samba - Apr 2020 - steps to get automatic home folder created at user logon windows 10 with samba 4.9.5-Debian

Hello everybody,

I been at this for more then a week and went through the archives and 
wiki but can not get it to work.

I been trying to follow these steps:
https://wiki.samba.org/index.php/User_Home_Folders

wanted behavior:

samba-tool user create jdoe pass01 --login-shell /bin/bash --given-name 
"John Doe" --home-drive=H --home-directory="\\\SAMBA01\users\jdoe
--script-path=netlogon.bat

first logon on windows 10 pro domain member:
no \\SAMBA01\users\jdoe is created....

When I logon as SAMDOM/ADMINISTRATOR and create user with ADUC and fill 
in the profile the userdir is either added or it gives the error that 
the user dir already exist but in really it is not there, cashing issue?

How can I debug this all?

Kind regards,

Jelle de Jong

root at samba01:~# getfacl /srv/storage/users/
getfacl: Removing leading '/' from absolute path names
# file: srv/storage/users/
# owner: root
# group: domain\040users
# flags: -s-
user::rwx
user:root:rwx
user:10512:rwx
user:10513:r-x
group::r-x
group:NT\040Authority\\authenticated\040users:r-x
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10512:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---


root at samba01:~# cat /etc/samba/smb.conf
[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.POWERCRAFT.NL

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    #username map = /usr/local/samba/etc/user.map

    log file = /var/log/samba/%m.log
    log level = 1

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config SAMDOM:backend = rid
    #idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-999999
    #idmap config SAMDOM:unix_nss_info = yes

    template shell = /bin/bash
    template homedir = /home/%U

    idmap config SAMDOM:unix_primary_group = yes

    winbind enum users = yes
    winbind enum groups = yes

[documenten]
     path = /srv/storage/shares
     read only = No
     create mask = 0660
     directory mask = 0770
     inherit acls = Yes
     map acl inherit = Yes
     hide unreadable = Yes
     store dos attributes = Yes
     vfs objects = recycle
     recycle:touch_mtime = Yes
     recycle:versions = Yes
     recycle:keeptree = Yes

[openbaar]
     path = /srv/storage/guestshare
     store dos attributes = Yes
     writable = yes
     printable = no
     only guest = yes
     public = yes
     guest ok = yes
     guest only = yes
     guest account = nobody
     browsable = yes
     create mask = 0660
     directory mask = 0770
     inherit acls = Yes
     map acl inherit = Yes
     hide unreadable = Yes
     store dos attributes = Yes

[users]
     path = /srv/storage/users/
     read only = No

[profiles]
     path = /srv/storage/profiles/
     browseable = No
     read only = No
     force create mode = 0600
     force directory mode = 0700
     csc policy = disable
     store dos attributes = yes
     vfs objects = acl_xattr

I don't know exactly what you are trying to achieve, but isn't the
notion of
"home folder" somewhat a thing of the past? I use Folder Redirection
with
Windows 10 clients (and Windows 7 before) and it works like a charm. User
Profile folders are created automatically at first login. Furthermore, it
gives most of the advantages of roaming profiles without their huge
disadvantages in today's environment. All your users' profiles are
nicely
hosted in the same place on a server and you can very easily backup them
all. To increase privacy, you can use "hide unreadable = yes" at the
share
level.

On 2020-04-30 00:55, miguel medalha wrote:
> I don't know exactly what you are trying to achieve, but isn't the
notion of
> "home folder" somewhat a thing of the past? I use Folder
Redirection with
> Windows 10 clients (and Windows 7 before) and it works like a charm. User
> Profile folders are created automatically at first login. Furthermore, it
> gives most of the advantages of roaming profiles without their huge
> disadvantages in today's environment. All your users' profiles are
nicely
> hosted in the same place on a server and you can very easily backup them
> all. To increase privacy, you can use "hide unreadable = yes" at
the share
> level.
I got Folder Redirection on as well but I want to redirect to the users 
homeDirectory and for that this directory needs to be automatic created.

I got my profile and users share on my samba fileserver and not addc.

The profile is created file, but the homeDirectory is not... and then 
the folder redirection is failing as well.

# cat 
/var/lib/samba/sysvol/samdom.powercraft.nl/Policies/\{5B881613-EA4F-4E6B-B4E9-3B219AE86C44\}/User/Documents\
\&\ Settings/fdeploy.ini
??

[FolderStatus]
My Pictures=2
My Documents=0
[My Pictures]
[My Documents]
s-1-1-0=\\%HOMESHARE%%HOMEPATH%

On 4/29/20 5:55 PM, miguel medalha via samba wrote:
> I don't know exactly what you are trying to achieve, but isn't the
notion of
> "home folder" somewhat a thing of the past? I use Folder
Redirection with
> Windows 10 clients (and Windows 7 before) and it works like a charm. User
> Profile folders are created automatically at first login. Furthermore, it
> gives most of the advantages of roaming profiles without their huge
> disadvantages in today's environment. All your users' profiles are
nicely
> hosted in the same place on a server and you can very easily backup them
> all. To increase privacy, you can use "hide unreadable = yes" at
the share
> level.
> 
> 
Just for my own education, isn't folder redirection limited to the
"shell
folders" like Documents, Downloads, Desktop, Videos, Pictures and such?

With that said, I do have some users "shell folders" redirected to my
Samba
server.

But, I also can do the home folder thing as well and can understand there might 
be cases where that's preferred since not everything in your home (and
correct
me if I'm wrong) is "redirectable" in the way I think we're
talking about.

Mandi! Jelle de Jong via samba
  In chel di` si favelave...
> first logon on windows 10 pro domain member:
> no \\SAMBA01\users\jdoe is created....
I don't know if this is a fix, but for home folder/drive, i use a 'root
preexec' script, that create the folder and set some other things (eg,
mostly quota).

