[Samba] NTConfig.POL not working for Win 2000 (for XP working fine)?

Robert Schetterer robert at schetterer.org
Sun Nov 20 21:25:55 GMT 2005

Tomasz Chmielewski schrieb:
> Robert Schetterer schrieb:
>> Tomasz Chmielewski schrieb:
>>> Tomasz Chmielewski schrieb:
>>>> I'm just exploring the Profile Editor, described on 
>>>> http://www.pcc-services.com/custom_poledit.html - and policies 
>>>> saved to NTConfig.pol file and copied to the netlogon share work 
>>>> great for Windows XP machines.
>>>> However, with Windows 2000, they don't work at all. With XP 
>>>> machines - policies are applied.
>>>> I see in Samba logs that the NTConfig.pol is copied from the server 
>>>> to the w2k workstation, but it has no effect.
>>>> This Profile Editor is designed for Windows 2000, as it was shipped 
>>>> with w2k SP4, so I expected it will work with 2000.
>>>> Am I missing something?
>>> I searched the internet, but no clue about the issue :(
>>> In the event log it is as eventid: 1000, source: uservenv, and in 
>>> the log itself it says something like (translated from German):
>>> RegLoadKey aborted. Returned value "False Parameter." for 
>>> C:\Documents and Settings\Administrator.DOMAIN\prfCA.tmp
>>> prfCA.tmp (and other such tmp files) are the exact copy of the 
>>> NTConfig.POL that is saved in the netlogon directory.
>>> I tried creating other NTConfig.POL files (with only basic setting 
>>> like IE start site), but this message just shows all the time, and 
>>> settings are not applied.
>>> Any clue?
>>> I use Windows 2000 SP4, and Samba 3.0.20.
>>> Windows XP works fine with NTConfig.POL files and the same Samba.
>> this is stuff that needs to be fixed in the profile share
>> it should be like this
>> [profiles]
>>   path = /var/lib/samba/profiles
>> #   vfs objects = extd_audit
>>   read only = no
>>   create mask = 0755
>>   directory mask = 0755
>>   browseable = No
>>   guest ok = Yes
>>   profile acls = yes
>>   csc policy = disable
>>   force user = %U
>>   hide files = /desktop.ini/ntuser.ini/NTUSER.*/
>>   locking = No
>>   oplocks = False
>>   level2 oplocks = False
>> #  valid users = %U, @"Domain Admins"
> why [profiles]?
> as it's explained here: https://bugzilla.samba.org/show_bug.cgi?id=3042
> one has to put this into [netlogon] share:
> acl check permissions = no
C:\Documents and Settings\Administrator.DOMAIN\prfCA.tmp is in the users 
and I know this behavior
and fixed it with these entries in the profile share

my netlogon share is like this
   path = /var/lib/samba/netlogon/
   vfs objects = vscan-clamav, extd_audit
   read only = no
   public = yes
   write list = @"Domain Admins"
   create mask = 0755
   directory mask = 0755
   browseable = No
   locking = No
   oplocks = False
   level2 oplocks = False

the prfCA.tmp always comes up for me when the win client crashes while 
writing back ( power loss etc. )
the profile to the server; after reboot this file has the wrong 
permissions and can't be loaded from the server profile,
so a profile failure appears with this file.
I can't imagine how setting  acl check permissions = no  in the netlogon 
share should be involved in this failure.
I only use server profiles, no caching on the clients, controlled by adms;
I don't want to struggle with bugzilla, but I see no relation to the 
netlogon share, as it is only a share for the scripts needed
at login time, but has nothing to do with C:\Documents and 
which is always part of the profile. But after all, setting the parameter 
acl check permissions = no may be a good idea anyway, because it will help 
against failures with ACLs in the netlogon and the profile share; 
perhaps John has some clarifying words.
I guess setting create mask = 0755 directory mask = 0755 fixes this 
failure too, but that could be a security lack, and will not be liked by 
some people or network setups.
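
An added example, not part of the original post or of Samba itself: a small audit of smb.conf-style share sections that flags the two things touched on above, guest access combined with a writable share, and create/directory masks that leave permission bits for "other". The sample input is constructed from the settings quoted in this thread (the [netlogon] header is assumed), and the check looks at share-level parameters only, not at filesystem permissions or global settings.

```python
import re

TRUE = {"yes", "true", "1"}

# Constructed sample: the share settings quoted in this thread, abbreviated.
SAMPLE = """\
[profiles]
  path = /var/lib/samba/profiles
  read only = no
  create mask = 0755
  directory mask = 0755
  guest ok = Yes
[netlogon]
  path = /var/lib/samba/netlogon/
  read only = no
  public = yes
  write list = @"Domain Admins"
  create mask = 0755
  directory mask = 0755
"""

def parse_shares(text):
    """Return {share: {param: value}}; names lowercased, inner spaces dropped."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return shares

def audit(text):
    """List (share, finding) pairs for share-level settings worth reviewing."""
    findings = []
    for name, p in parse_shares(text).items():
        # "public" is a synonym for "guest ok"; "read only" defaults to yes.
        guest = p.get("guestok", p.get("public", "no")).lower() in TRUE
        read_only = p.get("readonly", "yes").lower() in TRUE
        if guest and not read_only:
            findings.append((name, "guest access on a writable share"))
        for mask in ("createmask", "directorymask"):
            if mask in p and int(p[mask], 8) & 0o007:
                findings.append((name, mask + " leaves permission bits for 'other'"))
    return findings
```

Calling `audit()` on the text of a real smb.conf returns the same kind of list; an empty list means none of these share-level patterns were found.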

