[Samba] Roaming profiles in domain level
Li, Ying (ESG)
ying.li2 at hp.com
Fri Apr 29 17:31:46 GMT 2005
In my case, the profile directory was already owned
by a domain user who has a local account for
Samba. I can see from the log file that the profile
directory can be successfully opened and accessed.
The problem seems to be that Samba handles the security
descriptor request differently from Windows.
1) The security_desc response is different from Windows.
Flags: Canonicalized pathnames bit is not set. But
Flags2: unicode string bit, Error code type bit,
Security Signatures, Extended Attributes are not
set in Samba. But Windows did.
In the Security Descriptor, Samba responded with an owner ACL
and a group ACL as well as an NT User ACL. But Windows
simply responded with an ACL only for the owner.
2) Incoming requests after the NT_QUERY_SECURITY_DESC
request are different from Windows.
If profiles are stored on a Windows domain member,
the incoming requests are Close/NT_Create_AndXs/ReadAndXs
for loading a profile. If profiles are stored on
Samba, I can only see Close/Logoff/TreeDisconnect
requests. No profile-loading requests came
from the Windows client.
So my case doesn't look like a profile owner issue.
Could I ask you if you successfully use roaming
profiles at Samba domain level? Is it 2.2 or 3.0?
Thanks for your response.
> -----Original Message-----
> From: Dirk.Laurenz at fujitsu-siemens.com
> [mailto:Dirk.Laurenz at fujitsu-siemens.com]
> Sent: Thursday, April 28, 2005 10:50 PM
> To: Li, Ying (ESG); samba at lists.samba.org
> Subject: RE: [Samba] Roaming profiles in domain level
> Windows checks the security acl of a profile.
> The user must be owner!
> Kind regards,
> Dirk Laurenz
> Systems Engineer
> Fujitsu Siemens Computers
> S CE DE SE PS N/O
> Sales Central Europe Deutschland
> Professional Service Nord / Ost
> Hildesheimer Strasse 25
> 30880 Laatzen
> Telephone: +49 (511) 84 89 - 18 08
> Telefax: +49 (511) 84 89 - 25 18 08
> Mobile: +49 (170) 22 10 781
> Email: mailto:dirk.laurenz at fujitsu-siemens.com
> Internet: http://www.fujitsu-siemens.com
> -| -----Original Message-----
> -| From: samba-bounces+dirk.laurenz=fujitsu-siemens.com at lists.samba.org
> -| [mailto:samba-bounces+dirk.laurenz=fujitsu-siemens.com at lists.samba.org]
> -| On Behalf Of Li, Ying (ESG)
> -| Sent: Friday, April 29, 2005 12:27 AM
> -| To: samba at lists.samba.org
> -| Subject: [Samba] Roaming profiles in domain level
> -| Hi Everyone,
> -| Does anybody use roaming profiles at domain level?
> -| I'm looking for help with setting up Samba as an NT4 domain member to
> -| support roaming profiles for sharing during domain logon of Windows
> -| clients. I ran into problems. The log files couldn't show
> -| messages, except for BUFFER_TOO_SMALL.
> -| If a profile share directory is mounted on a Windows NT DC or a
> -| Windows domain member, all Windows clients can successfully use
> -| roaming profiles in that share during domain logon. If the profile
> -| share is mounted on a Samba server that is an NT4 domain member, and
> -| successfully joined to the domain, then all Windows clients can save
> -| profiles to the share. But only Windows NT clients can load roaming
> -| profiles from Samba.
> -| WinXP (SP1/SP2)
> -| and Win2K (SP4) couldn't download roaming profiles from the Samba
> -| profiles share.
> -| I captured the network traffic of domain logon for profiles stored on
> -| both Windows and Samba domain members. By comparing behaviors, it
> -| looks like Samba couldn't handle the case well. I've tried both
> -| Samba2.2.12 and samba3.0.7. All have the same problem. So I'm
> -| looking for others' experiences, to see if Samba has the capability to
> -| provide roaming profiles at domain level.
> -| I have all the log files and ethereal log files. If needed, I can send
> -| them to you as reference. Any hints or help would be greatly
> -| appreciated.
> -| Thanks in advance.
> -| -Ying Li
> -| smb.conf
> -| [global]
> -| server string = Samba Serves as Roaming profiles
> -| security = DOMAIN
> -| workgroup = NT4_DOMAIN_NAME
> -| password server = *
> -| encrypt passwords = yes
> -| log level = 10
> -| log file = /var/opt/samba/log.%m
> -| # the following are for Samba3.0 only
> -| idmap uid = 10000-20000
> -| idmap gid = 10000-20000
> -| winbind use default domain = yes
> -| winbind enum users = yes
> -| winbind enum groups = yes
> -| winbind separator = ;
> -| [profiles]
> -| path = /profiles
> -| browseable = no
> -| guest ok = yes
> -| The directory /profiles is owned by root with 777 permission, and
> -| includes all directories for a profile saved by Windows. On Windows
> -| DC, setup profile path to \\sambaserver\profiles\username for all
> -| domain users.
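Added example, not part of the original thread: a small Python decoder for the Flags and Flags2 fields of the 32-byte SMB1 header, which diffs two replies the way the message above compares the Windows and Samba responses. The two sample headers are constructed to mirror that description (they are not taken from the poster's captures), and the helper names are hypothetical.

```python
import struct

# Bit names for the SMB1 header Flags (1 byte) and Flags2 (2 bytes, LE) fields.
FLAGS = {0x08: "case_insensitive", 0x10: "canonicalized_pathnames",
         0x20: "oplocks", 0x40: "notify", 0x80: "reply"}
FLAGS2 = {0x0001: "long_names_allowed", 0x0002: "extended_attributes",
          0x0004: "security_signatures", 0x0800: "extended_security",
          0x1000: "dfs", 0x4000: "nt_error_codes", 0x8000: "unicode_strings"}

NT_TRANSACT = 0xA0  # command that carries the security descriptor query


def parse_smb1_header(raw):
    """Return command, status and the set flag names of an SMB1 header."""
    if len(raw) < 32 or raw[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    # Offsets: 4 command, 5-8 status, 9 Flags, 10-11 Flags2.
    command, status, flags, flags2 = struct.unpack_from("<BIBH", raw, 4)
    names = {name for bit, name in FLAGS.items() if flags & bit}
    names |= {name for bit, name in FLAGS2.items() if flags2 & bit}
    return {"command": command, "status": status, "flags": names}


def diff_flags(raw_a, raw_b):
    """Return (flags only in a, flags only in b) as sorted lists."""
    a = parse_smb1_header(raw_a)["flags"]
    b = parse_smb1_header(raw_b)["flags"]
    return sorted(a - b), sorted(b - a)


def build_header(command, flags, flags2):
    """Build a constructed 32-byte header; the trailing fields are zeroed."""
    return b"\xffSMB" + struct.pack("<BIBH", command, 0, flags, flags2) + bytes(20)


# Constructed samples mirroring the differences listed in the message.
WINDOWS_REPLY = build_header(NT_TRANSACT, 0x98, 0xC007)
SAMBA_REPLY = build_header(NT_TRANSACT, 0x88, 0x0001)

if __name__ == "__main__":
    only_windows, only_samba = diff_flags(WINDOWS_REPLY, SAMBA_REPLY)
    print("set only by Windows:", ", ".join(only_windows) or "-")
    print("set only by Samba:  ", ", ".join(only_samba) or "-")
```

To use it on real traffic, pass the first 32 bytes of each SMB reply exported from the capture in place of the constructed samples.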