[Samba] Problems logging on from XP to Samba PDC w/OpenLDAP
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 11 06:34:13 GMT 2008
look here,
you can use this for your profiles
[profiles]
path = /home/samba/profiles
comment = Profile environment
read only = no
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = Yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"
make sure the folder "/home/samba/profiles" has 777 rights;
all folders under it are owned by the user and accessible by administrators.
Louis
>-----Original Message-----
>From: samba-bounces+belle=bazuin.nl at lists.samba.org
>[mailto:samba-bounces+belle=bazuin.nl at lists.samba.org] On Behalf Of Jon Doran
>Sent: Wednesday, June 11, 2008 3:33
>To: Samba Mailing List
>Subject: [Samba] Problems logging on from XP to Samba PDC w/OpenLDAP
>
>I've been at this for a few weeks, and have read quite a bit on the
>subject. I try to follow "Samba-3 by Example" as much as I can. I'll
>apologize in advance if my problems should be discussed elsewhere.
>Samba's involvement is integral, but I have no reason to suspect Samba
>is at fault.
>
>I'll start by describing what is working. DHCP and DNS look fine. Samba
>is sharing folders without incident. LDAP is authenticating users, and I
>can log into an XP workstation once (!) before being kicked to the curb.
>Subsequent logons are met with
> "The system cannot log you on because your profile cannot be loaded".
>
>I also note that supplying an incorrect user/password from the XP box
>gives the appropriate response. So there is some degree of LDAP goodness.
>
>Roaming profiles are written to the proper share, and all files in a
>profile have the user's uid/gid. The profile directory is owned by root.
>
>Machines are able to join the domain without trouble. Their trust
>accounts are set up, and as I mentioned a user gets one logon.
>
>I started out today looking into why profiles could be written but not
>read. I ended up moving /var/lib/ldap aside and building a new database.
>I mention this so that it is clear the database has been recently wiped,
>and that the client machines are in God knows what state.
>
>A local group policy is on each of my test machines, which has turned
>off the ownership check and should be deleting profiles. In addition to
>this, at one point I have gone in as the local administrator and
>"cleaned" out stored profiles, using both the "User Profiles" off of the
>computer properties dialog, and by deleting files stored in "Documents
>and Settings".
>
>When I was logged on, folder redirection appeared to be working
>correctly.
>
>Rather than start out by sharing pages of config files, I wonder if it
>would be possible to narrow things down a bit. (Although I'll be happy
>to share the files.) My gut feeling is that this is a local machine
>configuration problem, as the LDAP log shows a correct uid/gid match and
>the system _did_ log me on.
>
>Therefore I wonder why the profile could not be read (we are back to
>this), and are back in Samba territory. (As an aside, the local machine
>group policy says not to log a user out if there is a profile problem,
>but it happens anyway. I am guessing that the rest of the policy is
>preventing the system from creating a default profile.)
>
>I'll append my smb.conf since I feel that it has a lot of relevance.
>
>Any help would be greatly appreciated.
>Jon Doran
>
>#======================= Global Settings =====================================
>
>[global]
> workgroup = larc
> security = user
> passdb backend = ldapsam:ldap://wintermute.larc.local
> obey pam restrictions = no
> smb ports = 139
>
> ldap admin dn = cn=manager,dc=larc,dc=local
> ldap suffix = dc=larc,dc=local
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=People
> ldap passwd sync = yes
># log level = 10
>
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password %n\n
>*all*authentication*tokens*updated*
>
> machine password timeout = 86400
>
> add user script = /usr/sbin/smbldap-useradd -m %u
> ldap delete dn = yes
> delete user script = /usr/sbin/smbldap-userdel %u
> add machine script = /usr/sbin/smbldap-useradd -w %u
> add group script = /usr/sbin/smbldap-groupadd -p %g
> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
> # smbldap-tools ships no "smbldap" binary; the primary group is changed
> # with smbldap-usermod -g
> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
> # end 5/28 mods
>
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> idmap uid = 500-10000000
> idmap gid = 500-10000000
> winbind use default domain = no
> winbind offline logon = false
> winbind enum users = no
> winbind enum groups = no
> client use spnego = true
>
> #from previous config
> #passdb backend=tdbsam
>
># ----------------------- Network Related Options -------------------------
>#
># workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
>#
># server string is the equivalent of the NT Description field
>#
># netbios name can be used to specify a server name not tied to the hostname
>#
># Interfaces lets you configure Samba to use multiple interfaces
># If you have multiple network interfaces then you can list the ones
># you want to listen on (never omit localhost)
>#
># Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
># specify it as a per share option as well
>#
> server string = Samba Server Version %v
># netbios name = WINTERMUTE
>
>; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
>; hosts allow = 127. 192.168.12. 192.168.13.
>
># --------------------------- Logging Options -----------------------------
>#
># Log File lets you specify where to put logs and how to split them up.
>#
># Max Log Size lets you specify the max size log files should reach
>
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
>
># ----------------------- Standalone Server Options ------------------------
>#
># Security can be set to user, share(deprecated) or server(deprecated)
>#
># Backend to store user information in. New installations should
># use either tdbsam or ldapsam. smbpasswd is available for backwards
># compatibility. tdbsam requires no further configuration.
>
>
>
># ----------------------- Domain Members Options ------------------------
>#
># Security must be set to domain or ads
>#
># Use the realm option only with security = ads
># Specifies the Active Directory realm the host is part of
>#
># Backend to store user information in. New installations should
># use either tdbsam or ldapsam. smbpasswd is available for backwards
># compatibility. tdbsam requires no further configuration.
>#
># Use password server option only with security = server or if you can't
># use the DNS to locate Domain Controllers
># The argument list may include:
># password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
># or to auto-locate the domain controller/s
># password server = *
>
># realm = LARC.LOCAL
># password server = larcserver.larc.local
>
># ----------------------- Domain Controller Options ------------------------
>#
># Security must be set to user for domain controllers
>#
># Backend to store user information in. New installations should
># use either tdbsam or ldapsam. smbpasswd is available for backwards
># compatibility. tdbsam requires no further configuration.
>#
># Domain Master specifies Samba to be the Domain Master Browser. This
># allows Samba to collate browse lists between subnets. Don't use this
># if you already have a Windows NT domain controller doing this job
>#
># Domain Logons lets Samba be a domain logon server for Windows workstations.
>#
># Logon Script lets you specify a script to be run at login time on the client
># You need to provide it in a share called NETLOGON
>#
># Logon Path lets you specify where user profiles are stored (UNC path)
>#
># Various scripts can be used on a domain controller or stand-alone
># machine to add or delete corresponding unix accounts
>#
>
> domain master = yes
> domain logons = yes
>
> logon path = \\%L\profiles\%U
> logon drive = H:
>
> # logon home is for Win9X clients
> logon home = \\wintermute\home\%U
>
>
># ----------------------- Browser Control Options ----------------------------
>#
># set local master to no if you don't want Samba to become a master
># browser on your network. Otherwise the normal election rules apply
>#
># OS Level determines the precedence of this server in master browser
># elections. The default value should be reasonable
>#
># Preferred Master causes Samba to force a local browser election on startup
># and gives it a slightly higher chance of winning the election
> local master = yes
> os level = 65
> preferred master = yes
>
>#----------------------------- Name Resolution -------------------------------
># Windows Internet Name Serving Support Section:
># Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
>#
># - WINS Support: Tells the NMBD component of Samba to enable its WINS Server
>#
># - WINS Server: Tells the NMBD components of Samba to be a WINS Client
>#
># - WINS Proxy: Tells Samba to answer name resolution queries on
># behalf of a non WINS capable client, for this to work there must be
># at least one WINS Server on the network. The default is NO.
>#
># DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
># via DNS nslookups.
>
> wins support = yes
># wins server = w.x.y.z   # register with another wins server
>; wins proxy = yes
>
> dns proxy = yes
>
># --------------------------- Printing Options -----------------------------
>#
># Load Printers lets you load automatically the list of printers rather
># than setting them up individually
>#
># Cups Options lets you pass the cups libs custom options, setting it to raw
># for example will let you use drivers on your Windows clients
>#
># Printcap Name lets you specify an alternative printcap file
>#
># You can choose a non default printing system using the Printing option
>
>; load printers = yes
> cups options = raw
>
>; printcap name = /etc/printcap
> #obtain list of printers automatically on SystemV
>; printcap name = lpstat
>; printing = cups
>
># --------------------------- Filesystem Options ---------------------------
>#
># The following options can be uncommented if the filesystem supports
># Extended Attributes and they are enabled (usually by the mount option
># user_xattr). These options will let the admin store the DOS attributes
># in an EA and make samba not mess with the permission bits.
>#
># Note: these options can also be set just per share, setting them in global
># makes them the default for all shares
>
>; map archive = no
>; map hidden = no
>; map read only = no
>; map system = no
>; encrypt passwords = yes
>; guest ok = no
> guest account = nobody
> username map = /etc/samba/smbusers
>; store dos attributes = yes
>
>
>#============================ Share Definitions ==============================
>
>[homes]
> comment = Home Directories
> path=/home
> browseable = no
> writable = yes
>
>[printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
>; guest ok = no
>; writable = no
> printable = yes
>
>[netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> guest ok = yes
> locking = no
> writable = no
> browsable = yes
> read only = yes
> share modes = no
>
>[profiles]
> comment = Profile Share
> path = /var/lib/samba/profiles
> writable = yes
> create mode = 0700
> directory mode = 0700
> public = yes
> guest ok = yes
> browsable = yes
>
># profile acls = yes
># read only = no
># create mask = 0600
># directory mask = 0700
># store dos attributes = yes
># short preserve case = no
># case sensitive = no
># guest ok = no
># printable = no
># browsable = no
># # turn off client-side caching (the valid value is "disable", not "disabled")
># csc policy = disable
># hide files = /desktop.ini/outlook.*lnk/*Briefcase*/ntuser.ini/NTUSER.*/
>
>[profdata]
> comment = Profile Data Share
> path = /var/lib/samba/profdata
> read only = no
> profile acls = yes
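Editor's note with an added example (this is not code from either post, nor from the Samba project): the two [profiles] definitions in this thread differ in exactly the settings that decide who can reach another user's roaming profile, so below is a small Python audit that parses both fragments the way smbd reads them (full-line `#`/`;` comments dropped, synonyms such as public/guest ok and create mode/create mask collapsed, later duplicates winning) and reports which of the parameters Louis's version relies on are absent. The two fragments are copied from the posts above; the finding rules are the editor's own assumptions, not Samba's. Note that the audit flags guest ok = yes in both versions: whether a guest connection is actually refused depends on the valid users list and the guest account, which the file alone cannot tell you. On the filesystem side, a 777 profile root without the sticky bit lets any local user rename or delete another user's top-level profile directory; 1777 (chmod +t) keeps the "anyone can create" behaviour while preventing that.

```python
"""Audit the [profiles] share of an smb.conf for the settings discussed
in this thread.  Added example by the editor, not code from the thread
or from the Samba project.  The two fragments are copied from the posts
above; the audit rules are the editor's own assumptions."""

import re

# Fragment 1: the [profiles] share Jon posted (copied from the thread).
POSTED = """\
[profiles]
    comment = Profile Share
    path = /var/lib/samba/profiles
    writable = yes
    create mode = 0700
    directory mode = 0700
    public = yes
    guest ok = yes
    browsable = yes
"""

# Fragment 2: the [profiles] share Louis suggested (copied from the thread).
SUGGESTED = """\
[profiles]
path = /home/samba/profiles
comment = Profile environment
read only = no
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = Yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"
"""

# smb.conf synonyms collapsed before auditing (smbd treats each pair as
# the same parameter).
SYNONYMS = {
    "public": "guest ok",
    "create mode": "create mask",
    "directory mode": "directory mask",
    "browsable": "browseable",
}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Full-line '#' and ';' comments are dropped, parameter names are
    lower-cased with whitespace squeezed, synonyms are collapsed, and a
    later duplicate overrides an earlier one, as in smbd.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not a parameter line; smbd would warn about it
        name = re.sub(r"\s+", " ", name.strip().lower())
        sections.setdefault(current, {})[SYNONYMS.get(name, name)] = value.strip()
    return sections


def is_yes(value):
    """Samba boolean: yes/true/1 are true, anything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def mask_allows_others(value):
    """True if an octal mask such as 0700 leaves any group/other bit set."""
    return int(value, 8) & 0o077 != 0


def audit_profiles(conf):
    """Return {finding_code: explanation} for the [profiles] share."""
    share = conf.get("profiles")
    if share is None:
        return {"missing": "no [profiles] share defined"}
    findings = {}
    if share.get("force user") != "%U":
        findings["force-user"] = "force user = %U is not set (the line Louis recommends)"
    if "valid users" not in share:
        findings["valid-users"] = "no valid users list; every domain user can connect"
    if is_yes(share.get("guest ok", "no")):
        findings["guest-ok"] = ("guest ok = yes; verify that guest connections are "
                                "really refused (e.g. by valid users) before relying on it")
    # Samba's default csc policy is "manual", so absence means caching is allowed.
    if share.get("csc policy", "manual").strip().lower() != "disable":
        findings["csc-policy"] = "csc policy is not 'disable'; clients may cache profile files offline"
    # Samba defaults: create mask 0744, directory mask 0755 (world-readable).
    for param, default in (("create mask", "0744"), ("directory mask", "0755")):
        if mask_allows_others(share.get(param, default)):
            findings[param] = f"{param} grants group/other bits; profile files readable by others"
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(f"== {label} ==")
        for code, why in audit_profiles(parse_smb_conf(text)).items():
            print(f"  [{code}] {why}")
```

Running the script prints four findings for the posted share (no force user, no valid users, guest ok, caching not disabled) and only the guest ok warning for Louis's version. Point `parse_smb_conf` at the text of a real smb.conf to audit a live server; the parser deliberately ignores `include =` and `%` substitutions, so anything pulled in that way must be audited separately.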