Hallo,
auch ich versuche jetzt schon seit gefühlten Ewigkeiten das roaming Profile zum laufen zu bringen.
Auch ich scheitere immer an der Meldung >>Profil nicht gefunden, mit temp. Profil angemeldet …<<
Das gleiche Problem mit den Logon-Scripts (wird einfach nicht ausgeführt).
Wäre toll, wenn jemand eine kleine Schritt-für-Schritt-Anleitung (für Anfänger) posten könnte …
(Am liebsten wäre es mir, wenn für Profile / Logonscripts eigene Verz. verwendet würden)
Besten Dank im Voraus !!!
Wo genau hapert es denn mit der Einrichtung? Also wie gehen Sie vor (ggf. auch nach welcher Anleitung) und was funktioniert dabei nicht?
Gruß,
Jens Thorp-Hansen
Hallo,
Entschuldigung, kam aber erst jetzt dazu, eine Antwort zu schreiben …
Einstellungen UCS-Konsole:
Benutzer > Konto > Laufwerk für das Heimatverz. => H:
Benutzer > Konto > Windows-Heimatverz. => \server01\home\benutzer1
Benutzer > Konto > Anmeldescript => \server01\shares\logonscripts\benutzer1
Benutzer > Konto > Profilverz. => \server01\profile\benutzer1
Freigaben => home
Name = home
Server = server01.domain.intra
Pfad = /shares/home
Besitzer = root
Gruppe = Domain Users
Rechte = 775
=> logonscripts
Name = logonscripts
Server = server01.domain.intra
Pfad = /shares/logonscripts
Besitzer = root
Gruppe = Domain Users
Rechte = 775
=> profile
Name = profile
Server = server01.domain.intra
Pfad = /shares/profile
Besitzer = root
Gruppe = Domain Users
Rechte = 775
Das sollte alles gewesen sein.
Mehr habe ich nicht gemacht …
mfG
HH
Danke für die Antwort
Ich gehe davon aus, dass die Benutzer Ihre Profilverzeichnisse manuell erreichen können und hier auch keine Berechtigungsfehler kommen?
Ja, ein manuelles mapping funktioniert.
Es kann auch in das Verz. geschrieben werden.
Muss da vieleicht noch etwas an dem Win 10 Client eingestellt werden ???
Das sieht soweit alles korrekt aus. Sie haben wahrscheinlich nicht die Möglichkeit das mit Win7 oder 8 zu testen? In der Domäne sind die Clients ja sicher und die Clients sind auch gegen den UCS gejoint?
Können Sie bitte prüfen (über die UMC) welche Einstellung für “msdfs root” an dem Share gesetzt ist (und die Einstellung testweise verändern)?
Hallo,
sorry, bin erst jetzt aus dem Urlaub zurück …
Wo genau kann ich das nachprüfen ???
In der “Configuration Registry” kann unter msdfs root nichts gefunden werden.
Unter msdfs wird nur der Eintrag “samba/enable-msdfs = yes” gefunden.
mfG
HH
Sie können das mit folgendem Befehl prüfen - posten Sie gern ein anonymisierte Ausgabe:
# testparm -svHallo,
wenn ich das richtig sehe, ist global für alle Shares “msdfs root = No” gesetzt.
