[Samba] winxp roaming profiles and samba group access rights

Greg Andrews andrews at rgt.com.au
Sun Aug 15 10:51:07 GMT 2004


Howdy People,

I have a problem with roaming profiles in samba 3.0.5 on redhat9
(installed from the rpm with rpm -Uv samba.3.0.5.rpm).

I am not using LDAP (don't know how and as I am a Netware person on a very
steep learning curve with Samba, didn't want to complicate the
installation after seeing every second posting on this list as a ldap
problem).
The smb.conf file is listed below.
The confusing thing is that when a winxp user logs in they get the message
"windows cannot find the roaming profile , will attempt to use a local
profile instead...... "  however the profile is created on the server in
the correct location with the appropriate user rights (700) and when the
user logs out the profile is updated !!!!!, BUT it cannot be found at the
next login.
Also it is definitely NOT logging into the domain. A user who is not a
local user of the xpmachine cannot login.
Should I have security = domain instead of security = user?
Would this fix this issue?


[global]
log file = /var/log/samba/log.%m
load printers = no
name resolve order = wins bcast lmhosts host
admin users = @admingrp
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
obey pam restrictions = Yes
lm announce = True
domain master = True
username map = /etc/samba/user.map
encrypt passwords = yes
passwd program = /usr/bin/passwd %u
wins support = true
dns proxy = No
netbios name = SAMBASERVER
server string = sambaserver
logon script = logon.bat
unix password sync = yes
workgroup = PINARC
os level = 255
security = user
preferred master = True
max log size = 50
domain logons = Yes
logon drive = h:
logon home =\\%N\%U
logon path = \\%N\profiles\%U
add user script = /usr/sbin/useradd -d /dev/null -g 400 -s /bin/false -M /%u

[Profiles]
comment = Profiles Directory
path = /SYS/profiles
read only = no
create mask = 0600
directory mask = 0700
profile acls = yes
writeable = yes

[netlogon]
comment = For Administration Use
path = /etc/samba/netlogon
valid users = %U
write list = @admingrp
read only = no
create mask = 0644


[homes]
comment = %U home directory
path = /SYS/home/%U
valid users = %S
read only = No
create mask = 0600
browseable = No
directory mask =0700
locking = no

[open]
comment = Pinarc Readable Share
path = /SYS/world/open
read only = No
create mask = 0664
directory mask = 0775
valid users = @mars


I definitely have issues with the samba rights issues as well, as the
print out of the command net groupmap list will indicate.

System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-2643210455-489482773-813538922-512) ->admingrp
Domain Users (S-1-5-21-3314183342-3289294326-2282427927-513) -> mars
Replicators (S-1-5-32-552) -> -1
interchange (S-1-5-21-3314183342-3289294326-2282427927-4001) -> inter
Guests (S-1-5-32-546) -> -1
lukeman (S-1-5-21-3314183342-3289294326-2282427927-2803) -> madint
Domain Admins (S-1-5-21-218202318-3803304894-1597324041-512) -> -1
Domain Users (S-1-5-21-2643210455-489482773-813538922-513) -> -1
Domain Guests (S-1-5-21-218202318-3803304894-1597324041-514) -> nogroup
Power Users (S-1-5-32-547) -> -1
Domain Guests (S-1-5-21-2643210455-489482773-813538922-514) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-3314183342-3289294326-2282427927-514) -> -1
Domain Admins (S-1-5-21-3314183342-3289294326-2282427927-512) -> -1
Account Operators (S-1-5-32-548) -> -1
mad (S-1-5-21-3314183342-3289294326-2282427927-2801) -> mad
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

SID for domain SAMBASERVER is: S-1-5-21-3314183342-3289294326-2282427927


Now, what have I done

Firstly I have tried to remove the duplicate groups with the command
net groupmap delete ntgroup"Domain Users" to no avail.
I have also added the lines, to renew the "associations" if the machine is
rebooted
net groupmap modify ntgroup"Domain Admins" unixgroup=admingrp
net groupmap modify ntgroup"Domain Users" unixgroup=mars
net groupmap modify ntgroup"Domain Guests" unixgroup=nobody
net groupmap add ntgroup"lukeman" unixgroup=mars
net groupmap add ntgroup"interchange" unixgroup=inter
net groupmap add ntgroup"mad" unixgroup=mad

When I look in the log files for a user
ie. vi /var/log/samba/log.user
I see something like
get_domain_user_groups: primary gid of user[person] is not a Domain group !
get_domain_user_groups: you should fix it, NT doesn't like that.

Now you will have to take my word for it, but after tearing hair out for
the better part of two days whilst searching the university of google for
examples and the samba guide at samba.org (which is very comprehensive,
one might almost say too much so unless you know EXACTLY what you are
looking for), nothing would give me more pleasure than fixing this. I
just don't know how!!
At this stage of my nervous breakdown, I think single syllable replies
using very small words, with lots of examples are in order.
Any and all help gratefully received

Regards

Greg Andrews
-- 
System Manager
RGTechnologies Pty Ltd
606 Skipton Street
Ballarat 3350
613 53363603
0417 511 731
andrews at rgt.com.au
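
An added example, not part of the original post: a small audit of `net groupmap list` output in the format quoted above. It flags entries whose SID is not under the domain SID the post reports, and the well-known domain groups (RIDs 512, 513, 514) under that SID that map to -1. The names `parse`, `audit` and the finding labels are hypothetical; the sample is a subset of the lines in the post.

```python
import re

# Constructed sample: a subset of the `net groupmap list` lines quoted in the post.
SAMPLE = """\
Domain Admins (S-1-5-21-2643210455-489482773-813538922-512) ->admingrp
Domain Users (S-1-5-21-3314183342-3289294326-2282427927-513) -> mars
Domain Guests (S-1-5-21-218202318-3803304894-1597324041-514) -> nogroup
Domain Admins (S-1-5-21-3314183342-3289294326-2282427927-512) -> -1
Domain Guests (S-1-5-21-3314183342-3289294326-2282427927-514) -> -1
Administrators (S-1-5-32-544) -> -1
mad (S-1-5-21-3314183342-3289294326-2282427927-2801) -> mad
"""
DOMAIN_SID = "S-1-5-21-3314183342-3289294326-2282427927"  # as reported in the post

# "NT group name (SID) -> unix group"; the arrow may or may not be followed by a space.
LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\)\s*->\s*(?P<unix>\S+)$")
# Well-known domain-relative RIDs.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def parse(text):
    """Return (nt_name, sid, unix_group) tuples for every parsable line."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append((m["name"], m["sid"], m["unix"]))
    return entries


def audit(entries, domain_sid):
    """Flag mappings outside domain_sid and unmapped well-known domain groups."""
    findings = []
    for name, sid, unix in entries:
        if sid.startswith("S-1-5-32-"):
            continue  # BUILTIN aliases are not relative to the domain SID
        prefix, _, rid = sid.rpartition("-")
        if prefix != domain_sid:
            findings.append(("foreign-sid", name, sid, unix))
        elif int(rid) in WELL_KNOWN_RIDS and unix == "-1":
            findings.append(("unmapped-well-known", name, sid, unix))
    return findings


if __name__ == "__main__":
    for kind, name, sid, unix in audit(parse(SAMPLE), DOMAIN_SID):
        print(f"{kind:20} {name!r} {sid} -> {unix}")
```

On this sample the "Domain Admins" entry mapped to admingrp is reported as sitting under a different SID prefix, while the "Domain Admins" entry under the reported domain SID maps to -1.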










