[Samba] Profiles -- default user ntuser.dat not being used at first logon
John H Terpstra
jht at samba.org
Tue Aug 30 23:03:15 GMT 2005
On Tuesday 30 August 2005 16:40, bsrxxti02 at sneakemail.com wrote:
> I'm trying to set up for my small school lab: Samba as PDC, 11
> workstations running XP Pro, roaming profiles with folder redirection.
>
> (I finally got the workstations to join the domain by adding them by
> hand--so I assume something is wrong with my add machine script, but
> I'll address that issue later, since I have only the 11 XP boxes to deal
> with.)
>
> Now I'm working on getting the user profiles to work, based on TOSHARG
> chapter 23 plus Practical Exercises. But I'm not being successful, and
> I'd appreciate some help:
I suggest you follow the examples in the book "Samba-3 By Example".
The current version is available on-line at:
http://www.samba.org/samba/docs/Samba3-ByExample.pdf
The examples are all from working networks.
>
> My understanding is that when a user logs onto the domain for the first
> time, Windows should copy the default profile from the NETLOGON share on
> the Samba machine.
Correct.
>
> (If this understanding is erroneous, please explain wherein I've
> misunderstood.)
>
> I have added the Samba user "tobedeleted", and put an ntuser.dat file
> for a default user in the /var/lib/samba/netlogon directory, which is
> the path I specified in the [netlogon] share, but Windows gives an error
> to the effect that the user's profile can't be found on the server, and
> that it will therefore create a local profile.
>
> Here's the relevant section of the samba log file for that machine:
>
> [2005/08/30 13:39:43, 0] lib/util_sock.c:write_socket_data(430)
> write_socket_data: write failure. Error = Connection reset by peer
> [2005/08/30 13:39:43, 0] lib/util_sock.c:write_socket(455)
> write_socket: Error writing 4 bytes to socket 25: ERRNO = Connection
> reset by peer
> [2005/08/30 13:39:43, 0] lib/util_sock.c:send_smb(647)
> Error writing 4 bytes to client. -1. (Connection reset by peer)
> [2005/08/30 13:39:55, 0] smbd/service.c:make_connection(794)
> hephaistos (192.168.1.105) couldn't find service var
^^^^^^^^^^^^^^^^^^^
See below why this error is logged!
> [2005/08/30 13:40:14, 1] smbd/service.c:make_connection_snum(642)
> hephaistos (192.168.1.105) connect to service netlogon initially as
> user tobedeleted (uid=501, gid=501) (pid 14621)
> [2005/08/30 13:40:15, 0] smbd/service.c:make_connection(794)
> hephaistos (192.168.1.105) couldn't find service var
> [2005/08/30 13:40:20, 1] smbd/service.c:close_cnum(830)
> hephaistos (192.168.1.105) closed connection to service netlogon
> [2005/08/30 13:40:21, 0] smbd/service.c:make_connection(794)
> hephaistos (192.168.1.105) couldn't find service var
> [2005/08/30 13:40:51, 0] smbd/service.c:make_connection(794)
> hephaistos (192.168.1.105) couldn't find service var
>
> And here is the corresponding section of the smbd log file:
>
> [2005/08/30 13:39:43, 0] lib/util_sock.c:get_peer_addr(1150)
> getpeername failed. Error was Transport endpoint is not connected
>
> I'm puzzled by the "couldn't find service var" message. Is "var"
> supposed to be a service? I thought it was a directory.
>
> I have also copied below my smb.conf file in case it helps someone point
> out my errors:
>
> [global]
> dos charset = CP850
> unix charset = UTF-8
> display charset = LOCALE
> workgroup = HELLAS
> realm =
> netbios name = ZEUS
> netbios aliases =
> netbios scope =
> server string = Samba Server PDC
> interfaces = eth0, lo
> bind interfaces only = No
> security = USER
> auth methods =
> encrypt passwords = Yes
> update encrypted = No
> client schannel = Auto
> server schannel = Auto
> allow trusted domains = Yes
> hosts equiv =
> min password length = 5
> map to guest = Never
> null passwords = No
> obey pam restrictions = No
> password server = *
> smb passwd file = /etc/samba/smbpasswd
> private dir = /etc/samba
> passdb backend = smbpasswd
You really should use either tdbsam or ldapsam. smbpasswd does not store the
complete set of NT4 account attributes.
> algorithmic rid base = 1000
> root directory =
> guest account = nobody
> enable privileges = No
> pam password change = No
> passwd program =
> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
> passwd chat debug = No
> passwd chat timeout = 2
> check password script =
> username map = /etc/samba/smbusers
> password level = 0
> username level = 0
> unix password sync = No
> restrict anonymous = 0
> lanman auth = Yes
> ntlm auth = Yes
> client NTLMv2 auth = No
> client lanman auth = Yes
> client plaintext auth = Yes
> preload modules =
> use kerberos keytab = No
> log level = 0
> syslog = 1
> syslog only = No
> log file = /var/log/samba/%m.log
> max log size = 50
> debug timestamp = Yes
> debug hires timestamp = No
> debug pid = No
> debug uid = No
> smb ports = 445 139
Change to:
smb ports = 139
> large readwrite = Yes
> max protocol = NT1
> min protocol = CORE
> read bmpx = No
> read raw = Yes
> write raw = Yes
> disable netbios = No
> acl compatibility =
> defer sharing violations = Yes
> nt pipe support = Yes
> nt status support = Yes
> announce version = 4.9
> announce as = NT
> max mux = 50
> max xmit = 16644
> name resolve order = wins lmhosts host bcast
> max ttl = 259200
> max wins ttl = 518400
> min wins ttl = 21600
> time server = No
> unix extensions = Yes
> use spnego = Yes
> client signing = auto
> server signing = No
> client use spnego = Yes
> change notify timeout = 60
> deadtime = 0
> getwd cache = Yes
> keepalive = 300
> kernel change notify = Yes
> lpq cache time = 30
> max smbd processes = 0
> paranoid server security = Yes
> max disk size = 0
> max open files = 10000
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> use mmap = Yes
> hostname lookups = No
> name cache timeout = 660
> load printers = Yes
> printcap cache time = 0
> printcap name = /etc/printcap
> cups server =
> disable spoolss = No
> enumports command =
> addprinter command =
> deleteprinter command =
> show add printer wizard = Yes
> os2 driver map =
> mangling method = hash2
> mangle prefix = 1
> stat cache = Yes
> machine password timeout = 604800
> add user script = /usr/sbin/useradd -m %u
> delete user script = /usr/sbin/userdel -r %u
> add group script = /usr/sbin/groupadd %g
> delete group script = /usr/sbin/groupdel %g
> add user to group script = /usr/sbin/usermod -G %g %u
> delete user from group script =
> set primary group script =
> add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
> shutdown script =
> abort shutdown script =
> logon script =
> logon path = \\%N\var\lib\samba\profiles\%U
No! No!
logon path = \\%L\profiles\%U
> logon drive =
> logon home = \\%N\var\lib\samba\profdata\%U
No! No!
logon home = \\%L\profdata\%U
> domain logons = Yes
> os level = 64
> lm announce = Auto
> lm interval = 60
> preferred master = Yes
> local master = Yes
> domain master = Yes
> browse list = Yes
> enhanced browsing = Yes
> dns proxy = No
> wins proxy = No
> wins server =
> wins support = Yes
> wins hook =
> wins partners =
> kernel oplocks = Yes
> lock spin count = 3
> lock spin time = 10
> oplock break wait time = 0
> ldap admin dn =
> ldap delete dn = No
> ldap filter = (uid=%u)
> ldap group suffix =
> ldap idmap suffix =
> ldap machine suffix =
> ldap passwd sync = no
> ldap replication sleep = 1000
> ldap suffix =
> ldap ssl = no
> ldap timeout = 15
> ldap user suffix =
> add share command =
> change share command =
> delete share command =
> config file =
> preload =
> lock directory = /var/cache/samba
> pid directory = /var/run
> utmp directory =
> wtmp directory =
> utmp = No
> default service =
> message command =
> dfree command =
> get quota command =
> set quota command =
> remote announce =
> remote browse sync =
> socket address = 0.0.0.0
> homedir map = auto.home
> afs username map =
> afs token lifetime = 604800
> log nt token command =
> time offset = 0
> NIS homedir = No
> panic action =
> host msdfs = No
> enable rid algorithm = Yes
> idmap backend =
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template primary group = nobody
> template homedir = /var/lib/samba/profdata/%D/%U
> template shell = /bin/false
> winbind separator = \
> winbind cache time = 300
> winbind enable local accounts = No
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = No
> winbind trusted domains only = No
> winbind nested groups = No
> comment =
> path =
> username =
> invalid users =
> valid users =
> admin users = chaos
> read list =
> write list =
> printer admin =
> force user =
> force group =
> read only = Yes
> create mask = 0744
> force create mode = 00
> security mask = 0777
> force security mode = 00
> directory mask = 0755
> force directory mode = 00
> directory security mask = 0777
> force directory security mode = 00
> force unknown acl user = No
> inherit permissions = No
> inherit acls = No
> guest only = No
> guest ok = Yes
> only user = No
> hosts allow =
> hosts deny =
> allocation roundup size = 1048576
> ea support = No
> nt acl support = Yes
> profile acls = No
> map acl inherit = No
> afs share = No
> block size = 1024
> max connections = 0
> min print space = 0
> strict allocate = No
> strict sync = No
> sync always = No
> use sendfile = No
> write cache size = 0
> max reported print jobs = 0
> max print jobs = 1000
> printable = No
> printing = cups
> cups options = raw
> print command =
> lpq command = %p
> lprm command =
> lppause command =
> lpresume command =
> queuepause command =
> queueresume command =
> printer name =
> use client driver = No
> default devmode = No
> force printername = No
> default case = lower
> case sensitive = Auto
> preserve case = Yes
> short preserve case = Yes
> mangling char = ~
> hide dot files = Yes
> hide special files = No
> hide unreadable = No
> hide unwriteable files = No
> delete veto files = No
> veto files =
> hide files =
> veto oplock files =
> map system = No
> map hidden = No
> map archive = Yes
> mangled names = Yes
> mangled map =
> store dos attributes = No
> browseable = Yes
> blocking locks = Yes
> csc policy = manual
> fake oplocks = No
> locking = Yes
> oplocks = Yes
> level2 oplocks = Yes
> oplock contention limit = 2
> posix locking = Yes
> strict locking = Yes
> share modes = Yes
> copy =
> include =
> preexec =
> preexec close = No
> postexec =
> root preexec =
> root preexec close = No
> root postexec =
> available = Yes
> volume =
> fstype = NTFS
> set directory = No
> wide links = Yes
> follow symlinks = Yes
> dont descend =
> magic script =
> magic output =
> delete readonly = No
> dos filemode = No
> dos filetimes = Yes
> dos filetime resolution = No
> fake directory create times = No
> vfs objects =
> msdfs root = No
> msdfs proxy =
>
> [homes]
> comment = Home Directories
> path = //%N/var/lib/samba/profdata/%U
> read only = No
> browseable = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
>
> [chaos]
> path = /home/chaos
> valid users = chaos
> read only = No
>
> [netlogon]
> path = /var/lib/samba/netlogon
> write list = @admins
>
> [profiles]
> path = /var/lib/samba/profiles
> read only = No
> create mask = 0600
> directory mask = 0700
[profdata]
path = /var/lib/samba/profdata
read only = no
Please look over the examples in "Samba-3 By Example" Chapters 3-5. If it is
not clear, contact me off-line.
- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
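The two mistakes the reply points at (a filesystem path stuffed into "logon path"/"logon home", which makes the XP client ask the server for a share named "var" and produces the "couldn't find service var" lines in the log, and a UNC-style value in a share's "path") are easy to catch mechanically. The script below is an added example, not code from the original message or from the Samba project. It checks that the share component of each logon UNC is a defined share and that every "path" is an absolute UNIX directory. Both smb.conf fragments inside it are constructed for the example: the "broken" one mirrors the values posted above, the "fixed" one follows the corrections in the reply.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project): a small
# smb.conf sanity check for the two mistakes visible in the thread above.
#
#  1. 'logon path' / 'logon home' are UNC names: \\server\share\subdir.
#     The share component is what the client asks the server for, so
#     \\%N\var\lib\samba\profiles\%U makes the client request a share named
#     "var", which is exactly what "couldn't find service var" means.
#  2. A share's 'path' is a directory on the server, so it must be an
#     absolute UNIX path, never a UNC or //-prefixed name.
#
# Both configurations below are constructed for this example.

SMB_CONF_BROKEN='[global]
   workgroup = HELLAS
   netbios name = ZEUS
   logon path = \\%N\var\lib\samba\profiles\%U
   logon home = \\%N\var\lib\samba\profdata\%U

[homes]
   path = //%N/var/lib/samba/profdata/%U

[netlogon]
   path = /var/lib/samba/netlogon

[profiles]
   path = /var/lib/samba/profiles
'

SMB_CONF_FIXED='[global]
   workgroup = HELLAS
   netbios name = ZEUS
   logon path = \\%L\profiles\%U
   logon home = \\%L\profdata\%U

[netlogon]
   path = /var/lib/samba/netlogon

[profiles]
   path = /var/lib/samba/profiles

[profdata]
   path = /var/lib/samba/profdata
'

# Print the share names ([section] headers other than [global]) from the
# config given on stdin.
smb_shares() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' | grep -vix 'global'
}

# Print the value of parameter $1 from the config given on stdin (first hit).
smb_param() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Print the share component of a UNC name: \\%L\profiles\%U -> profiles
unc_share() {
    printf '%s\n' "$1" | tr '\\' '/' | cut -d/ -f4
}

# Check 'logon path' and 'logon home' against the defined shares.
# Output: one OK/MISSING line per parameter; exit status 1 if any is missing.
check_logon_params() {
    conf=$(cat)
    shares=$(printf '%s\n' "$conf" | smb_shares)
    rc=0
    for p in 'logon path' 'logon home'; do
        val=$(printf '%s\n' "$conf" | smb_param "$p")
        [ -n "$val" ] || continue
        share=$(unc_share "$val")
        if printf '%s\n' "$shares" | grep -qix -- "$share"; then
            printf 'OK      %-10s -> share [%s]\n' "$p" "$share"
        else
            printf 'MISSING %-10s -> share [%s] is not defined (clients would log: could not find service %s)\n' \
                "$p" "$share" "$share"
            rc=1
        fi
    done
    return $rc
}

# Flag any 'path =' that is not an absolute UNIX path. Empty values are
# allowed ([homes] without a path defaults to the user's home directory).
check_share_paths() {
    awk '
        /^[[:space:]]*\[[^]]*\][[:space:]]*$/ {
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\][[:space:]]*$/, "", sec); next
        }
        /^[[:space:]]*path[[:space:]]*=/ {
            v = $0; sub(/^[[:space:]]*path[[:space:]]*=[[:space:]]*/, "", v)
            if (v != "" && (substr(v, 1, 1) != "/" || substr(v, 2, 1) == "/")) {
                printf "BADPATH [%s] path = %s (must be an absolute UNIX directory)\n", sec, v
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Demonstration: the posted config fails both checks, the corrected one passes.
for name in SMB_CONF_BROKEN SMB_CONF_FIXED; do
    eval "conf=\$$name"
    echo "== $name =="
    printf '%s\n' "$conf" | check_logon_params || :
    printf '%s\n' "$conf" | check_share_paths  || :
done
```

Run it against a real file with `check_logon_params < /etc/samba/smb.conf` after sourcing the script. Note that the reply switches %N to %L deliberately: %L expands to the server's own NetBIOS name, while %N is the NIS home-directory server, which is only meaningful when "homedir map" is backed by NIS. One related check the script does not make: Windows NT4/2000/XP clients look for a server-supplied default profile in a "Default User" subdirectory of the NETLOGON share, not in the share root, which is the layout the profile chapter of TOSHARG describes.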