hier der gewünschte Auszug:
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[GLeitung]"
Processing section "[Progs]"
Processing section "[Unternehmen]"
Processing section "[Profile]"
Processing section "[Kaufmann]"
Processing section "[LexEasy]"
Processing section "[home]"
Processing section "[logonscripts]"
Processing section "[Canon_MX_990]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
bind interfaces only = Yes
config backend = file
dos charset = CP850
enable core files = Yes
interfaces = lo eth0 eth1 vethbbb6c99
multicast dns register = Yes
netbios aliases =
netbios name = SCSHDC01
netbios scope =
realm = CSH-ONLINE.INTRA
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Univention Corporate Server
share backend = classic
unix charset = UTF-8
workgroup = CSH-ONLINE
browse list = Yes
domain master = Yes
enhanced browsing = Yes
lm announce = Auto
lm interval = 60
local master = Yes
os level = 20
preferred master = Yes
allow dns updates = secure only
dns forwarder =
dns update command = /usr/sbin/samba_dnsupdate
machine password timeout = 0
nsupdate command = /usr/bin/nsupdate -g
rndc command = /usr/sbin/rndc
spn update command = /usr/sbin/samba_spnupdate
mangle prefix = 1
mangling method = hash2
max stat cache size = 256
stat cache = Yes
client ldap sasl wrapping = sign
ldap admin dn =
ldap connection timeout = 2
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap page size = 1000
ldap passwd sync = no
ldap replication sleep = 1000
ldap server require strong auth = allow_sasl_over_tls
ldap ssl = start tls
ldap ssl ads = No
ldap suffix =
ldap timeout = 15
ldap user suffix =
lock spin time = 200
oplock break wait time = 0
smb2 leases = Yes
debug class = No
debug hires timestamp = Yes
debug pid = Yes
debug prefix timestamp = No
debug uid = No
ldap debug level = 0
ldap debug threshold = 10
log file =
logging = file
log level = 2
max log size = 0
syslog = 1
syslog only = No
timestamp logs = Yes
abort shutdown script =
add group script =
add machine script =
add user script =
add user to group script =
allow nt4 crypto = No
delete group script =
delete user from group script =
delete user script =
domain logons = No
enable privileges = Yes
init logon delay = 100
init logon delayed hosts =
logon drive = I:
logon home = scshdc01%U
logon path = scshdc01%Uwindows-profiles%a
logon script =
reject md5 clients = No
set primary group script =
shutdown script =
add share command =
afs token lifetime = 604800
afs username map =
allow insecure wide links = No
async smb echo handler = No
auto services =
cache directory = /var/cache/samba
change notify = Yes
change share command =
cluster addresses =
clustering = No
config file =
ctdbd socket =
ctdb locktime warn threshold = 0
ctdb timeout = 0
default service =
delete share command =
homedir map = auto.home
kernel change notify = Yes
lock directory = /var/run/samba
log writeable files on exit = No
message command =
nbt client socket address = 0.0.0.0
ncalrpc dir = /var/run/samba/ncalrpc
NIS homedir = No
nmbd bind explicit broadcast = Yes
panic action =
perfcount module =
pid directory = /var/run/samba
registry shares = No
remote announce =
remote browse sync =
reset on zero vc = No
smbd profiling level = off
state directory = /var/lib/samba
usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
utmp = No
utmp directory =
wtmp directory =
addport command =
addprinter command =
cups connection timeout = 30
cups encrypt = No
cups server =
deleteprinter command =
disable spoolss = No
enumports command =
iprint server =
load printers = Yes
lpq cache time = 30
os2 driver map =
printcap cache time = 750
printcap name = cups
show add printer wizard = Yes
cldap port = 389
client ipc max protocol = default
client ipc min protocol = default
client max protocol = default
client min protocol = CORE
client use spnego = Yes
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
defer sharing violations = Yes
dgram port = 138
disable netbios = No
enable asu support = No
eventlog list =
large readwrite = Yes
max mux = 50
max ttl = 259200
max wins ttl = 518400
max xmit = 65535
min receivefile size = 0
min wins ttl = 21600
name resolve order = lmhosts wins host bcast
nbt port = 137
nt pipe support = Yes
nt status support = Yes
read raw = Yes
rpc big endian = No
server max protocol = SMB3
