Setting up roaming profiles


#1

Hello,

I too have been trying for what feels like ages to get roaming profiles working.
I too always fail at the message >>Profile not found, logged on with temp. profile …<<
The same problem with the logon scripts (they are simply not executed).

It would be great if someone could post a short step-by-step guide (for beginners) …
(Ideally, separate directories would be used for profiles / logon scripts)

Many thanks in advance !!!


#2

Where exactly is the setup going wrong? That is, how are you proceeding (and, if applicable, following which guide), and what does not work?

Regards,
Jens Thorp-Hansen


#3

Hello,
sorry, I only now got around to writing a reply …

Settings in the UCS console:
User > Account > Drive for the home directory => H:
User > Account > Windows home directory => \server01\home\benutzer1
User > Account > Logon script => \server01\shares\logonscripts\benutzer1
User > Account > Profile directory => \server01\profile\benutzer1

Shares => home
Name = home
Server = server01.domain.intra
Path = /shares/home
Owner = root
Group = Domain Users
Permissions = 775
=> logonscripts
Name = logonscripts
Server = server01.domain.intra
Path = /shares/logonscripts
Owner = root
Group = Domain Users
Permissions = 775
=> profile
Name = profile
Server = server01.domain.intra
Path = /shares/profile
Owner = root
Group = Domain Users
Permissions = 775

That should be everything.
I did nothing more than that …

Regards
HH


#4

Thanks for the reply.
I assume the users can reach their profile directories manually and that no permission errors occur there either?


#5

Yes, manual mapping works.
The directory can also be written to.


#6

Does something perhaps still need to be configured on the Win 10 client ???


#7

That all looks correct so far. You probably don't have the option of testing this with Win7 or 8? The clients are surely in the domain, and the clients are also joined against the UCS?
Could you please check (via the UMC) which setting is configured for “msdfs root” on the share (and change the setting as a test)?


#8

Hello,
sorry, I have only just returned from vacation …

Where exactly can I check that ???
In the “Configuration Registry”, nothing can be found under msdfs root.
Under msdfs, only the entry “samba/enable-msdfs = yes” is found.

Regards
HH


#9

You can check this with the following command - feel free to post an anonymized output:

# testparm -sv

#10

Hello,
if I see this correctly, “msdfs root = No” is set globally for all shares.
Here is the requested excerpt:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[GLeitung]"
Processing section "[Progs]"
Processing section "[Unternehmen]"
Processing section "[Profile]"
Processing section "[Kaufmann]"
Processing section "[LexEasy]"
Processing section "[home]"
Processing section "[logonscripts]"
Processing section "[Canon_MX_990]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.

Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
	bind interfaces only = Yes
	config backend = file
	dos charset = CP850
	enable core files = Yes
	interfaces = lo eth0 eth1 vethbbb6c99
	multicast dns register = Yes
	netbios aliases = 
	netbios name = SCSHDC01
	netbios scope = 
	realm = CSH-ONLINE.INTRA
	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = Univention Corporate Server
	share backend = classic
	unix charset = UTF-8
	workgroup = CSH-ONLINE
	browse list = Yes
	domain master = Yes
	enhanced browsing = Yes
	lm announce = Auto
	lm interval = 60
	local master = Yes
	os level = 20
	preferred master = Yes
	allow dns updates = secure only
	dns forwarder = 
	dns update command = /usr/sbin/samba_dnsupdate
	machine password timeout = 0
	nsupdate command = /usr/bin/nsupdate -g
	rndc command = /usr/sbin/rndc
	spn update command = /usr/sbin/samba_spnupdate
	mangle prefix = 1
	mangling method = hash2
	max stat cache size = 256
	stat cache = Yes
	client ldap sasl wrapping = sign
	ldap admin dn = 
	ldap connection timeout = 2
	ldap delete dn = No
	ldap deref = auto
	ldap follow referral = Auto
	ldap group suffix = 
	ldap idmap suffix = 
	ldap machine suffix = 
	ldap page size = 1000
	ldap passwd sync = no
	ldap replication sleep = 1000
	ldap server require strong auth = allow_sasl_over_tls
	ldap ssl = start tls
	ldap ssl ads = No
	ldap suffix = 
	ldap timeout = 15
	ldap user suffix = 
	lock spin time = 200
	oplock break wait time = 0
	smb2 leases = Yes
	debug class = No
	debug hires timestamp = Yes
	debug pid = Yes
	debug prefix timestamp = No
	debug uid = No
	ldap debug level = 0
	ldap debug threshold = 10
	log file = 
	logging = file
	log level = 2
	max log size = 0
	syslog = 1
	syslog only = No
	timestamp logs = Yes
	abort shutdown script = 
	add group script = 
	add machine script = 
	add user script = 
	add user to group script = 
	allow nt4 crypto = No
	delete group script = 
	delete user from group script = 
	delete user script = 
	domain logons = No
	enable privileges = Yes
	init logon delay = 100
	init logon delayed hosts = 
	logon drive = I:
	logon home = scshdc01%U
	logon path = scshdc01%Uwindows-profiles%a
	logon script = 
	reject md5 clients = No
	set primary group script = 
	shutdown script = 
	add share command = 
	afs token lifetime = 604800
	afs username map = 
	allow insecure wide links = No
	async smb echo handler = No
	auto services = 
	cache directory = /var/cache/samba
	change notify = Yes
	change share command = 
	cluster addresses = 
	clustering = No
	config file = 
	ctdbd socket = 
	ctdb locktime warn threshold = 0
	ctdb timeout = 0
	default service = 
	delete share command = 
	homedir map = auto.home
	kernel change notify = Yes
	lock directory = /var/run/samba
	log writeable files on exit = No
	message command = 
	nbt client socket address = 0.0.0.0
	ncalrpc dir = /var/run/samba/ncalrpc
	NIS homedir = No
	nmbd bind explicit broadcast = Yes
	panic action = 
	perfcount module = 
	pid directory = /var/run/samba
	registry shares = No
	remote announce = 
	remote browse sync = 
	reset on zero vc = No
	smbd profiling level = off
	state directory = /var/lib/samba
	usershare allow guests = No
	usershare max shares = 0
	usershare owner only = Yes
	usershare path = /var/lib/samba/usershares
	usershare prefix allow list = 
	usershare prefix deny list = 
	usershare template share = 
	utmp = No
	utmp directory = 
	wtmp directory = 
	addport command = 
	addprinter command = 
	cups connection timeout = 30
	cups encrypt = No
	cups server = 
	deleteprinter command = 
	disable spoolss = No
	enumports command = 
	iprint server = 
	load printers = Yes
	lpq cache time = 30
	os2 driver map = 
	printcap cache time = 750
	printcap name = cups
	show add printer wizard = Yes
	cldap port = 389
	client ipc max protocol = default
	client ipc min protocol = default
	client max protocol = default
	client min protocol = CORE
	client use spnego = Yes
	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
	defer sharing violations = Yes
	dgram port = 138
	disable netbios = No
	enable asu support = No
	eventlog list = 
	large readwrite = Yes
	max mux = 50
	max ttl = 259200
	max wins ttl = 518400
	max xmit = 65535
	min receivefile size = 0
	min wins ttl = 21600
	name resolve order = lmhosts wins host bcast
	nbt port = 137
	nt pipe support = Yes
	nt status support = Yes
	read raw = Yes
	rpc big endian = No
	server max protocol = SMB3
	server min protocol = LANMAN1
	server multi channel support = No
	smb2 max credits = 8192
	smb2 max read = 8388608
	smb2 max trans = 8388608
	smb2 max write = 8388608
	smb ports = 445 139
	svcctl list = 
	time server = No
	unicode = Yes
	unix extensions = Yes
	use spnego = Yes
	web port = 901
	write raw = Yes
	algorithmic rid base = 1000
	allow dcerpc auth level connect = No
	allow trusted domains = Yes
	auth methods = 
	check password script = 
	client ipc signing = default
	client lanman auth = No
	client NTLMv2 auth = Yes
	client plaintext auth = No
	client schannel = Auto
	client signing = default
	client use spnego principal = No
	dedicated keytab file = 
	encrypt passwords = Yes
	guest account = nobody
	kerberos method = default
	kpasswd port = 464
	krb5 port = 88
	lanman auth = No
	log nt token command = 
	map to guest = Bad User
	map untrusted to domain = No
	ntlm auth = Yes
	ntp signd socket directory = /var/lib/samba/ntp_signd
	null passwords = No
	obey pam restrictions = Yes
	old password allowed period = 60
	pam password change = No
	passdb backend = samba_dsdb
	passdb expand explicit = No
	passwd chat = *New*password* %nn *Re-enter*new*password* %nn *password*changed*
	passwd chat debug = No
	passwd chat timeout = 2
	passwd program = 
	password hash gpg key ids = 
	password server = *
	preload modules = 
	private dir = /var/lib/samba/private
	raw NTLMv2 auth = No
	rename user script = 
	restrict anonymous = 0
	root directory = 
	samba kcc command = /usr/sbin/samba_kcc
	security = AUTO
	server role = active directory domain controller
	server schannel = Auto
	server signing = default
	smb passwd file = /etc/samba/smbpasswd
	tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
	tls certfile = /etc/univention/ssl/scshdc01.csh-online.intra/cert.pem
	tls crlfile = 
	tls dh params file = 
	tls enabled = Yes
	tls keyfile = /etc/univention/ssl/scshdc01.csh-online.intra/private.key
	tls priority = NORMAL:-VERS-SSL3.0
	tls verify peer = ca_and_name
	unix password sync = No
	username level = 0
	username map = 
	username map cache time = 0
	username map script = 
	aio max threads = 100
	deadtime = 15
	getwd cache = Yes
	hostname lookups = No
	keepalive = 300
	max disk size = 0
	max open files = 32808
	max smbd processes = 0
	name cache timeout = 660
	socket options = TCP_NODELAY
	use mmap = Yes
	get quota command = 
	host msdfs = Yes
	set quota command = 
	create krb5 conf = Yes
	idmap backend = tdb
	idmap cache time = 604800
	idmap gid = 
	idmap negative cache time = 120
	idmap uid = 
	neutralize nt4 emulation = No
	reject md5 servers = No
	require strong key = Yes
	template homedir = /home/%D-%U
	template shell = /bin/bash
	winbind cache time = 300
	winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
	winbindd socket directory = /var/run/samba/winbindd
	winbind enum groups = No
	winbind enum users = No
	winbind expand groups = 0
	winbind max clients = 200
	winbind max domain connections = 1
	winbind nested groups = Yes
	winbind normalize names = No
	winbind nss info = template
	winbind offline logon = No
	winbind reconnect delay = 30
	winbind refresh tickets = No
	winbind request timeout = 60
	winbind rpc only = No
	winbind sealed pipes = Yes
	winbind separator = +
	winbind trusted domains only = No
	winbind use default domain = No
	dns proxy = Yes
	wins hook = 
	wins proxy = No
	wins server = 
	wins support = Yes
	rpc_server:tcpip = no
	rpc_daemon:spoolssd = embedded
	rpc_server:spoolss = embedded
	rpc_server:winreg = embedded
	rpc_server:ntsvcs = embedded
	rpc_server:eventlog = embedded
	rpc_server:srvsvc = embedded
	rpc_server:svcctl = embedded
	rpc_server:default = external
	winbindd:use external pipes = true
	acl:search = no
	spoolss: architecture = Windows x64
	idmap config * : range = 300000-400000
	kccsrv:samba_kcc = False
	dsdb:schema update allowed = no
	nmbd_proxy_logon:cldap_server = 127.0.0.1
	server role check:inhibit = yes
	idmap config * : backend = tdb
	comment = 
	path = 
	administrative share = No
	browseable = Yes
	case sensitive = Auto
	default case = lower
	delete veto files = No
	hide dot files = Yes
	hide files = 
	hide special files = No
	hide unreadable = No
	hide unwriteable files = No
	mangled names = Yes
	mangling char = ~
	map archive = No
	map hidden = No
	map readonly = no
	map system = No
	preserve case = Yes
	short preserve case = Yes
	store dos attributes = Yes
	veto files = 
	veto oplock files = 
	blocking locks = Yes
	csc policy = manual
	fake oplocks = No
	kernel oplocks = Yes
	kernel share modes = Yes
	level2 oplocks = Yes
	locking = Yes
	oplock contention limit = 2
	oplocks = Yes
	posix locking = Yes
	strict locking = Auto
	acl xattr update mtime = No
	afs share = No
	available = Yes
	copy = 
	delete readonly = No
	dfree cache time = 0
	dfree command = 
	directory name cache size = 100
	dmapi support = No
	dont descend = 
	dos filemode = No
	dos filetime resolution = No
	dos filetimes = Yes
	fake directory create times = No
	follow symlinks = Yes
	fstype = NTFS
	include = /etc/samba/base.conf
	magic output = 
	magic script = 
	postexec = 
	preexec = 
	preexec close = No
	root postexec = 
	root preexec = 
	root preexec close = No
	spotlight = No
	volume = 
	wide links = No
	cups options = 
	default devmode = Yes
	force printername = No
	lppause command = 
	lpq command = %p
	lpresume command = 
	lprm command = 
	max print jobs = 1000
	max reported print jobs = 0
	printable = No
	print command = 
	printer name = 
	printing = cups
	printjob username = %U
	print notify backchannel = No
	queuepause command = 
	queueresume command = 
	use client driver = No
	acl allow execute always = Yes
	acl check permissions = Yes
	acl map full control = Yes
	durable handles = Yes
	ea support = No
	map acl inherit = No
	nt acl support = Yes
	profile acls = No
	access based share enum = No
	acl group control = No
	admin users = administrator join-backup
	create mask = 0744
	directory mask = 0755
	force create mode = 0000
	force directory mode = 0000
	force group = 
	force unknown acl user = No
	force user = 
	guest ok = No
	guest only = No
	hosts allow = 
	hosts deny = 
	inherit acls = No
	inherit owner = No
	inherit permissions = No
	invalid users = 
	read list = 
	read only = Yes
	smb encrypt = default
	valid users = 
	write list = 
	aio read size = 0
	aio write behind = 
	aio write size = 0
	allocation roundup size = 1048576
	block size = 1024
	max connections = 0
	min print space = 0
	strict allocate = No
	strict rename = No
	strict sync = No
	sync always = No
	use sendfile = No
	write cache size = 0
	msdfs proxy = 
	msdfs root = No
	msdfs shuffle referrals = No
	ntvfs handler = unixuid, default
	vfs objects = dfs_samba4 acl_xattr


[netlogon]
	comment = Domain logon service
	path = /var/lib/samba/sysvol/csh-online.intra/scripts
	case sensitive = No
	read only = No


[sysvol]
	path = /var/lib/samba/sysvol
	case sensitive = No
	acl xattr update mtime = Yes
	read only = No


[homes]
	comment = Heimatverzeichnisse
	browseable = No
	create mask = 0700
	directory mask = 0700
	read only = No
	vfs objects = acl_xattr


[printers]
	comment = Drucker
	path = /tmp
	browseable = No
	printable = Yes
	create mask = 0700


[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	include = /etc/samba/shares.conf.d/GLeitung
	read only = No
	write list = root Administrator @Printer-Admins


[GLeitung]
	path = /shares/gleitung
	dos filemode = Yes
	include = /etc/samba/shares.conf.d/Progs
	inherit acls = Yes
	read only = No
	vfs objects = acl_xattr


[Progs]
	path = /shares/progs
	dos filemode = Yes
	include = /etc/samba/shares.conf.d/Unternehmen
	inherit acls = Yes
	read only = No
	vfs objects = acl_xattr


[Unternehmen]
	path = /shares/unternehmen
	dos filemode = Yes
	include = /etc/samba/shares.conf.d/Profile
	inherit acls = Yes
	read only = No
	vfs objects = acl_xattr


[Profile]
	path = /shares/profile
	include = /etc/samba/shares.conf.d/Kaufmann
	inherit acls = Yes
	read only = No
	vfs objects = acl_xattr


[Kaufmann]
	path = /shares/kaufmann
	dos filemode = Yes
	include = /etc/samba/shares.conf.d/LexEasy
	inherit acls = Yes
	read only = No
	vfs objects = acl_xattr


[LexEasy]
	path = /shares/lexeasy
	dos filemode = Yes
	include = /etc/samba/shares.conf.d/home
	inherit acls = Yes
	read only = No
	vfs objects = acl_xattr


[home]
	path = /shares/home
	include = /etc/samba/shares.conf.d/logonscripts
	inherit acls = Yes
	read only = No
	vfs objects = acl_xattr


[logonscripts]
	path = /shares/logonscripts
	include = /etc/samba/printers.conf.d/Canon_MX_990
	inherit acls = Yes
	read only = No
	vfs objects = acl_xattr


[Canon_MX_990]
	path = /tmp
	force printername = Yes
	printable = Yes
	printer name = Canon_MX_990
	guest ok = Yes

Regards
HH


#11

What I don't understand …
What are the strange includes in the individual sections for, which don't fit here at all …

Regards
HH


#12

The includes are a display quirk of testparm. Unfortunately, I cannot clearly see at the moment why the profiles are not being used. Is there perhaps anything else to be seen in the clients' event data?
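
Added example, not part of the thread and not Univention or Samba code: a small parser for `testparm -sv` output that reports the effective value of selected parameters per share, falling back to the defaults that `-v` lists under `[global]`, and skips the `include` lines described in post #12 as a display quirk. The sample text is constructed in the shape of the dump in post #10; the function names are hypothetical.

```python
import re

# Constructed, shortened sample in the shape of the `testparm -sv` dump in post #10.
SAMPLE = """\
Load smb config files from /etc/samba/smb.conf
Processing section "[Profile]"
Processing section "[logonscripts]"
Loaded services file OK.

# Global parameters
[global]
    host msdfs = Yes
    include = /etc/samba/base.conf
    msdfs root = No
    vfs objects = dfs_samba4 acl_xattr


[Profile]
    path = /shares/profile
    include = /etc/samba/shares.conf.d/Kaufmann
    inherit acls = Yes
    read only = No
    vfs objects = acl_xattr


[logonscripts]
    path = /shares/logonscripts
    include = /etc/samba/printers.conf.d/Canon_MX_990
    read only = No
"""

def parse_testparm(text):
    """Return {section: {parameter: value}} from testparm output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)  # 'Processing section "[x]"' does not match
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key != "include":  # assumption from post #12: display quirk, not a setting
                current[key] = value.strip()
    return sections

def effective(sections, share, param):
    """Value in force for a share: its own entry, else the default listed in [global]."""
    param = param.lower()
    if param in sections.get(share, {}):
        return sections[share][param], "share"
    if param in sections.get("global", {}):
        return sections["global"][param], "global"
    return None, "unset"

def report(text, params=("msdfs root", "read only", "vfs objects")):
    sections = parse_testparm(text)
    return {name: {p: effective(sections, name, p) for p in params}
            for name in sections if name != "global"}
```

To run it against a live server, pass the captured output of `testparm -sv` to `report()` instead of `SAMPLE`.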


#13

No, unfortunately I found nothing.
Is there a particular item / log on Win10 that I should look at ???

Regards
HH


#14

No, I meant the event log in general here (probably “System”). I would expect error messages to show up there when clients joined to a domain cannot pull their profiles.