[Samba] storing profiles on a 3rd host (NetApp), and [profiles] section of smb.conf

Justin Zachor zachor-samba at gamelogic.com
Thu Nov 18 16:59:37 GMT 2004


1.
Is it okay to use an NFS-mounted path in the [profiles] path statement?

2.
How do I make sure that owner & permissions don't get set to root on 
certain profile files when the user profile is migrated to the PDC 
'logon path' area?

--------------------------------------------------------
I've set out to move our Windows PCs into a samba PDC domain, and my 
first profile migration was tripped up by some improper permissions that 
were set on some of the profile files when I copied the profile (as 
Administrator, on the Windows client) from the Win2K client to the PDC. 
(this was using the typical Windows utility: System | User Profiles | 
Copy To...) Plus, our previous Samba admin set a few things in smb.conf 
that I don't understand:

1. There's a [profiles] section that is commented --
Can I change /var/lib/samba/profiles to a directory on our NetApp filer? 
(the Samba server has root privilege on the NetApp, and the NetApp is a 
PDC client of Samba).

2. Do I even need this section? The "logon path = \\netapp\profiles\%u" 
in PDC section seems to work somewhat, but my permissions need to be 
tweaked after being uploaded. How do I force create/directory modes? 
Should I use a [profiles] section for that? (Please see smb.conf below.)

3. In the [netlogon] section, can I move /var/lib/samba/netlogon to
a path nfs-mounted from my NetApp? (e.g. would /netapp/samba/netlogon 
only be accessed by the smb/PDC daemon?)

4. path was left out of [Homes] section --
I don't know why this section has no paths.

BTW,
I know there's a ton of info on this around the web, but I didn't find
much of anything written about this scenario, where the general file
server is a third host, not the Samba server. Also, the NetApp can act
as a PDC, but we're using NIS in a mostly Debian/Mac OS X environment.

--------------------------------------------------------
What happens now:

After adding a Win2K system to the domain, using local Administrator I
copied a local user profile to \\netapp\profiles\<user>

However, upon trying to log in I get these errors:

"Windows cannot copy file \\netapp\profiles\user\Application
Data\Microsoft\Protect\S-1-5-21-515...\ to location C:\Documents and
Settings\user.FOOBAR\Application
Data\Microsoft\Protect\S-1-5-21-515...\. Contact your network
administrator.

DETAIL - Access is denied."

"Windows cannot load the profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when
you log off."

Performing a chown -R user:group to the profile makes the errors go 
away. Is there a better fix, such as Otto's notes below?

--------------------------------------------------------
Otto writes:
http://lists.samba.org/archive/samba/1999-November/015480.html

Excerpt of above URL -- use these in [profiles] section
   force create mode = 0600
   force directory mode = 0700

Sure enough, permissions are:
drwx------    2 root   daemon    4096 Nov 12 14:58 S-1-5-21-515...

Only after recursively chown'ing the user's profile can they log in:
netapp:/profiles#  chown -R user /profiles/user

My setup is:
   -  Debian Samba server
   -  NetApp filer (fileserver)
   -  Win2K clients

------------smb.conf--------------
[global]

# -- BEGIN PDC --
     domain logons = yes
     logon path = \\netapp\profiles\%u
     logon drive = H:
     logon home = \\netapp\%u\.winprofile
     logon script = logon.bat

     add user to group script = /usr/sbin/usermod -G %g %u
     add machine script = /usr/sbin/adduser --firstuid 9001 \
         --lastuid 9500 \
         --gid 9000 --home /dev/null --shell /bin/false \
         --no-create-home \
         --disabled-password --gecos "%u Samba Machine Account" \
         --force-badname %u
     admin users = @ntadmins
     workgroup = FOOBAR
# -- END PDC --

     invalid users = root
<snip> (many misc settings)

[netlogon]
     comment = Network Logon Service
     browseable = no
     path = /var/lib/samba/netlogon
     read only = yes
     write list = @ntadmins
#[profiles]
#    path = /var/lib/samba/profiles # path = /netapp/profiles ???
#    read only = no
#    create mask = 0600
#    directory mask = 0700
[homes]
    comment = Home Directories
    browseable = no
    force create mode = 0755
    force directory mode = 0755
    writable = yes
--------------------------------------------------------
Thanks in advance
JAZ
==========
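
Added example, not part of the original post and not Samba's own tooling: a POSIX shell check that separates the two conditions discussed above, entries in a profile tree not owned by the expected user (the root-owned Protect directory) and entries looser than the 0600/0700 modes from Otto's excerpt. The function names, the constructed demo tree and the placeholder directory name `S-1-5-21-EXAMPLE` are assumptions made for illustration.

```shell
#!/bin/sh
# audit_profile DIR OWNER
# Prints "OWNER <path>" for every entry under DIR not owned by OWNER
# (user name or numeric uid), and "MODE <path>" for every entry that
# grants any group/other bit, i.e. is looser than 0600 files / 0700 dirs.
audit_profile() {
    dir=$1
    owner=$2
    find "$dir" ! -user "$owner" -print | sed 's/^/OWNER /'
    find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/MODE /'
}

# Build a constructed sample tree shaped like the paths in the error
# message. Everything is 0700/0600 except one file left at 0644.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    p="$t/user/Application Data/Microsoft/Protect/S-1-5-21-EXAMPLE"
    mkdir -p "$p"
    : > "$t/user/NTUSER.DAT"
    : > "$p/key-file"
    chmod -R u=rwX,go= "$t/user"
    chmod 0644 "$p/key-file"
    echo "$t/user"
}

# Demo: audit the constructed tree against the current uid, then clean up.
tree=$(make_demo_tree) &&
    audit_profile "$tree" "$(id -u)" &&
    rm -rf "${tree%/user}"
```

Run against the real profile path with the profile owner's name, an empty result means a recursive chown is not needed; an OWNER line on a directory that is already 0700 is the exact state shown in the `ls` output above.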



