"security = server" and NT roaming profiles (was SAMBA digest 1493)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Mon Nov 17 19:05:32 GMT 1997

On Tue, 18 Nov 1997, Graham Allan wrote:

> On Sat, 15 Nov 1997, Luke Kenneth Casson Leighton wrote:
> >On Sat, 15 Nov 1997, Gerald W. Carter wrote:
> >
> >> > If I am using the password server as an NT box then there
> >> > is no local NIS/passwd/smbpasswd file and so if I connect
> >> > via an NT box how does samba know where the home directory
> >> > is? Or do I have to maintain a local passwd file as well?
> >> 
> >> You will have to specify \\sambaserver\homes in the NT user profile as
> >> the home directory.
> >
> >ah, this is the right approach, but will throw up a slight difficulty.  
> >
> >when a user logs in, no connection is established under the user's account,
> >because the user has not been verified.  a connection is made under the
> >_machine_ account: a "Workstation Trust Account", i believe it is called. 
> >
> >unfortunately, once this connection is made, it is maintained 
> >continuously until the machine is switched off.  no users are involved, 
> >therefore the [homes] %U substitution doesn't work.
> >
> >the NT workstations _still_ try and read the profile using this machine 
> >account, and fail to do so, because it only exists once the _user_ is 
> >connected...
> Is this a recent change, in samba 1.9.17p4? NT roaming profiles suddenly
> stopped working for me when changing from 1.9.17p2 to 1.9.17p4.
> This is with both home directories and roaming profiles stored on the
> samba server:
> user home directory = \\samba-server\username		[homes]
> roaming profile     = \\samba-server\username\profile   [subdir of home]
> and using security = server
> Worked ok in 1.9.16 (with max mux fix) - 1.9.17p2. Now with 1.9.17p4,
> the connection to the roaming profile is refused when a user logs in.
> But when login is complete, the home directory is mounted correctly and
> all other services are available.

ok, so let me get this straight.

deducing your configuration from your message, you have:

- NT workstations.
- an NT server with profiles that indicate that the profile's location is 
  on a samba server
- a samba server in "security = server" mode, which tells NT workstations
  to do password challenges against the NT server.

no modifications were made to your clients, and when you upgraded from 
1.9.17p2 to 1.9.17p4, the profiles stopped loading?

that sounds logical.  NOT.

graham, i've not dealt with "security = server" mode, only with "security =
user", but your experiences may lead us to understand how to deal with 
this mode properly.

please could you send in a report to samba-bugs at samba.anu.edu.au, so that 
we can track this one down?



<a href="mailto:lkcl at switchboard.net"  > Luke Kenneth Casson Leighton  </a>
<a href="http://mailhost.cb1.com/~lkcl"> Samba Consultancy and Support </a>

More information about the samba mailing list