[Samba] Problems logging on from XP to Samba PDC w/OpenLDAP

L.P.H. van Belle belle at bazuin.nl
Wed Jun 11 06:34:13 GMT 2008


Look here, you can use this for your profiles:

[profiles]
        path = /home/samba/profiles
        comment = Profiel omgeving
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = Yes
        guest ok = Yes
        csc policy = disable
        # next line is a great way to secure the profiles
        force user = %U
        # next line allows administrator to access all profiles
        valid users = %U @"Domain Admins"

Make sure the folder "/home/samba/profiles" has 777 rights;
all folders below it are owned by the user and accessible by administrators.

Louis

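An audit script for the share definition above, added here as an example and not part of Louis's reply: it checks that the profiles root is world-writable (as the reply requires) and that each per-user directory is owned by the user it is named after and is mode 0700. It assumes GNU stat (Linux) and a layout like /home/samba/profiles/<username>; the sticky-bit warning is my own addition, since without it any user who can write to the root can rename or remove another user's profile directory.

```shell
#!/bin/sh
# Audit a Samba roaming-profile root (example, not from the mailing list):
# - the root must be world-writable so smbd, running as the forced user
#   (force user = %U), can create a brand-new profile directory;
# - every directory below it must be owned by the user it is named after
#   and be mode 0700, so only that user (and the admins via "valid users")
#   can read it.
# Assumes GNU stat. Prints one line per finding; returns 0 when the tree
# is as expected, 1 otherwise.
audit_profiles() {
    root="$1"
    rc=0

    [ -d "$root" ] || { echo "ERROR: $root is not a directory"; return 1; }

    root_mode=$(stat -c '%a' "$root")
    case "$root_mode" in
        777|1777) ;;
        *) echo "ERROR: $root has mode $root_mode, expected 777 (or 1777)"; rc=1 ;;
    esac
    # Not part of the reply: without the sticky bit, any user who can write
    # to the root can rename or delete another user's profile directory.
    [ "$root_mode" = 1777 ] || echo "WARN: $root lacks the sticky bit (mode 1777)"

    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue      # no subdirectories: glob stayed literal
        dir=${dir%/}
        name=$(basename "$dir")
        owner=$(stat -c '%U' "$dir")
        mode=$(stat -c '%a' "$dir")
        if [ "$owner" != "$name" ]; then
            echo "ERROR: $dir is owned by $owner, expected $name"
            rc=1
        fi
        if [ "$mode" != 700 ]; then
            echo "ERROR: $dir has mode $mode, expected 700"
            rc=1
        fi
    done
    return "$rc"
}
```

Run it as `audit_profiles /home/samba/profiles` after the first user has logged on; a mismatch between directory name and owner is the usual cause of a profile that can be written but not read back.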

>-----Original message-----
>From: samba-bounces+belle=bazuin.nl at lists.samba.org
>[mailto:samba-bounces+belle=bazuin.nl at lists.samba.org] On behalf of Jon Doran
>Sent: Wednesday 11 June 2008 3:33
>To: Samba Mailing List
>Subject: [Samba] Problems logging on from XP to Samba PDC w/OpenLDAP
>
>I've been at this for a few weeks, and have read quite a bit on the
>subject. I try to follow "Samba-3 by Example" as much as I can. I'll
>apologize in advance if my problems should be discussed elsewhere.
>Samba's involvement is integral, but I have no reason to suspect Samba
>is at fault.
>
>I'll start by describing what is working. DHCP and DNS look fine.
>Samba is sharing folders without incident. LDAP is authenticating
>users, and I can log into an XP workstation once (!) before being
>kicked to the curb. Subsequent logons are met with
>   "The system cannot log you on because your profile cannot be loaded".
>
>I also note that supplying an incorrect user/password from the XP box
>gives the appropriate response. So there is some degree of LDAP goodness.
>
>Roaming profiles are written to the proper share, and all files in a
>profile have the user's uid/gid. The profile directory is owned by root.
>
>Machines are able to join the domain without trouble. Their trust
>accounts are set up, and as I mentioned a user gets one logon.
>
>I started out today looking into why profiles could be written but not
>read. I ended up moving /var/lib/ldap aside and building a new
>database. I mention this so that it is clear the database has been
>recently wiped, and that the client machines are in God knows what state.
>
>A local group policy is on each of my test machines, which has turned
>off the ownership check and should be deleting profiles. In addition to
>this, at one point I have gone in as the local administrator and
>"cleaned" out stored profiles, using both the "User Profiles" off of the
>computer properties dialog, and by deleting files stored in "Documents
>and Settings".
>
>When I was logged on, folder redirection appeared to be working correctly.
>
>Rather than start out by sharing pages of config files, I wonder if it
>would be possible to narrow things down a bit. (Although I'll be happy
>to share the files.) My gut feeling is that this is a local machine
>configuration problem, as the LDAP log shows a correct uid/gid match and
>the system _did_ log me on.
>
>Therefore I wonder why the profile could not be read (we are back to
>this), and are back in Samba territory. (As an aside, the local machine
>group policy says not to log a user out if there is a profile problem,
>but it happens anyway. I am guessing that the rest of the policy is
>preventing the system from creating a default profile.)
>
>I'll append my smb.conf since I feel that it has a lot of relevance:
>
>Any help would be greatly appreciated.
>Jon Doran
>
>#======================= Global Settings =====================================
>
>[global]
>         workgroup = larc
>         security = user
>         passdb backend = ldapsam:ldap://wintermute.larc.local
>         obey pam restrictions = no
>         smb ports = 139
>
>         ldap admin dn = cn=manager,dc=larc,dc=local
>         ldap suffix = dc=larc,dc=local
>         ldap user suffix = ou=People
>         ldap machine suffix = ou=Computers
>         ldap group suffix = ou=Groups
>         ldap idmap suffix = ou=People
>         ldap passwd sync = yes
>#        log level = 10
>
>         passwd program = /usr/sbin/smbldap-passwd %u
>         passwd chat = *New*password* %n\n *Retype*new*password %n\n *all*authentication*tokens*updated*
>
>         machine password timeout = 86400
>
>         add user script = /usr/sbin/smbldap-useradd -m %u
>         ldap delete dn = yes
>         delete user script = /usr/sbin/smbldap-userdel %u
>         add machine script = /usr/sbin/smbldap-useradd -w %u
>         add group script = /usr/sbin/smbldap-groupadd -p %g
>         add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>         delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>         set primary group script = /usr/sbin/smbldap -g %g %u
>         # end 5/28 mods
>
>
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         idmap uid = 500-10000000
>         idmap gid = 500-10000000
>         winbind use default domain = no
>         winbind offline logon = false
>         winbind enum users = no
>         winbind enum groups = no
>         client use spnego = true
>
>         #from previous config
>         #passdb backend=tdbsam
>
># ----------------------- Network Related Options -------------------------
>#
># workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
>#
># server string is the equivalent of the NT Description field
>#
># netbios name can be used to specify a server name not tied to the hostname
>#
># Interfaces lets you configure Samba to use multiple interfaces
># If you have multiple network interfaces then you can list the ones
># you want to listen on (never omit localhost)
>#
># Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
># specify it as a per share option as well
>#
>         server string = Samba Server Version %v
>#        netbios name = WINTERMUTE
>
>;        interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
>;        hosts allow = 127. 192.168.12. 192.168.13.
>
># --------------------------- Logging Options -----------------------------
>#
># Log File let you specify where to put logs and how to split them up.
>#
># Max Log Size let you specify the max size log files should reach
>
>         # logs split per machine
>         log file = /var/log/samba/log.%m
>         # max 50KB per log file, then rotate
>         max log size = 50
>
># ----------------------- Standalone Server Options ------------------------
>#
># Security can be set to user, share(deprecated) or server(deprecated)
>#
># Backend to store user information in. New installations should
># use either tdbsam or ldapsam. smbpasswd is available for backwards
># compatibility. tdbsam requires no further configuration.
>
>
>
># ----------------------- Domain Members Options ------------------------
>#
># Security must be set to domain or ads
>#
># Use the realm option only with security = ads
># Specifies the Active Directory realm the host is part of
>#
># Backend to store user information in. New installations should
># use either tdbsam or ldapsam. smbpasswd is available for backwards
># compatibility. tdbsam requires no further configuration.
>#
># Use password server option only with security = server or if you can't
># use the DNS to locate Domain Controllers
># The argument list may include:
>#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
># or to auto-locate the domain controller/s
>#   password server = *
>
>#        realm = LARC.LOCAL
>#        password server = larcserver.larc.local
>
># ----------------------- Domain Controller Options ------------------------
>#
># Security must be set to user for domain controllers
>#
># Backend to store user information in. New installations should
># use either tdbsam or ldapsam. smbpasswd is available for backwards
># compatibility. tdbsam requires no further configuration.
>#
># Domain Master specifies Samba to be the Domain Master Browser. This
># allows Samba to collate browse lists between subnets. Don't use this
># if you already have a Windows NT domain controller doing this job
>#
># Domain Logons let Samba be a domain logon server for Windows workstations.
>#
># Logon Script lets you specify a script to be run at login time on the client
># You need to provide it in a share called NETLOGON
>#
># Logon Path let you specify where user profiles are stored (UNC path)
>#
># Various scripts can be used on a domain controller or stand-alone
># machine to add or delete corresponding unix accounts
>#
>
>         domain master = yes
>         domain logons = yes
>
>         logon path = \\%L\profiles\%U
>         logon drive = H:
>
>         # logon home is for Win9X clients
>         logon home = \\wintermute\home\%U
>
>
># ----------------------- Browser Control Options ----------------------------
>#
># set local master to no if you don't want Samba to become a master
># browser on your network. Otherwise the normal election rules apply
>#
># OS Level determines the precedence of this server in master browser
># elections. The default value should be reasonable
>#
># Preferred Master causes Samba to force a local browser election on startup
># and gives it a slightly higher chance of winning the election
>         local master = yes
>         os level = 65
>         preferred master = yes
>
>#----------------------------- Name Resolution 
>-------------------------------
># Windows Internet Name Serving Support Section:
># Note: Samba can be either a WINS Server, or a WINS Client, 
>but NOT both
>#
># - WINS Support: Tells the NMBD component of Samba to enable 
>it's WINS Server
>#
># - WINS Server: Tells the NMBD components of Samba to be a WINS Client
>#
># - WINS Proxy: Tells Samba to answer name resolution queries on
>#   behalf of a non WINS capable client, for this to work there must be
>#   at least one WINS Server on the network. The default is NO.
>#
># DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
># via DNS nslookups.
>
>         wins support = yes
>#        wins server = w.x.y.z;                # register with another wins server
>;        wins proxy = yes
>
>         dns proxy = yes
>
># --------------------------- Printing Options -----------------------------
>#
># Load Printers let you load automatically the list of printers rather
># than setting them up individually
>#
># Cups Options let you pass the cups libs custom options, setting it to raw
># for example will let you use drivers on your Windows clients
>#
># Printcap Name let you specify an alternative printcap file
>#
># You can choose a non default printing system using the Printing option
>
>;        load printers = yes
>         cups options = raw
>
>;        printcap name = /etc/printcap
>         #obtain list of printers automatically on SystemV
>;        printcap name = lpstat
>;        printing = cups
>
># --------------------------- Filesystem Options ---------------------------
>#
># The following options can be uncommented if the filesystem supports
># Extended Attributes and they are enabled (usually by the mount option
># user_xattr). These options will let the admin store the DOS attributes
># in an EA and make samba not mess with the permission bits.
>#
># Note: these options can also be set just per share, setting them in global
># makes them the default for all shares
>
>;        map archive = no
>;        map hidden = no
>;        map read only = no
>;        map system = no
>;        encrypt passwords = yes
>;        guest ok = no
>         guest account = nobody
>         username map = /etc/samba/smbusers
>;        store dos attributes = yes
>
>
>#============================ Share Definitions ==============================
>
>[homes]
>         comment = Home Directories
>         path=/home
>         browseable = no
>         writable = yes
>
>[printers]
>         comment = All Printers
>         path = /var/spool/samba
>         browseable = no
>;        guest ok = no
>;        writable = no
>         printable = yes
>
>[netlogon]
>         comment = Network Logon Service
>         path = /var/lib/samba/netlogon
>         guest ok = yes
>         locking = no
>         writable = no
>         browsable = yes
>         read only = yes
>         share modes = no
>
>[profiles]
>         comment = Profile Share
>         path = /var/lib/samba/profiles
>         writable = yes
>         create mode = 0700
>         directory mode = 0700
>         public = yes
>         guest ok = yes
>         browsable = yes
>
>#        profile acls = yes
>#        read only = no
>#        create mask = 0600
>#        directory mask = 0700
>#        store dos attributes = yes
>#        short preserve case = no
>#        case sensitive = no
>#        guest ok = no
>#        printable = no
>#        browsable = no
>#        # turn off client-side caching
>#        csc policy = disabled
>#        hide files = /desktop.ini/outlook.*lnk/*Briefcase*/ntuser.ini/NTUSER.*/
>
>[profdata]
>         comment = Profile Data Share
>         path = /var/lib/samba/profdata
>         read only = no
>         profile acls = yes
