Hi all,
I have a BDC which uses the LDAP backend of my PDC. Unfortunately all the users
who log in in the morning and who are processed by this BDC do not get their
logon script executed. The BDC logs this error message:
[2013/05/24 07:28:11.946577, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [foobar] -> [foobar] ->
[foobar] succeeded
[2013/05/24 07:28:11.948108, 0] param/loadparm.c:8686(process_usershare_file)
process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed.
File or directory not found
[2013/05/24 07:28:12.976867, 0] param/loadparm.c:8686(process_usershare_file)
process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed.
Access denied
[2013/05/24 07:28:12.979372, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: foobar
I did not understand why the BDC looks for netlogon at
/var/lib/samba/usershares/netlogon, so I double-checked my smb.conf on both PDC
and BDC. Here are the relevant options in smb.conf:
***PDC***smb.conf:
[global]
...
security = user
passdb backend = ldapsam:ldap://172.16.0.1
logon script = %U.bat
logon path = \\pdc\profiles\%U
logon drive = U:
domain logons = Yes
preferred master = Yes
local master = Yes
domain master = Yes
os level = 254
wins support = Yes
...
[netlogon]
comment = Logon batch
path = /file01/netlogon
write list = "@Domain Admins"
[profiles]
comment = Centralized Roaming Profiles
path = /file01/profile
read only = No
browseable = No
***BDC***smb.conf:
[global]
...
security = user
passdb backend = ldapsam:ldap://172.16.0.1/
logon script = \\pdc\netlogon\%U.bat
logon path = \\pdc\profiles\%U
logon drive = U:
domain logons = Yes
preferred master = No
local master = No
domain master = No
os level = 20
password server = *
; wins server = 172.16.0.1
I realized that no [netlogon] and [profiles] shares exist on the BDC. But there
are no known problems with profiles for users who were handled by the BDC. Only
logon scripts don't work? Is it possible that the option "logon script = " DOES
NOT ALLOW the use of a UNC path like I am using? So this is the problem, and
Samba falls back to the default path /var/lib/samba/usershares/netlogon and
looks there for the logon script?
If so, what should my [netlogon] share on the BDC look like? Do I have to
rsync/copy the content of pdc://file01/netlogon to bdc:/somedir/netlogon and
use the following lines in the BDC's smb.conf?
logon script = %U.bat
[netlogon]
comment = BDC Logon batch
path = /somedir/netlogon
write list = "@Domain Admins"
Will that be enough, or am I wrong? I would also like to know if I could use "os
level = 0" on the BDC, because I don't need/want the BDC to handle domain
logon procedures; that would be the easiest way in my case. Now you ask why the
heck I need it to run as a BDC :-) It's because I can't use winbind on the
BDC and I need the correct user/group mappings. And that's only possible
either by using winbind on the BDC with idmapping, or by running as a BDC so it
uses the locally managed database of the PDC. In my case it was really much
easier to use the BDC method, because if I used winbind it would result in
different ids (those of the winbind idmapping ranges) and access would be denied
to lots of my existing shares. As a result I would have to chmod all of my used
dirs/paths, which is a lot of work. That's why I chose the much easier way as a
BDC. But that's not very important; I'd just like to know if "os level = 0"
would be OK or cause some other trouble?
Any help and feedback is really appreciated. Thanks to all.
Lucas
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
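The following is an added example, not part of Lucas's post and not code from the Samba project. It is a small sanity check for the two things the BDC log above points at: a server with `domain logons = Yes` but no [netlogon] section (the log shows smbd then stat'ing a usershare named netlogon instead), and a `logon script` written as a UNC path although smb.conf(5) documents the parameter as a path relative to the [netlogon] share. It parses only the subset of smb.conf syntax used in the post ([section] headers, `key = value` lines, `;`/`#` comment lines); the three config fragments are constructed here to mirror the PDC, the BDC as posted, and the BDC with the local [netlogon] share the post proposes (the /somedir/netlogon path is the post's own placeholder, not a real path).

```python
"""Flag the two domain-logon misconfigurations the BDC log above points at.

Added example (not code from the post or from the Samba project). Parses only
[section] headers, `key = value` lines and `;`/`#` comments; Samba itself is
not needed, the config fragments below are constructed to mirror the post.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")


def parse_smb_conf(text):
    """Return {section: {parameter: value}}, names lower-cased like Samba does."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # skip blank lines, comments and the "..." elision copied from the post
        if not line or line[0] in ";#" or line == "...":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            # parameter names are case-insensitive; collapse internal whitespace
            key = re.sub(r"\s+", " ", key.strip().lower())
            conf[section][key] = value.strip().strip('"')
    return conf


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_logon_config(text):
    """Return a list of findings; an empty list means nothing to complain about."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if not is_true(g.get("domain logons", "no")):
        return findings  # not a domain logon server, nothing below applies
    if "netlogon" not in conf:
        # No [netlogon] section: smbd looks for a usershare of that name instead,
        # which is the usershares/netlogon stat failure seen in the BDC log.
        findings.append("domain logons = yes but no [netlogon] share is defined")
    script = g.get("logon script", "")
    if script.startswith("\\\\") or script.startswith("//"):
        # smb.conf(5): logon script is a path relative to the [netlogon] share
        findings.append("logon script %r is a UNC path; use a path relative to [netlogon]" % script)
    return findings


# Constructed fragments mirroring the post (raw strings keep the backslashes).
PDC_CONF = r"""
[global]
security = user
passdb backend = ldapsam:ldap://172.16.0.1
logon script = %U.bat
logon path = \\pdc\profiles\%U
domain logons = Yes
domain master = Yes
[netlogon]
comment = Logon batch
path = /file01/netlogon
write list = "@Domain Admins"
[profiles]
path = /file01/profile
read only = No
"""

BDC_CONF = r"""
[global]
security = user
passdb backend = ldapsam:ldap://172.16.0.1/
logon script = \\pdc\netlogon\%U.bat
logon path = \\pdc\profiles\%U
domain logons = Yes
domain master = No
os level = 20
password server = *
; wins server = 172.16.0.1
"""

# The BDC with the local [netlogon] share proposed in the post
# (/somedir/netlogon is the post's placeholder, not a real path).
BDC_FIXED_CONF = BDC_CONF.replace(r"\\pdc\netlogon\%U.bat", "%U.bat") + r"""
[netlogon]
comment = BDC Logon batch
path = /somedir/netlogon
write list = "@Domain Admins"
"""

if __name__ == "__main__":
    for name, text in (("PDC", PDC_CONF), ("BDC as posted", BDC_CONF),
                       ("BDC with local netlogon", BDC_FIXED_CONF)):
        print(name + ":", audit_logon_config(text) or ["ok"])
```

Run it as-is to see the BDC fragment produce both findings and the fixed fragment none; point `audit_logon_config` at `open("/etc/samba/smb.conf").read()` to check a real server, keeping in mind it ignores `include =` lines and does not verify that the [netlogon] `path` exists on disk.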