[Samba] How to debug not working Roaming profiles on Samba 4 AD setup?
Thomas DEBESSE
2016-06-27 20:03:30 UTC
Hi, some months ago I was serving files and profiles using a Samba 3
PDC server (I will name it PDCSERV); these are some extracts from its smb.conf:

PDCSERV:/etc/samba/smb.conf

[global]
logon path = \\%N\profile
logon drive = U:
logon home = \\%N\%U
logon script = "logon.cmd"
valid users = %S

[homes]
path = "/home/%U/userdisk"
browseable = No
read only = No
writeable = Yes
public = No
create mask = 2700
directory mask = 0700
valid users = %S

[profile]
path = /home/%U/profile
browsable = No
writeable = Yes
create mask = 0600
directory mask = 0700
profile acls = Yes
csc policy = disable

[profile.v2]
path = /home/%U/profile.v2
browseable = No
writeable = Yes
create mask = 0600
directory mask = 0700
profile acls = Yes
csc policy = disable

Roaming profiles were working fine; they were backed up at user logout.

Then I migrated my setup to a Samba 4 AD server (I will name it ADSERV) and
a Samba 4 file server (I will name it FILESERV); these are some extracts
from the smb.conf files of ADSERV and FILESERV:

ADSERV:/etc/samba/smb.conf

[global]
logon path = \\FILESERV\profile
logon drive = U:
logon home = \\FILESERV\%U
logon script = "logon.cmd"
valid users = %S

FILESERV:/etc/samba/smb.conf

[homes]
path = "/home/%U/userdisk"
browseable = No
read only = No
writeable = Yes
public = No
create mask = 2700
directory mask = 0700
valid users = %S

[profile]
path = /home/%U/profile
browsable = No
writeable = Yes
create mask = 0600
directory mask = 0700
profile acls = Yes
csc policy = disable

[profile.v2]
path = /home/%U/profile.v2
browseable = No
writeable = Yes
create mask = 0600
directory mask = 0700
profile acls = Yes
csc policy = disable

From a logged-in client, I can successfully browse \\FILESERV\homes,
\\FILESERV\username (another view of \\FILESERV\homes), \\FILESERV\profile
and \\FILESERV\profile.v2.

But the roaming profiles are not backed up at logout. At all. None of them.

Since I have a logon.cmd that mounts U: to \\FILESERV\homes plus some
registry keys that redirect Desktop and some files to U:\something, I never
lose any user data, but I lose all user configuration when the user's
computer gets replaced, since the user profile is never backed up to the
server at logout. For stuff like the desktop background image it's not a big
problem, because users know how to set it and having it broken does not
prevent them from working, but it's very annoying when users lose some
configuration they need to do their job, like per-user options in the printer
configuration.

For information, Samba assumes these options on my Samba 4 system (seen
using testparm -v):

[global]
fstype = NTFS
store dos attributes = No

I don't remember what the defaults were on Samba 3; I have no Samba 3 servers
anymore.

My domain is an AD domain with Samba 4 servers (both AD and file servers)
and Windows 7/10 clients; there are no Windows servers at all.

So, unless I'm missing something, all the things above look legitimate. So my
question is: how can I debug my setup? What are the things I must look for
to find what is not working?
--
Thomas DEBESSE
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
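One concrete thing to look for on FILESERV when profiles never come back is the state of the profile directory itself: a profile that is never written back leaves no profile.v2 directory at all, while one that was written with the wrong owner or with group/world permission bits will not be loaded by the client. The following audit script is an added example, not code from the thread or from the Samba project. It assumes GNU find (for the `-perm /mode` test), the /home/users/<user>/profile.v2 layout from the complete FILESERV configuration later in the thread, the share's `directory mask = 0700` / `create mask = 0600`, and user names that resolve locally through winbind.

```shell
#!/bin/sh
# Added example (not from the thread): audit a user's roaming-profile directory
# on FILESERV. Assumptions: GNU find ("-perm /mode"), the
# /home/users/<user>/profile.v2 layout of the thread, and user names that
# winbind resolves locally ("winbind use default domain = Yes").
PROFILE_BASE="${PROFILE_BASE:-/home/users}"

# audit_profile_dir USER [DIR]
# Prints one line per finding (MISSING, OWNER, DIRMODE, FILEMODE) and returns 1
# when anything is wrong; prints "OK <dir>" and returns 0 when the tree is owned
# by USER, directories are 0700 and files are 0600 (the share's masks).
audit_profile_dir() {
    user="$1"
    dir="${2:-$PROFILE_BASE/$user/profile.v2}"

    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir (nothing has been written back for $user)"
        return 1
    fi

    # Entries not owned by the user: the client creates them over SMB as that
    # user, so any other owner points at a share or idmap problem.
    bad_owner=$(find "$dir" ! -user "$user" | sed 's/^/OWNER    /')
    # Any group or world bit set: more permissive than the share's masks.
    bad_dirs=$(find "$dir" -type d -perm /077 | sed 's/^/DIRMODE  /')
    bad_files=$(find "$dir" -type f -perm /077 | sed 's/^/FILEMODE /')

    findings=$(printf '%s\n%s\n%s\n' "$bad_owner" "$bad_dirs" "$bad_files" | sed '/^$/d')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK       $dir"
    return 0
}

# Usage: ./audit-profiles.sh alice bob ...  (run as root; exit 1 if any user failed)
rc=0
for u in "$@"; do
    audit_profile_dir "$u" || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```

A MISSING result for every user matches the symptom described in the thread (the client never writes the profile back), which is a client-side or AD-attribute problem rather than a permission problem on the share; OWNER or mode findings instead point at the file server.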
Thomas DEBESSE
2016-06-27 21:42:37 UTC
Hi, thank you for your answer.
> Are the 'File servers' joined to the domain ?
Yes
> Are the smb.conf files you posted complete
No, they are abstracted ones, because they are very long
> if not, can you post the complete ones, exactly as they are on the
> computers (you can sanitize them if you need to)
Yes
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
I've read that page but it did not help me… :(

So, following are the complete files, if you're OK with that. I just
applied a sed substitution to hide some sensitive names (using the
nomenclature defined above, since the servers' pet names will mean
nothing to you), and removed some data shares that work very well and are
completely unrelated (by the way, I kept the unrelated "partage" share as an
example, even if it's unrelated to my current problem).

So, the "PDCSERV" config was the now-disabled all-in-one Samba 3 PDC server.
The "ADSERV" is the current AD DC Samba 4 server, and the "FILESERV" is the
current file sharing server (hosting homes and profiles). I also have some
other file servers, but they are totally unrelated to the problems described
here since they just serve optional files for some people (like the
"partage" share described below). I also give you my logon.cmd so you can see
how the machinery works.

As you can see, previous home paths were /home/users/%u and previous
profile paths were /home/users/%u/.profile.v2; home paths are now
/home/users/%u/userdisk, and profile paths are now /home/users/%u/profile.v2.
I just put the profile outside the home disk, which is recommended.

---------------------------------------------------------------------------
PDCSERV:

[global]
workgroup = DOMAIN
netbios name = PDCSERV
server string = "Server"

wins support = yes
dns proxy = no
unix extensions = no

log file = /var/log/samba/log.%m
log level = 4
debug level = 4
max log size = 5000
syslog = 0

panic action = /usr/share/samba/panic-action %d
encrypt passwords = true

passdb backend = smbpasswd:/etc/samba/smbpasswd
obey pam restrictions = yes
unix password sync = yes

passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

domain logons = yes
logon path = \\%N\profile
logon drive = U:
logon home = \\%N\%U
logon script = logon.cmd
domain master = auto

[homes]
comment = Dossier Personnel de %U
path = /home/users/%U/.windows
browseable = no
wide links = Yes
follow symlinks = Yes
writable = yes
read only = no
create mask = 2770
directory mask = 2770
public = no
hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/$RECYCLE.BIN/
veto files = /.profile/.profile.v2/*.desktop/

[netlogon]
path = /etc/samba/netlogon
guest ok = no
writeable = yes
browseable = no
write list = ntadmin

[profile]
path = /home/users/%U/.profile
browsable = no
writeable = yes
create mask = 0600
directory mask = 0700
profile acls = yes
csc policy = disable
hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/

[profile.v2]
path = /home/users/%U/.profile.v2
browseable = no
writeable = yes
create mask = 0600
directory mask = 0700
profile acls = yes
csc policy = disable
hide files = /Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*.desktop/

[partage]
path = /home/partage
comment = "Partage Commun a tous"
browsable = yes
read only = no
create mask = 777
directory mask = 777

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no


---------------------------------------------------------------------------
ADSERV:/etc/samba/smb.conf

[global]
workgroup = DOMAIN
realm = DOMAIN.REALM
netbios name = ADSERV
server role = active directory domain controller

domain logons = Yes
domain master = Yes

wins support = Yes
dns proxy = No

idmap_ldb:use rfc2307 = Yes

syslog = 1
log level = 4

panic action = /usr/share/samba/panic-action %d

printing = bsd
printcap name = /dev/null
load printers = No
disable spoolss = Yes

logon path = \\FILESERV\profile
logon drive = U:
logon home = \\FILESERV\%U
logon script = "logon.cmd"

[netlogon]
comment = "Service d’identification réseau"
path = /var/lib/samba/sysvol/savane.saba/scripts
guest ok = No
writeable = Yes
read only = No
browseable = No
write list = ntadmin

[sysvol]
path = /var/lib/samba/sysvol
read only = No
browseable = No


---------------------------------------------------------------------------
FILESERV:/etc/samba/smb.conf

[global]
workgroup = DOMAIN
realm = DOMAIN.REALM
netbios name = FILESERV
security = ADS

dfree command = /usr/local/bin/smb-dfree.sh

log file = /var/log/samba/log.%m
log level = 4
max log size = 1000
syslog = 2

panic action = /usr/share/samba/panic-action %d

server role = member server

local master = No
domain master = No
preferred master = No

encrypt passwords = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

winbind refresh tickets = Yes
winbind trusted domains only = No
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes

idmap config *:backend = tdb
idmap config *:range = 2000-9999

idmap config DOMAIN:backend = rid
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-30000

winbind nss info = template
template shell = /bin/false
template homedir = /home/users/%U

usershare allow guests = Yes

printing = bsd
printcap name = /dev/null
load printers = No
disable spoolss = Yes

unix extensions = No
hide special files = Yes
hide unreadable = Yes
hide dot files = Yes
hide files = /Bureau/AppData/Desktop.ini/desktop.ini/outlook*.lnk/*Briefcase*/*~/~$*/$RECYCLE.BIN/Thumbs.db/.DS_Store/*.desktop/
veto files = /.fuse_*/lost+found/aquota.group/aquota.user/

[homes]
comment = "Dossier personnel de %u"
path = "/home/users/%U/userdisk"
browseable = No
read only = No
writeable = Yes
public = No
wide links = Yes
follow symlinks = Yes
create mask = 2770
directory mask = 2770
force group = "users-%U"
valid users = %S

[partage]
comment = "Partage commun à tous"
path = /home/partage
browsable = Yes
read only = No
create mask = 2770
directory mask = 2770

[profile]
comment = "Profil NT5 (Windows XP)"
path = /home/users/%U/profile
browsable = No
writeable = Yes
create mask = 0600
directory mask = 0700
force group = "users-%U"
profile acls = Yes
csc policy = disable

[profile.v2]
comment = "Profil NT6 (Windows 7 etc.)"
path = /home/users/%U/profile.v2
browseable = No
writeable = Yes
create mask = 0600
directory mask = 0700
force group = "users-%U"
profile acls = Yes
csc policy = disable

---------------------------------------------------------------------------
ADSERV:/var/lib/samba/sysvol/savane.saba/scripts/logon.cmd

NET USE U: \\FILESERV\homes
NET USE P: \\FILESERV\partage

REGEDIT /S \\ADSERV\netlogon\common.reg
--
Thomas DEBESSE
Thomas DEBESSE
2016-06-28 11:23:43 UTC
> OK, I think your problem is that you are trying to run your AD domain as
> if it is still an NT4-style domain.

This does not sound like a surprise to me. ;-)

> with AD, you would add […] to each user's object in AD. You can do this
> with ADUC or by creating an ldif file on the DC and then use ldbmodify to
> add it.

Oh, yes, you're right, I had to do the same for the logon.cmd; I already
have a pdbedit call for the logon.cmd stuff in the user creation script I
wrote myself.
I did that for the logon.cmd stuff, for each user:

pdbedit --script="logon.cmd" "${user_name}"

I suppose I can use the --profile=, --drive= and --homedir= options of
pdbedit to do the same things you recommend without having to deal with an
ldif file.

Too bad these values can't be forced by a template on the AD DC. I will try
these options tonight when everyone is logged out.

> did you know that 'writeable = Yes' is the same as 'read only = No'?
> There is no point in having both.

Yes, these smb.conf files are more than 15 years old; I have been modifying
them continuously whenever I updated something through the ages, so I will not
be surprised if some stuff is superfluous or some crap remains.

> I would suggest you follow the Samba wiki and use ACLs instead of the old
> style 'create mask' etc

I will look at it with interest; currently I don't need more, and that part,
even if old, works very well. :-)
Post by Rowland
> OK, I think your problem is that you are trying to run your AD domain as
> if it is still an NT4-style domain.
> I suggest you re-read the page I pointed you to and also other pages in
> the Samba wiki.
>
> logon path = \\FILESERV\profile
> logon home = \\FILESERV\%U
> logon script = "logon.cmd"
>
> profilePath: \\FILESERV\profile
> scriptPath: logon.cmd
> homeDirectory: \\FILESERV\%U
>
> to each user's object in AD. You can do this with ADUC or by creating an
> ldif file on the DC and then use ldbmodify to add it.
> I would also look carefully at your smb.conf files, referencing 'man
> smb.conf'; for instance, did you know that 'writeable = Yes' is the
> same as 'read only = No'? There is no point in having both.
> I would suggest you follow the Samba wiki and use ACLs instead of the old
> style 'create mask' etc
> Rowland
--
Thomas DEBESSE
Thomas DEBESSE
2016-06-28 12:33:51 UTC
> If you need to create new users, you could investigate 'samba-tool user
> create --help' on a Samba DC, or you can write a script around pdbedit to
> update your users.

I did that for my own user:

pdbedit --drive='U:' --homedir='\\FILESERV\thd' --profile='\\FILESERV\profile' --user='thd'

And it worked! :-) Thank you very much, I will do that for all my users
soon to fix them, and update my user creation script with that pdbedit call
for future user creation, as I already do for the logon script path.

--
Thomas DEBESSE
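Rowland's suggestion of "a script around pdbedit to update your users" and the single-user command that fixed the problem generalise to the script below, which applies the same four attributes (homeDrive, homeDirectory, profilePath, scriptPath) to every user named on its command line and reads them back afterwards. It is an added example, not code from the thread or from Samba; it assumes it runs as root on the Samba AD DC, uses the thread's FILESERV, U: and logon.cmd names, and changes nothing unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): apply the per-user logon
# attributes stored on the AD user object with pdbedit, for every user given
# on the command line. Assumptions: runs as root on the Samba AD DC; FILESERV,
# U: and logon.cmd are the names used in the thread. Nothing is written unless
# DRY_RUN=0 is set; the default only prints the commands it would run.
FILESERV="${FILESERV:-FILESERV}"
DRIVE="${DRIVE:-U:}"
SCRIPT="${SCRIPT:-logon.cmd}"
DRY_RUN="${DRY_RUN:-1}"

# Render the exact command for one user. In a printf format "\\" is one
# backslash, so the UNC paths come out as \\FILESERV\<user> and
# \\FILESERV\profile, exactly as in the single-user command from the thread.
build_pdbedit_cmd() {
    printf 'pdbedit --drive=%s --homedir=\\\\%s\\%s --profile=\\\\%s\\profile --script=%s --user=%s\n' \
        "$DRIVE" "$FILESERV" "$1" "$FILESERV" "$SCRIPT" "$1"
}

# Apply the attributes for one user, then read them back with pdbedit so the
# stored values can be checked in the same run.
apply_user() {
    user="$1"
    if [ "$DRY_RUN" != 0 ]; then
        build_pdbedit_cmd "$user"
        return 0
    fi
    # Inside double quotes "\\" is also one backslash: \\FILESERV\user.
    pdbedit --drive="$DRIVE" --homedir="\\\\$FILESERV\\$user" \
            --profile="\\\\$FILESERV\\profile" --script="$SCRIPT" --user="$user" \
    && pdbedit --verbose --user="$user" \
       | grep -E 'Home Directory|HomeDir Drive|Logon Script|Profile Path'
}

# Usage: DRY_RUN=0 ./set-logon-attrs.sh $(samba-tool user list)
for u in "$@"; do
    apply_user "$u"
done
```

Running it once without DRY_RUN=0 shows the commands that would be issued, which is a cheap way to confirm the backslash quoting is right before touching every user object; the read-back with `pdbedit --verbose` afterwards confirms the attributes landed on the object without opening ADUC.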