[Samba] Problems logging on from XP to Samba PDC w/OpenLDAP
Jon Doran
jondoran at spamcop.net
Wed Jun 11 01:33:21 GMT 2008
I've been at this for a few weeks, and have read quite a bit on the
subject. I try to follow "Samba-3 by Example" as much as I can. I'll
apologize in advance
if my problems should be discussed elsewhere. Samba's involvement is
integral,
but I have no reason to suspect Samba is at fault.
I'll start by describing what is working. DHCP and DNS look fine. Samba is
sharing folders without incident. LDAP is authenticating users, and I can log
into an XP workstation once (!) before being kicked to the curb. Subsequent
logons are met with
"The system cannot log you on because your profile cannot be loaded".
I also note that supplying an incorrect user/password from the XP box
gives the
appropriate response. So there is some degree of LDAP goodness.
Roaming profiles are written to the proper share, and all files in a profile
have the user's uid/gid. The profile directory is owned by root.
Machines are able to join the domain without trouble. Their trust
accounts are
setup, and as I mentioned a user gets one logon.
I started out today looking into why profiles could be written but not read.
I ended up moving /var/lib/ldap aside and building a new database. I mention
this so that it is clear the database has been recently wiped, and that the
client machines are in God knows what state.
A local group policy is on each of my test machines, which has turned off the
ownership check and should be deleting profiles. In addition to this at one
point I have gone in as the local administrator and "cleaned" out stored
profiles, using both the "User Profiles" off of the computer
properties dialog,
and by deleting files stored in "Documents and Settings".
When I was logged on, folder redirection appeared to be working correctly.
Rather than start out by sharing pages of config files, I wonder if it
would be
possible to narrow things down a bit. (Although I'll be happy to share the
files). My gut feeling is that this is a local machine configuration problem,
as the LDAP log shows a correct uid/gid match and the system _did_ log me on.
Therefore I wonder why the profile could not be read (we are back to
this), and
are back in Samba terratory. (As an aside, the local machine group
policy says
not to log a user out if there is a profile problem, but it happens anyways.
I am guessing that the rest of the policy is preventing the system
from creating
a default profile.
I'll append my smb.conf since I feel that it has a lot of relevance:
Any help would be greatly appreciated.
Jon Doran
#======================= Global Settings =====================================
[global]
workgroup = larc
security = user
passdb backend = ldapsam:ldap://wintermute.larc.local
obey pam restrictions = no
smb ports = 139
ldap admin dn = cn=manager,dc=larc,dc=local
ldap suffix = dc=larc,dc=local
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap idmap suffix = ou=People
ldap passwd sync = yes
# log level = 10
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password %n\n
*all*authentication*tokens*updated*
machine password timeout = 86400
add user script = /usr/sbin/smbldap-useradd -m %u
ldap delete dn = yes
delete user script = /usr/sbin/smbldap-userdel %u
add machine script = /usr/sbin/smbldap-useradd -w %u
add group script = /usr/sbin/smbldap-groupadd -p %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap -g %g %u
# end 5/28 mods
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind use default domain = no
winbind offline logon = false
winbind enum users = no
winbind enum groups = no
client use spnego = true
#from previous config
#passdb backend=tdbsam
# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
server string = Samba Server Version %v
# netbios name = WINTERMUTE
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
# ----------------------- Standalone Server Options ------------------------
#
# Scurity can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
# realm = LARC.LOCAL
# password server = larcserver.larc.local
# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
domain master = yes
domain logons = yes
logon path = \\%L\profiles\%U
logon drive = H:
# logon home is for Win9X clients
logon home = \\wintermute\home\%U
# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
local master = yes
os level = 65
preferred master = yes
#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.
wins support = yes
# wins server = w.x.y.z; # register with another
wins server
; wins proxy = yes
dns proxy = yes
# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option
; load printers = yes
cups options = raw
; printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups
# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; encrypt passwords = yes
; guest ok = no
guest account = nobody
username map = /etc/samba/smbusers
; store dos attributes = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
path=/home
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
; guest ok = no
; writable = no
printable = yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
locking = no
writable = no
browsable = yes
read only = yes
share modes = no
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
writable = yes
create mode = 0700
directory mode = 0700
public = yes
guest ok = yes
browsable = yes
# profile acls = yes
# read only = no
# create mask = 0600
# directory mask = 0700
# store dos attributes = yes
# short preserve case = no
# case sensitive = no
# guest ok = no
# printable = no
# browsable = no
# # turn off client-side caching
# csc policy = disabled
# hide files =
/desktop.ini/outlook.*lnk/*Briefcase*/ntuser.ini/NTUSER.*/
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = no
profile acls = yes
More information about the samba
mailing list