[Samba] Samba PDC problem

John H Terpstra jht at Samba.Org
Tue Jul 12 14:17:57 GMT 2005


On Tuesday 12 July 2005 01:50, Nicola Murino wrote:
> My clients are windows xp sp2, however there is the same function:
>
> Start->Run->gpedit.msc
> LocalComputerPolicy -> ComputerConfiguration
> AdministrativeTemplates -> System -> User Profile -> Do not check for
> user ownership of Roaming profiles set to enable
>
> now a basic PDC works :-),
>
> thanks
> Nicola
>
> P.S. If this is a common problem (I have this issue with different samba
> versions on different distributions) maybe it would be a good idea to insert
> this issue in the samba faq or in documentation such as samba by example or
> other official samba docs (excuse me if it is already inserted)

Please refer to the book, "The Official Samba-3 HOWTO and Reference Guide", 
second edition, Chapter 26, Section 26.2.2.3.

This book is being printed and is due to be released at LinuxWorld San 
Francisco. You can obtain a PDF of it from:
http://www.samba.org/samba/docs/Samba3-HOWTO.pdf

Cheers,
John T.

>
> Пустовалов Леонид Тимофеевич wrote:
> >Hello Nicola,
> >
> >Monday, July 11, 2005, 8:16:16 PM, you wrote:
> >
> >if client = windows 2000
> >try to Start -> Run -> gpedit.msc
> >LocalComputerPolicy -> ComputerConfiguration ->
> >AdministrativeTemplates -> System -> Logon -> Do not check for user
> >ownership of Roaming profiles
> >set to Enable
> >
> >NM> Hi all,
> >
> >NM> I'm trying to configure samba as PDC, I have a problem when a windows
> >NM> client logs in; this is the error:
> >
> >NM> Windows cannot load the profile and is logging you on with a temporary
> >NM> profile. Changes you make to this profile will be lost when you log
> >NM> off
> >
> >NM> I have samba-3.0.11 and smbldap-tools-0.8.8. I tried also samba-3.0.14
> >NM> and smbldap-tools-0-9.1, I have the same problem on Gentoo and on
> >NM> Fedora Core4
> >
> >NM> my configuration file
> >
> >NM> smb.conf:
> >
> >NM> [global]
> >NM>         workgroup = THEOREMATICA
> >NM>         netbios name = FERRARI
> >NM>         enable privileges = yes
> >NM>         interfaces = 10.88.77.201
> >NM>         bind interfaces only = yes
> >NM>         username map = /etc/samba/smbusers
> >NM>         server string = Samba PDC Server
> >NM>         hosts allow = 10.88.77.0/24 127.0.0.0/8
> >NM>         security = user
> >NM>         encrypt passwords = Yes
> >NM>         min passwd length = 3
> >NM>         obey pam restrictions = No
> >NM>         #unix password sync = Yes
> >NM>         #passwd program = /usr/sbin/smbldap-passwd -u %u
> >NM>         #passwd chat = "Changing password for*\nNew password*" %n\n
> >NM> "*Retype new password*" %n\n"
> >NM>         ldap passwd sync = Yes
> >NM>         log level = 0
> >NM>         syslog = 0
> >NM>         log file = /var/log/samba/log.%m
> >NM>         max log size = 100000
> >NM>         time server = Yes
> >NM>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >NM>         mangling method = hash2
> >NM>         Dos charset = 850
> >NM>         Unix charset = ISO8859-1
> >
> >NM>         logon script = STARTUP.BAT
> >NM>         #logon script =
> >NM>         #logon drive = H:
> >NM>         logon drive =
> >NM>         #logon home = \\%L\%U
> >NM>         logon home =
> >NM>         #logon path = \\%L\profiles\%U
> >NM>         logon path =
> >
> >NM>         domain logons = Yes
> >NM>         #os level = 65
> >NM>         os level = 200
> >NM>         preferred master = Yes
> >NM>         domain master = Yes
> >NM>         wins support = Yes
> >NM>         name resolve order = wins lmhosts hosts bcast
> >NM>         dns proxy = no
> >NM>         passdb backend = ldapsam:ldap://127.0.0.1/
