[Samba] samba 3.0.23a + ldap as PDC - should work, but why?

John Mason jmason at lim.com
Mon Aug 7 18:05:44 GMT 2006


I've got an issue with roaming profiles with samba 3.0.23a and an LDAP backend. I can use the LDAP directory to authenticate an NT and a local user, and I know a lot about PAM, NSS, and general Linux. BUT, I can't get ANY roaming profiles to work.
 
Other than the domain name, which I changed for security purposes, the following is my smb.conf file. (I first used SWAT, then did more customization.)
 
smb.conf=====>
=============================================================
[global]
        # Samba 3.0.23a as domain controller with accounts held in LDAP
        # (ldapsam); user/group/machine provisioning is delegated to the
        # smbldap-tools scripts further down.
        workgroup = DOMAIN.COM
        netbios name = PDC
        server string = PDC
        # Listens on eth0 only. smb.conf(5) recommends also listing lo when
        # "bind interfaces only" is set so local tools can still reach smbd.
        interfaces = eth0
        bind interfaces only = Yes
        # Migration aid (plaintext -> encrypted passwords); presumably a no-op
        # with encrypted passwords, which is the 3.0 default -- confirm.
        update encrypted = Yes
        # Holds secrets.tdb, including the "ldap admin dn" bind password set
        # with smbpasswd -w; keep this directory root-only.
        private dir = /data/samba/private
        # Plain ldap:// is acceptable only because it stays on loopback; if
        # this ever points at a remote host, "ldap ssl" below must change too.
        passdb backend = ldapsam:ldap://127.0.0.1/
        # NOTE(review): these three are *client-side* settings (smbd acting as
        # a client). They do not restrict which auth methods Windows clients
        # may use against this PDC -- that is "lanman auth" / "ntlm auth".
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        # Developer-level verbosity. With "max log size" commented out the
        # single log file below grows without bound, and at this level the log
        # can include authentication exchanges -- treat the file as sensitive
        # and lower the level once debugging is finished.
        log level = 10
        syslog = 0
        # Only consulted for security = server/domain/ads; with the default
        # security = user this is presumably inert on a PDC.
        password server = PDC
        log file = /data/samba/logs/sambalog
        #max log size = 50
        enable core files = No
        # NetBIOS session port only; port 445 is not served.
        smb ports = 139
        name resolve order = wins bcast hosts
        time server = Yes
        deadtime = 10
        socket options = TCP_NODELAY SO_RCVBUF=8192
        printcap name = CUPS
        show add printer wizard = No
        # Provisioning hooks; smbd runs all of these as root.
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        #shutdown script = /var/lib/samba/scripts/shutdown.sh
        #abort shutdown script = /sbin/shutdown -c
        # Served from [netlogon]; whoever can write there controls a script
        # that runs on every domain logon.
        logon script = logon.bat
        # NOTE(review): a share named after the user resolves through [homes],
        # not through [profiles] below, so that section's force user and
        # 0600/0700 masks do not apply to the directory profiles land in.
        logon path = \\%L\%U\.msprofile
        logon drive = h:
        logon home = \\%L\%U
        server schannel = auto
        client schannel = auto
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        # Bind DN with write access to the tree; its password is in
        # secrets.tdb, not in this file.
        ldap admin dn = uid=root,dc=domain,dc=com
        # Deleting a Samba account removes the whole LDAP entry, not only the
        # sambaSamAccount attributes.
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        # Password changes also update the LDAP userPassword attribute.
        ldap passwd sync = Yes
        ldap suffix = dc=domain,dc=com
        # No TLS -- see the "passdb backend" note above.
        ldap ssl = no
        ldap user suffix = ou=Users
        #utmp = Yes
        profile acls = Yes
        map acl inherit = Yes
        printing = cups
        # NOTE(review): Windows clients expect case-insensitive name lookups;
        # worth checking against the mixed-case NTUSER.DAT / ntuser.ini files
        # a profile contains.
        case sensitive = Yes
        hide unreadable = Yes
        hide files = /desktop.ini/
        veto oplock files = /*.doc/*.xls/*.mdb/
        # Every file operation by these users runs as root on every share,
        # including the guest-accessible ones; keep this list minimal.
        admin users=root Administrator
 
[homes]
        # One share per user, named after the user. NOTE(review): the global
        # "logon path" (\\%L\%U\.msprofile) resolves to this share, so profile
        # files are written with the masks set here.
        comment = Home Directories
        # %S is the share name, i.e. the owning user; nobody else connects.
        valid users = %S
        read only = No
        # 0644 leaves each user's NTUSER.DAT hive readable by every local
        # account; 0600 would match [profiles] below.
        create mask = 0644
        directory mask = 0775
        # Sets the DOS hidden attribute only; this is not an access control.
        hide files = /desktop.ini/
        browseable = No
 
