Active Directory
Evgeny Elizarov, 2012-06-18 13:02:53

Samba, AD, Terminal Server and roaming profiles?

There is AD on Win2008 and everything works fine. I set up a file server on CentOS with samba + kerberos for roaming profiles. Windows does not want to work with them. At logon: "Windows could not find a server copy of the roaming profile, trying to log in using the local profile. Changes to this profile will not be copied to the server when you log out. Possible cause is network problems or insufficient security rights." I look in the logs and see: "DETAIL - Network name not found." (event ID 1521). Then I go to this share, open it without any trouble, it is empty, I can create files/directories, change and delete them, i.e. everything works fine and there are no problems. It turned out that this situation occurs only if I log in to the terminal server; if I log in under the same account from a regular machine with XP or W7, everything is in order. There is this stuff in the samba log:

[2012/06/18 13:59:43.218410, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2012/06/18 13:59:43.218557, 0] lib/util_sock.c:1441(get_peer_addr_internal)
getpeername failed. Error was Конечная точка передачи не подсоединена
read_fd_with_timeout: client 0.0.0.0 read error = Соединение сброшено другой стороной.

I already googled the first and second errors, but I couldn't find the answer. The samba config is primitive:
[global]
    workgroup = MTELECOM
    server string = Samba Server Version %v

    security = ads
    encrypt passwords = yes
    realm = MTELECOM.LOCAL
    password server = ad-2008.mtelecom.local

    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = +
    template shell = /bin/false
    winbind use default domain = true
    winbind offline logon = false

    obey pam restrictions = Yes
    template homedir = /home/%U

[profile]
    comment = user profile
    path = /home/%U
    browseable = yes
    read only = no
    inherit acls = yes
    inherit permissions = yes
    create mask = 700
    directory mask = 700
    valid users = @"MTELECOM+domain users"

3 answers
Evgeny Elizarov, 2012-06-18
@KorP

Thanks, I'll try tomorrow.

rinx, 2012-06-19
@rinx

You can also try to insert a delay (but you will need to play around with the size of the delay) in the logon scripts. It is quite possible that something simply "does not have time" to finish, and as a result it gives an error.

Nikolai Turnaviotov, 2012-06-20
@foxmuldercp

When I set up roaming profiles, very strict rights were set on the folder where the account profile files are stored, and 777 is not allowed there.
Everything worked for me when only the system had access to \\filserver\user_profiles, it seems.
I googled the solution at the time.
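As an added example (not from the thread), a profiles share written the way the answer above suggests: a dedicated profiles directory instead of the users' home directories, per-user directories readable by their owner only, and client-side caching disabled. The path /srv/samba/profiles and the share name are assumptions; the domain group matches the config in the question.

```ini
; Added example, not from the thread. Assumes the profile root is
; /srv/samba/profiles and that each user's directory is pre-created on the
; server, owned by that user and mode 700, so no other account can read it.
[profiles]
    comment = Roaming profiles
    path = /srv/samba/profiles
    browseable = no
    read only = no
    ; let the Windows profile service manage the ACLs on profile files
    profile acls = yes
    ; profile data must never be cached offline on the client
    csc policy = disable
    ; new files and directories are readable by their owner only
    create mask = 0600
    directory mask = 0700
    valid users = @"MTELECOM+domain users"
```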