> >NM>         # passdb backend = ldapsam:"ldap://127.0.0.1/
> >NM> ldap://slave.idealx.com"
> >NM>         # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
> >NM>         ldap admin dn = cn=Manager,dc=theorematica,dc=it
> >NM>         ldap suffix = dc=theorematica,dc=it
> >NM>         ldap group suffix = ou=Groups
> >NM>         ldap user suffix = ou=Users
> >NM>         ldap machine suffix = ou=Computers
> >NM>         ldap idmap suffix = ou=Users
> >NM>         #ldap ssl = start tls
> >NM>         add user script = /usr/sbin/smbldap-useradd -m "%u"
> >NM>         ldap delete dn = Yes
> >NM>         #delete user script = /usr/sbin/smbldap-userdel "%u"
> >NM>         add machine script = /usr/sbin/smbldap-useradd -w "%u"
> >NM>         add group script = /usr/sbin/smbldap-groupadd -p "%g"
> >NM>         #delete group script = /usr/sbin/smbldap-groupdel "%g"
> >NM>         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> >NM>         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> >NM>         set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> >
> >NM> # printers configuration
> >NM>         printer admin = @"Print Operators"
> >NM>         load printers = Yes
> >NM>         create mask = 0640
> >NM>         directory mask = 0750
> >NM>         nt acl support = No
> >NM>         printing = cups
> >NM>         printcap name = cups
> >NM>         deadtime = 10
> >NM>         guest account = nobody
> >NM>         map to guest = Bad User
> >NM>         dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> >NM>         show add printer wizard = yes
> >NM> ; to maintain capital letters in shortcuts in any of the profile folders:
> >NM>         preserve case = yes
> >NM>         short preserve case = yes
> >NM>         case sensitive = no
> >
> >NM> [homes]
> >NM>         comment = Directory personale di %U, %u
> >NM>         read only = No
> >NM>         create mask = 0644
> >NM>         directory mask = 0775
> >NM>         browseable = No
> >
> >NM> [netlogon]
> >NM>         path = /var/lib/samba/netlogon
> >NM>         browseable = No
> >NM>         read only = yes
> >
> >NM> [doc]
> >NM>         path=/usr/share/doc
> >NM>         public=yes
> >NM>         writable=no
> >NM>         read only=no
> >NM>         create mask = 0750
> >NM>         guest ok = Yes
> >
> >NM> [profiles]
> >NM>         path = /var/lib/samba/profiles
> >NM>         writable = yes
> >NM>         create mask = 0600
> >NM>         directory mask = 0700
> >NM> #        browseable = no
> >NM> #       default case = lower
> >NM> #       preserve case = no
> >NM> #       short preserve case = no
> >NM> #       case sensitive = no
> >NM> #       hide files = /desktop.ini/ntuser.ini/NTUSER.*/
> >NM> #        guest ok = no
> >NM>         #profile acls = Yes
> >NM> #        profile acls = No
> >NM> #        csc policy = disable
> >NM> # next line is a great way to secure the profiles
> >NM> #        force user = %U
> >NM> # next line allows administrator to access all profiles
> >NM>         #valid users = %U @"Domain Admins"
> >NM>         #valid users = %U
> >NM>         #root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e
> >NM> $PROFILE ]; then mkdir -pm700 $PROFILE; chown %u:%g $PROFILE;fi
> >
> >NM> I tried most combinations of the commented options in profiles section
> >
> >NM> ls -la /var/lib/samba/profiles/
> >NM> total 0
> >NM> drwxr-x---  4 root   root          96 Jul 11 18:51 .
> >NM> drwxr-xr-x  6 root   root         144 Jun 23 21:16 ..
> >NM> drwx------  2 nicola Domain Users  48 Jul 11 18:20 nicola
> >NM> drwx------  2 test   Domain Users  48 Jul 11 17:54 test
> >
> >NM> please some suggestions,
> >
> >NM> thanks
> >NM> Nicola

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.

