Dr. Juergen Eck (Vorsitzender), Manfred Bender, >> Ludger Roedder >> Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> > >-- Dr. Christian Naumer Research Scientist Plattform-Koordinator Bioprozesstechnik B.R.A.I.N Aktiengesellschaft Darmstaedter Str. 34-36, D-64673 Zwingenberg e-mail cn at brain-biotech.de, homepage www.brain-biotech.de fon +49-6251-9331-30 / fax +49-6251-9331-11 Sitz der Gesellschaft: Zwingenberg/Bergstrasse Registergericht AG Darmstadt, HRB 24758 Vorstand: Dr. Juergen Eck (Vorsitzender), Manfred Bender, Ludger Roedder Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
Good morning Christian,> > Hi Louis, > thanks for the feed back.Your welkom, doing our best.> > > Hai Christion, > > > > So yes, i told you this once before it better to setup the > windows acl. > Yes I know... > > > And yes, but these days in win10 everything is more picky > on correct settings. > > > > Set/verify you profile share again, but setup windows > ACL's. not POSIX acls. > > See: > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles > > Here the share definition is with out the "csc policy" so this means > here offline files are enabled. Or do you disable it via GPO?I have offline still enable, but i can easily disable this with GPO. https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/disable-offline-files-on-folders I do all my computer/user setting with GPO's.> > > > > Goto : Setup : Using Windows ACLs > > > > And dont look below this line on the wiki: Using POSIX > ACLs on a Unix domain member > > Just dont. > > > > And be carefull you can/might reset everything on the share. > > And Verify that permission inheritance is disabled on the > root of the share > > > > > > > > If that still gives problems, try adding this setting in > the profiles share. > > acl_xattr:ignore system acls = yes > > > > And setup the share again, this is a must after you set > this parameter. > > > > Personaly, i still use that parameter on profiles and the > users share. > > A bit to avoid windows acl problem and why not set it if > these shares are only use for windows clients. > > Note, this is a inheritance of old samba version with bug, > this solved it all. > > And im now using it about 3 years without problems on my > profiles, just saying, i really suggest you test it. > > I appreciate your feed back as you have much more knowledge in that > area. And I will look at it (when I have time or if this is > not solvable > by using offline files). > However, coming back to "csc policy" do you disable this either on the > share or by GPO in your environment?All by GPO, see link above.> > > Regards > > Christian >Greetz, Louis