[Samba] storing profiles on a 3rd host (NetApp), and [profiles] section of smb.conf
Justin Zachor
zachor-samba at gamelogic.com
Thu Nov 18 16:59:37 GMT 2004
1. Is it okay to use an NFS-mounted path in the [profiles] path statement?
2. How do I make sure that owner & permissions don't get set to root on
certain profile files when the user profile is migrated to the PDC
'logon path' area?
--------------------------------------------------------
I've set out to move our Windows PCs into a samba PDC domain, and my
first profile migration was tripped up by some improper permissions that
were set on some of the profile files when I copied the profile (as
Administrator, on the Windows client) from the Win2K client to the PDC.
(This was using the typical Windows utility: System | User Profiles |
Copy To...) Plus, our previous Samba admin set a few things in smb.conf
that I don't understand:
1. There's a [profiles] section that is commented --
Can I change /var/lib/samba/profiles to a directory on our NetApp filer?
(the Samba server has root privilege on the NetApp, and the NetApp is a
PDC client of Samba).
2. Do I even need this section? The "logon path = \\netapp\profiles\%u"
in PDC section seems to work somewhat, but my permissions need to be
tweaked after being uploaded. How do I force create/directory modes?
Should I use a [profiles] section for that? (please see smb.conf below)
3. In the [netlogon] section, can I move /var/lib/samba/netlogon to
a path nfs-mounted from my NetApp? (e.g. would /netapp/samba/netlogon
only be accessed by the smb/PDC daemon?)
4. path was left out of [Homes] section --
I don't know why this section has no paths.
BTW,
I know there's a ton of info on this around the web, but I didn't find
much of anything written about this scenario, where the general file
server is a third host, not the Samba server. Also, the NetApp can act
as a PDC, but we're using NIS in a mostly Debian/Mac OSX environment.
--------------------------------------------------------
What happens now:
After adding a Win2K system to the domain, using local Administrator I
copied a local user profile to \\netapp\profiles\<user>.
However, upon trying to log in I get these errors:
"Windows cannot copy file \\netapp\profiles\user\Application
Data\Microsoft\Protect\S-1-5-21-515...\ to location C:\Documents and
Settings\user.FOOBAR\Application
Data\Microsoft\Protect\S-1-5-21-515...\. Contact your network
administrator.
DETAIL - Access is denied."
"Windows cannot load the profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when
you log off."
Performing a chown -R user:group to the profile makes the errors go
away. Is there a better fix, such as Otto's notes below?
--------------------------------------------------------
Otto writes:
http://lists.samba.org/archive/samba/1999-November/015480.html
Excerpt of above URL -- use these in [profiles] section
force create mode = 0600
force directory mode = 0700
Sure enough, permissions are:
drwx------ 2 root daemon 4096 Nov 12 14:58 S-1-5-21-515...
Only after recursively chown'ing user's profile can they log in:
netapp:/profiles# chown -R user /profiles/user
My setup is:
- Debian Samba server
- NetApp filer (fileserver)
- Win2K clients
------------smb.conf--------------
[global]
# -- BEGIN PDC --
domain logons = yes
logon path = \\netapp\profiles\%u
logon drive = H:
logon home = \\netapp\%u\.winprofile
logon script = logon.bat
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/adduser --firstuid 9001 \
--lastuid 9500 \
--gid 9000 --home /dev/null --shell /bin/false \
--no-create-home \
--disabled-password --gecos "%u Samba Machine Account" \
--force-badname %u
admin users = @ntadmins
workgroup = FOOBAR
# -- END PDC --
invalid users = root
<snip> (many misc settings)
[netlogon]
comment = Network Logon Service
browseable = no
path = /var/lib/samba/netlogon
read only = yes
write list = @ntadmins
#[profiles]
# path = /var/lib/samba/profiles # path = /netapp/profiles ???
# read only = no
# create mask = 0600
# directory mask = 0700
[homes]
comment = Home Directories
browseable = no
force create mode = 0755
force directory mode = 0755
writable = yes
--------------------------------------------------------
Thanks in advance
JAZ
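
Added example, not part of the original post: a Python check that walks a copied profile tree and lists entries whose owner is not the profile's user (the root-owned S-1-5-21-... directory case above) or whose mode differs from the 0600/0700 values quoted from Otto. The function name, the finding labels and the command-line form are assumptions of this example.

```python
import os
import stat
import sys

# Target modes taken from the settings quoted in the post:
#   force create mode = 0600, force directory mode = 0700
FILE_MODE = 0o600
DIR_MODE = 0o700


def _entries(profile_dir):
    """Yield the profile directory itself and everything beneath it."""
    yield profile_dir
    for root, dirs, files in os.walk(profile_dir):
        for name in dirs + files:
            yield os.path.join(root, name)


def audit_profile(profile_dir, expected_uid):
    """Return (path, label) findings for one roaming-profile tree.

    Labels (names chosen for this example):
      owner      - st_uid differs from expected_uid (e.g. root after an
                   Administrator copy)
      mode-owner - the owner lacks a bit of the 0600/0700 target
      mode-wide  - group or other have any access
    """
    findings = []
    for path in _entries(profile_dir):
        st = os.lstat(path)            # lstat: do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            continue
        wanted = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            findings.append((path, "owner"))
        if mode & wanted != wanted:
            findings.append((path, "mode-owner"))
        if mode & 0o077:
            findings.append((path, "mode-wide"))
    return findings


if __name__ == "__main__":
    # Usage (assumed form): audit.py /profiles/user user
    import pwd
    uid = pwd.getpwnam(sys.argv[2]).pw_uid   # resolves through NSS, so NIS users work
    for path, label in audit_profile(sys.argv[1], uid):
        print("%-10s %s" % (label, path))
```

Run it on the host that mounts the profile area, before the user's first domain logon; an empty result means every entry is owned by the user and matches the quoted modes.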