[Samba] Problems logging on from XP to Samba PDC w/OpenLDAP

Jon Doran jondoran at spamcop.net
Wed Jun 11 01:33:21 GMT 2008

I've been at this for a few weeks, and have read quite a bit on the  
subject.  I try to follow "Samba-3 by Example" as much as I can.  I'll  
apologize in advance
if my problems should be discussed elsewhere.  Samba's involvement is  
but I have no reason to suspect Samba is at fault.

I'll start by describing what is working.   DHCP and DNS look fine.  Samba is
sharing folders without incident.  LDAP is authenticating users, and I can log
into an XP workstation once (!) before being kicked to the curb.  Subsequent
logons are met with
   "The system cannot log you on because your profile cannot be loaded".

I also note that supplying an incorrect user/password from the XP box  
gives the
appropriate response.  So there is some degree of LDAP goodness.

Roaming profiles are written to the proper share, and all files in a profile
have the user's uid/gid.  The profile directory is owned by root.

Machines are able to join the domain without trouble.  Their trust  
accounts are
setup, and as I mentioned a user gets one logon.

I started out today looking into why profiles could be written but not read.
I ended up moving /var/lib/ldap aside and building a new database.  I mention
this so that it is clear the database has been recently wiped, and that the
client machines are in God knows what state.

A local group policy is on each of my test machines, which has turned off the
ownership check and should be deleting profiles.  In addition to this at one
point I have gone in as the local administrator and "cleaned" out stored
profiles, using both the "User Profiles" off of the computer  
properties dialog,
and by deleting files stored in "Documents and Settings".

When I was logged on, folder redirection appeared to be working correctly.

Rather than start out by sharing pages of config files, I wonder if it  
would be
possible to narrow things down a bit.  (Although I'll be happy to share the
files).  My gut feeling is that this is a local machine configuration problem,
as the LDAP log shows a correct uid/gid match and the system _did_ log me on.

Therefore I wonder why the profile could not be read (we are back to  
this), and
are back in Samba terratory.  (As an aside, the local machine group  
policy says
not to log a user out if there is a profile problem, but it happens anyways.
I am guessing that the rest of the policy is preventing the system  
from creating
a default profile.

I'll append my smb.conf since I feel that it has a lot of relevance:

Any help would be greatly appreciated.
Jon Doran

#======================= Global Settings =====================================

         workgroup = larc
         security = user
         passdb backend = ldapsam:ldap://wintermute.larc.local
         obey pam restrictions = no
         smb ports = 139

         ldap admin dn = cn=manager,dc=larc,dc=local
         ldap suffix = dc=larc,dc=local
         ldap user suffix = ou=People
         ldap machine suffix = ou=Computers
         ldap group suffix = ou=Groups
         ldap idmap suffix = ou=People
         ldap passwd sync = yes
#        log level = 10

         passwd program = /usr/sbin/smbldap-passwd %u
         passwd chat = *New*password* %n\n *Retype*new*password %n\n

         machine password timeout = 86400

         add user script = /usr/sbin/smbldap-useradd -m %u
         ldap delete dn = yes
         delete user script = /usr/sbin/smbldap-userdel %u
         add machine script = /usr/sbin/smbldap-useradd -w %u
         add group script = /usr/sbin/smbldap-groupadd -p %g
         add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
         delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
         set primary group script = /usr/sbin/smbldap -g %g %u
         # end 5/28 mods

         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         idmap uid = 500-10000000
         idmap gid = 500-10000000
         winbind use default domain = no
         winbind offline logon = false
         winbind enum users = no
         winbind enum groups = no
         client use spnego = true

         #from previous config
         #passdb backend=tdbsam

# ----------------------- Network Related Options -------------------------
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
# server string is the equivalent of the NT Description field
# netbios name can be used to specify a server name not tied to the hostname
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
         server string = Samba Server Version %v
#        netbios name = WINTERMUTE

;        interfaces = lo eth0
;        hosts allow = 127. 192.168.12. 192.168.13.

# --------------------------- Logging Options -----------------------------
# Log File let you specify where to put logs and how to split them up.
# Max Log Size let you specify the max size log files should reach

         # logs split per machine
         log file = /var/log/samba/log.%m
         # max 50KB per log file, then rotate
         max log size = 50

# ----------------------- Standalone Server Options ------------------------
# Scurity can be set to user, share(deprecated) or server(deprecated)
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

# ----------------------- Domain Members Options ------------------------
# Security must be set to domain or ads
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *

#        realm = LARC.LOCAL
#        password server = larcserver.larc.local

# ----------------------- Domain Controller Options ------------------------
# Security must be set to user for domain controllers
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
# Domain Logons let Samba be a domain logon server for Windows workstations.
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
# Logon Path let you specify where user profiles are stored (UNC path)
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts

         domain master = yes
         domain logons = yes

         logon path = \\%L\profiles\%U
         logon drive = H:

         # logon home is for Win9X clients
         logon home = \\wintermute\home\%U

# ----------------------- Browser Control Options ----------------------------
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
         local master = yes
         os level = 65
         preferred master = yes

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#   at least one        WINS Server on the network. The default is NO.
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

         wins support = yes
#        wins server = w.x.y.z;                # register with another  
wins server
;        wins proxy = yes

         dns proxy = yes

# --------------------------- Printing Options -----------------------------
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
# Printcap Name let you specify an alternative printcap file
# You can choose a non default printing system using the Printing option

;        load printers = yes
         cups options = raw

;        printcap name = /etc/printcap
         #obtain list of printers automatically on SystemV
;        printcap name = lpstat
;        printing = cups

# --------------------------- Filesystem Options ---------------------------
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;        map archive = no
;        map hidden = no
;        map read only = no
;        map system = no
;        encrypt passwords = yes
;        guest ok = no
         guest account = nobody
         username map = /etc/samba/smbusers
;        store dos attributes = yes

#============================ Share Definitions ==============================

         comment = Home Directories
         browseable = no
         writable = yes

         comment = All Printers
         path = /var/spool/samba
         browseable = no
;        guest ok = no
;        writable = no
         printable = yes

         comment = Network Logon Service
         path = /var/lib/samba/netlogon
         guest ok = yes
         locking = no
         writable = no
         browsable = yes
         read only = yes
         share modes = no

         comment = Profile Share
         path = /var/lib/samba/profiles
         writable = yes
         create mode = 0700
         directory mode = 0700
         public = yes
         guest ok = yes
         browsable = yes

#        profile acls = yes
#        read only = no
#        create mask = 0600
#        directory mask = 0700
#        store dos attributes = yes
#        short preserve case = no
#        case sensitive = no
#        guest ok = no
#        printable = no
#        browsable = no
#        # turn off client-side caching
#        csc policy = disabled
#        hide files =  

         comment = Profile Data Share
         path = /var/lib/samba/profdata
         read only = no
         profile acls = yes

More information about the samba mailing list