
[Samba] User profiles question




Hi,

I'm facing an issue where most users receive the error "The Group Policy Client service failed the logon. Access denied.". The fix so far is to delete a registry folder on the client machine, but there are cases where this does not work. For one user, I had to delete the account and create it again. The domain uses 3 centos7 + samba 4.5.5, with a fileserver running 4.4.4.

Reading https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles shows me that our setup does one thing different from the suggested configuration:

We do not have a profiles share. Instead, we put the user profile inside the user's home folder.

Are there recommendations regarding the profile location? Is it ok to have the user profile inside the home drive, instead of a specific share?

Here's the fileserver smb.conf, if it helps:

[global]
        netbios name = ULTRON
        security = ADS
        workgroup = E-TRUST
        realm = E-TRUST.COM.BR
        #dns forwarder = 192.168.2.27
        server role = member server

        # Default idmap config used for BUILTIN and local accounts/groups
        #idmap config *:backend = ad
        idmap config *:range = 2000-9999

        # Use settings from AD for login shell and home directory
        idmap_ldb:use rfc2307 = yes

        # idmap config for domain E-TRUST
        idmap config E-TRUST:backend = ad
        idmap config E-TRUST:schema_mode = rfc2307
        idmap config E-TRUST:range = 10000-40000

        # Winbind Configuration
        winbind enum groups = yes
        winbind enum users = yes
        winbind use default domain = yes
        winbind nss info = rfc2307

        #[cp 13.Oct.2016] Reduced the Winbindd cache
        idmap cache time = 30
        idmap negative cache time = 30
        winbind cache time = 30

        # Required on the domain member only
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        log level = 5
        log file = /var/log/samba/%M.log

        #[vbs 30.11.2016]180417 - removes vulnerability
        #"26920 - Microsoft Windows SMB NULL Session Authentication"
        restrict anonymous = 2


[home]
   comment = Diretorios de usuarios
   path = /compartilhamentos/home/
   browseable = no
   writable = yes
   guest ok = no
   create mask = 600
   directory mask = 700

--

	
Vinicius Silva
SOC


BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs@xxxxxxxxxxxxxx
skype: vinicius.bones.silva

	








www.e-trust.com.br <http://www.e-trust.com.br/>


This message may contain privileged and confidential information for the use of the intended recipients only. If you are not an intended recipient then you should not disseminate, copy, or take any action based on its contents. If you have received this message in error then please notify E-TRUST by sending an e-mail message to suporte@xxxxxxxxxxxxxx immediately. Views and opinions expressed in this message do not necessarily reflect the position of E-TRUST. If this message is digitally signed, its authenticity can be confirmed by E-TRUST Private Certificate Authority, available at www.e-trust.com.br.
