[Samba] Server-Profile only applied when domain user gets Admin privileges on WinXP

Richard Herrmann richard.herrmann at xntrex.de
Wed Apr 21 07:38:52 MDT 2010

After upgrade from 3.0.x to 3.4.3 (on new hardware) profiles only apply when
the domain users are members of the local WinXP admin group!? The account
behaves like a guest account - modifications cannot be saved (e.g. the left
side of the XP/SP3 task menu remains empty, Control Panel cannot be changed
to classic view, ...).


No problems at all with profiles created under samba version 3.4.3.


I extended smb.conf by "profile acl = yes" and "passdb backend = smbpasswd"
(tdbsam didn't change the behaviour):



        server string = BDC
        log level = 1 passdb:5 auth:5 winbind:2
        workgroup = xyz
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        printer admin = @ntadmin, root, administrator
        username map = /etc/samba/smbusers
        map to guest = Bad User
#       include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon drive = Z:
        security = user
        encrypt passwords = yes
        netbios name = svtest
        smb passwd file = /etc/samba/smbpasswd
        smb ports = 139
        passdb backend = smbpasswd
        passwd program = /usr/bin/passwd %u
        passwd chat = "New password:" %n "Re-enter new password:" %n "*Password changed*"
        passwd chat debug = Yes
        add user script = /usr/sbin/useradd -m %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        add user to group script = /usr/sbin/usermod -G %g %u
        add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
        logon script = %u.bat
        domain master = yes
        domain logons = yes
        local master = yes
        wins support = yes
        preferred master = yes
        os level = 65
        hide dot files = yes
        time server = yes
        max log size = 1000
        oplocks = yes
        fake oplocks = no
        read raw = yes
        write raw = yes
        socket options = TCP_NODELAY
        getwd cache = yes
        usershare allow guests = No

        comment = Home Directories
        valid users = %S
        browseable = no
        read only = No
        inherit acls = Yes
        guest ok = no
        printable = no

        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0660
        directory mask = 0770
        browseable = no
        guest ok = no
        printable = no
        profile acls = Yes

        comment = All users
        path = /data/home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
        browseable = no
        guest ok = no
        printable = no

        comment = Network Logon Service
        path = /data/netlogon
        read only = Yes
        browseable = no
        write list = @admin
        csc policy = disable


Did I miss something to make the server configuration compatible with
version 3.4 or do I have to modify the content / ACLs of all existing



Any help would be appreciated.


Richard Herrmann