[printers]
        # Spool share for the CUPS printers ("printing = cups" in [global]).
        comment = SMB Print Spool
        path = /var/spool/samba
        # Anonymous printing is allowed; spool files are created by whoever
        # connects, so the spool directory's mode (not shown here) matters.
        guest ok = Yes
        printable = Yes
        browseable = No
 
[print$]
        # Driver download share; Windows clients look for this exact name.
        comment = Printer Drivers
        path = /data/samba/print/drivers
        # Anonymous read of driver binaries. "read only" keeps its default
        # (yes) and there is no "write list", so presumably nothing can upload
        # drivers through this share as written.
        guest ok = Yes
 
[netlogon]
        # Serves logon.bat named by the global "logon script". "read only"
        # keeps its default (yes), which is what you want: write access here
        # would let a user change a script every domain member runs at logon.
        comment = Network Logon Service
        path = /data/samba/netlogon
        browseable = No
        # No byte-range locking on the logon scripts.
        locking = No
 
[profiles]
        # NOTE(review): nothing in [global] points at this share -- "logon
        # path" goes through [homes] -- so the 0600/0700 masks below do not
        # govern the profile directory as configured. The 1777 mode in the
        # next comment is far wider than a per-user directory needs.
        # chmod 1777 /home/%U/.msprofile
        path = /home/%U/.msprofile
        read only = no
        profile acls = yes
        create mask = 0600
        directory mask = 0700
        browseable = No
        nt acl support = Yes
        # Forces the connecting user to be themselves; effectively a no-op.
        force user = %U
        # %U is always the connecting user, so this admits every authenticated
        # user plus Domain Admins; the real scoping is the %U in "path".
        valid users = %U @"Domain Admins"
 
[profdata]
        # NOTE(review): no "logon path" or other setting in this file points
        # here; confirm what actually uses this share.
        comment = Profile Data Share
        path = /data/samba/profdata
        read only = No
        create mask = 0644
        directory mask = 0755
        browseable = No
        # Sets the DOS hidden attribute only; this is not an access control.
        hide files = /desktop.ini/
        # Disables client-side (offline files) caching of this share.
        csc policy = disable
 
[shared]
        comment = Network Shares
        path = /data/samba/shared
        # Writable by anonymous (guest) connections as well as domain users;
        # guest-created files belong to the "guest account" (default nobody).
        # If anonymous write is not intended, drop "guest ok" or limit writes
        # with "write list".
        read only = No
        guest ok = Yes
 
 
=============================================================
<======== end smb.conf
 
 
Also, here are a few "ls" listings so you can see my permissions.
 
# > ls -al /data/samba/profdata
total 24K
drwxr-xr-x  6 root          root          4.0K Aug  3 14:41 .
drwxr-xr-x  9 root          root          4.0K Aug  3 14:28 ..
drwxr-xr-x 11 Administrator Domain Admins 4.0K Aug  3 15:42 Administrator
drwxr-xr-x 12 user1        Domain Users  4.0K Aug  4 08:22 user1
drwxr-xr-x 10 root          Domain Admins 4.0K Aug  3 14:30 root
drwxr-xr-x  2 user2        Domain Users  4.0K Aug  3 13:04 user2
 
and user1's .msprofile:
 
# > ls -al /home/user1/.msprofile
total 820K
drwxrwxrwt  9 user1 Domain Users 4.0K Aug  7 12:02 .
drwxr-xr-x 43 user1 Domain Users 4.0K Aug  7 08:44 ..
drwxrwxr-x  6 user1 Domain Users 4.0K Aug  7 07:40 Application Data
drwxrwxr-x  2 user1 Domain Users 4.0K Aug  3 13:56 NetHood
-rw-r--r--  1 user1 Domain Users 768K Aug  7 12:01 NTUSER.DAT
-rw-r--r--  1 user1 Domain Users 1.0K Aug  7 12:01 ntuser.dat.LOG
-rw-r--r--  1 user1 Domain Users  610 Aug  7 12:02 ntuser.ini
-r--r--r--  1 user1 Domain Users  794 Aug  7 12:01 ntuser.pol
drwxrwxr-x  2 user1 Domain Users 4.0K Aug  3 13:56 PrintHood
drwxrwxr-x  2 user1 Domain Users 4.0K Aug  3 13:56 Recent
drwxrwxr-x  2 user1 Domain Users 4.0K Aug  3 13:56 SendTo
drwxrwxr-x  3 user1 Domain Users 4.0K Aug  3 13:56 Start Menu
drwxrwxr-x  2 user1 Domain Users 4.0K Aug  3 13:56 Templates
 
The second I log in as this user, the ntuser files all become owned by root and the timestamp changes, BUT when I log in again as this user, NONE of the changes to the profile are still there!
 
I can also do this as Administrator.... but the same thing results!
I followed chapter 5 from http://www.samba.org/samba/docs/man/Samba-Guide/happy.html for my setups.
 
 
 

