[Samba] Roaming Profiles only for Admin?
Albrecht Dreß
albrecht.dress at lios-tech.com
Wed Aug 20 07:21:07 GMT 2008
Hi John:
Thanks a lot for your detailed explanations!
On 19.08.2008 18:35:48, John H Terpstra wrote:
> Inside the NTUSER.DAT file, that you will find in the user's profile
> directory on the Samba server, is stored the SID of the user who owns
> the profile. If for any reason the user's SID is changed the user
> will no longer be able to access that profile.
>
> You can list the SIDs inside the NTUSER.DAT file using the Samba
> "profiles" tool.
O.k., I did that, and /basically/ the differences between the "working"
and the "non-working" accounts are in the "Owner SID" and "Trustee SID"
fields, plus many diffs in stuff like "ACL for
$$$PROTO.HIV\Software\Microsoft\Protected Storage System Provider\<user
sid>".
Maybe I should add that I didn't create the accounts using Samba, but
through a hack to the Kolab groupware server which also uses LDAP as
backend. The hack assigns User and Group SID as
User SID == S-1-5-21-<number a>-<number b>-<number c>-<posix uid>;
posix uid = 2000, 2001, ..., 2999
Group SID == S-1-5-21-<number a>-<number b>-<number c>-3001
where <number a>-<number b>-<number c> is taken from the "net
getlocalsid" output.
Maybe this approach is plain wrong, i.e. do I have to assign the SIDs
in a different way? When I look at extra Samba group mappings created
with LAM, the spacing is always /2/, i.e. group numbers are 3001, 3003,
3005, etc. Is that a requirement which explains the effects I see if I
don't follow it?
> Disabling of the profile ownership is usually a red-flag that there
> is a problem with the consistency between the user SIDs stored in
> NTUSER.DAT and the current SID reported through Samba. This is what
> should be fixed, rather than using a sledge-hammer to get around the
> problem. Work-arounds often have side-effects.
O.k., got the message ;-)
> Have you recently changed the domain (workgroup) name or the machine
> name? Either will change the Domain and/or machine SID.
Nope. Initialised LDAP using 'smbldap-populate -b guest -l 65534 -a
myadmin'. Joined a workstation to the domain, and never touched any
setting afterwards.
> Check out the use of the "net" utility to set/record your domain and
> machine SIDs:
>
> net getdomainsid
SID for domain MY-PDC is: S-1-5-21-<number a>-<number b>-<number c>
SID for domain MY-DOMAIN is: S-1-5-21-<number a>-<number b>-<number c>
> net getmachinesid
Hmm, says "No command: getmachinesid"? In LDAP, the machine SID of the
workstation is "S-1-5-21-<number a>-<number b>-<number c>-1001".
> net getlocalsid
SID for domain MY-PDC is: S-1-5-21-<number a>-<number b>-<number c>
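The consistency check John describes (do the SIDs stored for each account actually belong to the domain SID that `net getlocalsid` reports?) can be scripted against the LDAP attributes. The following is an added example, not code from the original thread or from Samba; the domain SID and the three account entries are constructed placeholders, and the uid/gid to RID rule it tests against is Samba's default algorithmic mapping (`algorithmic rid base`, default 1000: user RID = 2*uid + base, group RID = 2*gid + base + 1), which is where LAM's 3001, 3003, 3005 spacing comes from. With an LDAP backend the stored sambaSID is what Samba uses, so deviations from that rule are reported as informational only; a SID whose domain prefix differs from the local one is the real error, because nothing Samba reports for that account can then match the owner SID stamped into NTUSER.DAT.

```python
"""Check sambaSID / sambaPrimaryGroupSID values against the local domain SID.

Added example; LOCAL_SID and ACCOUNTS below are constructed stand-ins for
`net getlocalsid` output and LDAP entries, not data from the original post.
"""
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities...]) for a textual SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    fields = [int(f) for f in sid.split("-")[2:]]
    return fields[0], fields[1:]


def domain_part(sid):
    """Drop the trailing RID; what remains is what `net getlocalsid` prints."""
    return sid.rsplit("-", 1)[0]


def rid_of(sid):
    return parse_sid(sid)[1][-1]


def is_domain_sid(sid):
    """A domain SID is S-1-5-21-<a>-<b>-<c>: authority 5, first sub-authority 21, three more."""
    auth, subs = parse_sid(sid)
    return auth == 5 and len(subs) == 4 and subs[0] == 21


# Samba's algorithmic mapping (smb.conf "algorithmic rid base", default 1000).
# RIDs below the base are reserved for well-known accounts such as 512 (Domain Admins).
def algorithmic_user_rid(uid, base=1000):
    return 2 * uid + base


def algorithmic_group_rid(gid, base=1000):
    return 2 * gid + base + 1


def check_account(local_sid, entry, base=1000):
    """Return [(level, message)]: 'error' = SID outside the local domain (cannot
    match NTUSER.DAT), 'info' = RID merely deviates from the algorithmic rule."""
    if not is_domain_sid(local_sid):
        raise ValueError(f"{local_sid!r} is not a domain SID")
    findings, parsed = [], {}
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        sid = entry[attr]
        try:
            parse_sid(sid)
        except ValueError as exc:
            findings.append(("error", f"{entry['uid']}: {attr}: {exc}"))
            continue
        if domain_part(sid) != local_sid:
            findings.append(("error", f"{entry['uid']}: {attr} {sid} is not in domain {local_sid}"))
        parsed[attr] = sid
    rules = (("sambaSID", "uidNumber", algorithmic_user_rid),
             ("sambaPrimaryGroupSID", "gidNumber", algorithmic_group_rid))
    for attr, id_attr, expect in rules:
        if attr not in parsed:
            continue
        actual = rid_of(parsed[attr])
        if actual < base:
            continue  # well-known RID, never produced by the algorithm
        wanted = expect(entry[id_attr], base)
        if actual != wanted:
            findings.append(("info", f"{entry['uid']}: {attr} RID {actual} != algorithmic "
                                     f"{wanted} for {id_attr}={entry[id_attr]}"))
    return findings


def run_checks(local_sid, entries):
    return {e["uid"]: check_account(local_sid, e) for e in entries}


# Constructed sample data (placeholder domain SID and three accounts).
LOCAL_SID = "S-1-5-21-111111111-222222222-333333333"
ACCOUNTS = [
    # admin created by smbldap-populate: algorithmic user RID, well-known group RID 512
    {"uid": "myadmin", "uidNumber": 1000, "gidNumber": 512,
     "sambaSID": LOCAL_SID + "-3000", "sambaPrimaryGroupSID": LOCAL_SID + "-512"},
    # the "RID == posix uid" scheme from the post: same domain, non-algorithmic RIDs
    {"uid": "alice", "uidNumber": 2000, "gidNumber": 3001,
     "sambaSID": LOCAL_SID + "-2000", "sambaPrimaryGroupSID": LOCAL_SID + "-3001"},
    # SID minted under a different domain SID: the broken case
    {"uid": "bob", "uidNumber": 2001, "gidNumber": 3001,
     "sambaSID": "S-1-5-21-999999999-888888888-777777777-2001",
     "sambaPrimaryGroupSID": LOCAL_SID + "-3001"},
]

if __name__ == "__main__":
    for uid, findings in run_checks(LOCAL_SID, ACCOUNTS).items():
        print(uid, "OK" if not findings else "")
        for level, msg in findings:
            print(f"  [{level}] {msg}")
```

In practice, feed it the real `net getlocalsid` value and entries from `ldapsearch -LLL '(objectClass=sambaSamAccount)' uid uidNumber gidNumber sambaSID sambaPrimaryGroupSID`. Samba's `profiles -c OLD_SID -n NEW_SID NTUSER.DAT` can rewrite the SIDs inside a profile hive, but that is the sledge-hammer John warns against; the directory-side inconsistency the check points at is what should be corrected.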