[Samba] Roaming Profiles with Samba PDC

John H Terpstra jht at samba.org
Mon Mar 10 18:36:31 GMT 2003


On Mon, 10 Mar 2003, Scott Millhisler wrote:

> I have been working on this problem for quite some time now and have not
> been able to find the solution.

Please see comments below.

- John T.

>
> I have Samba running on Debian Linux 3.0 (Woody) as a primary domain
> controller.  From my Windows 2000 desktop I am able to browse that Linux
> server with Windows Explorer.
>
> My biggest problem is trying to log in to that domain.  Under Windows
> 2000 I am able to join the domain (sjmlinux) but after I restart the
> Windows desktop and attempt to log in to that domain, Windows gives me a
> message like, "cannot create profile directory
> \\servername\profiledirectory.pds".  It then proceeds to assign me a
> generic profile that cannot be updated.
>
> The profile directory has fairly liberal write access so the Windows
> machine should have sufficient rights to create or delete any files or
> directories it deems necessary.  One, of many, things I do not
> understand is where the .pds suffix that the message indicates is coming
> from.  It certainly is not what I have defined for the profile directory
> in smb.conf and it is not something that I have seen before.
>
> I have seen some documents that referred to creating a policy file
> (*.pol) with the Windows server policy editor tool.  However, I
> understand profiles to be much more than a single file and that they are
> actually a directory structure that contains everything from desktop colors to your
> recent files list.  Under Windows 2000 this is essentially what you see
> in your subdirectory of the Documents and Settings folder.
>
> I am sure that somebody must have seen this issue before as I have seen
> reference to it in the archives; I had just never seen what the solution
> is.  Below is a snippet of my smb.conf file that I believe would contain
> the pertinent information.
>
> [global]
>
> # Change this for the workgroup/NT-domain name your Samba server will be part of
>    workgroup = sjmlinux
>    netbios name = sjmpdc
>
> # server string is the equivalent of the NT Description field
>    server string = %h server (Samba %v)
>
>    guest account = nobody
>    invalid users = root
>
> # This tells Samba to use a separate log file for each machine
> # that connects
>    log file = /var/log/samba/log.%m
>
> # Put a capping on the size of the log files (in Kb).
>    max log size = 1000
>
> # We want Samba to log a minimum amount of information to syslog. Everything
> # should go to /var/log/samba/log.{smb,nmb} instead. If you want to log
> # through syslog you should set the following parameter to something higher.
>    syslog = 0
>
> # "security = user" is always a good idea. This will require a Unix account
> # in this server for every user accessing the server. See
> # security_level.txt for details.
>    security = user
>
> # You may wish to use password encryption. Please read ENCRYPTION.txt,
> # Win95.txt and WinNT.txt in the Samba documentation. Do not enable this
> # option unless you have read those documents
>    encrypt passwords = true
>
> # Support Domain logins
>   domain logons = true
>
> # Admin group (temp solution)
>   domain admin group = @staff
>
> # User profile path
>   logon path = \\%N\home\%u\ntprofile

Suggest you try:

	logon path = \\%L\home\%U\ntprofile

Make absolutely sure that the directory 'ntprofile' exists (and is
writable) - BEFORE - the user logs on.

A MUCH better suggestion is to put profiles in a 'profiles' share, that is
the way it is done in MS Windows land. It allows you to set more suitable
smb.conf parameters for profile handling for the shared resource for which
it may be needed.

In this case you would have a share like:

[Profiles]
        comment = Roaming Profile Share
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes

and the following to match it:

        logon path = \\%L\Profiles\%U

>
> # Where is the user's home directory and what is the drive
>   logon drive = H:
>   logon home = \\%N\home\%u\pchome

Suggest you set this to:

	logon home = \\%L\home\%U\pchome

Again making sure that the directory 'pchome' exists and is writable.

>
> # Specify a generic logon script for all users
> # this is a relative **DOS** path to the [netlogon] share
>   logon script = logon.bat
>
> # Most people will find that this option gives better performance.
> # See speed.txt and the manual pages for details
> # You may want to add the following on a Linux system:
> #         SO_RCVBUF=8192 SO_SNDBUF=8192
>    socket options = TCP_NODELAY
>
> # set local master to no if you don't want Samba to become a master
> # browser on your network. Otherwise the normal election rules apply
> 	local master = yes
>
> # OS Level determines the precedence of this server in master browser
> # elections. The default value should be reasonable
>    os level = 64
>
>    domain master = yes
>    preferred master = yes
>
>    wins support = yes
>
> # This will prevent nmbd to search for NetBIOS names through DNS.
>    dns proxy = no
>
> # Name mangling options
>    preserve case = yes
>
>    unix password sync = true
>
> # Some defaults for winbind (make sure you're not using the ranges
> # for something else.)
>    winbind uid = 10000-20000
>    winbind gid = 10000-20000
>    template shell = /bin/bash
>
> #======================= Share Definitions =======================
>
> [homes]
>    comment = Home Directories
>    browseable = yes
>
> # By default, the home directories are exported read-only. Change next
> # parameter to 'yes' if you want to be able to write to them.
>    writable = yes
>
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
>    create mask = 0775
>
> # Directory creation mask is set to 0700 for security reasons. If you want to
> # create dirs. with group=rw permissions, set next parameter to 0775.
>    directory mask = 0775
>
> valid users = %u
> guest ok = no
> path = /home/%u/pchome
>
> # Un-comment the following and create the netlogon directory for Domain Logons
> # (you need to configure Samba to act as a domain controller too.)
> [netlogon]
>    comment = Network Logon Service
>    path = /home/samba/netlogon
>    guest ok = yes
>    writable = no
>    share modes = no
>    write list = @staff
>
> # Share for User's profiles
> [profiles]
>    path = /home/%u/ntprofile
>    writable = yes
>    directory mode = 0700
>    create mode = 0600
>
> ----------------
> Sincerely,
>
> Scott Millhisler
> SJM Computer Consulting
>
>

-- 
John H Terpstra
Email: jht at samba.org
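
Added example, not part of the original message: a shell sketch that pre-creates a user's roaming profile directory before first logon, as the reply advises, and audits it so that it is writable by its owner only rather than "fairly liberal". The function names are hypothetical; the default root is the [Profiles] share path from the reply, mode 0700 is the `directory mode` from the quoted smb.conf, and GNU find is assumed.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.
# Default root is the [Profiles] share path suggested in the reply.
PROFILE_ROOT="${PROFILE_ROOT:-/var/lib/samba/profiles}"

# ensure_profile_dir USER
# Create $PROFILE_ROOT/USER before the first logon, owned by USER, mode 0700.
ensure_profile_dir() {
    user="$1"
    # Refuse names that would resolve outside the profile root.
    case "$user" in
        ""|.|..|*/*) echo "bad user name: $user" >&2; return 2 ;;
    esac
    dir="$PROFILE_ROOT/$user"
    mkdir -p "$dir" || return 1
    # chown fails if there is no matching Unix account, which
    # "security = user" requires anyway.
    chown "$user" "$dir" || return 1
    chmod 0700 "$dir" || return 1
}

# audit_profile_dir USER
# Print one finding and return 0 only if the directory exists, belongs to
# USER, is fully accessible to USER and is not group- or world-writable.
audit_profile_dir() {
    user="$1"
    dir="$PROFILE_ROOT/$user"
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    [ -n "$(find "$dir" -maxdepth 0 -user "$user")" ] ||
        { echo "WRONG-OWNER $dir"; return 1; }
    [ -n "$(find "$dir" -maxdepth 0 -perm -0700)" ] ||
        { echo "NOT-WRITABLE-BY-OWNER $dir"; return 1; }
    [ -z "$(find "$dir" -maxdepth 0 -perm /0022)" ] ||
        { echo "GROUP-OR-WORLD-WRITABLE $dir"; return 1; }
    echo "OK $dir"
}
```

Run `ensure_profile_dir` as root when the account is created, and `audit_profile_dir` for each user whenever a client reports that it cannot create or update the profile.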

