[Samba] samba roaming profiles not working

Sun Sep 19 21:11:06 MDT 2010

On 19/09/10 07:55 PM, Philippe LeCavalier wrote:
>  Gary,
>
>  On Fri, 2010-09-17 at 14:21 -0400, Gary Dale wrote:
>
> > I've been at this for hours now and am still not getting it to
> > work. I've been through the lists trying to find an answer and so
> > far as I can tell, everything is configured OK. Obviously it's not,
> > but I'm stuck.
> >
> > I recently installed Squeeze on my home server, overwriting a Lenny
> >  installation. I've been able to add my NT (Windows XP/Pro) domain
> >  accounts back in and pdbedit shows the expected values - e.g.:
> >
> > root at whenim64:/home/samba/profiles# pdbedit -Lv garydale Unix
> > username: garydale NT username: Account Flags: [U ] User SID:
> > S-1-5-21-832165970-4128531365-4003982369-1002 Primary Group SID:
> > S-1-5-21-832165970-4128531365-4003982369-513 Full Name: Gary Dale
> > Home Directory: \\whenim64\home\garydale HomeDir Drive: m: Logon
> > Script: Profile Path: \\whenim64\home\samba\profiles\garydale
> > Domain: RAHIM-DALE Account desc: Workstations: Munged dial: Logon
> > time: 0 Logoff time: 9223372036854775807 seconds since the Epoch
> > Kickoff time: 9223372036854775807 seconds since the Epoch Password
> > last set: Wed, 15 Sep 2010 14:05:50 EDT Password can change: Wed,
> > 15 Sep 2010 14:05:50 EDT Password must change: never Last bad
> > password : 0 Bad password count : 0 Logon hours :
> > FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>  ^What's this?^
That's the pdbedit output from the command at the start of the section

>
> >
> > However, although I can log on, I can't get the roaming profiles
> > working. I get the "windows cannot locate the server copy of your
> > roaming profile" message. Since my Unix account names/numbers are
> > the same and the profiles are in the previously working /home
> > folder that didn't get touched, I can't see how it''s a permissions
> > problem. Noneheless, I removed an old profile which should have let
> > WIndows create a new one. It didn't. I still got the same error.
> >
> > I did have to reinstate the groupmaps (don't know why the samba
> > install doesn't do this) but they seem OK.
> >
> > root at whenim64:/home/samba/profiles# net groupmap list Domain Admins
> > (S-1-5-21-832165970-4128531365-4003982369-512) -> ntadmins Domain
> > Users (S-1-5-21-832165970-4128531365-4003982369-513) -> users
> > Domain Guests (S-1-5-21-832165970-4128531365-4003982369-514) ->
> > nogroup Domain Computers
> > (S-1-5-21-832165970-4128531365-4003982369-515) -> machines
> >
> > My smb.conf tests OK with testparm. SWAT reports all the daemons
> > are running. I can map shares (with read/write) without needing
> > extra authentication.
> >
> > My smb.conf (minus the shares & printers) is:
>
>  [...]
>
> > logon path = \\%N\home\samba\profiles\%U
>
>  In 'man smb.conf'
>
>  Windows clients can sometimes maintain a connection to the [homes]
>  share, even though there is no user logged in. Therefore, it is
>  vital that the logon path does not include a reference to the homes
>  share (i.e. setting this parameter to \\%N\homes \profile_path will
>  cause problems). [...] If you want profiles stored in the home dir
>  use the default setting ie \ \%N\%U\Profile

>
> > [Profiles] profile acls = yes create mode = 0600 directory mode =
> > 0700 path = /home/samba/profiles
>
>  Set this to \\%N\%U\Profile OR edit [global] to the reflect this.
>  Either way, it needs to be identical and fall within an allowable
>  setting.
>
>  May I also add that in my opinion you've gone a little overboard
>  with the settings in [global] I've been using Samba as a DC for many
>  years and have never needed to change so many settings. I would
>  suggest starting with defaults and editing as needed...Just a
>  thought.
>
>  Cheers, Phil

Actually the [global] settings are pretty much the defaults. Possibly 
it's a Debian thing or the way SWAT leaves it. I added the add machine 
script and changed the logon path.

It turned out you were right about the duplication of the path between 
logon path and the profiles share. Removing the duplicated path from the 
logon path fixed it. I knew it was something stupid that I was missing.  :)

Thanks.