[Samba] storing profiles on a 3rd host (NetApp), and [profiles] section of smb.conf

Justin Zachor zachor-samba at gamelogic.com
Thu Nov 18 16:59:37 GMT 2004

Is it okay to use an NFS-mounted path in the [profiles] path statement?

How do I make sure that owner & permissions don't get set to root on 
certain profile files when the user profile is migrated to the PDC 
'logon path' area?

I've set out to move our Windows PCs into a samba PDC domain, and my 
first profile migration was tripped up by some improper permissions that 
were set on some of the profile files when I copied the profile (as 
Administrator, on the Windows client) from the Win2K client to the PDC. 
(This was using the typical Windows utility: System | User Profiles | 
Copy To...) Plus, our previous Samba admin set a few things in smb.conf 
that I don't understand:

1. There's a [profiles] section that is commented --
Can I change /var/lib/samba/profiles to a directory on our NetApp filer? 
(the Samba server has root privilege on the NetApp, and the NetApp is a 
PDC client of Samba).

2. Do I even need this section? The "logon path = \\netapp\profiles\%u" 
in the PDC section seems to work somewhat, but my permissions need to be 
tweaked after being uploaded. How do I force create/directory modes? 
Should I use a [profiles] section for that? (Please see smb.conf below.)

3. In the [netlogon] section, can I move /var/lib/samba/netlogon to
a path nfs-mounted from my NetApp? (e.g. would /netapp/samba/netlogon 
only be accessed by the smb/PDC daemon?)

4. path was left out of [Homes] section --
I don't know why this section has no paths.

I know there's a ton of info on this around the web, but I didn't find
much of anything written about this scenario, where the general file
server is a third host, not the Samba server. Also, the NetApp can act
as a PDC, but we're using NIS in a mostly Debian/Mac OSX environment.

What happens now:

After adding a Win2K system to the domain, using local Administrator I
copied a local user profile to \\netapp\profiles\<user>

However, upon trying to login I get these errors:

"Windows cannot copy file \\netapp\profiles\user\Application
Data\Microsoft\Protect\S-1-5-21-515...\ to location C:\Documents and
Data\Microsoft\Protect\S-1-5-21-515...\. Contact your network

DETAIL - Access is denied."

"Windows cannot load the profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when
you log off."

Performing a chown -R user:group to the profile makes the errors go 
away. Is there a better fix, such as Otto's notes below?

Otto writes:

Excerpt of above URL -- use these in [profiles] section
   force create mode = 0600
   force directory mode = 0700

Sure enough, permissions are:
drwx------    2 root   daemon    4096 Nov 12 14:58 S-1-5-21-515...

Only after recursively chown'ing user's profile can they login:
netapp:/profiles#  chown -R user /profiles/user

My setup is:
   -  Debian Samba server
   -  NetApp filer (fileserver)
   -  Win2K clients


# -- BEGIN PDC --
     domain logons = yes
     logon path = \\netapp\profiles\%u
     logon drive = H:
     logon home = \\netapp\%u\.winprofile
     logon script = logon.bat

     add user to group script = /usr/sbin/usermod -G %g %u
     add machine script = /usr/sbin/adduser --firstuid 9001 \
         --lastuid 9500 \
         --gid 9000 --home /dev/null --shell /bin/false \
         --no-create-home \
         --disabled-password --gecos "%u Samba Machine Account" \
         --force-badname %u
     admin users = @ntadmins
     workgroup = FOOBAR
# -- END PDC --

     invalid users = root
<snip> (many misc settings)

[netlogon]
     comment = Network Logon Service
     browseable = no
     path = /var/lib/samba/netlogon
     read only = yes
     write list = @ntadmins

#[profiles]
#    path = /var/lib/samba/profiles # path = /netapp/profiles ???
#    read only = no
#    create mask = 0600
#    directory mask = 0700

[Homes]
    comment = Home Directories
    browseable = no
    force create mode = 0755
    force directory mode = 0755
    writable = yes

Thanks in advance
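
An ownership and mode audit for a profile tree like the one in this post, as an added example that is not part of the original message: it flags entries not owned by the profile's user (the root-owned S-1-5-21-... directory case) or carrying bits outside the 0700/0600 modes quoted above. The function names and the constructed sample tree are assumptions for illustration.

```python
import os
import stat
import tempfile

# Modes quoted in the post: force create mode = 0600, force directory mode = 0700
FILE_MODE_MAX = 0o600
DIR_MODE_MAX = 0o700


def audit_profile(profile_dir, expected_uid):
    """Return (path, problem) pairs; problem is "owner" or "mode"."""
    paths = [profile_dir]  # check the profile root itself, then everything below
    for root, dirs, files in os.walk(profile_dir):
        paths.extend(os.path.join(root, name) for name in dirs + files)
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: never follow a symlink out of the tree
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not meaningful
        if st.st_uid != expected_uid:
            findings.append((path, "owner"))
        allowed = DIR_MODE_MAX if stat.S_ISDIR(st.st_mode) else FILE_MODE_MAX
        if stat.S_IMODE(st.st_mode) & ~allowed:
            findings.append((path, "mode"))
    return findings


def demo():
    """Constructed sample: a profile tree with one over-permissive directory."""
    with tempfile.TemporaryDirectory() as base:
        profile = os.path.join(base, "user")
        protect = os.path.join(profile, "Application Data", "Protect")
        os.makedirs(protect)
        ntuser = os.path.join(profile, "NTUSER.DAT")
        open(ntuser, "w").close()
        for d in (profile, os.path.join(profile, "Application Data")):
            os.chmod(d, 0o700)
        os.chmod(protect, 0o755)  # deliberately wrong: group/other can traverse
        os.chmod(ntuser, 0o600)
        found = audit_profile(profile, os.getuid())
        return [(os.path.relpath(p, profile), why) for p, why in found]


if __name__ == "__main__":
    print(demo())
```

Run it on the host that mounts the profile area, passing the uid of the user who owns the profile, before that user's first domain logon.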