> Date: Mon, 19 Oct 2009 13:25:48 -0600
> Subject: [Samba] local copy microsoft/credentials directory profile redirection
>
> hello,
>
> i've set up a domain controller to replace a production server.
> both servers use profile redirection for all user environment directories.
>
> my problem is that when logging onto the new domain and server, windows will
> create in the %userprofile% local directory an Application Directory
> containing Microsoft/Credentials/*SID*, although a copy exists on the server.
>
> this directory is used to store the user's network passwords.
>
> because a blank credential directory is created stored network passwords
> (explorer only) are not used. all other applications use the network copy of
> the directory (as they should).
>
> redirection is done through adm here are the pertinent settings:
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
> "AppData"="%logonserver%\profiles\%username%\Application Data"
> "Cookies"="%logonserver%\profiles\%username%\Cookies"
> "Desktop"="%logonserver%\%username%\Desktop"
> "Personal"="%logonserver%\%username%\My Documents"
> "Local AppData"="%logonserver%\profiles\%username%\Local Settings\Application Data"
> "Cache"="c:\temp\users\%username%\Local Settings\Temporary Internet Files"
> "History"="c:\temp\users\%username%\Local Settings\History"
> "Local Settings"="c:\temp\users\%username%\Local Settings"
>
> the same client joined to current domain (with the same adm settings) will
> not reproduce un-desired behavior.
>
> does anyone have any suggestions, guesses, etc?
>
> clients: windows xp sp3 (offline files disabled; set to delete local copies
> of profiles at log off)
>
> os: ubuntu 9.04 server
>
> samba: 3.3.2-1ubuntu3.2
>
> config:
>
> Server role: ROLE_DOMAIN_PDC
> [global]
>     workgroup = domain-name
>     server string = server-name
>     passdb backend = ldapsam:ldap://127.0.0.1
>     passwd program = /usr/sbin/smbldap-passwd -u "%u"
>     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>     log level = 5 vfs:0 smb:0
>     syslog = 0
>     log file = /var/log/samba/log.%h
>     max log size = 10000000
>     max xmit = 65535
>     socket options = TCP_NODELAY SO_SNDBUF=1638400 SO_RCVBUF=1638400 SO_KEEPALIVE
>     printcap name = cups
>     show add printer wizard = No
>     max stat cache size = 1024
>     add user script = /usr/sbin/smbldap-useradd -m "%u"
>     delete user script = /usr/sbin/smbldap-userdel "%u"
>     add group script = /usr/sbin/smbldap-groupadd -p "%g"
>     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>     delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>     logon script = logon.bat
>     logon path = \\%N\hives\%U
>     logon drive = " "
>     domain logons = Yes
>     os level = 65
>     preferred master = Yes
>     domain master = Yes
>     kernel oplocks = No
>     ldap admin dn = cn=admin,dc=domain-name,dc=bz
>     ldap group suffix = ou=Groups
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=Computers
>     ldap suffix = dc=domain-name,dc=bz
>     ldap ssl = no
>     ldap user suffix = ou=Users
>     utmp = Yes
>     panic action = /usr/share/samba/panic-action %d
>     cups options = raw
>     case sensitive = No
>     hide files = /desktop.ini/
>
> [netlogon]
>     path = /usershare/netlogon
>     write list = jorge
>     guest ok = Yes
>
> [hives]
>     comment = Profile Hive Directory
>     path = /userdata/hives/%a
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     browseable = No
>     csc policy = disable
>     oplocks = No
>     level2 oplocks = No
>     vfs objects = full_audit, recycle
>     full_audit:priority = notice
>     full_audit:facility = local5
>     full_audit:failure = connect mkdir rename unlink rmdir pwrite
>     full_audit:success = connect disconnect mkdir rename unlink rmdir pwrite
>     full_audit:prefix = %u|%S - %m|%I
>     recycle:maxsize = 0
>     recycle:versions = yes
>     recycle:touch = yes
>     recycle:keeptree = yes
>     recycle:repository = /userdata/user_trash/%U
>
> [profiles]
>     comment = Profile Data Directory
>     path = /userdata/profiles/%a
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     browseable = No
>     csc policy = disable
>     oplocks = No
>     level2 oplocks = No
>
> [printers]
>     comment = Printers
>     path = /var/spool/samba
>     admin users = @lpadmin
>     write list = @lpadmin, root
>     guest ok = Yes
>     printable = Yes
>     browseable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /etc/samba/drivers
>     admin users = @lpadmin
>     write list = @lpadmin, root
> --
> Charles
>
> Belmopan, Belize
>
> "... we just love cars and we love driving them!"
>
> http://www.cardomain.com/ride/2400106

solved.
the problem was the use of the %logonserver% variable in my policy file. it appears that the variable is not yet resolvable at the time the logon process checks for the existence of a credential file. using the actual server-name for the AppData environment remedied the problem. good luck.
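
An added example, not part of the original thread: a small checker that reads User Shell Folders values in the form listed in the post, reports which ones depend on %logonserver%, and pins AppData to a literal server name as the fix above describes. The function names are hypothetical, and "server-name" is the placeholder from the posted smb.conf.

```python
import re

# Constructed sample: a subset of the User Shell Folders values from the post.
POLICY = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"="%logonserver%\profiles\%username%\Application Data"
"Cookies"="%logonserver%\profiles\%username%\Cookies"
"Desktop"="%logonserver%\%username%\Desktop"
"Cache"="c:\temp\users\%username%\Local Settings\Temporary Internet Files"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
LOGONSERVER_RE = re.compile(r'%logonserver%', re.IGNORECASE)


def parse_values(text):
    """Return {value name: data} for every "name"="data" line."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = m.group("data")
    return values


def logonserver_dependent(values):
    """Names of folders whose path depends on %logonserver%."""
    return sorted(n for n, d in values.items() if LOGONSERVER_RE.search(d))


def pin_server(values, server, names=("AppData",)):
    """Replace %logonserver% with a literal UNC server for the given names."""
    # %logonserver% expands with leading backslashes, so keep them here.
    unc = "\\\\" + server.lstrip("\\")
    fixed = dict(values)
    for name in names:
        if name in fixed:
            # A callable replacement avoids backslash-escape processing.
            fixed[name] = LOGONSERVER_RE.sub(lambda _m: unc, fixed[name])
    return fixed


if __name__ == "__main__":
    vals = parse_values(POLICY)
    print("depends on %logonserver%:", logonserver_dependent(vals))
    for name, data in pin_server(vals, "server-name").items():
        print(f'"{name}"="{data}"')
```
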
