[Samba] Roaming profiles in domain level

Li, Ying (ESG) ying.li2 at hp.com
Fri Apr 29 17:31:46 GMT 2005


Hi,

In my case, the profile directory was already owned 
by a domain user who has a local account for 
Samba. I can see from the log file that the profile 
directory can be successfully opened and accessed. 
The problem seems to be that Samba handled the security 
descriptor request in a different way from Windows. 
For example: 
1) The security_desc response is different from Windows.
Flags: the Canonicalized pathnames bit is not set, but 
Windows set it.
Flags2: the unicode string bit, Error code type bit, 
Security Signatures and Extended Attributes are not 
set in Samba, but Windows set them.
In the Security Descriptor, Samba responded with an owner ACL 
and a group ACL as well as an NT User ACL, but Windows 
simply responded with an ACL only for the owner.

2) The incoming requests after the NT_QUERY_SECURITY_DESC 
request are different from Windows.
If profiles are stored on a Windows domain member, the 
incoming requests are Close/NT_Create_AndXs/ReadAndXs 
for loading a profile. If profiles are stored on 
Samba, I can only see Close/Logoff/TreeDisconnect 
requests. No requests to load profiles came 
from the Windows client.

So my case doesn't look like a profile owner issue. 
Could I ask you if you successfully use roaming 
profiles at the Samba domain level? Is it 2.2 or 3.0?

Thanks for your response.
-Ying




> -----Original Message-----
> From: Dirk.Laurenz at fujitsu-siemens.com 
> [mailto:Dirk.Laurenz at fujitsu-siemens.com] 
> Sent: Thursday, April 28, 2005 10:50 PM
> To: Li, Ying (ESG); samba at lists.samba.org
> Subject: RE: [Samba] Roaming profiles in domain level
> 
> Hi,
> 
> Windows checks the security acl of a profile.
> The user must be owner!
> 
> Kind regards,
> 
> 
> 
> Dirk Laurenz
> Systems Engineer	
> 
> Fujitsu Siemens Computers
> S CE DE SE PS N/O
> Sales Central Europe Deutschland
> Professional Service Nord / Ost
> 
> Hildesheimer Strasse 25
> 30880 Laatzen
> Germany
> 
> Telephone:	+49 (511) 84 89 - 18 08
> Telefax:	+49 (511) 84 89 - 25 18 08
> Mobile:	+49 (170) 22 10 781
> Email:	mailto:dirk.laurenz at fujitsu-siemens.com
> Internet:	http://www.fujitsu-siemens.com
>             http://www.fujitsu-siemens.de/services/index.html
> **************************************************************
> *****************************************************
>   
> 
> -|  -----Original Message-----
> -|  From: samba-bounces+dirk.laurenz=fujitsu-siemens.com at lists.samba.org
> -|  [mailto:samba-bounces+dirk.laurenz=fujitsu-siemens.com at lists.samba.org]
> -|  On Behalf Of Li, Ying (ESG)
> -|  Sent: Friday, April 29, 2005 12:27 AM
> -|  To: samba at lists.samba.org
> -|  Subject: [Samba] Roaming profiles in domain level
> -|  
> -|  Hi Everyone,
> -|  
> -|  Does anybody use roaming profiles in domain level?
> -|  
> -|  I'm looking for help setting up Samba as an NT4 domain member to
> -|  support roaming profiles for sharing during domain logon of Windows
> -|  clients. I ran into problems. The log files couldn't show specified
> -|  messages, except for BUFFER_TOO_SMALL.
> -|  
> -|  If a profile share directory is mounted on a Windows NT DC or a
> -|  Windows domain member, all Windows clients can successfully use
> -|  roaming profiles in that share during domain logon. If the profile
> -|  share is mounted on a Samba server that is an NT4 domain member, and
> -|  successfully joined to the domain, then all Windows clients can save
> -|  profiles to the share. But only Windows NT clients can load roaming
> -|  profiles from Samba.
> -|  WinXP (SP1/SP2) and Win2K (SP4) couldn't download roaming profiles
> -|  from the Samba profiles share.
> -|  
> -|  I captured the network traffic of domain logon for profiles stored on
> -|  both Windows and Samba domain members. By comparing behaviors, it
> -|  looks like Samba couldn't handle the case well. I've tried both
> -|  Samba2.2.12 and samba3.0.7. All have the same problem. So I'm
> -|  looking for others' experiences, to see if Samba has the capability to
> -|  provide roaming profiles in domain level.
> -|  
> -|  I have all the log files and ethereal log files. If needed, I can send
> -|  them to you as reference. Any hints or help would be greatly
> -|  appreciated.
> -|  
> -|  Thanks in advance.
> -|  -Ying Li
> -|  
> -|  smb.conf
> -|  [global]
> -|      server string = Samba Serves as Roaming profiles
> -|      security = DOMAIN
> -|      workgroup = NT4_DOMAIN_NAME
> -|      password server = *
> -|      encrypt passwords = yes
> -|      log level = 10
> -|      log file = /var/opt/samba/log.%m
> -|      # the following are for Samba3.0 only
> -|      idmap uid = 10000-20000
> -|      idmap gid = 10000-20000
> -|      winbind use default domain = yes
> -|      winbind enum users = yes
> -|      winbind enum groups = yes
> -|      winbind separator = ;
> -|  [profiles]
> -|      path = /profiles
> -|      browseable = no
> -|      guest ok = yes
> -|  
> -|  The directory /profiles is owned by root with 777 permission, and
> -|  includes all directories for a profile saved by Windows. On the
> -|  Windows DC, set up the profile path to \\sambaserver\profiles\username
> -|  for all domain users.
> 
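
The flag comparison described in the reply above (Flags and Flags2 bits that differ between the Windows and the Samba response) can be done mechanically. This is an added example, not part of the original post or of Samba: it decodes the 32-byte SMB1 header of two messages and lists the bits set in one but not the other. The two sample headers are constructed to mirror the differences listed in the message; they are not taken from the poster's capture, and the names `decode_flags`, `diff_flags` and `make_header` are hypothetical.

```python
import struct

# SMB1 header (32 bytes, little-endian): protocol, command, status, flags,
# flags2, pid_high, security features, reserved, tid, pid_low, uid, mid.
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")

# Bit names follow the wording used in the post.
FLAGS = {0x08: "Case insensitive", 0x10: "Canonicalized pathnames", 0x80: "Reply"}
FLAGS2 = {
    0x0001: "Long names",
    0x0002: "Extended attributes",
    0x0004: "Security signatures",
    0x4000: "Error code type (NT status)",
    0x8000: "Unicode strings",
}

def decode_flags(packet):
    """Return the names of the Flags/Flags2 bits set in one SMB1 header."""
    if len(packet) < SMB1_HEADER.size:
        raise ValueError("truncated SMB1 header")
    fields = SMB1_HEADER.unpack_from(packet)
    if fields[0] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    flags, flags2 = fields[3], fields[4]
    names = {"Flags: " + n for bit, n in FLAGS.items() if flags & bit}
    names |= {"Flags2: " + n for bit, n in FLAGS2.items() if flags2 & bit}
    return names

def diff_flags(reference, candidate):
    """Compare two headers; report bits present on only one side."""
    ref, cand = decode_flags(reference), decode_flags(candidate)
    return {"only_in_reference": sorted(ref - cand),
            "only_in_candidate": sorted(cand - ref)}

def make_header(flags, flags2):
    # Constructed sample header; 0xA0 is SMB_COM_NT_TRANSACT, the command
    # that carries the security descriptor query.
    return SMB1_HEADER.pack(b"\xffSMB", 0xA0, 0, flags, flags2,
                            0, bytes(8), 0, 1, 0, 1, 1)

# Constructed values, chosen to match the differences described in the post.
WINDOWS_REPLY = make_header(0x98, 0xC007)
SAMBA_REPLY = make_header(0x88, 0x0001)

if __name__ == "__main__":
    for side, names in diff_flags(WINDOWS_REPLY, SAMBA_REPLY).items():
        print(side, names)
```

To use it on a real capture, pass the bytes of each SMB message starting at the `\xffSMB` marker, that is, after the 4-byte NetBIOS session header.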

