On 2-8-2010 21:26, David N wrote:
On 2 August 2010 21:32, Alex de Kruijff <al...@specialisterren.nl> wrote:
Hi,

I've set up an LDAP backend Samba PDC. I can gain access to shares and
log in with a user that is in LDAP, but have a problem setting up the
roaming profile stuff. I've been trying to solve this problem for some
time now, and have tried everything I could think of, but without much
luck. I keep getting the following error messages:

"Windows cannot locate the server copy of your roaming profile and is
attempting to log you on with your local profile. Changes to the profile
will not be copied to the server when you logoff. Plausible causes of
this error include network problem or insufficient security rights. If
this problem persists, contact your network administrators. DETAILS -
The network path was not found."

Followed by:

"Windows cannot find the local profile and is logging on with a temporary
profile. Changes to this profile will be lost when you logoff."

Here is my smb.conf:

[global]
     security = user
     name resolve order = wins lmhosts hosts bcast
     deadtime = 15
     map to guest = Never
     csc policy = disable
     hosts allow = 127. 192.168.
     server string =
     workgroup = Nieuwegein
     time server = yes
     wins support = yes
     domain master = yes
     domain logons = yes
    encrypt passwords = yes
     local master = yes
     logon drive = Z:
     logon path = \\%L\profiles\%U
     preferred master = yes
     os level = 255
     encrypt passwords = yes
     passdb backend = ldapsam:ldap://localhost/
     enable privileges = Yes
     pam password change = yes
     passwd program = /usr/local/sbin/smbldap-passwd %u
     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
     unix password sync = Yes
     ldap delete dn = Yes
     ldap ssl = Off
     ldap passwd sync = Yes
     ldap admin dn = cn=admin,dc=specialisterren,dc=nl
     ldap suffix = dc=specialisterren,dc=nl
     ldap group suffix = ou=Groups
     ldap idmap suffix = ou=Users
     ldap machine suffix = ou=Computers
     ldap user suffix = ou=Users
     idmap backend = ldap:ldap://localhost
     idmap uid = 10000-20000
     idmap gid = 10000-20000
     add user script = /usr/local/sbin/smbldap-useradd -a -m "%u"
     delete user script = /usr/local/sbin/smbldap-userdel "%u"
     add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
     delete group script = /usr/local/sbin/smbldap-groupdel "%g"
     add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
     delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
     set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
     add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    template homedir = /home/%U
     template shell = /bin/csh
    getwd cache = yes
    socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=819
    use sendfile = yes
    # How to mangle Long Filenames into 8.3 DOS
    mangle prefix = 6
    log level = 1
    log file = /var/log/samba/log.%m
    max log size = 50
     syslog = 0

  [template]
  # edited out, has no path

  [homes]
    comment = Home users
    inherit owner = yes
    dos filemode = yes
    writable = yes
    read list = @wheel @"Domain Admins"
    valid users = "%S"
     create mask = 0740
     directory mask = 0750
     aio read size = 16384

  [netlogon]
     comment = Network Logon Service
     path = /disk/netlogon
     browseable = no
     read only = yes
     aio read size = 16384

  [profiles]
     comment = Roaming Profiles Directory
     path = /disk/profiles
     administrative share = true
     browseable = no
    writable = yes
     create mask = 0600
     directory mask = 0700
     aio read size = 16384
     public = yes
     # The root preexec command performs:
    # mkdir -pm 750 /disk/profiles/%U-%a; chown %U /disk/profiles/%U-%a
     # I started off without this.
     root preexec = /root/sbin/profiles.sh %U %a

# edited out other shares

ldapsearch gives me:
  # tester, Users, specialisterren.nl
  dn: uid=tester,ou=Users,dc=specialisterren,dc=nl
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: sambaSamAccount
  cn: tester
  sn: tester
  givenName: tester
  uid: tester
  uidNumber: 10005
  gidNumber: 513
  homeDirectory: /home/tester
  loginShell: /bin/sh
  gecos: Tes ter
  sambaLogonTime: 0
(Edited out the other stuff)

I can access \\Server\profiles, \\Server\netlogon using my tester
account. /etc/passwd contains no line with the user tester. And I can
log in under SSH with the tester account.

ll -d /disk/{netlogon,profiles} gives me:
drwxr-xr-x  2 root  wheel  512 Mar 16 11:09 /disk/netlogon/
drwxrwxrwt  2 root  wheel  512 Aug  2 12:41 /disk/profiles/

Alex


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Have you installed /usr/ports/net/smbldap-tools/? Although you don't
need it, it helps when creating users.

Do you have sambaProfilePath in your ldap?

Regards

Hi David.

Yes, I've populated the LDAP with smbldap-populate -u 10000 -g 10000 -r 0000. I did notice various entries with out-of-range uid and gid numbers: nobody (uid 999 gid 514), domain admins (gid 512), domain users (gid 513), domain computers (gid 515), Administrator (gid 544), Account Operators (gid 548), Print Operators (gid 550), Backup Operators (gid 551), Replicators (gid 552).

> # pkg_info | grep ldap
> nss_ldap-1.264_3    RFC 2307 NSS module
> openldap-client-2.4.18 Open source LDAP client implementation
> openldap-server-2.4.18_1 Open source LDAP server implementation
> p5-perl-ldap-0.39   A Client interface to LDAP (includes Net::LDAP)
> pam_ldap-1.8.4_1    A pam module for authenticating with LDAP
> php5-ldap-5.2.11    The ldap shared extension for php
> phpldapadmin-1.2.0.3,1 A set of PHP-scripts to administer LDAP over the web
> smbldap-tools-0.9.5 Samba-LDAP management and support tools

> # pkg_info | grep samba
> samba-3.3.8         A free SMB and CIFS client and server for UNIX
> samba-libsmbclient-3.0.37 Shared libs from the samba package

I see I left out half of the tester entry from ldap:

> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> displayName: tester
> sambaSID: S-1-5-21-914212253-3526360373-1445599473-21010
> sambaPrimaryGroupSID: S-1-5-21-914212253-3526360373-1445599473-513
> sambaProfilePath: \\%L\profiles\tester
> sambaHomePath: \\%L\homes\%u
> sambaHomeDrive: Z:
> sambaNTPassword: 588FEB889288FB953B5F094D47D1565C
> sambaPwdMustChange: 1284288886
> shadowLastChange: 14819
> shadowMax: 45
> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
> sambaPwdLastSet: 1280752203
> sambaAcctFlags: [U          ]
> userPassword:: e1NTSEF9dUMzUFFUcFEzNE5CT0ZCb1hZVytXTHROUEpEU2FpeHc=

Also I'm getting these error messages:
> # cat /var/log/samba/log.wb-NIEUWEGEIN
> [2010/08/03 10:46:11, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(755)
>   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SERVER, pipe \lsarpc, fnum 0x7779!

> # cat /var/log/samba/log.winbindd
> [2010/08/03 10:45:39,  0] winbindd/winbindd.c:main(1126)
>   winbindd version 3.3.8 started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2009
> [2010/08/03 10:45:39, 0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
>   initialize_winbindd_cache: clearing cache and re-creating with version number 1
> [2010/08/03 10:46:11, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(755)
>   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SERVER, pipe \lsarpc, fnum 0x777a!

> # cat /var/log/samba/log.winbindd-idmap
> [2010/08/03 10:45:39,  1] winbindd/idmap.c:idmap_init_passdb_domain(438)
>   Could not init passdb idmap domain
> [2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap_alloc(201)
>   idmap_alloc module ldap already registered!
> [2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap_alloc(201)
>   idmap_alloc module tdb already registered!
> [2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap(149)
>   Idmap module passdb already registered!
> [2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap(149)
>   Idmap module nss already registered!
> [2010/08/03 10:45:39, 0] winbindd/idmap_ldap.c:idmap_ldap_set_mapping(1449)
>   ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 11109 mapping [gidNumber]
> [2010/08/03 10:45:39, 0] winbindd/idmap_ldap.c:idmap_ldap_set_mapping(1451)
>   ldap_set_mapping_internals: Error was: (NULL) (Already exists)
> [2010/08/03 10:46:14, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(755)
>   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SERVER, pipe \lsarpc, fnum 0x7779!

Alex
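
An added example, not part of the original thread: it resolves the posted `logon path` to a directory under the `[profiles]` share and compares it with the directory named in the `root preexec` comment. The client architecture value `WinXP` and all function names are assumptions made for illustration; `SERVER` is the host name seen in the posted logs.

```python
import posixpath

# Constructed excerpt of the smb.conf posted above (only the keys this check needs).
SMB_CONF = r"""
[global]
    logon path = \\%L\profiles\%U
[profiles]
    path = /disk/profiles
    root preexec = /root/sbin/profiles.sh %U %a
"""
# Directory pattern copied from the comment in the posted [profiles] share.
PREEXEC_DIR = "/disk/profiles/%U-%a"

def parse_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, comment lines skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def expand(template, subs):
    """Expand the %X variables given in subs; anything else is left untouched."""
    for var, val in subs.items():
        template = template.replace(var, val)
    return template

def unc_to_disk(unc, conf):
    r"""Map \\server\share\rest to the share's 'path' joined with rest."""
    parts = [p for p in unc.split("\\") if p]
    share, rest = parts[1].lower(), parts[2:]
    if share not in conf or "path" not in conf[share]:
        raise KeyError(f"share [{share}] has no path in smb.conf")
    return posixpath.join(conf[share]["path"], *rest)

def check_profile_dir(user, arch, server="SERVER"):
    """Return (directory the client requests, directory preexec creates, match?)."""
    conf = parse_conf(SMB_CONF)
    subs = {"%L": server, "%U": user, "%a": arch}  # arch is an assumed sample value
    requested = unc_to_disk(expand(conf["global"]["logon path"], subs), conf)
    created = expand(PREEXEC_DIR, subs)
    return requested, created, requested == created
```

For the `tester` account, `check_profile_dir("tester", "WinXP")` reports whether the two directory names agree, which is worth confirming on disk before looking further at permissions.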