server min protocol = LANMAN1
server multi channel support = No
smb2 max credits = 8192
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
smb ports = 445 139
svcctl list =
time server = No
unicode = Yes
unix extensions = Yes
use spnego = Yes
web port = 901
write raw = Yes
algorithmic rid base = 1000
allow dcerpc auth level connect = No
allow trusted domains = Yes
auth methods =
check password script =
client ipc signing = default
client lanman auth = No
client NTLMv2 auth = Yes
client plaintext auth = No
client schannel = Auto
client signing = default
client use spnego principal = No
dedicated keytab file =
encrypt passwords = Yes
guest account = nobody
kerberos method = default
kpasswd port = 464
krb5 port = 88
lanman auth = No
log nt token command =
map to guest = Bad User
map untrusted to domain = No
ntlm auth = Yes
ntp signd socket directory = /var/lib/samba/ntp_signd
null passwords = No
obey pam restrictions = Yes
old password allowed period = 60
pam password change = No
passdb backend = samba_dsdb
passdb expand explicit = No
passwd chat = *New*password* %nn *Re-enter*new*password* %nn *password*changed*
passwd chat debug = No
passwd chat timeout = 2
passwd program =
password hash gpg key ids =
password server = *
preload modules =
private dir = /var/lib/samba/private
raw NTLMv2 auth = No
rename user script =
restrict anonymous = 0
root directory =
samba kcc command = /usr/sbin/samba_kcc
security = AUTO
server role = active directory domain controller
server schannel = Auto
server signing = default
smb passwd file = /etc/samba/smbpasswd
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
tls certfile = /etc/univention/ssl/scshdc01.csh-online.intra/cert.pem
tls crlfile =
tls dh params file =
tls enabled = Yes
tls keyfile = /etc/univention/ssl/scshdc01.csh-online.intra/private.key
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = ca_and_name
unix password sync = No
username level = 0
username map =
username map cache time = 0
username map script =
aio max threads = 100
deadtime = 15
getwd cache = Yes
hostname lookups = No
keepalive = 300
max disk size = 0
max open files = 32808
max smbd processes = 0
name cache timeout = 660
socket options = TCP_NODELAY
use mmap = Yes
get quota command =
host msdfs = Yes
set quota command =
create krb5 conf = Yes
idmap backend = tdb
idmap cache time = 604800
idmap gid =
idmap negative cache time = 120
idmap uid =
neutralize nt4 emulation = No
reject md5 servers = No
require strong key = Yes
template homedir = /home/%D-%U
template shell = /bin/bash
winbind cache time = 300
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbindd socket directory = /var/run/samba/winbindd
winbind enum groups = No
winbind enum users = No
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = template
winbind offline logon = No
winbind reconnect delay = 30
winbind refresh tickets = No
winbind request timeout = 60
winbind rpc only = No
winbind sealed pipes = Yes
winbind separator = +
winbind trusted domains only = No
winbind use default domain = No
dns proxy = Yes
wins hook =
wins proxy = No
wins server =
wins support = Yes
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
acl:search = no
spoolss: architecture = Windows x64
idmap config * : range = 300000-400000
kccsrv:samba_kcc = False
dsdb:schema update allowed = no
nmbd_proxy_logon:cldap_server = 127.0.0.1
server role check:inhibit = yes
idmap config * : backend = tdb
comment =
path =
administrative share = No
browseable = Yes
case sensitive = Auto
default case = lower
delete veto files = No
hide dot files = Yes
hide files =
hide special files = No
hide unreadable = No
hide unwriteable files = No
mangled names = Yes
mangling char = ~
map archive = No
map hidden = No
map readonly = no
map system = No
preserve case = Yes
short preserve case = Yes
store dos attributes = Yes
veto files =
veto oplock files =
blocking locks = Yes
csc policy = manual
fake oplocks = No
kernel oplocks = Yes
kernel share modes = Yes
level2 oplocks = Yes
locking = Yes
oplock contention limit = 2
oplocks = Yes
posix locking = Yes
strict locking = Auto
acl xattr update mtime = No
afs share = No
available = Yes
copy =
delete readonly = No
dfree cache time = 0
dfree command =
directory name cache size = 100
dmapi support = No
dont descend =
dos filemode = No
