We are not much off. But you have mixed "samba/windows" and "windows/windows" settings.
Samba/windows   \\%logonserver%\home\%username%\desktop
Windows/windows \\hostname.fqdn.tld\users\%username%\desktop

Guess which one I use. ;-)

Now, do get where this is coming from.
So use this (add a CNAME for your member server). Note, you MUST set up PTR records.
\\ALIAS-CNAME.fqdn.tld\users\%username%\desktop

And of course this is not correct.
\\%logonserver%\home\%username%\desktop.

Your "logon" server = the DC. Not the member.

So my advice: set up as suggested, and I'm sure you will never see this again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Philippe LeCavalier via samba
> Sent: Thursday 20 February 2020 16:05
> To: samba
> Subject: Re: [Samba] GPO redirected folders reg path issue
>
> On Thu, Feb 20, 2020 at 9:28 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
> > On 20/02/2020 14:10, Philippe LeCavalier via samba wrote:
> > > Hi all,
> > >
> > > I have an issue at multiple sites that has been plaguing me for a while.
> >
> > Hi, whilst you tell us what is wrong, you do not give us anything to
> > work with.
>
> Agreed. I'm posting this from a remote site where I don't have easy access
> to either of the two main sites this is occurring on. I'll gather that info
> up asap and get back to you (and Louis)
>
> Oh and Louis, I'm redirecting Desktop as well. So that's actually the first
> error that pops up is access denied for
> \\%logonserver%\home\%username%\desktop. Now that I'm rereading myself, I
> wonder if the Home in the path is some sort of trigger. Generally for
> practical reasons, I run QNAPs as file servers and QNAP still uses the
> %home% variable so I make use of that feature to redirect to \\QNAP\home
> and in the GPO it is \\QNAP\%USERNAME% which has worked very well until
> those folders get redirected to the DC in err.
>
> Phil
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Thu, Feb 20, 2020 at 10:14 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> We are not much off. But you have mixed "samba/windows" and
> "windows/windows" settings.
> Samba/windows   \\%logonserver%\home\%username%\desktop
> Windows/windows \\hostname.fqdn.tld\users\%username%\desktop
>
> Guess which one I use. ;-)

Okay that's good info. Keep in mind I wrote all that out purely by memory so I'll repost if it differs at all from what I initially wrote. But otherwise, yeah that sounds like a possible fix and I would certainly welcome that! I think what may have misled me was the roaming profile section of the wiki refers to the fqdn to set permissions therefore in my mind, the fqdn should be used for all references for config that's facing the windows side.

> Now, do get where this is coming from.
> So use this (add a CNAME for your member server). Note, you MUST set up PTR
> records.
> \\ALIAS-CNAME.fqdn.tld\users\%username%\desktop

They have PTR records I know that for certain but I'll revisit that as well to be certain they reflect what you show here.

> And of course this is not correct.
> \\%logonserver%\home\%username%\desktop.
>
> Your "logon" server = the DC. Not the member.

Yep. Agreed.
Phil
A setup on how to improve your samba network and simplify it.
This is how I set it up; sure, it looks difficult, but it's all about DNS setup and what you add to it.

For AD-DCs ( AD, TIME, NS, LDAP )
Hostname.FQDN.TLD : max 63 chars, incl. the .'s; allowed chars: a-Z 0-9 -

Hostname : sam-dc1.internal.domain.tld
IP       : what you need/want. ( example 192.168.1.11 )
PTR      : 11.0.168.192.in-addr.arpa
CNAME    : dc1 ns1 ldap1 ntp1

Hostname : sam-dc2.internal.domain.tld
IP       : what you need/want. ( example 192.168.1.12 )
PTR      : 12.0.168.192.in-addr.arpa
CNAME    : dc1 ns2 ldap2 ntp2

For a MEMBER.
Hostname.FQDN.TLD : max 254 chars, incl. the .'s; allowed chars: a-Z 0-9 -
Hostname : sam-mem1.internal.domain.tld
IP       : what you need/want. ( example 192.168.1.21 )
PTR      : 21.0.168.192.in-addr.arpa
CNAME    : fs1 (fileserver1)
But also, and this is just how many servers you set up.
Think in web1 proxy1 cluster1 etc. etc.; these are always the ALIASES.
And you can also say things like this.

Why.. This is all about the ability to scale your network and split up services over other servers IF needed.
And if done right, you don't have to touch any setup, you only change a CNAME.
Now let's say you move or set up a new webserver: all I change is web1.dom.tld and point that to a new server hostname.
www.dom.tld CNAME web1.dom.tld ( which is also a CNAME to sam-mem1.internal.domain.tld )

And yes, you have to think ahead here.
So now for all services configure the alias name, not the real hostname.

Kerberos works fine as long as your A and PTR for the server are set.
Certificates, per hostname and aliases where needed or in one certificate or multiple.

This is also why I hammer on a correct DNS setup; if it's not correct, the above will most probably fail.

For windows, stop using \\hostname, start using \\hostname.internal.fqdn.tld
Same user/profile shares use:
\\fs1.int.dom.tld\users\%username%
\\fs1.int.dom.tld\profiles\%username%

Why not \\fs1.int.dom.tld\home\%username% or \\fs1.int.dom.tld\homes\%username%
Well, one is really wrong and the other should work like \users\ but it is easy to make a mistake here.
man smb.conf tells it all ;-)

Tip for today.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Philippe LeCavalier via samba
> Sent: Thursday 20 February 2020 16:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPO redirected folders reg path issue
OOOEPPS..

The PTR records point to 192.168.0. not 192.168.1. ..
Adjust that in your mind please ;-)

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Thursday 20 February 2020 16:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPO redirected folders reg path issue
On Thu, Feb 20, 2020 at 10:56 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> A setup on how to improve your samba network and simplify it.
> This is how I set it up; sure, it looks difficult, but it's all about DNS
> setup and what you add to it.

That is great info Louis! Thank you for taking the time. I'll endeavour to comb through all that and implement as needed. I used to work at an ISP so although DNS isn't my expertise, I'm certainly comfortable with it. I definitely have the AD entry (I don't have clients large enough to really justify multiple DCs even if I "pitch" it as a benefit initially..Costs...) but I suspect I might find that the member entry for my QNAP doesn't have the CNAME alias. But I don't think in my case/issue it would explain how the GPO would be overridden like it seems to be. Nonetheless, improving things is always the direction I want to go.

I caught your latest reply about the subnet...Wasn't going to mention it ;)

Phil
On Thu, Feb 20, 2020 at 10:56 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> A setup on how to improve your samba network and simplify it.
> This is how I set it up; sure, it looks difficult, but it's all about DNS
> setup and what you add to it.
>
> For AD-DCs ( AD, TIME, NS, LDAP )
> Hostname.FQDN.TLD : max 63 chars, incl. the .'s; allowed chars: a-Z 0-9 -
>
> Hostname : sam-dc1.internal.domain.tld
> IP       : what you need/want. ( example 192.168.1.11 )
> PTR      : 11.0.168.192.in-addr.arpa
> CNAME    : dc1 ns1 ldap1 ntp1
>
> Hostname : sam-dc2.internal.domain.tld
> IP       : what you need/want. ( example 192.168.1.12 )
> PTR      : 12.0.168.192.in-addr.arpa
> CNAME    : dc1 ns2 ldap2 ntp2
>
> For a MEMBER.
> Hostname.FQDN.TLD : max 254 chars, incl. the .'s; allowed chars: a-Z 0-9 -
> Hostname : sam-mem1.internal.domain.tld
> IP       : what you need/want. ( example 192.168.1.21 )
> PTR      : 21.0.168.192.in-addr.arpa
> CNAME    : fs1 (fileserver1)
> But also, and this is just how many servers you set up.
> Think in web1 proxy1 cluster1 etc. etc.; these are always the ALIASES.
> And you can also say things like this.

Started implementing this today in one site. I first started looking at it using samba-tool with guidance from the wiki[1] and couldn't easily see the results nor could I easily add the records so I reverted to RSAT on a desktop. I quickly noticed despite my thought of having added some of these records that I solely relied on the samba-tool provisioning and had in fact, not added any CNAME or PTR records as suggested above. So I proceeded to add them.

Based on the record examples provided above and the DNS Management MMC snap-in tool I mistakenly omitted the FQDN in the data part of both the CNAME and PTR records so when I applied the entries just about everything stopped working; no logins no shares...etc. When I queried the dns backend in samba I noticed the records I added were missing the "data" part and quickly added my hostname.domain.tld to each and everything started working again.

-just wanted to add the story in case it helps anyone following along. Personally, I'm always trying to steer away from RSAT and administering anything from windows as a whole and would much rather use samba-tool so I'm not reliant on a desktop but hey... it is a windows based network after all.

So now that the dust has settled (the whole ordeal was less than 15 minutes so no big deal) I'm not seeing anything spectacularly different but it will be interesting to see if I ever see the issue stated in the original msg of this thread.
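
An added example, not part of any message in this thread: a small offline check for the two record mistakes discussed above, a PTR filed under the wrong reverse subnet and a CNAME or PTR whose data part is empty or not an FQDN. It assumes the zone has been written out by hand as (name, type, data) tuples; the function names and the sample records are constructed for illustration.

```python
import ipaddress

# Constructed records (name, type, data). Host names and addresses follow the
# thread's examples; the faults are planted to mirror the two mistakes above.
SAMPLE = [
    ("sam-dc1.internal.domain.tld", "A", "192.168.1.11"),
    ("11.1.168.192.in-addr.arpa", "PTR", "sam-dc1.internal.domain.tld"),
    ("dc1.internal.domain.tld", "CNAME", "sam-dc1.internal.domain.tld"),
    ("sam-mem1.internal.domain.tld", "A", "192.168.1.21"),
    # PTR filed under 192.168.0.x although the host lives in 192.168.1.x
    ("21.0.168.192.in-addr.arpa", "PTR", "sam-mem1.internal.domain.tld"),
    # CNAME saved with an empty data part
    ("fs1.internal.domain.tld", "CNAME", ""),
    ("web1.internal.domain.tld", "CNAME", "fs1.internal.domain.tld"),
]


def norm(name):
    return name.strip().rstrip(".").lower()


def check_records(records):
    """Return a list of problems found in (name, type, data) DNS records."""
    tables = {"A": {}, "PTR": {}, "CNAME": {}}
    problems = []
    for name, rtype, data in records:
        name, data = norm(name), norm(data)
        if not data:
            problems.append(f"{rtype} {name}: data part is empty")
        elif rtype in ("PTR", "CNAME") and "." not in data:
            problems.append(f"{rtype} {name}: data '{data}' is not an FQDN")
        elif rtype in tables:
            tables[rtype][name] = data
    a, ptr, cname = tables["A"], tables["PTR"], tables["CNAME"]
    # Every A record needs a PTR at the reversed address, pointing back at it.
    for host, ip in a.items():
        rev = ipaddress.ip_address(ip).reverse_pointer
        if ptr.get(rev) != host:
            problems.append(f"A {host} ({ip}): PTR {rev} is {ptr.get(rev)!r}")
    # Every alias must end, possibly via other aliases, at a host with an A record.
    for alias in cname:
        seen, cur = set(), alias
        while cur in cname and cur not in seen:
            seen.add(cur)
            cur = cname[cur]
        if cur not in a:
            problems.append(f"CNAME {alias}: ends at {cur}, which has no A record")
    return problems


if __name__ == "__main__":
    for line in check_records(SAMPLE):
        print(line)
```

On the sample it reports three problems: the empty fs1 CNAME, the missing PTR at 21.1.168.192.in-addr.arpa, and web1, whose alias chain stops at fs1.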