[Samba] Roaming Profiles with Samba PDC

Scott Millhisler sjmlistread at sjm.net
Mon Mar 10 17:35:17 GMT 2003

I have been working on this problem for quite some time now and have not been able to find the solution.

I have Samba running on Debian Linux 3.0 (Woody) as a primary domain controller.  From my Windows 2000 desktop I am able to browse that Linux server with Windows Explorer.

My biggest problem is trying to log in to that domain.  Under Windows 2000 I am able to join the domain (sjmlinux) but after I restart the Windows desktop and attempt to log in to that domain, Windows gives me a message like, "cannot create profile directory \\servername\profiledirectory.pds".  It then proceeds to assign me a generic profile that cannot be updated.

The profile directory has fairly liberal write access so the Windows machine should have sufficient rights to create or delete any files or directories it deems necessary.  One, of many, things I do not understand is where the .pds suffix that the message indicates is coming from.  It certainly is not what I have defined for the profile directory in smb.conf, and it is not something that I have seen before.

I have seen some documents that referred to creating a policy file (*.pol) with the Windows server policy editor tool.  However, I understand profiles to be much more than a single file, and that they are actually a directory structure that contains everything from desktop colors to your recent files list.  Under Windows 2000 this is essentially what you see in your subdirectory of the Documents and Settings folder.

I am sure that somebody must have seen this issue before as I have seen reference to it in the archives; I have just never seen what the solution is.  Below is a snippet of my smb.conf file that I believe would contain the pertinent information.


# Change this for the workgroup/NT-domain name your Samba server will be part of
   workgroup = sjmlinux
   netbios name = sjmpdc 

# server string is the equivalent of the NT Description field
   server string = %h server (Samba %v)

   guest account = nobody
   invalid users = root

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smb,nmb} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# security_level.txt for details.
   security = user

# You may wish to use password encryption. Please read ENCRYPTION.txt,
# Win95.txt and WinNT.txt in the Samba documentation. Do not enable this
# option unless you have read those documents
   encrypt passwords = true

# Support Domain logins
  domain logons = true

# Admin group (temp solution)
  domain admin group = @staff

# User profile path
  logon path = \\%N\home\%u\ntprofile

# Where is the user's home directory and what is the drive
  logon drive = H:
  logon home = \\%N\home\%u\pchome

# Specify a generic logon script for all users
# this is a relative **DOS** path to the [netlogon] share
  logon script = logon.bat

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
   os level = 64

   domain master = yes
   preferred master = yes

   wins support = yes

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# Name mangling options
   preserve case = yes

   unix password sync = true

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   template shell = /bin/bash

#======================= Share Definitions =======================

   comment = Home Directories
   browseable = yes

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
   writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0775

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0775

valid users = %u
guest ok = no
path = /home/%u/pchome

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no
   write list = @staff

# Share for User's profiles
   path = /home/%u/ntprofile
   writable = yes
   directory mode = 0700
   create mode = 0600


Scott Millhisler
SJM Computer Consulting
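
A consistency check for a configuration like the one posted above, as an added example that is not part of the original message: it resolves the share component of the `logon path` and `logon home` UNC values and reports any that match no share section in the same file. The section headers in the sample are assumptions (the posted snippet shows none), and the function names are hypothetical.

```python
import re

# Constructed sample: the posted logon settings plus hypothetical section
# headers (the snippet in the post shows none).
SAMPLE = r"""
[global]
   logon path = \\%N\home\%u\ntprofile
   logon home = \\%N\home\%u\pchome
[homes]
   path = /home/%u/pchome
[netlogon]
   path = /home/samba/netlogon
[profiles]
   path = /home/%u/ntprofile
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased section and param names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def unresolved_logon_shares(text):
    """List (param, share) pairs whose UNC share has no matching section."""
    sections = parse_smb_conf(text)
    shares = set(sections) - {"global"}
    problems = []
    for param in ("logon path", "logon home"):
        value = sections.get("global", {}).get(param)
        if not value:
            continue
        parts = [p for p in value.split("\\") if p]  # [server, share, ...]
        share = parts[1].lower() if len(parts) > 1 else ""
        # With a [homes] section, smbd serves \\server\<username> on the fly.
        via_homes = "homes" in shares and share == "%u"
        if share not in shares and not via_homes:
            problems.append((param, share))
    return problems

if __name__ == "__main__":
    for param, share in unresolved_logon_shares(SAMPLE):
        print(f"{param}: no [{share}] section defined")
```

Samba's own `testparm` validates parameter syntax; this check only covers the cross-reference between the logon UNC paths and the share names.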
