[Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem

Adam Sienkiewicz adamsienkiewicz78 at gmail.com
Tue Feb 21 16:15:12 MST 2012


Hi all;

For a few weeks I have been trying to implement a new Samba PDC server for my school.
It is based on Debian Squeeze and Samba 3.5.6 with an LDAP backend.
I was able to join a computer to the domain, LDAP is working, and mapping the home
drive for users works too.
It seems that almost everything works, with one exception. The one thing
that is broken is roaming profile support.
When a user logs into the domain, Windows (I tested Win XP Pro SP2 and Win 7
Pro SP1) always says:
"Windows cannot locate the server copy of your roaming profile and is
attempting to log you on with your local profile. Changes to the profile
will not be copied to the server when you logoff. Possible causes of this
error include network problems or insufficient security rights. If this
problem persists, contact your network administrator.
DETAIL – The network name cannot be found."
and
"Windows cannot find the local profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when you
log off."
It looks strange because when I put a default profile into the netlogon share,
Windows takes it (I see that the background colour in Windows is the same as I
previously set in the default profile), and the user is able to browse his profile
directory and create directories and files inside it. In the Samba logs there are no
errors; I can see that the profiles share is assigned to the user.
On the Windows side, in the c:\windows\debug\userenv log there is:

USERENV(320.324) 18:58:22:898 DeleteProfileEx:  Failed to query profile
guid with error 2
USERENV(320.324) 18:58:34:758 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 18:58:34:758 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 18:58:34:804 CheckRoamingShareOwnership: owner is S-1-1-0!
USERENV(320.324) 18:58:34:804 IsCentralProfileReachable: Ownership check
failed with 8007051B
USERENV(320.324) 18:58:34:804 ReportError: Impersonating user.
USERENV(320.324) 18:58:36:429 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 18:58:36:445 ReportError: Impersonating user.
USERENV(320.324) 18:58:37:023 RecurseDirectory:
is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia
lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1\, dest = C:\Documents
and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\ARGDYVI1\
USERENV(320.324) 18:58:37:039 RecurseDirectory:
is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia
lokalne\Temporary Internet Files\Content.IE5\61Y5M1K7\, dest = C:\Documents
and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\61Y5M1K7\
USERENV(320.324) 18:58:37:039 RecurseDirectory:
is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia
lokalne\Temporary Internet Files\Content.IE5\Q6DTJICU\, dest = C:\Documents
and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\Q6DTJICU\
USERENV(320.324) 18:58:37:054 RecurseDirectory:
is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia
lokalne\Temporary Internet Files\Content.IE5\I56DMBW1\, dest = C:\Documents
and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\I56DMBW1\
USERENV(320.324) 18:58:43:461 GetUserDNSDomainName:  MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(358.278) 18:58:43:633 GetUserDNSDomainName:  MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(358.278) 18:58:43:633 GetUserDNSDomainName:  MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(320.324) 18:58:43:648 GetUserDNSDomainName:  MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(320.2a0) 18:58:43:664 GetGPOInfo:  Local GPO's gpt.ini is not
accessible, assuming default state.
USERENV(550.6ac) 18:58:50:945 GetUserDNSDomainName:  MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(550.758) 18:58:50:992 GetUserDNSDomainName:  MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(320.f0) 18:58:58:758 GetUserDNSDomainName:  MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(77c.80) 19:04:24:414 GetUserDNSDomainName:  MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(320.324) 19:04:34:383 DeleteProfileEx:  Failed to query profile
guid with error 2
USERENV(320.324) 19:04:51:508 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 19:04:51:508 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 19:04:51:554 CheckRoamingShareOwnership: owner is S-1-1-0!
USERENV(320.324) 19:04:51:554 IsCentralProfileReachable: Ownership check
failed with 8007051B
USERENV(320.324) 19:04:51:554 ReportError: Impersonating user.
USERENV(320.324) 19:04:53:273 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 19:04:53:273 ReportError: Impersonating user.
USERENV(320.324) 19:04:53:883 RecurseDirectory:
is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia
lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1\, dest = C:\Documents
and Settings\TEMP.TESTADM\Ustawienia

Here is my smb.conf

[global]
workgroup = TESTADM
netbios name = PDC-SRV
security = user
enable privileges = yes
server string = Samba Server %v
encrypt passwords = true
unix password sync = yes
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

log level = 3
syslog = 0
log file = /var/log/samba/%U_%I.log
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
unix charset = ISO8859-2
dos charset = CP852
logon script = %G.bat
logon drive = H:
        logon home =
        logon path = \\172.16.220.131\profiles\%U
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=slackware,dc=local
ldap suffix = dc=slackware,dc=local
        ldap group suffix = ou=groups
        ldap user suffix = ou=users
        ldap machine suffix = ou=Computers
#ldap idmap suffix = ou=Idmap
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        #ldap delete dn = Yes
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
"%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = domainadm
ldap ssl = no
host msdfs = no

# printers configuration
#printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest ok = no
;guest account = nobody
;map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no

[netlogon]
path = /home/netlogon/
comment = Network Logon Service
browseable = No
writable = yes
write list = @domainadm

[homes]
    comment = Home Directories
    path = /home/%U
    ;valid users = /home/%S
    read only = No
    browseable = No
    create mask = 0644
    directory mask = 0711
    ;admin users = piotrbrudny
    nt acl support = no


[profiles]
path = /profiles
read only = no
writable = yes
create mask = 0600
directory mask = 0700
browseable = No
guest ok = no
profile acls = no
;nt acl support = no
#a bylo acls=yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
valid users = %U @"Domain Admins" @users
map acl inherit = yes
[printers]
        comment = Network Printers
        #printer admin = @"Print Operators"
        guest ok = yes
        printable = yes
        path = /home/spool/
        browseable = No
        read only  = Yes
        printable = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j
        # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
        # lpq command = /usr/bin/lpq -U%U@%M -P%p
        # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
        # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
        # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
        # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
        # queueresume command = /usr/sbin/lpc -U%U@%M start %p

[print$]
        path = /home/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

[public]
path = /tmp
guest ok = yes
browseable = Yes

and also some info about the roaming profiles directory permissions

drwxrwxrwt 13 root root  4096 Feb 17 20:05 profiles

root@debldap4:~# tree -p -g -u /profiles
/profiles
├── [drwx------ czarus   Domain U]  czarus
├── [drwx------ domainad domainad]  domainadm
├── [drwxrwxrwx jas      Domain A]  jas
├── [drwx------ root     root    ]  root
├── [drwx------ sambaroo Domain U]  sambaroot2
├── [drwx------ sambaroo Domain U]  sambaroot2.V2
├── [drwx------ sambaroo Domain U]  sambaroot3
├── [drwx------ sambaroo Domain U]  sambaroot3.V2
├── [drwx------ test2    Domain U]  test2
│   └── [drwx------ test2    Domain U]  dfd
├── [drwx------ test5    domainad]  test5
└── [drwx------ test4    domainad]  %u

12 directories, 0 files

The directories in /profiles were created automatically during the logon process.

I have googled for a few days and tried everything I could find, but with no luck. It would be
great if somebody could help me with this, because I have no idea what the
root cause of my issue is.
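The line in the userenv log that matters is `CheckRoamingShareOwnership: owner is S-1-1-0!`: Windows asks the server who owns the profile directory, and the answer is Everyone, so it refuses the server copy and falls back to a temporary profile. A Samba 3 share with `nt acl support = no` (set in [global] above and not overridden in [profiles]) answers security-descriptor queries with a null descriptor owned by Everyone, and `profile acls = no` means smbd does not substitute the connecting user as owner either. The directory listing also shows two things worth checking on any profile share: `jas` is world-writable, so any domain user could drop files into that profile (the Startup folder in it runs at jas's next logon), and the literal `%u` directory is what you get when `logon path` uses `%u`, which has no value before a share is connected (`%U` does). The script below is an added example written for this page, not code from the poster or from Samba; it assumes GNU coreutils `stat` (as on the Debian host above), and the share name `profiles` and the paths are the poster's, everything else is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Samba 3 roaming-profile
# share the way Windows' userenv judges it. Assumes GNU coreutils `stat`;
# share name and paths are the poster's, everything else is an assumption.
set -u

# effective CONF SECTION "param name"
# Print the value a share-level parameter has in SECTION, falling back to
# [global] as smbd does; print nothing if it is set in neither.
effective() {
    awk -v sect="$2" -v key="$3" '
        BEGIN { sect = tolower(sect); key = tolower(key); s = "" }
        /^[ \t]*[;#]/ { next }                                   # comment line
        /^[ \t]*\[/   { s = tolower($0); gsub(/\[|\]|[ \t]/, "", s); next }
        index($0, "=") {
            i = index($0, "=")
            k = tolower(substr($0, 1, i - 1))
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { if (s == sect) sv = v; else if (s == "global") gv = v }
        }
        END { print (sv != "" ? sv : gv) }' "$1"
}

# audit_conf CONF SHARE
# One finding per line; silent when the settings Windows cares about are sane.
audit_conf() {
    acl=$(effective "$1" "$2" "nt acl support" | tr 'A-Z' 'a-z')
    pacl=$(effective "$1" "$2" "profile acls" | tr 'A-Z' 'a-z')
    case "$acl" in
        no|false|0) echo "CONF [$2]: nt acl support is off, smbd answers ACL queries with owner S-1-1-0 (Everyone)" ;;
    esac
    case "$pacl" in
        yes|true|1) ;;
        *) echo "CONF [$2]: profile acls is not yes, Windows will not see the user as owner of the profile" ;;
    esac
}

# audit_dirs ROOT
# Flag per-user profile directories that Windows refuses (wrong owner) or that
# let another domain user tamper with someone's profile (world write).
audit_dirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}; name=${d##*/}
        user=${name%.V2}                 # Windows 7 keeps its profile in <user>.V2
        owner=$(stat -c %U "$d")
        mode=$(stat -c %a "$d")
        case "$name" in
            *%*) echo "DIR $name: unexpanded smb.conf macro (logon path uses %u instead of %U?)" ;;
        esac
        [ "$owner" = "$user" ] || echo "DIR $name: owned by $owner, not $user"
        [ "$mode" = 700 ]      || echo "DIR $name: mode $mode, expected 700"
        case "$mode" in
            *[2367]) echo "DIR $name: world-writable, any domain user can plant files that run at $user's next logon" ;;
        esac
    done
}

# Usage: profile-audit.sh /etc/samba/smb.conf profiles /profiles
if [ "$#" -eq 3 ]; then
    audit_conf "$1" "$2"
    audit_dirs "$3"
fi
```

Run it as root on the PDC against the real smb.conf and /profiles; on the configuration as posted it reports both CONF findings plus the `jas` and `%u` directories. The fix it points at is `nt acl support = yes` and `profile acls = yes` in [profiles] (leave `create mask = 0600` and `directory mask = 0700`), then chmod 700 the world-writable profile and remove the stray `%u` directory.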

