[Samba] BDC needs a [profile] and [netlogon] share ?

Micro MEGAS micromegas at mail333.com
Fri May 24 04:55:34 MDT 2013


Hi all,

I have a BDC which uses the LDAP backend of my PDC. Unfortunately all the users who log in in the morning and who are processed by this BDC do not get their logon script executed. The BDC logs this error message:

[2013/05/24 07:28:11.946577,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [foobar] -> [foobar] -> [foobar] succeeded
[2013/05/24 07:28:11.948108,  0] param/loadparm.c:8686(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. File or directory not found
[2013/05/24 07:28:12.976867,  0] param/loadparm.c:8686(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. Access denied
[2013/05/24 07:28:12.979372,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: foobar

I did not understand why the BDC looks for netlogon at /var/lib/samba/usershares/netlogon, so I double-checked my smb.conf on both PDC and BDC. Here are the relevant options in smb.conf:

***PDC***smb.conf:
[global]
        ...
        security = user
        passdb backend = ldapsam:ldap://172.16.0.1
        logon script = %U.bat
        logon path = \\pdc\profiles\%U
        logon drive = U:
        domain logons = Yes
        preferred master = Yes
        local master = Yes
        domain master = Yes
        os level = 254
        wins support = Yes
        ...

[netlogon]
        comment = Logon batch
        path = /file01/netlogon
        write list = "@Domain Admins"

[profiles]
        comment = Centralized Roaming Profiles
        path = /file01/profile
        read only = No
        browseable = No

***BDC***smb.conf:
[global]
        ...
        security = user
        passdb backend = ldapsam:ldap://172.16.0.1/
        logon script = \\pdc\netlogon\%U.bat
        logon path = \\pdc\profiles\%U
        logon drive = U:
        domain logons = Yes
        preferred master = No
        local master = No
        domain master = No
        os level = 20
        password server = *
;       wins server = 172.16.0.1

I realized that no [netlogon] and [profiles] shares exist on the BDC. But there are no known problems with profiles for users who were handled by the BDC. Only logon scripts don't work? Is it possible that the option "logon script = " DOES NOT ALLOW the use of a UNC path like I am using it? So this is the problem, and samba falls back to the default path /var/lib/samba/usershares/netlogon and tries to look for the logon script there???

If so, what should my [netlogon] share on the BDC look like? Do I have to rsync/copy the content of pdc:/file01/netlogon to bdc:/somedir/netlogon and use the following lines in the BDC's smb.conf?

logon script = %U.bat
[netlogon]
        comment = BDC Logon batch
        path = /somedir/netlogon
        write list = "@Domain Admins"

Will that be enough or am I wrong? I would also like to know if I could use "os level = 0" on the BDC, because I don't need/want the BDC to handle domain logon procedures; that would be the easiest way in my case. Now you ask why the heck I need it to run as BDC :-) It's because I can't use winbind on the BDC and I need the correct mappings for users/groups. And that's only possible either by using winbind on the BDC and idmapping, or by running as BDC so it uses the locally managed database of the PDC. In my case it was really much easier to use the BDC method, because if I used winbind it would result in different ids (those of the winbind idmapping ranges) and access would be denied to lots of my existing shares. So in the end I would have to chmod all of my used dirs/paths, which is a lot of work. That's why I chose the much easier way as a BDC. But that's not very important, I'd just like to know if "os level = 0" would be ok or cause some other troubles?

Any help and feedback really appreciated. Thanks to all
Lucas
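The question above boils down to two facts about smb.conf: Samba's `logon script` is a path relative to the [netlogon] share of the server that authenticated the user (so a BDC that authenticates users needs its own [netlogon] share and a share-relative script name), whereas `logon path` is a UNC path by design and may point at the PDC. A third point a practitioner should check while fixing this is that [netlogon] stays read-only for ordinary users (`read only` defaults to yes), because every domain client executes whatever it finds there. The following lint is an added example, not code from the post or from the Samba project: it parses smb.conf text into sections and flags those three conditions. The sample configurations are constructed from the fragments in the post (the writable variant is hypothetical) rather than copied from the poster's files.

```python
"""Lint smb.conf fragments for PDC/BDC logon-script pitfalls.

Added example (not from the mailing-list post or from Samba). The sample
configurations are constructed from the fragments quoted in the post.
"""
import re

# Constructed sample: the BDC as described in the post (no [netlogon] share,
# UNC path in 'logon script'). '...' lines stand for omitted options.
BDC_AS_POSTED = r"""
[global]
        ...
        security = user
        passdb backend = ldapsam:ldap://172.16.0.1/
        logon script = \\pdc\netlogon\%U.bat
        logon path = \\pdc\profiles\%U
        logon drive = U:
        domain logons = Yes
        domain master = No
        os level = 20
        password server = *
;       wins server = 172.16.0.1
"""

# Constructed sample: the same BDC with a share-relative script name and a
# [netlogon] share of its own, as the poster proposes.
BDC_WITH_NETLOGON = r"""
[global]
        security = user
        passdb backend = ldapsam:ldap://172.16.0.1/
        logon script = %U.bat
        logon path = \\pdc\profiles\%U
        domain logons = Yes

[netlogon]
        comment = BDC Logon batch
        path = /somedir/netlogon
        write list = "@Domain Admins"
"""

# Hypothetical bad variant: [netlogon] opened for writing to everyone.
BDC_WRITABLE_NETLOGON = BDC_WITH_NETLOGON + "        read only = No\n"


def parse_smb_conf(text):
    """Return {section_lower: {key_lower: value}} for ini-style smb.conf text.

    Skips blank lines, '#'/';' comment lines and lines without '=' (such as
    the '...' elisions above). Keys are case-insensitive in Samba, so they
    are lower-cased; surrounding quotes on values are dropped.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip().lower()] = value.strip().strip('"')
    return conf


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def netlogon_is_writable(share):
    """'read only' defaults to yes; writeable/writable/write ok invert it."""
    if "read only" in share:
        return not is_yes(share["read only"])
    for alias in ("writeable", "writable", "write ok"):
        if alias in share:
            return is_yes(share[alias])
    return False


MESSAGES = {
    "no-netlogon-share": "domain logons = yes but no [netlogon] share is defined: "
                         "clients that authenticate here fetch the logon script from "
                         "this server's netlogon share",
    "unc-logon-script": "logon script must be relative to this server's [netlogon] "
                        "share (e.g. %U.bat), not a UNC path",
    "writable-netlogon": "[netlogon] is writable by all users: anyone could plant a "
                         "script every domain client runs at logon; keep read only = "
                         "yes and grant writes via write list",
}


def lint(conf):
    """Return the list of finding codes (keys of MESSAGES) for a parsed config."""
    findings = []
    g = conf.get("global", {})
    if not is_yes(g.get("domain logons", "no")):
        return findings  # not a logon server; the checks below do not apply
    if "netlogon" not in conf:
        findings.append("no-netlogon-share")
    script = g.get("logon script", "")
    if script.startswith("\\\\") or script.startswith("//"):
        findings.append("unc-logon-script")
    if "netlogon" in conf and netlogon_is_writable(conf["netlogon"]):
        findings.append("writable-netlogon")
    return findings


if __name__ == "__main__":
    for name, text in (("BDC as posted", BDC_AS_POSTED),
                       ("BDC with [netlogon]", BDC_WITH_NETLOGON),
                       ("BDC, writable [netlogon]", BDC_WRITABLE_NETLOGON)):
        codes = lint(parse_smb_conf(text))
        print(f"{name}: {codes or 'no findings'}")
        for code in codes:
            print("  -", MESSAGES[code])
```

To run it against a live server rather than the embedded samples, feed it the output of `testparm -s`, which prints the effective configuration in the same syntax; the parser above deliberately ignores lines it cannot interpret, so the `...` elisions from the post do not break it.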

