Troubles on Roaming Profiles...

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

Troubles on Roaming Profiles...

Samba - General mailing list

I've created a folder for roaming profiles:

 [profiles]
        comment = Network Profiles Share
        path = /srv/samba/profiles
        browseable = No
        store dos attributes = Yes
        csc policy = disable
        map acl inherit = Yes
        read only = No
        vfs objects = acl_xattr

Share permission and folder permission seems right, exactly as in:

        https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

I've created a policy, but profiles folder does not get created, and in
logs (windows events and samba log) i don't see nothing relevant.


How can i debug this? Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Troubles on Roaming Profiles...

Samba - General mailing list
On Thu, 30 Nov 2017 11:12:56 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

>
> I've created a folder for roaming profiles:
>
>  [profiles]
> comment = Network Profiles Share
> path = /srv/samba/profiles
> browseable = No
> store dos attributes = Yes
> csc policy = disable
> map acl inherit = Yes
> read only = No
> vfs objects = acl_xattr
>
> Share permission and folder permission seems right, exactly as in:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> I've created a policy, but profiles folder does not get created, and
> in logs (windows events and samba log) i don't see nothing relevant.
>
>
> How can i debug this? Thanks.
>

Is this on a DC ?

If it is, use windows ACLs

If it isn't, Try setting it up exactly like it is shown on the
wikipage, note that you only need the 'vfs objects' line if it isn't
set in [global]

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Troubles on Roaming Profiles...

Samba - General mailing list
Mandi! Rowland Penny via samba
  In chel di` si favelave...

> Is this on a DC ?

No, is a DM.


> If it isn't, Try setting it up exactly like it is shown on the
> wikipage, note that you only need the 'vfs objects' line if it isn't
> set in [global]

Wikipage say only:

  Create a new share. For details, see Setting up a Share Using Windows ACLs.

and https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
say exactly i'm added to my configuration; for a sake of completeness,
i've removed the 'csc policy = disable' and 'browseable = no' opts, but
nothing changed. Now my share is:

 [profiles]
        comment = Network Profiles Share
        path = /srv/samba/profiles
        store dos attributes = Yes
        map acl inherit = Yes
        read only = No
        vfs objects = acl_xattr

I've just double-checked again the ACL, and seems exactly as
specification (share and filesystem root spec). I say 'seems' because
there's also other ACL (CREATOR GROUP, Everyone, ...) that seems i
cannot remove (i've only sed 'Eeveryone' to 'no access').


I've manually created 'gaio.V2' folder, setting it gaio:"Domain Users"
700, but profiles still get not saved.
(supposing was a 'folder creation' trouble...)


If i set 'profile path' in user data, eg:

 root@vdmsv1:/srv/samba/profiles# ldbsearch -H ldap://vdcsv1 -P -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" profilePath | grep ^profilePath:
 profilePath: \\vdmsv1\profiles\gaio

roaming profile works as expected.


Boh...

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Troubles on Roaming Profiles...

Samba - General mailing list
I don't know if is relevant and maybe is the same as GPO that you've
created, but Ive a profiles folder with this configuration:

[profiles]
        path = /server/share/profiles
        read only = no
        browsable = no

Other options are on my smb.conf global section so is the same as your
configuration.

Next I've changed the profile path on the user configuration instead use a
GPO and is working as expected. Maybe is a way to test with an user if is a
problem of the GPO instead a share problem.

Greetings!!

2017-11-30 13:01 GMT+01:00 Marco Gaiarin via samba <[hidden email]>:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
>
> > Is this on a DC ?
>
> No, is a DM.
>
>
> > If it isn't, Try setting it up exactly like it is shown on the
> > wikipage, note that you only need the 'vfs objects' line if it isn't
> > set in [global]
>
> Wikipage say only:
>
>   Create a new share. For details, see Setting up a Share Using Windows
> ACLs.
>
> and https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> say exactly i'm added to my configuration; for a sake of completeness,
> i've removed the 'csc policy = disable' and 'browseable = no' opts, but
> nothing changed. Now my share is:
>
>  [profiles]
>         comment = Network Profiles Share
>         path = /srv/samba/profiles
>         store dos attributes = Yes
>         map acl inherit = Yes
>         read only = No
>         vfs objects = acl_xattr
>
> I've just double-checked again the ACL, and seems exactly as
> specification (share and filesystem root spec). I say 'seems' because
> there's also other ACL (CREATOR GROUP, Everyone, ...) that seems i
> cannot remove (i've only sed 'Eeveryone' to 'no access').
>
>
> I've manually created 'gaio.V2' folder, setting it gaio:"Domain Users"
> 700, but profiles still get not saved.
> (supposing was a 'folder creation' trouble...)
>
>
> If i set 'profile path' in user data, eg:
>
>  root@vdmsv1:/srv/samba/profiles# ldbsearch -H ldap://vdcsv1 -P -b
> DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" profilePath | grep ^profilePath:
>  profilePath: \\vdmsv1\profiles\gaio
>
> roaming profile works as expected.
>
>
> Boh...
>
> --
> dott. Marco Gaiarin                                     GNUPG Key ID:
> 240A3D66
>   Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento
> (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f
> +39-0434-842797
>
>                 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
>         (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Troubles on Roaming Profiles...

