Hi all

I have started to rebuild a client's samba environment from scratch on Debian. The plan is to use Samba AD instead of Windows AD, and to use a Samba FS for everything else. AFAIK the AD and FS setup is done correctly since I can logon from a Windows client, map home drive and map application drives.

The problem is that roaming profiles don't work. I have linked to a screenshot taken on the Windows 10 desktop that shows

Event log error
Profile share permissions
Profile folder permissions
Folder with mapped drives (done by netlogon script run from sysvol)
The user account settings

https://drive.google.com/file/d/1vMRAGJn-01UWARN5Hs8LflMKDtaOt6vU/view?usp=sharing

ACL permissions for the Profiles share

root@fs1-hplts:/samba# getfacl Profiles/
# file: Profiles/
# owner: root
# group: root
user::rwx
user:root:rwx
user:30512:rwx
user:30513:r-x
group::---
group:root:---
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:30512:rwx
default:group::---
default:group:root:---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

The samba FS config goes here (I changed the profiles share to browsable in order to view the share for troubleshooting)

[global]
    workgroup = HPLTS
    server role = MEMBER SERVER
    security = ADS
    realm = HOGANAS-PLATSLAGAREN.SE
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string ="Fileserver Samba4 %h"
    log file = /var/log/samba/%m.log
    log level = 5
    max logsize = 2000
    username map = /etc/samba/user.map
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    idmap config HPLTS : backend = rid
    idmap config HPLTS : range = 30000-40000
    encrypt passwords = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind expand groups = yes
    winbind use default domain = yes
    os level = 20
    domain master = no
    local master = no
    preferred master = no
    map to guest = bad user
    host msdfs = no
    netbios name = fS1-hplts
    client min protocol = SMB2
    client max protocol = SMB3
    unix extensions = no
    reset on zero vc = yes
    hide unreadable = yes
    acl group control = yes
    acl map full control = yes
    ea support = yes
    vfs objects = acl_xattr recycle
    map acl inherit = yes
    store dos attributes = yes
    dos filemode = yes
    dos filetimes = yes
    restrict anonymous = 2
    strict allocate = yes
    guest ok = no
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    interfaces = lo enp1s0
    bind interfaces only = yes

[Users]
    comment = "User home directories"
    path = /samba/Users
    browseable = yes
    read only = no
    force create mode = 0660
    force directory mode = 2770

[Profiles]
    comment = "User roaming profiles"
    path = /samba/Profiles
    browseable = yes
    read only = no
    force create mode = 0660
    force directory mode = 2770

[Documents]
    comment = "Shared documents"
    path = /samba/Documents
    browseable = yes
    read only = no
    force create mode = 0660
    force directory mode = 2770

[Setup]
    comment = "Setup applications"
    path = /samba/Setup

[Legacy]
    comment = "Legacy applications (DOS & 16-bit)"
    path = /samba/Legacy

[Robotics]
    comment = "Industrial systems"
    path = /samba/Robotics

The samba AD config is this one

[global]
    netbios name = DC1-HPLTS
    realm = HOGANAS-PLATSLAGAREN.SE
    server role = active directory domain controller
    workgroup = HPLTS
    idmap_ldb:use rfc2307 = yes
    dns forwarder = 8.8.8.8
    allow dns updates

[netlogon]
    path = /var/lib/samba/sysvol/hoganas-platslagaren.se/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
You should use a GPO to assign the profiles and not the setting of each user. The profile directory of each user will be created by the user account, so the permissions on /samba/profile should be "1770 root domain users".

On 06.02.21 at 10:47, Anders Östling via samba wrote:
> [...]

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
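The two halves of this thread, as an added example that is not part of either message: the first functions audit the getfacl output Anders posted (the group that holds the profile users only has r-x on the share root, so the client cannot create the user's profile folder there), and the last two apply and verify the 1770 root:"domain users" layout Stefan recommends. The getfacl text is the one from the thread, embedded so the script runs offline; the stand-alone run at the bottom works on a temporary directory with the caller's own primary group, because /samba/Profiles and the "domain users" group need root and a joined domain. Function names are mine.

```shell
# Added example, not from the thread. Part 1 audits a getfacl dump of a
# roaming-profile share root: Windows creates <share>\<user>.V6 itself at the
# first logon, so the group holding all profile users ("domain users" here)
# needs write permission on the share root, and named entries are filtered by
# the ACL mask. Part 2 prepares a share root the way the reply recommends
# (mode 1770, root-owned, profile users' group as group owner) and verifies it.
# SAMPLE_ACL is the access ACL posted in the thread, embedded to run offline.

SAMPLE_ACL='# file: Profiles/
# owner: root
# group: root
user::rwx
user:root:rwx
user:30512:rwx
user:30513:r-x
group::---
group:root:---
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040users:r-x
mask::rwx
other::---'

# acl_perms GROUP < getfacl-output
# Prints the effective permission triplet of the named group entry (access ACL
# only; default: entries are skipped). getfacl escapes spaces as \040, which is
# undone before comparing, and named entries are ANDed with the mask line.
acl_perms() {
    awk -F: -v g="$1" '
        $1 == "group" && $2 != "" { n = $2; gsub(/\\040/, " ", n); if (n == g) p = $3 }
        $1 == "mask" { m = $3 }
        END {
            if (p == "") exit 0
            if (m == "") m = "rwx"
            eff = ""
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1)
                eff = eff (substr(m, i, 1) == c ? c : "-")
            }
            print eff
        }'
}

# profile_acl_check GROUP < getfacl-output
# Returns 0 when the group can create entries in the share root (has w),
# 1 when it is read-only or has no entry at all. Prints a one-line verdict.
profile_acl_check() {
    perms=$(acl_perms "$1")
    case "$perms" in
        *w*) echo "OK: '$1' has $perms on the profile root"; return 0 ;;
        "")  echo "FAIL: '$1' has no ACL entry on the profile root"; return 1 ;;
        *)   echo "FAIL: '$1' has $perms and cannot create its profile folder"; return 1 ;;
    esac
}

# prepare_profile_root DIR GROUP
# 1770: owner and group can create entries, "other" gets nothing, and the
# sticky bit lets a user rename or delete only entries they own, so one
# profile user cannot remove or replace another user's profile folder.
prepare_profile_root() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 1770 "$1"
}

# verify_profile_root DIR GROUP -> 0 when the mode is exactly 1770 and the
# group owner matches (GNU stat, as shipped on Debian).
verify_profile_root() {
    [ "$(stat -c '%a' "$1")" = "1770" ] && [ "$(stat -c '%G' "$1")" = "$2" ]
}

# Stand-alone run: audit the posted ACL, then prepare and verify a temp root
# (own primary group stands in for "domain users").
printf '%s\n' "$SAMPLE_ACL" | profile_acl_check "domain users" || :
tmp=$(mktemp -d)
prepare_profile_root "$tmp/Profiles" "$(id -gn)"
if verify_profile_root "$tmp/Profiles" "$(id -gn)"; then
    echo "OK: $tmp/Profiles is mode 1770 with group owner $(id -gn)"
fi
rm -rf "$tmp"
```

Against the posted ACL the audit reports that "domain users" only has r-x; rerun it after changing the share root and it should report rwx. The mask handling matters on shares where Windows clients have set ACLs: a group entry can read rwx while the mask reduces it to r-x, and getfacl only shows that as a separate `#effective:` comment, which this parser does not rely on.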