REPORT: Profile problems & solution

Andrew Perrin - Demography aperrin at demog.Berkeley.EDU
Thu May 6 15:50:44 GMT 1999


Readers of the list may remember our vexing problems with profiles, which
seemed to coincide with the upgrade of Samba from 1.9.19-prealpha to the
2.0.3 level. We are now running 2.0.3 as both login server and file

The problem, essentially, was that the first user to log into a PC after
it had joined the domain worked fine; subsequent users were unable to
access the HKEY_USERS hive of the registry, and therefore their
user-defined preferences weren't available. The only reliable solution we
found was to wipe out both local and roaming profiles and start again.
However, even after doing that, the second and following users had similar

Jean-Francois kindly provided advice on the Domain SID bug and Jeremy's
patch for big-endian machines, both of which proved helpful; however, the
problem persisted in a less-consistent way.

After much agony, we noted that the NTUSER.DAT that showed up in the
roaming profile directory of the user that DIDN'T work actually belonged
to the first user, e.g., the one that had worked. That is: say I had
logged into a PC as the first user; then I logged off and nttest logged
on. The NTUSER.DAT file saved in nttest's profile directory, when
examined, had clear references to my preferences in it (just using strings
ntuser.dat).  We further noted that the ntprofile share was staying open
for an indeterminate amount of time, so we guessed that there was a
similar problem to the [homes] share, that is, that NT was keeping the
connection open for quite a while.  (As is strongly recommended, we keep
the profiles in a different share.)  So... we changed the permission on
each user's profile directory to 0700 - accessible only by the user. Now,
happily, if a user tries to login while the ntprofile directory is still
connected, at least they just get an error for that particular session
rather than screwing up their profile forever.

Moral of the story:
- Set profile directories to chmod 0700, owned by the user.
- If possible, use a deadtime parameter to try to get NT to release the
ntprofile share.

Andrew J. Perrin - aperrin at - NT/Unix Admin/Support
Department of Demography    -    University of California at Berkeley
2232 Piedmont Avenue #2120  -    Berkeley, California, 94720-2120 USA --------------------------SEIU1199
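
The first recommendation in the message above can be checked mechanically on the Samba server. The script below is an added example, not part of the original post: the function name audit_profiles and the layout it assumes (one directory per user directly under the profile share root, named after the user) are assumptions.

```shell
#!/bin/sh
# Added example: audit a roaming-profile root so that every <root>/<user>
# directory is mode 0700 and owned by <user>, as the post recommends.
# Assumed layout: one directory per user directly under the share root.
# Prints one line per problem; returns 0 if clean, 1 if anything was found.
audit_profiles() {
    root=$1
    bad=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue      # empty root: the glob matched nothing
        dir=${dir%/}
        user=${dir##*/}
        # "find DIR -prune" tests only DIR itself and never descends into it.
        # -perm 0700 is an exact match, so any group/other bit is reported.
        if [ -z "$(find "$dir" -prune -perm 0700 2>/dev/null)" ]; then
            echo "MODE  $dir: not 0700 (fix: chmod 0700 $dir)"
            bad=1
        fi
        # An unknown user name makes find fail and print nothing, which is
        # reported as an ownership problem as well.
        if [ -z "$(find "$dir" -prune -user "$user" 2>/dev/null)" ]; then
            echo "OWNER $dir: not owned by $user (fix: chown $user $dir)"
            bad=1
        fi
    done
    return "$bad"
}

# Stand-alone use: pass the profile share root as the first argument.
if [ $# -gt 0 ]; then
    audit_profiles "$1"
fi
```

Run it from cron against the directory behind the ntprofile share and alert on any output, so a profile directory created with looser permissions is caught before a second user's logon can write into it.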
