[Samba] Roaming Profiles only for Admin?

Albrecht Dreß albrecht.dress at lios-tech.com
Wed Aug 20 07:21:07 GMT 2008


Hi John:

Thanks a lot for your detailed explanations!

Am 19.08.2008 18:35:48 schrieb(en) John H Terpstra:
> Inside the NTUSER.DAT file, that you will find in the user's profile  
> directory on the Samba server, is stored the SID of the user who owns  
> the profile.  If for any reason the user's SID is changed the user  
> will not longer be able to access that profile.
> 
> You can list the SIDs inside the NTUSER.DAT file using the Samba  
> "profiles" tool.

O.k., I did that, and /basically/ the differences between the "working"  
and the "non-working" accounts are in the "Owner SID" and "Trustee SID"  
fields, plus many diffs in stuff like "ACL for  
$$$PROTO.HIV\Software\Microsoft\Protected Storage System Provider\<user  
sid>".

Maybe I should add that I didn't create the accounts using Samba, but  
through a hack to the Kolab groupware server which also uses LDAP as  
backend.  The hack assigns User and Group SID as

User SID == S-1-5-21-<number a>-<number b>-<number c>-<posix uid>;  
posix uid = 2000, 2001, ..., 2999
Group SID == S-1-5-21-<number a>-<number b>-<number c>-3001

where <number a>-<number b>-<number c> is taken from the "net  
getlocalsid" output.

Maybe this approach is plain wrong, i.e. do I have to assign the SID's  
in a different way?  When I look at extra Samba group mappings created  
with LAM, the spacing is always /2/, i.e. group numbers are 3001, 3003,  
3005, etc.  Is that a requirement which explain the effects if I don't  
follow them?

> Disabling of the profile ownership is usually a red-flag that there  
> is a problem with the consistency between the user SIDs stored in  
> NTUSER.DAT and the current SID reported through Samba.  This is what  
> should be fixed, rather than using a sledge-hammer to get around the  
> problem.  Work-arounds often have side-effects.

O.k., got the message ;-)

> Have you recently change the domain (workgroup) name or the machine  
> name? Either will change the Domain and/or machine SID.

Nope.  Initialised LDAP using 'smbldap-populate -b guest -l 65534 -a  
myadmin'.  Joined a workstation to the domain, and never touched any  
setting afterwards.

> Check out the use of the "net" utility to set/record your domain and  
> machine SIDs:
> 
> 	net getdomainsid

SID for domain MY-PDC is: S-1-5-21-<number a>-<number b>-<number c>
SID for domain MY-DOMIAN is: S-1-5-21-<number a>-<number b>-<number c>

> 	net getmachinesid

Hmm, says "No command: getmachinesid"? In LDAP, the machine sid of the  
workstation is "S-1-5-21-<number a>-<number b>-<number c>-1001".

> 	net getlocalsid

SID for domain MY-PDC is: S-1-5-21-<number a>-<number b>-<number c>


More information about the samba mailing list