[Samba] Windows host profile problem (write access denied)

Rich McClellan richmc at gmail.com
Thu Jun 14 20:21:30 GMT 2007


Some users on a Windows XP Professional host are (lately) unable to use
their roaming profile.  A Windows error message states that due to a
security problem or a corrupt profile, that it is unusable.  A second error
message immediately following the first states that a temporary profile will
be used and that any changes will not be saved.  Other users are able to log
on with their profile, but they are unable to save changes to it when
logging off (the Windows error message suggests it is bad hardware or a
network problem that prevents the write).

The PDC is running Samba version 3.0.23c-2.el5.2.0.2 on CentOS 5.0 x86_64
with kernel 2.6.18-  OpenLDAP is the backend (v 2.3.27-5).

There are no obvious error messages on the Samba server.  The following
error message shows up only when the computer with problems is online:
smbd[11981]:  [2007/06/14 12:34:01.108071, 0]
smbd[11981]:       smbldap_open: cannot access LDAP when not root..

Typing `smbstatus` on the PDC shows that the user logging on is being denied
write access to the files in their profile.  The output of smbstatus looks
something like this:
11981 510 DENY_WRITE 0x20089 RDONLY NONE <home dir> <profile item> <date>

The unix permissions are "correct".  No problems with other permissions from
the Windows side (i.e., writing to H:) have appeared.

Interestingly, Windows error messages regarding "unable to write file foo to
.../USER_A/windows/profile/..." appear when USER_B logs in.

Here's the Samba configuration file from the PDC (aka Asterix/ldap (and
there's a BDC named Obelix/bdc/ldap2)):
# Samba config file created using SWAT
# from (
# Date: 2007/05/15 15:24:29

   workgroup = FOO
        server string = Primary Domain Controller
        password server = *
        passdb backend = ldapsam:"ldap://ldap.foo.com ldap://ldap2.foo.com"
#       log level = 0
#       log level = 50 passdb:50 auth:20 winbind:20
        log file = /var/log/samba/%m.log
        max log size = 50
        debug hires timestamp = Yes
        smb ports = 139
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        logon script = %U.bat
#       logon path = \\%N\%U\windows\profile
        logon path = \\asterix\%U\windows\profile
        logon home = \\asterix\%U
        logon drive = H:
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        local master = Yes
        security = User
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=ldapadmin,dc=foo,dc=com
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=foo,dc=com
        ldap ssl = no
        idmap backend = ldap:ldap://ldap.foo.com
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        interfaces = eth0 lo
        bind interfaces only = yes
        passwd chat debug = Yes

        template shell = /bin/false
        winbind use default domain = false
        path = /var/lib/samba/netlogon
        browseable = No
        comment = Home Directories
        read only = No
        browseable = No

        comment = stuff for everybody
        path = /export/common
        read only = No

        comment = Literature repository
        path = /export/papers
        read only = No

        comment = useful programs
        path = /export/src
        read only = No

        comment = Administrative stuff
        path = /export/admin
        invalid users = user1
        valid users = user2, user3
        write list = user2, user3
        read only = No
        create mask = 0740
        security mask = 0770
        directory mask = 0750
        directory security mask = 0700
        browseable = No

        comment = executive storage
        path = /export/exec
        invalid users = user1, user2
        valid users = user3
        read only = No
        create mask = 0740
        security mask = 0770
        directory mask = 0750
        directory security mask = 0770
        browseable = No

        comment = Dell 1815dn laser printer
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        cups options = "raw"


Thanks for your time+help!

More information about the samba mailing list