[Samba] configuration needed to load roaming profiles off of a BDC?

Adam Williams awilliam at mdah.state.ms.us
Tue Dec 4 14:30:43 GMT 2007


I have a PDC named GOMER with IP 10.8.3.37 and a BDC named BLDG1 with IP 
10.8.3.231, both in the domain ADAMSTEST.  I have a user, testuser, who 
logged in successfully to GOMER and has a roaming profile in 
/var/lib/samba/profiles/testuser.  I then changed the TCP/IP settings of 
the Windows XP computer that testuser uses, switching its WINS server 
from 10.8.3.37 to 10.8.3.231 so that it would use BLDG1 for 
authentication and roaming profiles.  After that I logged in and out as 
testuser, but the profile was still loaded from and saved to GOMER.  Why 
is this?  What Samba configuration changes do I need so that BLDG1 will 
load roaming profiles for users?

[root at gomer testuser]# testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "printer admin" option is deprecated
Processing section "[homes]"
Processing section "[accounts]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[print$]"
Processing section "[homes]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global settings of the PDC (gomer) as dumped by testparm.
# Lines starting with "#" are reviewer annotations, not testparm output.
[global]
        unix charset = LOCALE
        workgroup = ADAMSTEST
        server string = Samba Server %v on gomer
        # smbd is limited to the listed interfaces rather than every address on the host.
        interfaces = 10.8.3.37/24, 127.0.0.1/8
        bind interfaces only = Yes
        # NOTE(review): lets a plaintext logon refresh the stored encrypted password;
        # normally a migration aid - confirm it is still needed.
        update encrypted = Yes
        # Accounts live in LDAP on this host. NOTE(review): the URI is ldap:// and no
        # "ldap ssl" line appears in this dump, so the version default applies - confirm
        # the connection uses StartTLS, since binds and password hashes cross it.
        passdb backend = ldapsam:ldap://gomer.mdah.state.ms.us
        username map = /etc/samba/smbusers
        log level = 3
        syslog = 0
        # %m is the client's NetBIOS name, so each client machine gets its own log file.
        log file = /var/log/samba/%m
        max log size = 50
        name resolve order = wins bcast hosts
        time server = Yes
        printcap name = CUPS
        show add printer wizard = No
        # Provisioning hooks run by smbd; %u / %g are substituted before the command runs
        # and are quoted here so a name is passed as one argument.
        add user script = /usr/sbin/smbldap-useradd -a -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        # NOTE(review): the next entry is split over two lines, presumably by mail
        # wrapping in the archive; in smb.conf it would be a single line.
        delete user from group script = /usr/sbin/smbldap-groupmod -x 
"%u" "%g"
        set primary group script = /usr/sbin/smbldap-groupmod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        logon script = scripts\logon.bat
        # %L is the NetBIOS name the client used for this server and %U the session
        # user, so the profile path handed out follows the server name in use.
        logon path = \\%L\profiles\%U
        logon drive = X:
        # Hard-coded to gomer, unlike the logon path above.
        logon home = \\gomer\%U
        domain logons = Yes
        preferred master = Yes
        # This host is the WINS server for the network.
        wins support = Yes
        # NOTE(review): Samba binds as the directory Manager, i.e. with full write access
        # to the tree; a dedicated DN limited to the Samba attributes would narrow that.
        ldap admin dn = cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
        # Machine accounts are stored in the same OU as user accounts.
        ldap machine suffix = ou=People
        # Password changes made through Samba are also written to the LDAP password.
        ldap passwd sync = Yes
        ldap suffix = dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
        ldap user suffix = ou=People
        idmap backend = ldap:ldap://gomer.mdah.state.ms.us
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/winnt/%D/%U
        template shell = /bin/bash
        # testparm warns above that this separator might cause problems with group membership.
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        # Reported as deprecated by the testparm WARNING above.
        printer admin = root, awilliam
        # Only clients whose address begins with 10.8. may connect.
        hosts allow = 10.8.
        map acl inherit = Yes
        printing = cups
        print command =
        lpq command = %p
        lprm command =

# Per-user home directory shares on the PDC (gomer).
[homes]
        comment = Home Directories
        # %S is the share name, so each home share accepts only the user it is named after.
        valid users = %S
        read only = No
        # Files are forced to owner-only rw (0600) and directories to owner-only rwx (0700).
        create mask = 0600
        force create mode = 0600
        directory mask = 0700
        force directory mode = 0700
        browseable = No

