[Samba] NTConfig.POL not working for Win 2000 (for XP working
robert at schetterer.org
Sun Nov 20 21:25:55 GMT 2005
Tomasz Chmielewski schrieb:
> Robert Schetterer schrieb:
>> Tomasz Chmielewski schrieb:
>>> Tomasz Chmielewski schrieb:
>>>> I'm just exploring the Profile Editor, described on
>>>> http://www.pcc-services.com/custom_poledit.html - and policies
>>>> saved to NTConfig.pol file and copied to the netlogon share work
>>>> great for Windows XP machines.
>>>> However, with Windows 2000, they don't work at all. Winh XP
>>>> machines - policies are applied.
>>>> I see in Samba logs that the NTConfig.pol is copied from the server
>>>> to the w2k workstation, but it has no effect.
>>>> This Profile Editor is designed for Windows 2000, as it was shipped
>>>> with w2k SP4, so I expected it will work with 2000.
>>>> Am I missing something?
>>> I searched the internet, but no clue about the issue :(
>>> In the event log it is as eventid: 1000, source: uservenv, and in
>>> the log itself it says something like (translated from German):
>>> RegLoadKey aborted. Returned value "False Parameter." for
>>> C:\Documents and Settings\Administrator.DOMAIN\prfCA.tmp
>>> prfCA.tmp (and other such tmp files) are the exact copy of the
>>> NTConfig.POL that is saved in the netlogon directory.
>>> I tried creating other NTConfig.POL files (with only basic setting
>>> like IE start site), but this message just shows all the time, and
>>> settings are not applied.
>>> Any clue?
>>> I use Windows 2000 SP4, and Samba 3.0.20.
>>> Windows XP works fine with NTConfig.POL files and the same Samba.
>> this ist stuff need to be fixed in the profile share
>> should be like this
>> path = /var/lib/samba/profiles
>> # vfs objects = extd_audit
>> read only = no
>> create mask = 0755
>> directory mask = 0755
>> browseable = No
>> guest ok = Yes
>> profile acls = yes
>> csc policy = disable
>> force user = %U
>> hide files = /desktop.ini/ntuser.ini/NTUSER.*/
>> locking = No
>> oplocks = False
>> level2 oplocks = False
>> # valid users = %U, @"Domain Admins"
> why [profiles]?
> as it's explained here: https://bugzilla.samba.org/show_bug.cgi?id=3042
> one has to put this into [netlogon] share:
> acl check permissions = no
C:\Documents and Settings\Administrator.DOMAIN\prfCA.tmp is in the users
and in know this behavior
and fixed it with this entries in profile share
my netlogon share is like this
path = /var/lib/samba/netlogon/
vfs objects = vscan-clamav, extd_audit
read only = no
public = yes
write list = @"Domain Admins"
create mask = 0755
directory mask = 0755
browseable = No
locking = No
oplocks = False
level2 oplocks = False
the prfCA.tmp always comes up for me when the win client crashes at
backwriting ( power loss etc )
the profile to the server , after reboot this file has the wrong
permissions an cant be loaded from the server profile
so a profile failure apears with this file.
I cant image what setting acl check permissions = no in the netlogon
share should be involved to this failure
i only use server profile no caching on the clients , controlled by adms,
i dont wanna struggle with bugzilla but i see no relation to the
netlogon share as it only a share for the scripts neeeded
at login time, but has nothing to do with C:\Documents and
which is always part of the profile, but after all setting the parameter
acl check permissions = no mabe a good idea at all cause it will help
against failures with acls in the netlogon and the profile share,
perhaps John has som clearing words.
I guess setting create mask = 0755 directory mask = 0755 fixes this
failure too, but that could a security lack at all, and will not like by
some people or network setups.
More information about the samba