For me:
	root preexec = /etc/samba/createhome "%U"

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On 29/04/2020 22:07, Jelle de Jong via samba wrote:
> Hello everybody,
>
> I been at this for more then a week and went through the archives and 
> wiki but can not get it to work.
>
>
> root at samba01:~# cat /etc/samba/smb.conf
> [global]
>
> ?? #username map = /usr/local/samba/etc/user.map
You need the user.map
>
>
> ?? idmap config SAMDOM:backend = rid
> ?? idmap config SAMDOM:range = 10000-999999
You need to use the 'ad' backend
>
> ?? template homedir = /home/%U
I think that is your problem right there, if you are trying to create a 
link something like map 'H:' to '/home/%U' in the
'profiles' tab (%U
could be a username), it will not work. This was raised here recently 
and I said it didn't work, well it does, provide you do not specify
'%U'
in the share path in smb.conf, the only possible problem could be the 
permissions the users dir gets created with and you can fix that with a 
'root preexec' script.
>
> ?? idmap config SAMDOM:unix_primary_group = yes
That only works with the 'ad' backend
>
> ?? winbind enum users = yes
> ?? winbind enum groups = yes
Never set those, they just slow things down.
>
> [documenten]
> ??? path = /srv/storage/shares
> ??? read only = No
> ??? create mask = 0660
> ??? directory mask = 0770
> ??? inherit acls = Yes
> ??? map acl inherit = Yes
> ??? hide unreadable = Yes
> ??? store dos attributes = Yes
> ??? vfs objects = recycle
You have turned acl_xattr off

Rowland

On 30/04/2020 08:32, Marco Gaiarin via samba wrote:
> I don't know if this is a fix, but for home folder/drive, i use a
'root
> preexec' script, that create the folder and set some other things (eg,
> mostly quota).
>
> For me:
> 	root preexec = /etc/samba/createhome "%U"
>
How does your script know where to create the users homedir ?

Rowland

On 2020-04-30 09:49, Rowland penny via samba wrote:
> On 29/04/2020 22:07, Jelle de Jong via samba wrote:
>> Hello everybody,
>>
>> I been at this for more then a week and went through the archives and 
>> wiki but can not get it to work.
>>
>>
>> root at samba01:~# cat /etc/samba/smb.conf
>> [global]
>>
>> ?? #username map = /usr/local/samba/etc/user.map
> You need the user.map
>>
>>
>> ?? idmap config SAMDOM:backend = rid
>> ?? idmap config SAMDOM:range = 10000-999999
> You need to use the 'ad' backend
>>
>> ?? template homedir = /home/%U
> I think that is your problem right there, if you are trying to create a 
> link something like map 'H:' to '/home/%U' in the
'profiles' tab (%U
> could be a username), it will not work. This was raised here recently 
> and I said it didn't work, well it does, provide you do not specify
'%U'
> in the share path in smb.conf, the only possible problem could be the 
> permissions the users dir gets created with and you can fix that with a 
> 'root preexec' script.
>>
>> ?? idmap config SAMDOM:unix_primary_group = yes
> That only works with the 'ad' backend
>>
>> ?? winbind enum users = yes
>> ?? winbind enum groups = yes
> Never set those, they just slow things down.
>>
>> [documenten]
>> ??? path = /srv/storage/shares
>> ??? read only = No
>> ??? create mask = 0660
>> ??? directory mask = 0770
>> ??? inherit acls = Yes
>> ??? map acl inherit = Yes
>> ??? hide unreadable = Yes
>> ??? store dos attributes = Yes
>> ??? vfs objects = recycle
> You have turned acl_xattr off
I never was able to get the backend = ad working

I only need my user to be able to login to Windows 10 systems from a 
domain joined machine.

This is how I add my users:

samba-tool user create lgaga passwd --login-shell /bin/bash --given-name 
"Lady Gaga" --home-drive=H
--home-directory="\\\SAMBA01\users\lgaga"

Based on this wiki https://wiki.samba.org/index.php/Idmap_config_ad I 
tried the bellow configuration again but it did now work. getent passwd 
user or id user does not do anything. I think I am missing the 
prerequisites when using samba-tool to create the user as above?

Can I use the rid backend when I just want windows users to have file 
access?

root at samba01:~# cat /etc/samba/smb.conf
[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.HUIGHAVERLAG.NL

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    username map = /usr/local/samba/etc/user.map

    log file = /var/log/samba/%m.log
    log level = 1

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

#  idmap config SAMDOM:backend = rid
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-999999
    idmap config SAMDOM:unix_nss_info = yes

#  template shell = /bin/bash
#  template homedir = /home/%U

    idmap config SAMDOM:unix_primary_group = yes

[documenten]
     path = /srv/storage/shares
     read only = No
     create mask = 0660
     directory mask = 0770
     inherit acls = Yes
     map acl inherit = Yes
     hide unreadable = Yes
     store dos attributes = Yes
     vfs objects = recycle
     recycle:touch_mtime = Yes
     recycle:versions = Yes
     recycle:keeptree = Yes

[openbaar]
     path = /srv/storage/guestshare
     store dos attributes = Yes
     writable = yes
     printable = no
     only guest = yes
     public = yes
     guest ok = yes
     guest only = yes
     guest account = nobody
     browsable = yes
     create mask = 0660
     directory mask = 0770
     inherit acls = Yes
     map acl inherit = Yes
     hide unreadable = Yes
     store dos attributes = Yes

[users]
     path = /srv/storage/users/
     read only = No
     root preexec = /usr/local/bin/samba-mkdir-home %H %U

[profiles]
     path = /srv/storage/profiles/
     read only = No
     browsable = yes