Hi,

In my case, the profile directory was already owned by a domain user who has a local account for Samba. I can see from the log file that the profile directory can be successfully opened and accessed.

The problem seems to be that Samba handles the security descriptor request in a different way from Windows. For example:

1) The security_desc response is different from Windows.
   Flags: the Canonicalized pathnames bit is not set, but Windows sets it.
   Flags2: the unicode string bit, Error code type bit, Security Signatures and Extended Attributes are not set in Samba, but Windows sets them.
   In the Security Descriptor, Samba responded with an owner ACL and a group ACL as well as an NT User ACL, but Windows simply responded with an ACL for the owner only.
2) The incoming requests after the NT_QUERY_SECURITY_DESC request are different from Windows.
   If profiles are stored on a Windows domain member, the incoming requests are Close/NT_Create_AndX/ReadAndX for loading a profile.
   If profiles are stored on Samba, I can only see Close/Logoff/TreeDisconnect requests. No requests to load profiles came from the Windows client.

So my case doesn't look like a profile owner issue. Could I ask whether you successfully use roaming profiles with Samba at the domain level? Is it 2.2 or 3.0?

Thanks for your response.
-Ying

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 28, 2005 10:50 PM
> To: Li, Ying (ESG); [email protected]
> Subject: RE: [Samba] Roaming profiles in domain level
>
> Hi,
>
> Windows checks the security acl of a profile.
> The user must be owner!
>
> Kind regards,
>
> Dirk Laurenz
> Systems Engineer
>
> Fujitsu Siemens Computers
> S CE DE SE PS N/O
> Sales Central Europe Deutschland
> Professional Service Nord / Ost
>
> Hildesheimer Strasse 25
> 30880 Laatzen
> Germany
>
> Telephone: +49 (511) 84 89 - 18 08
> Telefax: +49 (511) 84 89 - 25 18 08
> Mobile: +49 (170) 22 10 781
> Email: mailto:[EMAIL PROTECTED]
> Internet: http://www.fujitsu-siemens.com
> http://www.fujitsu-siemens.de/services/index.html
>
> -| -----Original Message-----
> -| From: [EMAIL PROTECTED] rg [mailto:[EMAIL PROTECTED] .samba.org] On Behalf Of Li, Ying (ESG)
> -| Sent: Friday, April 29, 2005 12:27 AM
> -| To: [email protected]
> -| Subject: [Samba] Roaming profiles in domain level
> -|
> -| Hi Everyone,
> -|
> -| Does anybody use roaming profiles in domain level?
> -|
> -| I'm looking for help setting up Samba as a NT4 domain member to
> -| support roaming profiles for sharing during domain logon of Windows
> -| clients. I ran into the problems.
> -| Log files couldn't show specified
> -| messages, except for BUFFER_TOO_SMALL.
> -|
> -| If a profile share directory is mounted on a Windows NT DC or a
> -| Windows domain member, all Windows clients can successfully use
> -| roaming profiles in that share during domain logon. If the profile
> -| share is mounted on a Samba server that is a NT4 domain member, and
> -| successfully joined to the domain, then all Windows clients can save
> -| profiles to the share. But only Windows NT clients can load roaming
> -| profiles from Samba. WinXP (SP1/SP2) and Win2K (SP4) couldn't
> -| download roaming profiles from the Samba profiles share.
> -|
> -| I captured network traffic of domain logon for profiles stored on
> -| both Windows and Samba domain members. By comparing behaviors, it
> -| looks like Samba couldn't handle the case well. I've tried both
> -| Samba2.2.12 and samba3.0.7. All have the same problem. So I'm
> -| looking for others' experiences, to see if Samba has the capability to
> -| provide roaming profiles in domain level.
> -|
> -| I have all log files or ethereal log files. If needed, I can send
> -| them to you as reference. Any hints or help would be greatly
> -| appreciated.
> -|
> -| Thanks in advance.
> -| -Ying Li
> -|
> -| smb.conf
> -| [global]
> -|     server string = Samba Serves as Roaming profiles
> -|     security = DOMAIN
> -|     workgroup = NT4_DOMAIN_NAME
> -|     password server = *
> -|     encrypt passwords = yes
> -|     log level = 10
> -|     log file = /var/opt/samba/log.%m
> -|     # followings for Samba3.0 only
> -|     idmap uid = 10000-20000
> -|     idmap gid = 10000-20000
> -|     winbind use default domain = yes
> -|     winbind enum users = yes
> -|     winbind enum groups = yes
> -|     winbind separator = ;
> -| [profiles]
> -|     path = /profiles
> -|     browseable = no
> -|     guest ok = yes
> -|
> -| The directory /profiles is owned by root with 777 permission, and
> -| includes all directories for a profile saved by Windows.
> -| On Windows DC, set up profile path to \\sambaserver\profiles\username
> -| for all domain users.
> -| --
> -| To unsubscribe from this list go to the following URL and read the
> -| instructions: https://lists.samba.org/mailman/listinfo/samba
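
Added example, not part of the thread or of Samba: a shell audit for the ownership point raised in the reply ("The user must be owner!") applied to a layout like the posted /profiles/username one. It assumes each directory under the profile root is named after the local account that should own it and that account names contain no whitespace; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a roaming-profile root on the Samba server.
# Assumption: <root>/<username> should be owned by <username>.

# Print the owner of a path as ls -ld reports it (name, or numeric uid
# when the uid cannot be resolved). Assumes no whitespace in the name.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# audit_profiles ROOT
# Prints one line per finding and returns:
#   0 = no findings, 1 = at least one finding, 2 = ROOT is not a directory
audit_profiles() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue          # unmatched glob or non-directory
        dir=${dir%/}
        expected=${dir##*/}                # directory name = expected owner
        actual=$(owner_of "$dir")
        if [ "$actual" != "$expected" ]; then
            echo "OWNER-MISMATCH $dir owner=$actual expected=$expected"
            rc=1
        fi
        # -perm -0002 matches when the "other" write bit is set
        if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
            echo "WORLD-WRITABLE $dir"
            rc=1
        fi
    done
    return $rc
}

# Usage (path taken from the posted smb.conf): audit_profiles /profiles
```

A clean run only shows that the Unix-side ownership and mode match this convention; it says nothing about how the server maps them into the security descriptor it returns to the client.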
