[Samba] XP roaming profile problem (access denied)

Kelly Joyner some_assembly_reqd at yahoo.com
Tue Jun 15 17:15:57 GMT 2004

Hi! I was hoping someone had seen this problem, and might be able to 
help me out with it; I've tried the suggestions I found in the mailing 
lists and on web sites, to no avail. I'm running samba 3.0.2 on RHEL 3, 
and XP clients seem to occasionally have problems saving the roaming 
profile, resulting in error messages and the use of the local profile.

The problem is when renaming prf*tmp files for programs that seem like 
they may be using those files when the user is logging out; this is 
mostly the ICA client, although I have seen IE cookies cause the error 
as well.

I have tried disabling oplocks, and setting CSC policy to disable on the 
share, and this reduced the frequency of the error to the point that I 
thought I'd solved it, but after a couple of weeks I found two more 
occurrences. When the error occurs I get the following in the 
USERENV.LOG file on the client machine:

USERENV(208.154) 16:33:37:609 ReconcileFile: Failed to rename file 
<E:\scowman\Application Data\ICAClient\Cache\prf5049.tmp> to 
<E:\scowman\Application Data\ICAClient\Cache\2E78E792.DMA> with error = 32
USERENV(208.154) 16:33:37:609 ReportError: Impersonating user.
USERENV(208.20c) 16:34:08:687 UnloadUserProfileP:  CopyProfileDirectory 
returned FALSE for primary profile.  Error = 32
USERENV(208.20c) 16:34:08:687 ReportError: Impersonating user.

On the server side, I see only (log level = 2):

scowman opened file scowman/Application Data/ICAClient/Cache/prf5049.tmp 
Yes write=No (numopen=5)
[2004/06/09 16:31:14, 2] smbd/close.c:close_normal_file(228)  scowman 
closed file scowman/Application Data/ICAClient/Cache/prf503B.tmp (numopen=4)
[2004/06/09 16:31:14, 2] smbd/close.c:close_normal_file(228)  scowman 
closed file scowman/Application Data/ICAClient/Cache/prf5049.tmp (numopen=3)

The relevant portions of my samba config are:

    # netbios name of this server
    netbios name = pdc
    # domain name of this server
    workgroup = khlsc
    # use the TDBSAM (Trivial Database SAM) backend to store account info.
    passdb backend = tdbsam
    # require client to encrypt passwords
    encrypt passwords = yes

    # Rotate logs when they reach 200MB
    max log size = 200000

    # This should allow us to bypass requiring signorseal, but turning it
    # on breaks XP clients, for some reason.
    ;server schannel = yes

    # Listen for SMB traffic only on port 139. This may help avoid
    # lost connection issues under Windows XP.
    smb ports = 139

# Run a WINS server
    wins support = yes

# Always act as the local master browser
# and domain master browser.  Do not allow
# any other system to take over these roles!
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 255

# Perform domain authentication.
    domain logons = yes

# The profiles share is for storing
# Windows NT/2000/XP roaming profiles.
# Use your own path, and make sure
# the directory exists.

# -- The following options are in effect to resolve the roaming
# profile "access denied" issue.
# Disable opportunistic locking on this share.
oplocks = false
level2 oplocks = false
# Disable client-side caching of profile information.
csc policy = disable
# This should have not effect if oplocks are disabled.
veto oplock files = /prf*.tmp/;
path = /files/profiles
writeable = yes
create mask = 0600
directory mask = 0700
browseable = no
# workaround for Windows 2000 SP4/XP SP1 security issue.
profile acls = yes

Thanks for any assistance!

More information about the samba mailing list