[Samba] RE: Roaming Profile, LDAP, samba PDC/(pseudo)BDC, and nt acl support

Adam Fairhall Adam.Fairhall at opus.co.nz
Wed Mar 27 16:44:02 GMT 2002


I've done some further testing, cutting down the smb.conf file to the
bare minimum, and now only have a single pdc.  With ldap it is still
necessary to ctrl-alt-del before you can log out, shut down, etc.
properly.  If you don't, you end up with a blank screen and have to hit
ctrl-alt-del and use the Windows Security Settings popup to log out,
shut down or reboot.

The first time you hit ctrl-alt-del nothing seems to happen; the popup
doesn't appear.  This particular problem doesn't appear to be related at
all to profiles.

If I switch to using a non-ldap-compiled samba (and remove the ldap
lines from the smb.conf file) everything starts working smoothly.  I
took the log level up to 256 in both ldap and non-ldap versions and have
the logs available, but since they're 1.5MB and 0.9MB respectively
(compressed) I'll offer to forward them on to individuals rather than
post them to the list.

In addition, if you have ldap configured and 'map hidden' & 'map system'
set to 'yes', you have the same problem and workaround as appears in
the README.Win2kSP2 file, i.e. you need to set 'nt acl support = no' for
the profile share.  As soon as you stop using ldap it no longer matters.

As far as environment goes the only things left that I could see
affecting this are the versions we are using.

Samba 2.2.3a
Kernel 2.2.19 (debian potato)
OpenLDAP 2.0.18

the simplified smb.conf (with a couple of substitutions)

[global]
        workgroup = OPUS.CO.NZ
        netbios name = <hostname>
        encrypt passwords = Yes
        log level = 1
        log file = /var/samba/log.%m
        load printers = No
        domain admin group = root, @onv7
        logon path = \\%N\profile\%U
        logon drive = z:
        domain logons = Yes
        preferred master = True
        domain master = True
        wins support = Yes
        ldap server = <ldapserver>
        ldap port = 389
        ldap suffix = <base dn>
        ldap admin dn = <root dn>
        ldap ssl = no
        lock dir = /var/samba/locks
        NIS homedir = Yes
        read only = No

[homes]
        comment = homedrive of %U
        browseable = No

[profile]
        comment = User Profiles
        path = /var/samba/profile
        create mask = 0770
        directory mask = 0770
        nt acl support = No
        browseable = No


and just in case from the slapd.conf file
#######################################################################
# access control
#######################################################################
defaultaccess           read
access to attrs=lmPassword,ntPassword
        by dn=<root dn> write
        by * none
access to filter=(mailentry=no)
        by * none
access to attr=userpasswd
        by * compare
access to dn=<base dn>
        by self         write
        by *            read

Thanks

Adam
:->




