[CentOS] Domain Logout, then domain login again, profile corrupt -> replaced by TEMP profile

Wed Jun 7 06:13:30 UTC 2017
Jobst Schmalenbach <jobst at barrett.com.au>


I have had this problem for a while, but waited to post this until I upgraded to see whether the upgrade would fix it.
I upgraded samba to the 4.2.X stream from the 3.6.X stream, but it happens on both, 3.6.X and 4.2.10.

Whenever someone logs out, then in again, the profile gets corrupted and a new TEMP profile is created (the dreadful "creating new desktop"). Now I do not know where this problem is - the desktop or the server.
It also happens if you wait 1/2 hour or so, never tried it longer.

I can quickly fix this by:

 - tell the user to log out
 - rsync -avHAX the profile with yesterday's profile
 - tell the user to log in again

Now if I log out on my workstation, then on the server I do a "smb reload", then log in again this problem does not happen.

This morning a person logged out of his workstation, went over to the big screen in one of our training rooms and logged in there, then logged out, went over to his machine but got the dreadful "preparing desktop" on login ....

Anybody got any idea?


Here is some info: 
All latest patches installed on everything.

OS server: CentOS 6.X
OS Workstations: Windows 7 Prof
Samba: 4.2.10 (was 3.6.23)
Other: roaming profiles (as we log into other stations, e.g. training rooms)

smb.conf (important bits):
  [global]
  workgroup = LALA
  server string = Domain Server
  netbios name = LALAMACHINE
  username map = /etc/samba/smbusers
  interfaces = eth0, lo
  bind interfaces only = yes
  # these flags were recommended.

  # Logging, what, how much, etc
  log level = 1
  syslog = 0
  log file = /var/log/samba/samba.log
  max log size = 10000000

  # Auditing
  vfs objects = full_audit
  full_audit:prefix = %u|%I|%m|%S
  full_audit:failure = none
  full_audit:facility = LOCAL4
  full_audit:priority = NOTICE
  full_audit:success = none
  full_audit:failure = none

  idmap config *: backend       = tdb
  idmap config *: range         = 1000000-1999999
  idmap config LALA : default = Yes
  idmap config LALA : backend = <idmap backend>
  idmap config LALA : range   = 500-999999

  winbind use default domain = Yes
  winbind nested groups = Yes
  winbind normalize names = no
  # domain stuff
  logon script = user.cmd
  logon path = \\lalamachine\profiles\%u
  logon drive = Z:
  logon home = \\lalamachine\%u\samba-homeshare
  domain logons = Yes
  os level = 200
  domain master = Yes
  dns proxy = No
  wins support = Yes
  security = user
  encrypt passwords = Yes
  hosts allow = 192.168.0., 127.
  guest account = nobody
  usershare allow guests = No

  # printer setup
  load printers = Yes
  printing = cups
  printcap name = cups
  printcap = cups
  printcap cache time = 750
  cups options = raw
  read raw = yes
  write raw = yes
  oplocks = yes
  max xmit = 65535
  dead time = 15
  getwd cache = yes

  # Samba implements the CIFS UNIX
  unix extensions = no

  [netlogon]
  comment = Network Logon Service
  path = /samba/NetLogon
  browseable = Yes
  guest ok = yes
  admin users = root
  full_audit:success = none
  full_audit:failure = none
  # this is required for log files to be written to
  read only = No
  write list = @lalausers, @lalaadmins

  [profiles]
  comment = Roaming Profile Share
  path = /samba/Profiles/
  read only = No
  create mask = 0600
  directory mask = 0700
  browseable = yes
  # you MUST disable caching on shares that have roaming profiles stored
  csc policy = disable
  guest ok = no
  valid users = @lalausers, @lalaadmins
  admin users = root
  store dos attributes = yes
  profile acls = yes
  full_audit:success = none
  full_audit:failure = none

Keyboard not found - please clean up desktop!

  | |0| |   Jobst Schmalenbach, jobst at barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia