[Samba] Problems logging on from XP to Samba PDC w/OpenLDAP

John H Terpstra jht at samba.org
Wed Jun 11 01:52:09 GMT 2008


On Tuesday 10 June 2008 20:33:21 Jon Doran wrote:
> I've been at this for a few weeks, and have read quite a bit on the
> subject.  I try to follow "Samba-3 by Example" as much as I can.  I'll
> apologize in advance if my problems should be discussed elsewhere.  Samba's
> involvement is integral, but I have no reason to suspect Samba is at fault.

Jon,

Email me your phone number (jht at samba.org) so I can work with you to resolve
this.

Cheers,
John T.


> I'll start by describing what is working.  DHCP and DNS look fine.  Samba
> is sharing folders without incident.  LDAP is authenticating users, and I
> can log into an XP workstation once (!) before being kicked to the curb.
> Subsequent logons are met with
>    "The system cannot log you on because your profile cannot be loaded".
>
> I also note that supplying an incorrect user/password from the XP box
> gives the appropriate response.  So there is some degree of LDAP goodness.
>
> Roaming profiles are written to the proper share, and all files in a
> profile have the user's uid/gid.  The profile directory is owned by root.
>
> Machines are able to join the domain without trouble.  Their trust
> accounts are set up, and as I mentioned a user gets one logon.
>
> I started out today looking into why profiles could be written but not
> read. I ended up moving /var/lib/ldap aside and building a new database.  I
> mention this so that it is clear the database has been recently wiped, and
> that the client machines are in God knows what state.
>
> A local group policy is on each of my test machines, which has turned off
> the ownership check and should be deleting profiles.  In addition to this,
> at one point I have gone in as the local administrator and "cleaned" out
> stored profiles, using both the "User Profiles" off of the computer
> properties dialog, and by deleting files stored in "Documents and Settings".
>
> When I was logged on, folder redirection appeared to be working correctly.
>
> Rather than start out by sharing pages of config files, I wonder if it
> would be possible to narrow things down a bit.  (Although I'll be happy to
> share the files.)  My gut feeling is that this is a local machine
> configuration problem, as the LDAP log shows a correct uid/gid match and
> the system _did_ log me on.
>
> Therefore I wonder why the profile could not be read (we are back to
> this), and are back in Samba territory.  (As an aside, the local machine
> group policy says not to log a user out if there is a profile problem, but
> it happens anyways.  I am guessing that the rest of the policy is
> preventing the system from creating a default profile.)
>
> I'll append my smb.conf since I feel that it has a lot of relevance:
>
> Any help would be greatly appreciated.
> Jon Doran
>
> #======================= Global Settings =====================================
>
> [global]
>          workgroup = larc
>          security = user
>          passdb backend = ldapsam:ldap://wintermute.larc.local
>          obey pam restrictions = no
>          smb ports = 139
>
>          ldap admin dn = cn=manager,dc=larc,dc=local
>          ldap suffix = dc=larc,dc=local
>          ldap user suffix = ou=People
>          ldap machine suffix = ou=Computers
>          ldap group suffix = ou=Groups
>          ldap idmap suffix = ou=People
>          ldap passwd sync = yes
> #        log level = 10
>
>          passwd program = /usr/sbin/smbldap-passwd %u
>          passwd chat = *New*password* %n\n *Retype*new*password %n\n *all*authentication*tokens*updated*
>
>          machine password timeout = 86400
>
>          add user script = /usr/sbin/smbldap-useradd -m %u
>          ldap delete dn = yes
>          delete user script = /usr/sbin/smbldap-userdel %u
>          add machine script = /usr/sbin/smbldap-useradd -w %u
>          add group script = /usr/sbin/smbldap-groupadd -p %g
>          add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>          delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>          # smbldap-usermod -g is the smbldap-tools command that changes a primary group
>          set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>          # end 5/28 mods
>
>
>          socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>          idmap uid = 500-10000000
>          idmap gid = 500-10000000
>          winbind use default domain = no
>          winbind offline logon = false
>          winbind enum users = no
>          winbind enum groups = no
>          client use spnego = true
>
>          #from previous config
>          #passdb backend=tdbsam
>
> # ----------------------- Network Related Options -------------------------
> #
> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
> #
> # server string is the equivalent of the NT Description field
> #
> # netbios name can be used to specify a server name not tied to the hostname
> #
> # Interfaces lets you configure Samba to use multiple interfaces
> # If you have multiple network interfaces then you can list the ones
> # you want to listen on (never omit localhost)
> #
> # Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
> # specify it as a per share option as well
> #
>          server string = Samba Server Version %v
> #        netbios name = WINTERMUTE
>
> ;        interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
> ;        hosts allow = 127. 192.168.12. 192.168.13.
>
> # --------------------------- Logging Options -----------------------------
> #
> # Log File let you specify where to put logs and how to split them up.
> #
> # Max Log Size let you specify the max size log files should reach
>
>          # logs split per machine
>          log file = /var/log/samba/log.%m
>          # max 50KB per log file, then rotate
>          max log size = 50
>
> # ----------------------- Standalone Server Options ------------------------
> #
> # Security can be set to user, share(deprecated) or server(deprecated)
> #
> # Backend to store user information in. New installations should
> # use either tdbsam or ldapsam. smbpasswd is available for backwards
> # compatibility. tdbsam requires no further configuration.
>
>
>
> # ----------------------- Domain Members Options ------------------------
> #
> # Security must be set to domain or ads
> #
> # Use the realm option only with security = ads
> # Specifies the Active Directory realm the host is part of
> #
> # Backend to store user information in. New installations should
> # use either tdbsam or ldapsam. smbpasswd is available for backwards
> # compatibility. tdbsam requires no further configuration.
> #
> # Use password server option only with security = server or if you can't
> # use the DNS to locate Domain Controllers
> # The argument list may include:
> #   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
> # or to auto-locate the domain controller/s
> #   password server = *
>
> #        realm = LARC.LOCAL
> #        password server = larcserver.larc.local
>
> # ----------------------- Domain Controller Options ------------------------
> #
> # Security must be set to user for domain controllers
> #
> # Backend to store user information in. New installations should
> # use either tdbsam or ldapsam. smbpasswd is available for backwards
> # compatibility. tdbsam requires no further configuration.
> #
> # Domain Master specifies Samba to be the Domain Master Browser. This
> # allows Samba to collate browse lists between subnets. Don't use this
> # if you already have a Windows NT domain controller doing this job
> #
> # Domain Logons let Samba be a domain logon server for Windows workstations.
> #
> # Logon Script lets you specify a script to be run at login time on the
> # client. You need to provide it in a share called NETLOGON
> #
> # Logon Path let you specify where user profiles are stored (UNC path)
> #
> # Various scripts can be used on a domain controller or stand-alone
> # machine to add or delete corresponding unix accounts
> #
>
>          domain master = yes
>          domain logons = yes
>
>          logon path = \\%L\profiles\%U
>          logon drive = H:
>
>          # logon home is for Win9X clients
>          logon home = \\wintermute\home\%U
>
>
> # ----------------------- Browser Control Options ----------------------------
> #
> # set local master to no if you don't want Samba to become a master
> # browser on your network. Otherwise the normal election rules apply
> #
> # OS Level determines the precedence of this server in master browser
> # elections. The default value should be reasonable
> #
> # Preferred Master causes Samba to force a local browser election on
> # startup and gives it a slightly higher chance of winning the election
>          local master = yes
>          os level = 65
>          preferred master = yes
>
> #----------------------------- Name Resolution -------------------------------
> # Windows Internet Name Serving Support Section:
> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
> #
> # - WINS Support: Tells the NMBD component of Samba to enable its WINS Server
> #
> # - WINS Server: Tells the NMBD components of Samba to be a WINS Client
> #
> # - WINS Proxy: Tells Samba to answer name resolution queries on
> #   behalf of a non WINS capable client, for this to work there must be
> #   at least one        WINS Server on the network. The default is NO.
> #
> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
> # via DNS nslookups.
>
>          wins support = yes
> #        wins server = w.x.y.z;                # register with another wins server
> ;        wins proxy = yes
>
>          dns proxy = yes
>
> # --------------------------- Printing Options -----------------------------
> #
> # Load Printers let you load automatically the list of printers rather
> # than setting them up individually
> #
> # Cups Options let you pass the cups libs custom options, setting it to raw
> # for example will let you use drivers on your Windows clients
> #
> # Printcap Name let you specify an alternative printcap file
> #
> # You can choose a non default printing system using the Printing option
>
> ;        load printers = yes
>          cups options = raw
>
> ;        printcap name = /etc/printcap
>          #obtain list of printers automatically on SystemV
> ;        printcap name = lpstat
> ;        printing = cups
>
> # --------------------------- Filesystem Options ---------------------------
> #
> # The following options can be uncommented if the filesystem supports
> # Extended Attributes and they are enabled (usually by the mount option
> # user_xattr). These options will let the admin store the DOS attributes
> # in an EA and make samba not mess with the permission bits.
> #
> # Note: these options can also be set just per share, setting them in
> # global makes them the default for all shares
>
> ;        map archive = no
> ;        map hidden = no
> ;        map read only = no
> ;        map system = no
> ;        encrypt passwords = yes
> ;        guest ok = no
>          guest account = nobody
>          username map = /etc/samba/smbusers
> ;        store dos attributes = yes
>
>
> #============================ Share Definitions ==============================
>
> [homes]
>          comment = Home Directories
>          path=/home
>          browseable = no
>          writable = yes
>
> [printers]
>          comment = All Printers
>          path = /var/spool/samba
>          browseable = no
> ;        guest ok = no
> ;        writable = no
>          printable = yes
>
> [netlogon]
>          comment = Network Logon Service
>          path = /var/lib/samba/netlogon
>          guest ok = yes
>          locking = no
>          writable = no
>          browsable = yes
>          read only = yes
>          share modes = no
>
> [profiles]
>          comment = Profile Share
>          path = /var/lib/samba/profiles
>          writable = yes
>          create mode = 0700
>          directory mode = 0700
>          public = yes
>          guest ok = yes
>          browsable = yes
>
> #        profile acls = yes
> #        read only = no
> #        create mask = 0600
> #        directory mask = 0700
> #        store dos attributes = yes
> #        short preserve case = no
> #        case sensitive = no
> #        guest ok = no
> #        printable = no
> #        browsable = no
> #        # turn off client-side caching
> #        csc policy = disabled
> #        hide files = /desktop.ini/outlook.*lnk/*Briefcase*/ntuser.ini/NTUSER.*/
>
> [profdata]
>          comment = Profile Data Share
>          path = /var/lib/samba/profdata
>          read only = no
>          profile acls = yes



-- 
John H Terpstra
Samba-Team Member
Phone: +1 (512) 970-0256

Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
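The thread centres on the [profiles] share: Jon's configuration makes it writable (so profiles save), but also guest-accessible and browseable, and the `profile acls = yes` line is commented out. The script below is an added example, not code from the thread or from the Samba project: it parses smb.conf text, folds Samba's synonym spellings (browsable/browseable, public/guest ok, create mode/create mask and so on), and audits the profile share for the settings that either stop a profile from loading or expose it. The synonym table, the finding codes, and the two sample configurations (one built from the [profiles] block posted above, one with the settings the checks ask for) are all constructed for this example.

```python
# Added example, not code from the thread: a small smb.conf checker for the
# roaming-profile share. Sample configs are constructed from the [profiles]
# fragment posted above, not copied from a live system.
import re

# Samba accepts several spellings for the same parameter; fold them to one.
# (Constructed table covering the synonyms that matter for this check.)
SYNONYMS = {
    "browsable": "browseable",
    "writeable": "writable",
    "write ok": "writable",
    "public": "guest ok",
    "create mode": "create mask",
    "directory mode": "directory mask",
}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Lines starting with '#' or ';' are comments. Samba ignores case and
    internal whitespace in parameter names, so 'Guest OK' and 'guest ok'
    land on the same key here too."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, val = line.split("=", 1)
            key = " ".join(key.lower().split())
            conf[section][SYNONYMS.get(key, key)] = val.strip()
    return conf

def as_bool(value, default=False):
    """Interpret a Samba boolean ('yes', 'true', '1' are true)."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")

def audit_profiles_share(conf, share="profiles"):
    """Return a list of (code, message) findings for the profile share.

    The share must be writable so the profile can be saved, should carry
    'profile acls = yes' (recommended for 2000/XP clients), should not be
    reachable as guest, and should keep group/other bits out of new files."""
    s = conf.get(share)
    if s is None:
        return [("NO_SHARE", f"no [{share}] share defined")]
    findings = []
    if "writable" in s:
        writable = as_bool(s["writable"])
    else:  # Samba's default is 'read only = yes'
        writable = not as_bool(s.get("read only"), default=True)
    if not writable:
        findings.append(("NOT_WRITABLE", "share is read only; profiles cannot be saved"))
    if as_bool(s.get("guest ok")):
        findings.append(("GUEST_ACCESS",
                         "guest ok/public = yes: profile data reachable without a logon"))
    if not as_bool(s.get("profile acls")):
        findings.append(("NO_PROFILE_ACLS",
                         "profile acls = yes is missing; recommended for 2000/XP profile shares"))
    if as_bool(s.get("browseable"), default=True):  # Samba default is browseable
        findings.append(("BROWSEABLE", "share is listed in browse lists; set browseable = no"))
    for param in ("create mask", "directory mask"):
        if param in s and int(s[param], 8) & 0o077:
            findings.append((param.upper().replace(" ", "_") + "_LOOSE",
                             f"{param} = {s[param]} grants group/other access"))
    return findings

# Constructed sample: the [profiles] share as posted in the thread.
POSTED_PROFILES = r"""
[global]
         workgroup = larc
         logon path = \\%L\profiles\%U

[profiles]
         comment = Profile Share
         path = /var/lib/samba/profiles
         writable = yes
         create mode = 0700
         directory mode = 0700
         public = yes
         guest ok = yes
         browsable = yes
"""

# Constructed sample: the same share with the settings the checks ask for.
HARDENED_PROFILES = """
[profiles]
         comment = Profile Share
         path = /var/lib/samba/profiles
         read only = no
         profile acls = yes
         guest ok = no
         browseable = no
         create mask = 0600
         directory mask = 0700
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_PROFILES), ("hardened", HARDENED_PROFILES)):
        print(f"== {label} ==")
        for code, msg in audit_profiles_share(parse_smb_conf(text)) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run against the posted share it reports guest access, the missing `profile acls`, and browseability; the hardened variant reports nothing. Note that the parser keeps whichever of `writable`/`read only` it sees and prefers `writable` when both are present, whereas smbd honours the last one in file order; `testparm -s` remains the authoritative way to see what Samba itself will load.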

