[Samba] local copy microsoft/credentials directory profile redirection
charles
charlesaburrell at gmail.com
Wed Oct 21 13:16:00 MDT 2009
> Date: Mon, 19 Oct 2009 13:25:48 -0600
> Subject: [Samba] local copy microsoft/credentials directory profile redirection
> Hello,
>
> I've set up a domain controller to replace a production server.
> Both servers use profile redirection for all user environment directories.
>
> My problem is that when logging onto the new domain and server, Windows
> will create in the %userprofile% local directory an Application Directory
> containing Microsoft/Credentials/*SID*, although a copy exists on the
> server.
>
> This directory is used to store the user's network passwords.
>
> Because a blank credential directory is created, stored network passwords
> (Explorer only) are not used. All other applications use the network copy
> of the directory (as they should).
>
> Redirection is done through ADM; here are the pertinent settings:
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
> "AppData"="%logonserver%\profiles\%username%\Application Data"
> "Cookies"="%logonserver%\profiles\%username%\Cookies"
> "Desktop"="%logonserver%\%username%\Desktop"
> "Personal"="%logonserver%\%username%\My Documents"
> "Local AppData"="%logonserver%\profiles\%username%\Local Settings\Application Data"
> "Cache"="c:\temp\users\%username%\Local Settings\Temporary Internet Files"
> "History"="c:\temp\users\%username%\Local Settings\History"
> "Local Settings"="c:\temp\users\%username%\Local Settings"
>
> The same client joined to the current domain (with the same ADM settings) will
> not reproduce the undesired behavior.
>
> Does anyone have any suggestions, guesses, etc.?
>
> Clients: Windows XP SP3 (offline files disabled; set to delete local copies
> of profiles at log off)
>
> OS: Ubuntu 9.04 server
>
> Samba: 3.3.2-1ubuntu3.2
>
> config:
>
> Server role:
> ROLE_DOMAIN_PDC
> [global]
> workgroup = domain-name
> server string = server-name
> passdb backend = ldapsam:ldap://127.0.0.1
> passwd program = /usr/sbin/smbldap-passwd -u "%u"
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
> log level = 5 vfs:0 smb:0
> syslog = 0
> log file = /var/log/samba/log.%h
> max log size = 10000000
> max xmit = 65535
> socket options = TCP_NODELAY SO_SNDBUF=1638400 SO_RCVBUF=1638400 SO_KEEPALIVE
> printcap name = cups
> show add printer wizard = No
> max stat cache size = 1024
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
> logon script = logon.bat
> logon path = \\%N\hives\%U
> logon drive = " "
> domain logons = Yes
> os level = 65
> preferred master = Yes
> domain master = Yes
> kernel oplocks = No
> ldap admin dn = cn=admin,dc=domain-name,dc=bz
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Computers
> ldap suffix = dc=domain-name,dc=bz
> ldap ssl = no
> ldap user suffix = ou=Users
> utmp = Yes
> panic action = /usr/share/samba/panic-action %d
> cups options = raw
> case sensitive = No
> hide files = /desktop.ini/
>
> [netlogon]
> path = /usershare/netlogon
> write list = jorge
> guest ok = Yes
>
> [hives]
> comment = Profile Hive Directory
> path = /userdata/hives/%a
> read only = No
> create mask = 0600
> directory mask = 0700
> browseable = No
> csc policy = disable
> oplocks = No
> level2 oplocks = No
> vfs objects = full_audit, recycle
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:failure = connect mkdir rename unlink rmdir pwrite
> full_audit:success = connect disconnect mkdir rename unlink rmdir pwrite
> full_audit:prefix = %u|%S - %m|%I
> recycle:maxsize = 0
> recycle:versions = yes
> recycle:touch = yes
> recycle:keeptree = yes
> recycle:repository = /userdata/user_trash/%U
>
> [profiles]
> comment = Profile Data Directory
> path = /userdata/profiles/%a
> read only = No
> create mask = 0600
> directory mask = 0700
> browseable = No
> csc policy = disable
> oplocks = No
> level2 oplocks = No
>
> [printers]
> comment = Printers
> path = /var/spool/samba
> admin users = @lpadmin
> write list = @lpadmin, root
> guest ok = Yes
> printable = Yes
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /etc/samba/drivers
> admin users = @lpadmin
> write list = @lpadmin, root
> --
> Charles
>
> Belmopan, Belize
>
> "... we just love cars and we love driving them!"
>
> http://www.cardomain.com/ride/2400106
>
Solved.
The problem was the use of the %logonserver% variable in my policy file. It
appears that the variable is not yet resolvable at the time the logon
process checks for the existence of a credential file.
Using the actual server name for the AppData environment remedied the
problem.
Good luck.
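To turn the thread's finding into a check that can be run over a policy export, here is an added example (not from the original post, and not a Samba or Microsoft tool): it parses a .reg-style User Shell Folders block, flags early-logon folders whose path still depends on a variable that is not yet resolvable when the credential file is looked up, and applies the literal-server-name fix. The sample block, the `EARLY_LOGON_FOLDERS` set and the `resolvable` default are assumptions based on the thread.

```python
import re

# Constructed sample of a policy's "User Shell Folders" block; the values
# mirror the ones quoted in the thread (assumed export layout).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"="%logonserver%\profiles\%username%\Application Data"
"Desktop"="%logonserver%\%username%\Desktop"
"Cache"="c:\temp\users\%username%\Local Settings\Temporary Internet Files"
'''

# Folders the logon process reads before every variable has been resolved.
# Per the thread, AppData (Microsoft\Credentials lives under it) is the one
# that bites; treating only AppData as "early" is an assumption.
EARLY_LOGON_FOLDERS = {"AppData"}
VAR_RE = re.compile(r"%([^%]+)%")


def parse_user_shell_folders(text):
    """Return {folder: path} from a .reg-style export, User Shell Folders key only."""
    folders, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):          # a new key header
            in_block = line.endswith(r"\User Shell Folders]")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_block and m:
            folders[m.group(1)] = m.group(2)
    return folders


def audit(text, resolvable=("username",)):
    """List (folder, variable) pairs where an early-logon folder depends on a
    variable not yet resolvable at credential lookup. `resolvable` is an
    assumption: the thread only establishes that %logonserver% is not."""
    findings = []
    for folder, path in parse_user_shell_folders(text).items():
        if folder not in EARLY_LOGON_FOLDERS:
            continue
        for var in VAR_RE.findall(path):
            if var.lower() not in resolvable:
                findings.append((folder, var))
    return findings


def apply_fix(text, server_name):
    """The remedy from the thread: substitute the literal server name for
    %logonserver% and return the corrected {folder: path} map."""
    folders = parse_user_shell_folders(text)
    return {f: p.replace("%logonserver%", server_name) for f, p in folders.items()}


if __name__ == "__main__":
    print(audit(SAMPLE_REG))
    print(apply_fix(SAMPLE_REG, r"\\server-name")["AppData"])
```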