# Writable share for accounting files on the PDC (gomer).
# NOTE(review): no "valid users" or "write list" is shown, so access appears to be
# limited only by the global "hosts allow" and by filesystem permissions on the
# path - confirm that is intended for this data.
[accounts]
        comment = Accounting Files
        path = /data/accounts
        read only = No

# Logon script share on the PDC (gomer); the global "logon script" is resolved relative to it.
[netlogon]
        comment = network logon service
        path = /var/lib/samba/netlogon
        # Connections are accepted without a password. NOTE(review): no "read only" line
        # is dumped, so presumably the read-only default applies; scripts here run on
        # clients at logon, so write access to the path on disk should stay restricted.
        guest ok = Yes
        locking = No

# Roaming profile share on the PDC (gomer); the target of the global "logon path".
# NOTE(review): no per-user restriction or create mask is set here, so separation
# between users' profiles rests on the permissions of the directories under the path.
[profiles]
        comment = Profile Share
        path = /var/lib/samba/profiles
        read only = No
        # Affects how ownership and ACLs on profile files are presented to Windows clients.
        profile acls = Yes

# Printer driver download share on the PDC (gomer).
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        # Only these accounts get write access, i.e. may upload drivers that clients install.
        write list = root, awilliam

[root at bldg1 profiles]# testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "printer admin" option is deprecated
Processing section "[homes]"
Processing section "[accounts]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_BDC
Press enter to see a dump of your service definitions

# Global settings of the BDC (bldg1) as dumped by testparm.
# Lines starting with "#" are reviewer annotations, not testparm output.
[global]
        unix charset = LOCALE
        workgroup = ADAMSTEST
        server string = Samba Server %v on bldg1
        interfaces = eth0, lo
        bind interfaces only = Yes
        # NOTE(review): lets a plaintext logon refresh the stored encrypted password;
        # normally a migration aid - confirm it is still needed.
        update encrypted = Yes
        # The BDC reads accounts from the LDAP server on gomer. NOTE(review): the URI is
        # ldap:// and no "ldap ssl" line appears in this dump - confirm the connection
        # uses StartTLS, since here it crosses the network between the two hosts.
        passdb backend = ldapsam:ldap://gomer.mdah.state.ms.us
        username map = /etc/samba/smbusers
        # NOTE(review): very verbose debug level; presumably set for this troubleshooting
        # session - lower it afterwards, as the logs grow quickly and expose protocol detail.
        log level = 9
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        name resolve order = wins bcast hosts
        time server = Yes
        printcap name = CUPS
        show add printer wizard = No
        logon script = scripts\logon.bat
        # Hard-coded to bldg1; applies to logons this server itself processes.
        logon path = \\bldg1\profiles\%U
        logon drive = X:
        # "domain logons = Yes" with "domain master = No" gives the BDC role testparm reports.
        domain logons = Yes
        preferred master = Yes
        domain master = No
        # bldg1 is a WINS client of gomer. NOTE(review): no "wins support" line is dumped,
        # so presumably bldg1 does not run a WINS server itself - verify before pointing
        # clients' WINS setting at 10.8.3.231.
        wins server = 10.8.3.37
        # NOTE(review): Samba binds as the directory Manager, i.e. with full write access
        # to the tree; a dedicated DN limited to the Samba attributes would narrow that.
        ldap admin dn = cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=People
        ldap passwd sync = Yes
        ldap suffix = dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
        ldap user suffix = ou=People
        idmap backend = ldap:ldap://gomer.mdah.state.ms.us
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /sbin/nologin
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        # Reported as deprecated by the testparm WARNING above; names "adam", whereas
        # the [print$] write list below names "awilliam".
        printer admin = root, adam
        # NOTE(review): unlike gomer's dump, no "hosts allow" line appears here, so client
        # addresses are presumably not restricted on this server - confirm that is intended.
        map acl inherit = Yes
        printing = cups
        print command =
        lpq command = %p
        lprm command =

# Per-user home directory shares on the BDC (bldg1).
# NOTE(review): the 0600/0700 create and directory masks set on gomer are absent
# here, so presumably Samba's more permissive default masks apply - confirm.
[homes]
        comment = Home Directories
        # %S is the share name, so each home share accepts only the user it is named after.
        valid users = %S
        read only = No
        browseable = No