dos filetime resolution = No
dos filetimes = Yes
fake directory create times = No
follow symlinks = Yes
fstype = NTFS
include = /etc/samba/base.conf
magic output =
magic script =
postexec =
preexec =
preexec close = No
root postexec =
root preexec =
root preexec close = No
spotlight = No
volume =
wide links = No
cups options =
default devmode = Yes
force printername = No
lppause command =
lpq command = %p
lpresume command =
lprm command =
max print jobs = 1000
max reported print jobs = 0
printable = No
print command =
printer name =
printing = cups
printjob username = %U
print notify backchannel = No
queuepause command =
queueresume command =
use client driver = No
acl allow execute always = Yes
acl check permissions = Yes
acl map full control = Yes
durable handles = Yes
ea support = No
map acl inherit = No
nt acl support = Yes
profile acls = No
access based share enum = No
acl group control = No
admin users = administrator join-backup
create mask = 0744
directory mask = 0755
force create mode = 0000
force directory mode = 0000
force group =
force unknown acl user = No
force user =
guest ok = No
guest only = No
hosts allow =
hosts deny =
inherit acls = No
inherit owner = No
inherit permissions = No
invalid users =
read list =
read only = Yes
smb encrypt = default
valid users =
write list =
aio read size = 0
aio write behind =
aio write size = 0
allocation roundup size = 1048576
block size = 1024
max connections = 0
min print space = 0
strict allocate = No
strict rename = No
strict sync = No
sync always = No
use sendfile = No
write cache size = 0
msdfs proxy =
msdfs root = No
msdfs shuffle referrals = No
ntvfs handler = unixuid, default
vfs objects = dfs_samba4 acl_xattr
[netlogon]
comment = Domain logon service
path = /var/lib/samba/sysvol/csh-online.intra/scripts
case sensitive = No
read only = No
[sysvol]
path = /var/lib/samba/sysvol
case sensitive = No
acl xattr update mtime = Yes
read only = No
[homes]
comment = Heimatverzeichnisse
browseable = No
create mask = 0700
directory mask = 0700
read only = No
vfs objects = acl_xattr
[printers]
comment = Drucker
path = /tmp
browseable = No
printable = Yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
include = /etc/samba/shares.conf.d/GLeitung
read only = No
write list = root Administrator @Printer-Admins
[GLeitung]
path = /shares/gleitung
dos filemode = Yes
include = /etc/samba/shares.conf.d/Progs
inherit acls = Yes
read only = No
vfs objects = acl_xattr
[Progs]
path = /shares/progs
dos filemode = Yes
include = /etc/samba/shares.conf.d/Unternehmen
inherit acls = Yes
read only = No
vfs objects = acl_xattr
[Unternehmen]
path = /shares/unternehmen
dos filemode = Yes
include = /etc/samba/shares.conf.d/Profile
inherit acls = Yes
read only = No
vfs objects = acl_xattr
[Profile]
path = /shares/profile
include = /etc/samba/shares.conf.d/Kaufmann
inherit acls = Yes
read only = No
vfs objects = acl_xattr
[Kaufmann]
path = /shares/kaufmann
dos filemode = Yes
include = /etc/samba/shares.conf.d/LexEasy
inherit acls = Yes
read only = No
vfs objects = acl_xattr
[LexEasy]
path = /shares/lexeasy
dos filemode = Yes
include = /etc/samba/shares.conf.d/home
inherit acls = Yes
read only = No
vfs objects = acl_xattr
[home]
path = /shares/home
include = /etc/samba/shares.conf.d/logonscripts
inherit acls = Yes
read only = No
vfs objects = acl_xattr
[logonscripts]
path = /shares/logonscripts
include = /etc/samba/printers.conf.d/Canon_MX_990
inherit acls = Yes
read only = No
vfs objects = acl_xattr
[Canon_MX_990]
path = /tmp
force printername = Yes
printable = Yes
printer name = Canon_MX_990
guest ok = YesmfG
HH
Was ich nicht verstehe …
Was sollen in den einzelnen Sektionen die seltsamen include, die von der Sache her hier überhaubt nicht passen …
mfG
HH
Die includes sind eine Anzeige-Eigenheit vom testparm. Ich kann leider im Moment nicht eindeutig erkennen, warum die Profile nicht verwendet werden. Ist in den Ereignisdaten der Clients ggf. noch irgendwas zu sehen?
Nein, leider habe ich nichts gefunden.
Gibt es bei Win10 einen bestimmten Punkt / Log das ich mir anschauen sollte ???
mfG
HH
Nein, ich habe hier allgemein das Ereignisprotokoll (wahrscheinlich “System”) gemeint. Ich würde erwarten, dass hier Fehlermeldungen auftauchen, wenn in eine Domäne gejointe Clients ihre Profile nicht ziehen können.