[Samba] samba 3.0.23a + ldap as PDC - should work, but why?
John Mason
jmason at lim.com
Mon Aug 7 18:05:44 GMT 2006
I've got an issue with roaming profiles with samba 3.0.23a and an LDAP backend. I can use the LDAP to authenticate an NT and a local user, and I know a lot about PAM, NSS, and general Linux. BUT, I can't get ANY roaming profiles to work.
Other than my domain name, which I changed for security purposes, the following is my smb.conf file. (I first used SWAT, then did more customization.)
smb.conf=====>
=============================================================
[global]
workgroup = DOMAIN.COM
netbios name = PDC
server string = PDC
interfaces = eth0
bind interfaces only = Yes
update encrypted = Yes
private dir = /data/samba/private
passdb backend = ldapsam:ldap://127.0.0.1/
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 10
syslog = 0
password server = PDC
log file = /data/samba/logs/sambalog
#max log size = 50
enable core files = No
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
#shutdown script = /var/lib/samba/scripts/shutdown.sh
#abort shutdown script = /sbin/shutdown -c
logon script = logon.bat
logon path = \\%L\%U\.msprofile
logon drive = h:
logon home = \\%L\%U
server schannel = auto
client schannel = auto
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = uid=root,dc=domain,dc=com
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=domain,dc=com
ldap ssl = no
ldap user suffix = ou=Users
#utmp = Yes
profile acls = Yes
map acl inherit = Yes
printing = cups
case sensitive = Yes
hide unreadable = Yes
hide files = /desktop.ini/
veto oplock files = /*.doc/*.xls/*.mdb/
admin users = root Administrator
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0644
directory mask = 0775
hide files = /desktop.ini/
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /data/samba/print/drivers
guest ok = Yes
[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
browseable = No
locking = No
[profiles]
# chmod 1777 /home/%U/.msprofile
path = /home/%U/.msprofile
read only = no
profile acls = yes
create mask = 0600
directory mask = 0700
browseable = No
nt acl support = Yes
force user = %U
valid users = %U @"Domain Admins"
[profdata]
comment = Profile Data Share
path = /data/samba/profdata
read only = No
create mask = 0644
directory mask = 0755
browseable = No
hide files = /desktop.ini/
csc policy = disable
[shared]
comment = Network Shares
path = /data/samba/shared
read only = No
guest ok = Yes
=============================================================
<======== end smb.conf
Also, here are a few "ls" listings so you can see my permissions.
# > ls -al /data/samba/profdata
total 24K
drwxr-xr-x 6 root root 4.0K Aug 3 14:41 .
drwxr-xr-x 9 root root 4.0K Aug 3 14:28 ..
drwxr-xr-x 11 Administrator Domain Admins 4.0K Aug 3 15:42 Administrator
drwxr-xr-x 12 user1 Domain Users 4.0K Aug 4 08:22 user1
drwxr-xr-x 10 root Domain Admins 4.0K Aug 3 14:30 root
drwxr-xr-x 2 user2 Domain Users 4.0K Aug 3 13:04 user2
and user1's .msprofile:
# > ls -al /home/user1/.msprofile
total 820K
drwxrwxrwt 9 user1 Domain Users 4.0K Aug 7 12:02 .
drwxr-xr-x 43 user1 Domain Users 4.0K Aug 7 08:44 ..
drwxrwxr-x 6 user1 Domain Users 4.0K Aug 7 07:40 Application Data
drwxrwxr-x 2 user1 Domain Users 4.0K Aug 3 13:56 NetHood
-rw-r--r-- 1 user1 Domain Users 768K Aug 7 12:01 NTUSER.DAT
-rw-r--r-- 1 user1 Domain Users 1.0K Aug 7 12:01 ntuser.dat.LOG
-rw-r--r-- 1 user1 Domain Users 610 Aug 7 12:02 ntuser.ini
-r--r--r-- 1 user1 Domain Users 794 Aug 7 12:01 ntuser.pol
drwxrwxr-x 2 user1 Domain Users 4.0K Aug 3 13:56 PrintHood
drwxrwxr-x 2 user1 Domain Users 4.0K Aug 3 13:56 Recent
drwxrwxr-x 2 user1 Domain Users 4.0K Aug 3 13:56 SendTo
drwxrwxr-x 3 user1 Domain Users 4.0K Aug 3 13:56 Start Menu
drwxrwxr-x 2 user1 Domain Users 4.0K Aug 3 13:56 Templates
The second I log in as this user, the ntuser files all become owned by root.... AND the timestamp changes, BUT when I log in again as this user, NONE of the changes to the profile are still there!
I can also do this as Administrator.... but the same thing results!
I followed chapter 5 from http://www.samba.org/samba/docs/man/Samba-Guide/happy.html for my setups.
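The logon path in the configuration above names the per-user [homes] share, while a separate [profiles] share also carries a path; this added shell example (not from the original post, and not Samba's own tooling) resolves a logon path UNC against an smb.conf the way a client would, to show which share section it lands on, and reads the owner and mode of a directory as the ls -al listings above did. The smb.conf fragment inside it is constructed, only %U is substituted, and the HOME argument stands in for the passwd lookup Samba does for [homes].

```shell
# Added example (not from the original post): resolve a Samba "logon path"
# UNC against an smb.conf, report which share section it really lands on,
# and read owner/mode of the resulting directory the way "ls -al" did.
# Assumes only %U is substituted and [homes] maps to the HOME argument.
# smb_get CONF SECTION KEY -> value of KEY in [SECTION]; pass KEY with its
# spaces removed (Samba itself ignores whitespace in parameter names).
smb_get() {
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); next }
    s == sec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (tolower(k) == key) {
        v = substr($0, index($0, "=") + 1)
        sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
      }
    }' "$1"
}
# resolve_logon_path CONF USER HOME -> "share unixpath"
resolve_logon_path() {
  lp=$(smb_get "$1" global logonpath | tr '\\' '/' | sed "s/%U/$2/g")
  rest=${lp#//*/}              # drop the \\%L\ server prefix
  share=${rest%%/*}            # first component is the share name
  suffix=${rest#"$share"}      # what the client appends inside the share
  base=$(smb_get "$1" "$share" path | sed "s/%U/$2/g")
  if [ -n "$base" ]; then
    printf '%s %s%s\n' "$share" "$base" "$suffix"
  elif [ "$share" = "$2" ]; then
    printf 'homes %s%s\n' "$3" "$suffix"   # per-user [homes] share
  else
    printf 'UNDEFINED %s\n' "$share"
  fi
}
# dir_owner_mode PATH -> "owner mode", fields 3 and 1 of ls -ld
dir_owner_mode() {
  set -- $(ls -ld "$1") && printf '%s %s\n' "$3" "$1"
}
# Constructed smb.conf fragment mirroring the relevant shares on this page.
demo_conf() {
  cat <<'EOF'
[global]
   logon path = \\%L\%U\.msprofile
[profiles]
   path = /home/%U/.msprofile
EOF
}
conf=$(mktemp); demo_conf > "$conf"
resolve_logon_path "$conf" user1 /home/user1   # homes /home/user1/.msprofile
```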