# Writable share for accounting files on the BDC (bldg1).
# NOTE(review): no "valid users" or "write list" is shown and this server's global
# section dumps no "hosts allow", so access appears to rest on filesystem
# permissions alone - confirm that is intended for this data.
[accounts]
        comment = Accounting Files
        path = /data/accounts
        read only = No

# Logon script share on the BDC (bldg1).
# NOTE(review): Samba does not copy this directory between domain controllers
# itself; presumably it is synced from gomer out of band - verify that the sync
# source and the path's write permissions are controlled.
[netlogon]
        comment = network logon service
        path = /var/lib/samba/netlogon
        # Connections are accepted without a password.
        guest ok = Yes
        locking = No

# Roaming profile share on the BDC (bldg1); the target of this server's "logon path".
# NOTE(review): no per-user restriction or create mask is set here, so separation
# between users' profiles rests on the permissions of the directories under the path.
[profiles]
        comment = Profile Share
        # The transcript below shows no testuser directory under this path on bldg1.
        path = /var/lib/samba/profiles
        read only = No
        # Affects how ownership and ACLs on profile files are presented to Windows clients.
        profile acls = Yes

# Printer driver download share on the BDC (bldg1).
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        # Only these accounts get write access, i.e. may upload drivers that clients install.
        # NOTE(review): "awilliam" here differs from "adam" in this server's "printer admin".
        write list = root, awilliam

[root at gomer testuser]# net getlocalsid GOMER
SID for domain GOMER is: S-1-5-21-2209012884-4204503957-3043144422
[root at gomer testuser]# net getlocalsid ADAMSTEST
SID for domain ADAMSTEST is: S-1-5-21-2139886109-2393431639-217723040
[root at bldg1 profiles]# net getlocalsid BLDG1
SID for domain BLDG1 is: S-1-5-21-2511021845-112538546-4165081779

[root at gomer ~]# ldapsearch -D 
'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b 
"uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w 
xxxxxxxx -x
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> 
with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# testuser, People, gomer.mdah.state.ms.us
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: testuser
cn: test user
telephoneNumber: 5766888
roomNumber: IS
homePhone: 3738042
givenName: test
sn: user
mail: testuser at dc=mdah,dc=state,dc=ms,dc=us
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 101
homeDirectory: /home/testuser
gecos: test user,IS,5766888,3738042
sambaSID: S-1-5-21-2139886109-2393431639-217723040-2002
sambaPasswordHistory: 
00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdMustChange: 0
sambaAcctFlags: [U          ]
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxx
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxx
sambaPwdLastSet: 1196178148
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
shadowLastChange: 13844
shadowMax: 99999

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root at gomer testuser]# pwd && ls -ltr
/var/lib/samba/profiles/testuser
request done: ld 0x895a058 msgid 1
request done: ld 0x895a058 msgid 2
request done: ld 0x895a058 msgid 3
total 612
drwx--x--x+ 3 testuser testuser   4096 2007-11-07 03:50 Start Menu
drwx--x--x+ 2 testuser testuser   4096 2007-11-07 03:50 PrintHood
drwx--x--x+ 2 testuser testuser   4096 2007-11-07 03:50 NetHood
drwx------+ 2 testuser testuser   4096 2007-11-07 03:50 Desktop
drwx--x--x+ 2 testuser testuser   4096 2007-11-07 12:06 Templates
drwx--x--x+ 2 testuser testuser   4096 2007-11-07 12:42 Cookies
drwx--x--x+ 2 testuser testuser   4096 2007-11-09 10:38 SendTo
drwx--x--x+ 4 testuser testuser   4096 2007-11-09 10:38 Application Data
drwx--x--x+ 2 testuser testuser   4096 2007-11-09 10:38 Recent
drwx--x--x+ 4 testuser testuser   4096 2007-11-09 10:38 My Documents
drwx--x--x+ 3 testuser testuser   4096 2007-11-09 10:38 Favorites
-rwx------  1 testuser testuser   1024 2007-12-04 08:18 ntuser.dat.LOG
-rwx------  1 testuser testuser 524288 2007-12-04 08:18 NTUSER.DAT
-rw-------  1 testuser testuser    178 2007-12-04 08:20 ntuser.ini

[root at bldg1 profiles]# cd /var/lib/samba/profiles/testuser
-bash: cd: /var/lib/samba/profiles/testuser: No such file or directory



