[Samba] local copy microsoft/credentials directory profile redirection

charles charlesaburrell at gmail.com
Mon Oct 19 13:25:48 MDT 2009 

hello,

i've set up a domain controller to replace a production server.
both servers use profile redirection for all user environment directories.

my problem is that when logging onto the new domain and server, windows will
create in the %userprofile% local directory an Application Directory
containing Microsoft/Credentials/*SID*, although a copy exists on the
server.

this directory is used to store the user's network passwords.

because a blank credential directory is created stored network passwords
(explorer only) are not used. all other applications use the network copy of
the directory (as they should).

redirection is done through adm here are the pertinent settings:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User
Shell Folders]
"AppData"="%logonserver%\profiles\%username%\Application Data"
"Cookies"="%logonserver%\profiles\%username%\Cookies"
"Desktop"="%logonserver%\%username%\Desktop"
"Personal"="%logonserver%\%username%\My Documents"
"Local AppData"="%logonserver%\profiles\%username%\Local
Settings\Application Data"
"Cache"="c:\temp\users\%username%\Local Settings\Temporary Internet Files"
"History"="c:\temp\users\%username%\Local Settings\History"
"Local Settings"="c:\temp\users\%username%\Local Settings"

the same client joined to current domain (with the same adm settings) will
not reproduce un-desired behavior.

does anyone have any suggestions, guesses, etc?


clients: windows xp sp3 (offline files disabled; set to delete local copies
of profiles at log off)

os: ubuntu 9.04 server

samba: 3.3.2-1ubuntu3.2

config:

Server role:
ROLE_DOMAIN_PDC
[global]
        workgroup = domain-name
        server string = server-name
        passdb backend = ldapsam:ldap://127.0.0.1
        passwd program = /usr/sbin/smbldap-passwd -u "%u"
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
        log level = 5 vfs:0 smb:0
        syslog = 0
        log file = /var/log/samba/log.%h
        max log size = 10000000
        max xmit = 65535
        socket options = TCP_NODELAY SO_SNDBUF=1638400 SO_RCVBUF=1638400
SO_KEEPALIVE
        printcap name = cups
        show add printer wizard = No
        max stat cache size = 1024
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
"%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
        logon script = logon.bat
        logon path = \\%N\hives\%U
        logon drive = " "
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        kernel oplocks = No
        ldap admin dn = cn=admin,dc=domain-name,dc=bz
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ldap suffix = dc=domain-name,dc=bz
        ldap ssl = no
        ldap user suffix = ou=Users
        utmp = Yes
        panic action = /usr/share/samba/panic-action %d
        cups options = raw
        case sensitive = No
        hide files = /desktop.ini/

[netlogon]
        path = /usershare/netlogon
        write list = jorge
        guest ok = Yes

[hives]
        comment = Profile Hive Directory
        path = /userdata/hives/%a
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No
        csc policy = disable
        oplocks = No
        level2 oplocks = No
        vfs objects = full_audit, recycle
        full_audit:priority = notice
        full_audit:facility = local5
        full_audit:failure = connect mkdir rename unlink rmdir pwrite
        full_audit:success = connect disconnect mkdir rename unlink rmdir
pwrite
        full_audit:prefix = %u|%S - %m|%I
        recycle:maxsize = 0
        recycle:versions = yes
        recycle:touch = yes
        recycle:keeptree = yes
        recycle:repository = /userdata/user_trash/%U

[profiles]
        comment = Profile Data Directory
        path = /userdata/profiles/%a
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No
        csc policy = disable
        oplocks = No
        level2 oplocks = No

[printers]
        comment = Printers
        path = /var/spool/samba
        admin users = @lpadmin
        write list = @lpadmin, root
        guest ok = Yes
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /etc/samba/drivers
        admin users = @lpadmin
        write list = @lpadmin, root
--
Charles

Belmopan, Belize

"... we just love cars and we love driving them!"

http://www.cardomain.com/ride/2400106

More information about the samba mailing list