[Samba] Roaming profile problems - XP profiles not being saved (Windows 7 profiles work)
Richard Basch
basch at alum.mit.edu
Sun Jan 24 09:40:57 MST 2010
Ever since I upgraded Samba from 3.0.x to 3.4.x, and reconfigured it to
support Windows 7 clients, I am having issues with roaming profiles on my
Windows XP clients.

All the machines have been rejoined to the domain, domain authentication
appears to be working fine, the home drive is mounted ok, and the profile
information is even read, but never updated upon logout. A user with no
profile will have an empty profile directory created. I used to have the
profile under 'homes', which I changed after reading several articles about
not configuring as such, but to no avail.

I can't find any obvious errors in the Samba logs, using a variety of
debugging levels, but I probably haven't configured logging correctly (so if
Samba logs are requested, please let me know the logging I should enable).

The key item is Windows 7 profiles DO WORK. It is annoying it requires a
separate profile, but c'est la vie. Only my Windows XP clients are failing.
I have suspected it may be a registry setting in Windows XP, but I can't
seem to identify which parameter.

I did change the setting using the Policy Editor of:
    Do not check for user ownership of Roaming Profile Folders = Enabled
(on one computer), to no avail.

In my smb.conf, you will see references to LDAP... all the users are
configured with:
    SambaProfilePath = \\<samba-host-FQDN>\profiles\<username>
(No variables are referenced.)

/home/profiles is mode 1777, owned by root. Anyone can write there (and as
I previously said, I have seen the profile directory being created, just not
populated... and it is the same mountpoint that is also used for my Windows
7 (.V2) profiles, which work properly).

Enclosed is my smb.conf... any suggestions would be welcome. This list is
full of helpful people. My last issue to get Windows 7 domain joining was
great... I had to set StrongKeys = Required in the client's registry (I
never imagined Required would have been synonymous with if you don't do
this, it won't bother to negotiate the stronger setting).

smb.conf
========
[global]
;include = /etc/samba/dhcp.conf
workgroup = N2HA
realm = INTERNAL.BRIGHT-PROSPECTS.COM
security = user
map to guest = Bad User
usershare allow guests = Yes
server string = %h (Samba %v)
hosts allow = 192.168.0.0/16
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
smb ports = 445 139
;os level = 65
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
winbind use default domain = yes
netbios aliases = SAMBA
;printing = cups
;printcap name = cups
;printcap cache time = 750
;cups options = raw
name resolve order = wins lmhosts bcast
wins support = yes
dns proxy = no
ea support = yes
enable asu support = yes
time server = yes
deadtime = 10
max log size = 4096
hide dot files = no
hide special files = yes
hide unreadable = yes
template shell = /bin/false
veto oplock files = /*.pst/*.nsf/*.doc/*.xls/*.mdb/
client lanman auth = no
client ntlmv2 auth = yes
client plaintext auth = no
encrypt passwords = yes
lanman auth = no
ntlm auth = yes
null passwords = yes
server signing = auto
server schannel = auto
passdb backend = ldapsam:ldaps://ldap.internal.bright-prospects.com/
obey pam restrictions = no
ldap ssl = no
ldap admin dn = "uid=ntadmin,ou=User,dc=bright-prospects,dc=com"
ldap suffix = dc=bright-prospects,dc=com
ldap machine suffix = sambaDomainName=N2HA,ou=Network
ldap user suffix = ou=User
ldap group suffix = ou=Group
ldap idmap suffix = ou=IdMap,ou=Network
ldap passwd sync = yes
ldap delete dn = no
;add user script = /home/admin/bin/smbldap-useradd -m %u
;delete user script = /home/admin/bin/smbldap-userdel %u
;add group script = /home/admin/bin/smbldap-groupadd -p %g
;delete group script = /home/admin/bin/smbldap-groupdel %g
add machine script = /home/admin/bin/smbldap-useradd -w %u
add user to group script = /home/admin/bin/smbldap-groupmod -m %u %g
delete user from group script = /home/admin/bin/smbldap-groupmod -x %u %g
set primary group script = /home/admin/bin/smbldap-usermod -g %g %u
passwd program = /home/admin/bin/smbldap-passwd %u
vfs objects = recycle
recycle: directory_mode = 0770
recycle: keeptree = 1
recycle: touch = 1
recycle: minsize = 1
recycle: maxsize = 5000000
recycle: exclude = *.tmp *.temp ~$* *.obj *.~??
recycle: exclude_dir = /RealTimeBackup
;vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
;log level = 3 auth:5 smb:10
[homes]
comment = Home Directories
;valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
;
locking = no
hide files = /.*/desktop.ini/thumbs.db/*.bitmap/NTUSER.*/
hide unreadable = no
path = /home/%S
[profiles]
comment = Network Profiles Service
;path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
;
path = /home/profiles
hide files =
guest ok = yes
browseable = yes
;writeable = yes
;inherit acls = yes
profile acls = yes
csc policy = disable
force user = %U
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
[Profiles.V2]
copy = profiles
path = /home/profiles/%U.V2
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
browseable = yes
write list = root
csc policy = disable
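
Added example, not part of the original post: a defender-side check over share sections like the ones posted above that resolves `copy =` (as `[Profiles.V2]` does) and lists shares that end up both guest-accessible and writable. The sample is abridged from the posted config, the function names are illustrative, and only the parameters and synonyms named in the comments are handled; it reviews exposure and does not diagnose the XP profile problem.

```python
# Constructed sample: share sections abridged from the smb.conf posted above.
SAMPLE = """\
[profiles]
read only = No
path = /home/profiles
guest ok = yes
[Profiles.V2]
copy = profiles
path = /home/profiles/%U.V2
[netlogon]
path = /var/lib/samba/netlogon
guest ok = yes
"""
TRUE = {"yes", "true", "1"}
# smb.conf(5) synonyms: 'public' = 'guest ok'; these three invert 'read only'.
INVERTED = {"writeable", "writable", "write ok"}

def parse(text):
    """Return {section: {param: value}}; names lowercased, ';'/'#' comments dropped."""
    shares, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1].strip().lower(), {})
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in INVERTED:
                key, val = "read only", "no" if val.lower() in TRUE else "yes"
            cur["guest ok" if key == "public" else key] = val
    return shares

def effective(shares, name, seen=()):
    """[global] defaults, then the 'copy =' source, then the section's own lines."""
    src = shares[name].get("copy", "").lower()
    chained = src in shares and src not in seen + (name,)  # guard against copy loops
    base = effective(shares, src, seen + (name,)) if chained else shares.get("global", {})
    return {**base, **{k: v for k, v in shares[name].items() if k != "copy"}}

def guest_writable(shares):
    """(share, path) pairs that are effectively 'guest ok = yes' and 'read only = no'."""
    effs = {n: effective(shares, n) for n in shares if n != "global"}
    return [(n, e.get("path", "")) for n, e in effs.items()
            if e.get("guest ok", "no").lower() in TRUE
            and e.get("read only", "yes").lower() not in TRUE]

if __name__ == "__main__":
    print(guest_writable(parse(SAMPLE)))
```

On a live server, `testparm -s` prints the effective configuration and is the authoritative cross-check for what this sketch reports.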