[Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem
L.P.H. van Belle
belle at bazuin.nl
Mon Mar 5 00:44:53 MST 2012
Hi,
First, clean up your profile before making it your default profile.
This ( Ustawienia Lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1 )
should not be there; there should not be any "Temp" folder.
Second, your profiles share doesn't look right.
This is mine and this is working (adjust your path to: path = /profiles).
Set the initial rights on /profiles to 777;
new folders are created with the right rights.
[profiles]
   path = /home/samba/profiles
   comment = Profile environment
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = Yes
   guest ok = Yes
   csc policy = disable
   force user = %U
   # next line allows administrator to access all profiles
   valid users = %U @"Domain Admins"
>-----Original message-----
>From: adamsienkiewicz78 at gmail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Adam Sienkiewicz
>Sent: 2012-02-22 00:15
>To: samba at lists.samba.org
>Subject: [Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem
>
>Hi all,
>
>For a few weeks I've been trying to implement a new Samba PDC server for my
>school. It is based on Debian squeeze and Samba 3.5.6 with an LDAP backend.
>I was able to join a computer to the domain, LDAP is working, and mapping
>the home drive for users also works.
>It seems that almost everything works well, with one exception. The one
>thing which is broken is roaming profile support.
>When a user logs into the domain, Windows (I tested Win XP Prof SP2 and
>Win 7 Prof SP1) always says:
>"Windows cannot locate the server copy of your roaming profile and is
>attempting to log you on with your local profile. Changes to the profile
>will not be copied to the server when you logoff. Possible causes of this
>error include network problems or insufficient security rights. If this
>problem persists, contact your network administrator.
>DETAIL - The network name cannot be found."
>and
>"Windows cannot find the local profile and is logging you on with a
>temporary profile. Changes you make to this profile will be lost when you
>log off."
>It looks strange because when I put a default profile into the netlogon
>share, Windows takes it (I see that the background color in Windows is the
>same as I previously set in the default profile), and the user is able to
>browse his profile directory and create dirs and files inside it. In the
>Samba logs there are no errors; I can see that the /profile share is
>assigned to the user.
>On the Windows side, in c:\windows\debug\userenv.log there is:
>
>USERENV(320.324) 18:58:22:898 DeleteProfileEx: Failed to query profile guid with error 2
>USERENV(320.324) 18:58:34:758 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 18:58:34:758 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 18:58:34:804 CheckRoamingShareOwnership: owner is S-1-1-0!
>USERENV(320.324) 18:58:34:804 IsCentralProfileReachable: Ownership check failed with 8007051B
>USERENV(320.324) 18:58:34:804 ReportError: Impersonating user.
>USERENV(320.324) 18:58:36:429 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 18:58:36:445 ReportError: Impersonating user.
>USERENV(320.324) 18:58:37:023 RecurseDirectory: ... is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1\, dest = C:\Documents and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1\
>USERENV(320.324) 18:58:37:039 RecurseDirectory: ... is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\61Y5M1K7\, dest = C:\Documents and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet Files\Content.IE5\61Y5M1K7\
>USERENV(320.324) 18:58:37:039 RecurseDirectory: ... is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Q6DTJICU\, dest = C:\Documents and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Q6DTJICU\
>USERENV(320.324) 18:58:37:054 RecurseDirectory: ... is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\I56DMBW1\, dest = C:\Documents and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet Files\Content.IE5\I56DMBW1\
>USERENV(320.324) 18:58:43:461 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(358.278) 18:58:43:633 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(358.278) 18:58:43:633 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(320.324) 18:58:43:648 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(320.2a0) 18:58:43:664 GetGPOInfo: Local GPO's gpt.ini is not accessible, assuming default state.
>USERENV(550.6ac) 18:58:50:945 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(550.758) 18:58:50:992 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(320.f0) 18:58:58:758 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(77c.80) 19:04:24:414 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(320.324) 19:04:34:383 DeleteProfileEx: Failed to query profile guid with error 2
>USERENV(320.324) 19:04:51:508 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 19:04:51:508 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 19:04:51:554 CheckRoamingShareOwnership: owner is S-1-1-0!
>USERENV(320.324) 19:04:51:554 IsCentralProfileReachable: Ownership check failed with 8007051B
>USERENV(320.324) 19:04:51:554 ReportError: Impersonating user.
>USERENV(320.324) 19:04:53:273 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 19:04:53:273 ReportError: Impersonating user.
>USERENV(320.324) 19:04:53:883 RecurseDirectory: ... is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1\, dest = C:\Documents and Settings\TEMP.TESTADM\Ustawienia
>
>Here is my smb.conf:
>
>[global]
>   workgroup = TESTADM
>   netbios name = PDC-SRV
>   security = user
>   enable privileges = yes
>   server string = Samba Server %v
>   encrypt passwords = true
>   unix password sync = yes
>   ldap passwd sync = yes
>   passwd program = /usr/sbin/smbldap-passwd -u "%u"
>   passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
>
>   log level = 3
>   syslog = 0
>   log file = /var/log/samba/%U_%I.log
>   max log size = 100000
>   time server = Yes
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   mangling method = hash2
>   unix charset = ISO8859-2
>   dos charset = CP852
>   logon script = %G.bat
>   logon drive = H:
>   logon home =
>   logon path = \\172.16.220.131\profiles\%U
>   domain logons = Yes
>   domain master = Yes
>   os level = 65
>   preferred master = Yes
>   wins support = yes
>   passdb backend = ldapsam:ldap://127.0.0.1/
>   ldap admin dn = cn=admin,dc=slackware,dc=local
>   ldap suffix = dc=slackware,dc=local
>   ldap group suffix = ou=groups
>   ldap user suffix = ou=users
>   ldap machine suffix = ou=Computers
>   #ldap idmap suffix = ou=Idmap
>   add user script = /usr/sbin/smbldap-useradd -m "%u"
>   #ldap delete dn = Yes
>   delete user script = /usr/sbin/smbldap-userdel "%u"
>   add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>   add group script = /usr/sbin/smbldap-groupadd -p "%g"
>   delete group script = /usr/sbin/smbldap-groupdel "%g"
>   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>   set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>   admin users = domainadm
>   ldap ssl = no
>   host msdfs = no
>
>   # printers configuration
>   #printer admin = @"Print Operators"
>   load printers = Yes
>   create mask = 0640
>   directory mask = 0750
>   #force create mode = 0640
>   #force directory mode = 0750
>   nt acl support = No
>   printing = cups
>   printcap name = cups
>   deadtime = 10
>   guest ok = no
>   ;guest account = nobody
>   ;map to guest = Bad User
>   dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>   show add printer wizard = yes
>   ; to maintain capital letters in shortcuts in any of the profile folders:
>   preserve case = yes
>   short preserve case = yes
>   case sensitive = no
>
>[netlogon]
>   path = /home/netlogon/
>   comment = Network Logon Service
>   browseable = No
>   writable = yes
>   writelist = @domainadm
>
>[homes]
>   comment = Home Directories
>   path = /home/%U
>   ;valid users = /home/%S
>   read only = No
>   browseable = No
>   create mask = 0644
>   directory mask = 0711
>   ;admin users = piotrbrudny
>   nt acl support = no
>
>[profiles]
>   path = /profiles
>   read only = no
>   writable = yes
>   create mask = 0600
>   directory mask = 0700
>   browseable = No
>   guest ok = no
>   profile acls = no
>   ;nt acl support = no
>   # previously acls=yes
>   csc policy = disable
>   # next line is a great way to secure the profiles
>   force user = %U
>   valid users = %U @"Domain Admins" @users
>   map acl inherit = yes
>
>[printers]
>   comment = Network Printers
>   #printer admin = @"Print Operators"
>   guest ok = yes
>   printable = yes
>   path = /home/spool/
>   browseable = No
>   read only = Yes
>   printable = Yes
>   print command = /usr/bin/lpr -P%p -r %s
>   lpq command = /usr/bin/lpq -P%p
>   lprm command = /usr/bin/lprm -P%p %j
>   # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
>   # lpq command = /usr/bin/lpq -U%U@%M -P%p
>   # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
>   # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
>   # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
>   # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
>   # queueresume command = /usr/sbin/lpc -U%U@%M start %p
>
>[print$]
>   path = /home/printers
>   guest ok = No
>   browseable = Yes
>   read only = Yes
>   valid users = @"Print Operators"
>   write list = @"Print Operators"
>   create mask = 0664
>   directory mask = 0775
>
>[public]
>   path = /tmp
>   guest ok = yes
>   browseable = Yes
>
>and also some info about the roaming profiles directory permissions:
>
>drwxrwxrwt 13 root root 4096 Feb 17 20:05 profiles
>
>root at debldap4:~# tree -p -g -u /profiles
>/profiles
>├── [drwx------ czarus   Domain U] czarus
>├── [drwx------ domainad domainad] domainadm
>├── [drwxrwxrwx jas      Domain A] jas
>├── [drwx------ root     root    ] root
>├── [drwx------ sambaroo Domain U] sambaroot2
>├── [drwx------ sambaroo Domain U] sambaroot2.V2
>├── [drwx------ sambaroo Domain U] sambaroot3
>├── [drwx------ sambaroo Domain U] sambaroot3.V2
>├── [drwx------ test2    Domain U] test2
>│   └── [drwx------ test2    Domain U] dfd
>├── [drwx------ test5    domainad] test5
>└── [drwx------ test4    domainad] %u
>
>12 directories, 0 files
>
>The dirs in the /profiles directory were created automatically during the
>logon process.
>
>I googled for a few days and tried everything I could find, but with no
>luck. It would be great if somebody could help me with this, because I have
>no idea what the root cause of my issue is.
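Added example, written for this archive page and not code from either message in the thread. It audits a Samba roaming-profile share against the two clues the thread already contains. The userenv log says "owner is S-1-1-0" and "Ownership check failed with 8007051B": 0x51B is ERROR_INVALID_OWNER and S-1-1-0 is the Everyone SID. With "nt acl support = No" in [global], as in the posted smb.conf, smbd answers the client's security-descriptor query with a null descriptor owned by Everyone, and XP SP2+ and Windows 7 refuse to use a roaming profile directory with that owner. "profile acls = yes" (the poster has it set to no) makes smbd report the logged-on user as owner, but it only takes effect when NT ACL support is on for that share. The script checks those two settings plus "guest ok" (the reply's share enables it, which lets unauthenticated clients reach the profile tree), then audits the directory tree against the reply's permission advice: a sticky 1777 root, as the poster's "drwxrwxrwt" listing shows, so users cannot delete or rename each other's profile directories, and per-user directories owned by that user with no group/other access, which is what the 0600/0700 masks produce. It also flags a directory literally named "%u", like the one in the posted listing. The share name [profiles], the two sample smb.conf files (the posted settings and a corrected stanza) and the sample tree are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a Samba roaming-profile
# share and its directory tree. Assumed/constructed: the share is called
# [profiles]; the two sample smb.conf files and the sample tree are made up.

# smb_param FILE SECTION KEY: print the lower-cased value of KEY in [SECTION].
# Samba matches parameter names ignoring case and whitespace, so KEY is given
# squeezed ("profileacls" matches "profile acls"); nothing is printed if unset.
smb_param() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { insec = ($0 ~ ("^[ \t]*\\[" sec "][ \t]*$")); next }
        insec && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print tolower(v); exit
            }
        }' "$1"
}

# share_value FILE KEY: value for [profiles], falling back to [global].
share_value() {
    v=$(smb_param "$1" profiles "$2")
    [ -n "$v" ] || v=$(smb_param "$1" global "$2")
    printf '%s\n' "$v"
}

# check_profiles_share FILE: one finding per line; exit status 1 if any.
check_profiles_share() {
    conf=$1; n=0
    v=$(share_value "$conf" ntaclsupport)          # Samba default is yes
    case "${v:-yes}" in
        no|false|0) echo "nt acl support = $v: smbd returns a null security descriptor owned by S-1-1-0 (Everyone); XP SP2+/Win7 reject that owner (8007051B)"; n=$((n + 1)) ;;
    esac
    v=$(share_value "$conf" profileacls)           # Samba default is no
    case "$v" in
        yes|true|1) ;;
        *) echo "profile acls = ${v:-unset}: set yes so the logged-on user is reported as owner of the profile"; n=$((n + 1)) ;;
    esac
    v=$(share_value "$conf" guestok)
    case "$v" in
        yes|true|1) echo "guest ok = $v: unauthenticated clients can reach the profile tree"; n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# check_profile_tree ROOT: ROOT must be sticky (1777) so users cannot delete or
# rename each other's directories; each entry NAME or NAME.V2 must be owned by
# NAME with no group/other bits. One finding per line; exit status 1 if any.
check_profile_tree() {
    root=$1; n=0
    set -- $(ls -ld "$root")                       # $1 = mode string
    case "$1" in
        d????????[tT]*) ;;
        *) echo "$root: no sticky bit (mode $1)"; n=$((n + 1)) ;;
    esac
    for d in "$root"/*/; do
        d=${d%/}; [ -d "$d" ] || continue
        name=${d##*/}
        case "$name" in
            *%*) echo "$name: literal macro in directory name; check the logon path uses %U"; n=$((n + 1)); continue ;;
        esac
        set -- $(ls -ld "$d"); perms=$1; owner=$3
        user=${name%.V2}
        [ "$owner" = "$user" ] || { echo "$name: owned by $owner, expected $user"; n=$((n + 1)); }
        case "$perms" in
            d???------*) ;;
            *) echo "$name: mode $perms grants group/other access"; n=$((n + 1)) ;;
        esac
    done
    [ "$n" -eq 0 ]
}

# build_samples DIR: constructed inputs. broken.conf mirrors the posted
# settings that matter here; fixed.conf is the corrected [profiles] stanza
# (share-level "nt acl support = yes" overrides the global "No").
build_samples() {
    cat >"$1/broken.conf" <<'EOF'
[global]
   nt acl support = No
[profiles]
   path = /profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   guest ok = no
   profile acls = no
   force user = %U
   valid users = %U @"Domain Admins" @users
EOF
    cat >"$1/fixed.conf" <<'EOF'
[global]
   nt acl support = No
[profiles]
   path = /profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   guest ok = no
   nt acl support = yes
   profile acls = yes
   valid users = %U @"Domain Admins"
EOF
    me=$(id -un 2>/dev/null || id -u)
    mkdir -p "$1/profiles/$me" "$1/profiles/$me.V2" "$1/profiles/jas" "$1/profiles/%u"
    chmod 1777 "$1/profiles"
    chmod 700 "$1/profiles/$me" "$1/profiles/$me.V2" "$1/profiles/%u"
    chmod 777 "$1/profiles/jas"                    # like the poster's "jas"
}

demo() {
    tmp=$(mktemp -d); build_samples "$tmp"
    for c in broken fixed; do
        echo "== $c.conf"; check_profiles_share "$tmp/$c.conf" && echo "no findings"
    done
    echo "== profile tree"; check_profile_tree "$tmp/profiles" && echo "no findings"
    rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument "demo" to see the findings for the constructed samples, or call check_profiles_share and check_profile_tree against a real smb.conf and profile root. The client-side alternative is the Group Policy "Do not check for user ownership of Roaming Profile Folders" (CompatibleRUPSecurity = 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), which switches the check off on every client instead of making Samba report the right owner; fixing the share is the better option.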