  1. #1
    mdench

    samba share and user profiles

    Over half term we are looking to move to a centralised storage solution using a HP p200g3 and additional shelf for around 38tb storage space.

    We have been trialling the use of Samba with a few of the intake years and so far all has worked well besides their login speeds. If their profiles are on the Samba share it can take them up to 10 minutes to log in, even with minimal profile size. As soon as the profiles are moved back to Windows they instantly speed up. We have noticed that the Samba processes seem to hang frequently on the server.

    Does anyone else use a Samba share to store their profiles? Do you find any issues with it? Any ideas why we might be experiencing this?

  2. #2


    We've been using Samba for all of our shares on RedHat Enterprise for the last five years without any issues. I've never seen any of the Samba processes hang.
    We've used roaming profiles (hidden inside user shares) and didn't notice any major logon speed issues. The mandatory profiles reside on the DCs on Windows, although this will change as soon as RHEL adopts Samba 4.
    SMB2 should easily be able to max out your network and perform to the same speeds that SMB3 does on Windows (according to a post I read by a lead developer), so it sounds like it's probably a config issue somewhere. I put this howto up a while back, but it may be out of date now: Samba Homedirectory - Wiki


    edit: do check the permissions of the profiles - perhaps give them 777 recursively just to test that Windows isn't spending time looking for something it cannot access.
    Last edited by CyberNerd; 6th February 2013 at 10:58 PM.

  3. #3
    mdench
    Cheers, will take a read tomorrow. The current server is running samba3 but will be running samba4 on the new ones.

  4. #4
    mdench
    Our Samba config appears to be similar to the one in your article, unless you can see anything that doesn't look right. I will check the permissions on profiles in a sec.

    Code:
    [global]
       workgroup = DOMAIN
       server string = %h server (Samba, Ubuntu)
       dns proxy = no
       log file = /var/log/samba/log.%m
       log level = 3
       max log size = 1000
       syslog = 1
       panic action = /usr/share/samba/panic-action %d
       security = ads
       realm = DOMAIN.INTERNAL
       domain master = no
       local master = no
       preferred master = no
       idmap config DOMAIN: default = yes
       idmap config DOMAIN: backend = rid
       idmap config DOMAIN: range = 100000-500000000
       idmap config * : range   = 70000-500000000
       winbind separator = +
       winbind enum users = no
       winbind enum groups = no
       winbind use default domain = yes
       winbind nested groups = yes
       winbind refresh tickets = yes
       template homedir = /home/%G/%U
       template shell = /bin/bash
       client ntlmv2 auth = yes
       encrypt passwords = true
    #   restrict anonymous = 2
       passdb backend = tdbsam
       obey pam restrictions = yes
       unix password sync = yes
       passwd program = /usr/bin/passwd %u
       passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
       pam password change = yes
       map to guest = bad user
       load printers = no
       printing = cups
       printcap name = cups
       usershare allow guests = yes
    
       nt acl support = yes
       inherit acls = Yes
    
       map acl inherit = Yes
       map archive = no
       map hidden = no
       map read only = no
       map system = no
       store dos attributes = yes
       inherit permissions = Yes
    
    ## Section - [intake07]
    [intake07]
            comment                   =
            path                      = /var/FSHost/students/intake07
            max connections           = 0
            admin users = @"Domain Admins" root
            valid users = @"Domain Users"
            browseable = no
            writeable  = yes
            public = yes
            available = yes
            hide unreadable = yes
            access based share enum = yes
            force group = "Domain Users"
            veto files = /*.cmd/*.exe/*.bat/*.java/desktop.ini/
    
    [studentprofiles]
            path                      = /var/FSHost/students/profiles
            max connections           = 0
            admin users = @"Domain Admins" root
            valid users = @"Domain Users"
            browseable = no
            writeable  = yes
            public = yes
            available = yes
            hide unreadable = yes
            access based share enum = yes
            force group = "Domain Users"
            # Windows will fail sync if it cannot write files!

    Last edited by mdench; 7th February 2013 at 12:47 PM.

  6. #5


    This is cool. Never occurred to me.
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

    Nothing strikes me as odd.
    Are you using ACLs for permissions?

  7. #6
    mdench
    Yes we are ... well trying to... Do you use ACLs?

  8. #7


    Quote Originally Posted by mdench View Post
    Yes we are ... well trying to... Do you use ACLs?
    Indeed - you need to check three (four) things with the permissions:
    1) The POSIX permissions "ls -l"
    2) The ACL permissions "getfacl"
    3) The Samba permissions (here domain users)
    4) Any extra security such as SELinux (or whatever Ubuntu uses)

    I just remembered that we don't use "Domain Users". I recall there might have been a problem with it... not sure. Try putting all your students into one "students" group and using that.

    edit: and if you are autocreating homedrives they need to have the group that they are being made a member of as their Primary group (old NT style)

  9. #8
    mdench
    1)

    Code:
    drwxrwx---+  9 07zduke            domain users 3896 Feb  7 12:44 07ZDuke.V2
    drwxrwx---+ 12 chrome             domain users 3896 Sep 27 14:30 Chrome.V2
    drwxrwx---+  9 teststudent2       domain users 3896 Oct  2 12:21 teststudent2.V2
    drwxrwx---+ 14 weald4             domain users 3896 Sep 27 16:34 Weald4.V2

    2)

    Code:
    # file: intake07
    # owner: administrator
    # group: domain\040users
    user::rwx
    group::r-x
    group:intake07:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::---
    default:group:intake07:rwx
    default:mask::rwx
    default:other::---

    - - - Updated - - -

    So we should change the Domain users in the SMB config?

  10. #9


    Does default:group::--- mean "domain users" can't access it? Or is group::r-x the important bit?
    Try logging in as a student "sudo 07teststudent" and then reading/writing to the directory, I guess, would be a good start.

    Where's @Geoff when you need him!
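
An added example (editorial, not part of any poster's reply) that works through the question above using the getfacl output posted for intake07: it applies the POSIX ACL access check from acl(5) to the access entries and reports the default: entries separately. The helper names `parse`, `allowed` and `inherited`, and the group memberships passed to them, are assumptions made for illustration.

```python
import re

# The getfacl output posted in the thread for the intake07 directory.
GETFACL = r"""# file: intake07
# owner: administrator
# group: domain\040users
user::rwx
group::r-x
group:intake07:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::---
default:group:intake07:rwx
default:mask::rwx
default:other::---"""

def unescape(name):  # getfacl writes a space in a name as \040
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse(text):
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        head = re.match(r"# (owner|group): (.*)", line)
        if head:
            acl[head.group(1)] = unescape(head.group(2).strip())
        elif line and not line.startswith("#"):
            _, dflt, rest = line.strip().rpartition("default:")
            tag, who, perms = rest.split(":")[:3]
            acl["default" if dflt else "access"].append(
                (tag, unescape(who), set(perms[:3]) - {"-"}))
    return acl

def allowed(acl, user, groups, want):  # acl(5) check, access entries only
    ent, want = acl["access"], set(want)
    mask = next((p for t, w, p in ent if t == "mask"), set("rwx"))
    if user == acl["owner"]:
        return want <= next(p for t, w, p in ent if t == "user" and not w)
    for t, w, p in ent:
        if t == "user" and w == user:
            return want <= p & mask
    hits = [p & mask for t, w, p in ent
            if t == "group" and (w or acl["group"]) in groups]
    if hits:  # one matching entry must grant everything asked for
        return any(want <= p for p in hits)
    return want <= next(p for t, w, p in ent if t == "other")

def inherited(acl):  # what a newly created child starts with
    return {(t, w): "".join(sorted(p)) for t, w, p in acl["default"]}
```

On this ACL, group::r-x is what a member of "domain users" gets on the directory itself, and write access comes only through group:intake07:rwx. The default: entries are not consulted for access to intake07; they are copied onto files and folders created inside it, so default:group::--- means the owning group gets nothing on new children.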

  11. #10


    ok - this is how our year 8 drives look (shared access by all of yr 8 and writable by teachers)

    Code:
    drwxrws---+ 15 root domain admins 4096 Nov 29 09:32 11

    the directory is called 11

    Code:
    # file: 11
    # owner: root
    # group: domain\040admins
    # flags: -s-
    user::rwx
    group::rwx
    group:staff:rwx
    group:11:r-x
    mask::rwx
    other::---

    ie - the files are owned by root and "domain admins" but readable by students of the "11" group (yr 8) and writable by staff.

    for homedrives:

    Code:
    drwxrws---+ 11 11tsmith             domain admins  4096 Feb  7 09:57 11tsmith
    Code:
    # file: 11tsmith/
    # owner: 11tsmith
    # group: domain\040admins
    # flags: -s-
    user::rwx
    user:11tsmith:rwx
    group::rwx
    group:domain\040admins:rwx
    group:teachers:r-x
    mask::rwx
    other::---

    Homedrive is owned by the student and "domain admins" and readable by teachers.
    Last edited by CyberNerd; 7th February 2013 at 04:00 PM.

  12. #11

    Geoff
    What is your users' default group (as per their AD settings)? If it's not 'domain users', your above share-level permission settings won't work (yes, even with winbind nested groups set to yes).

  13. #12
    mdench
    Back to this again

    All users are set to be members of Domain Users and then all staff or all students. We have solved the profile issue, but we are now looking at ACLs on homedrives and shares etc. After setting up some test users we have noticed that when you right-click, choose Properties and click Security, users don't have read / write etc. ticked but just special permissions at the bottom. Does anybody know why this is?


    The acls on that folder are currently set to the below:
    Code:
    # file: studentshare/
    # owner: root
    # group: root
    user::rwx
    group::r-x
    group:all\040weald\040staff:rwx
    group:all\040weald\040students:r-x
    mask::rwx
    other::r-x