Samba - General mailing list
i've seen that is similar to your latest test.

What about a gpresult -h result.html. The GPo is appplied to the user?

Greetings!!

2017-11-30 13:29 GMT+01:00 Daniel Carrasco <[hidden email]>:

> I don't know if is relevant and maybe is the same as GPO that you've
> created, but Ive a profiles folder with this configuration:
>
> [profiles]
>         path = /server/share/profiles
>         read only = no
>         browsable = no
>
> Other options are on my smb.conf global section so is the same as your
> configuration.
>
> Next I've changed the profile path on the user configuration instead use a
> GPO and is working as expected. Maybe is a way to test with an user if is a
> problem of the GPO instead a share problem.
>
> Greetings!!
>
> 2017-11-30 13:01 GMT+01:00 Marco Gaiarin via samba <[hidden email]>
> :
>
>> Mandi! Rowland Penny via samba
>>   In chel di` si favelave...
>>
>> > Is this on a DC ?
>>
>> No, is a DM.
>>
>>
>> > If it isn't, Try setting it up exactly like it is shown on the
>> > wikipage, note that you only need the 'vfs objects' line if it isn't
>> > set in [global]
>>
>> Wikipage say only:
>>
>>   Create a new share. For details, see Setting up a Share Using Windows
>> ACLs.
>>
>> and https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Wi
>> ndows_ACLs
>> say exactly i'm added to my configuration; for a sake of completeness,
>> i've removed the 'csc policy = disable' and 'browseable = no' opts, but
>> nothing changed. Now my share is:
>>
>>  [profiles]
>>         comment = Network Profiles Share
>>         path = /srv/samba/profiles
>>         store dos attributes = Yes
>>         map acl inherit = Yes
>>         read only = No
>>         vfs objects = acl_xattr
>>
>> I've just double-checked again the ACL, and seems exactly as
>> specification (share and filesystem root spec). I say 'seems' because
>> there's also other ACL (CREATOR GROUP, Everyone, ...) that seems i
>> cannot remove (i've only sed 'Eeveryone' to 'no access').
>>
>>
>> I've manually created 'gaio.V2' folder, setting it gaio:"Domain Users"
>> 700, but profiles still get not saved.
>> (supposing was a 'folder creation' trouble...)
>>
>>
>> If i set 'profile path' in user data, eg:
>>
>>  root@vdmsv1:/srv/samba/profiles# ldbsearch -H ldap://vdcsv1 -P -b
>> DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" profilePath | grep ^profilePath:
>>  profilePath: \\vdmsv1\profiles\gaio
>>
>> roaming profile works as expected.
>>
>>
>> Boh...
>>
>> --
>> dott. Marco Gaiarin                                     GNUPG Key ID:
>> 240A3D66
>>   Associazione ``La Nostra Famiglia''
>> http://www.lanostrafamiglia.it/
>>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento
>> (PN)
>>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f
>> +39-0434-842797
>>
>>                 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
>>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
>>         (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
>
> --
> _________________________________________
>
>       Daniel Carrasco Marín
>       Ingeniería para la Innovación i2TIC, S.L.
>       Tlf:  +34 911 12 32 84 Ext: 223
>       www.i2tic.com
> _________________________________________
>



--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Troubles on Roaming Profiles...

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Thu, 30 Nov 2017 13:01:09 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
>
> > Is this on a DC ?
>
> No, is a DM.
>
>
> > If it isn't, Try setting it up exactly like it is shown on the
> > wikipage, note that you only need the 'vfs objects' line if it isn't
> > set in [global]
>
> Wikipage say only:
>
>   Create a new share. For details, see Setting up a Share Using
> Windows ACLs.
>
> and
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> say exactly i'm added to my configuration;

No it doesn't, it says:

[Demo]
       path = /srv/samba/Demo/
       read only = no

So, your profile share should be:

[profiles]
  comment = Network Profiles Share
  path = /srv/samba/profiles
  read only = No

Now set the ACLs from windows.

Your profile share is nearer the one to use if you are using POSIX ACLs

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Troubles on Roaming Profiles...

Samba - General mailing list
In reply to this post by Samba - General mailing list
Mandi! Daniel Carrasco via samba
  In chel di` si favelave...

> What about a gpresult -h result.html. The GPo is appplied to the user?

Mmmhhhh... seems me no. Clearly Microsoft help here, building an
Italian-language html file, but briefly i've defined a policy, only
one, in the sub-OU OU=FVG, and inside i've set profile path
(computer-oriented setting) and home path (user-based setting).

 + in computer summary, i've only:
        Local
        ad.fvg.lnf.it (the default/empty policy for the domain)

 + in user summary:
        ad.fvg.lnf.it (the default/empty policy for the domain)
        ad.fvg.lnf.it/FVG (my policy)

So effectively seems that the computer part of my policy get not
applied...

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Troubles on Roaming Profiles...

Samba - General mailing list
Hello,

The GPO must be linked to the computers OU also, then the computer part
will be applied too.

Greetings!!

2017-11-30 14:54 GMT+01:00 Marco Gaiarin via samba <[hidden email]>:

> Mandi! Daniel Carrasco via samba
>   In chel di` si favelave...
>
> > What about a gpresult -h result.html. The GPo is appplied to the user?
>
> Mmmhhhh... seems me no. Clearly Microsoft help here, building an
> Italian-language html file, but briefly i've defined a policy, only
> one, in the sub-OU OU=FVG, and inside i've set profile path
> (computer-oriented setting) and home path (user-based setting).
>
>  + in computer summary, i've only:
>         Local
>         ad.fvg.lnf.it (the default/empty policy for the domain)
>
>  + in user summary:
>         ad.fvg.lnf.it (the default/empty policy for the domain)
>         ad.fvg.lnf.it/FVG (my policy)
>
> So effectively seems that the computer part of my policy get not
> applied...
>
> --
> dott. Marco Gaiarin                                     GNUPG Key ID:
> 240A3D66
>   Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento
> (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f
> +39-0434-842797
>
>                 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
>         (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Troubles on Roaming Profiles...

Samba - General mailing list
In reply to this post by Samba - General mailing list
Mandi! Rowland Penny via samba
  In chel di` si favelave...

> > Wikipage say only:
> >   Create a new share. For details, see Setting up a Share Using
> > Windows ACLs.
> > and
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > say exactly i'm added to my configuration;

> No it doesn't, it says:

Ahem, the above link say also (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File):

 To configure shares using extended access control lists (ACL), you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:
 vfs objects = acl_xattr
 map acl inherit = yes
 store dos attributes = yes
 [...]
 Alternatively, to enable extended ACL support only for a specific share, add the parameters to the share's section.

Because i don't want to use on every share Windows ACL, i've simply
added that parameters to that share.


I've anyway tried to remove is, but clearly does not work: remeins only
POSIX ACL available, and so complex permission cannot be set (and,
groups like 'domain admins' that have no GID cannot be set at all).

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Troubles on Roaming Profiles...

Samba - General mailing list
In reply to this post by Samba - General mailing list
Mandi! Daniel Carrasco via samba
  In chel di` si favelave...

> The GPO must be linked to the computers OU also, then the computer part
> will be applied too.

But... why user part are hierarchical and computer part not? Computer
is on a sub-OU of the OU where the policy reside... wait...


AAARRGGH!!!! Damn me! ;(

I've just changed my test computer, and after joining it i've forgot to
move to the correct OUs.

Now also the computer policy work. ;-)


Sorry to all...

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Troubles on Roaming Profiles...

Samba - General mailing list
In reply to this post by Samba - General mailing list
on the workstation, run: rsop.msc and see what is working and not of the policies.


Greetz
Louis
(mobile)





Op 30 nov. 2017 om 15:57 heeft Marco Gaiarin via samba <[hidden email]> het volgende geschreven:


Mandi! Daniel Carrasco via samba
 In chel di` si favelave...

The GPO must be linked to the computers OU also, then the computer part
will be applied too.

But... why user part are hierarchical and computer part not? Computer
is on a sub-OU of the OU where the policy reside... wait...


AAARRGGH!!!! Damn me! ;(

I've just changed my test computer, and after joining it i've forgot to
move to the correct OUs.

Now also the computer policy work. ;-)


Sorry to all...

--
dott. Marco Gaiarin                        GNUPG Key ID: 240A3D66
 Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
 Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
 marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

       Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
     http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
   (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba