On Tuesday 10 June 2008 20:33:21 Jon Doran wrote:
> I've been at this for a few weeks, and have read quite a bit on the
> subject. I try to follow "Samba-3 by Example" as much as I can. I'll
> apologize in advance if my problems should be discussed elsewhere.
> Samba's involvement is integral, but I have no reason to suspect Samba
> is at fault.

Jon,

Email me your phone number ([EMAIL PROTECTED]) so I can work with you to
resolve this.

Cheers,
John T.

> I'll start by describing what is working. DHCP and DNS look fine. Samba
> is sharing folders without incident. LDAP is authenticating users, and I
> can log into an XP workstation once (!) before being kicked to the curb.
> Subsequent logons are met with
> "The system cannot log you on because your profile cannot be loaded".
>
> I also note that supplying an incorrect user/password from the XP box
> gives the appropriate response. So there is some degree of LDAP goodness.
>
> Roaming profiles are written to the proper share, and all files in a
> profile have the user's uid/gid. The profile directory is owned by root.
>
> Machines are able to join the domain without trouble. Their trust
> accounts are set up, and as I mentioned a user gets one logon.
>
> I started out today looking into why profiles could be written but not
> read. I ended up moving /var/lib/ldap aside and building a new database. I
> mention this so that it is clear the database has been recently wiped, and
> that the client machines are in God knows what state.
>
> A local group policy is on each of my test machines, which has turned off
> the ownership check and should be deleting profiles. In addition to this,
> at one point I have gone in as the local administrator and "cleaned" out
> stored profiles, using both the "User Profiles" off of the computer
> properties dialog, and by deleting files stored in "Documents and Settings".
>
> When I was logged on, folder redirection appeared to be working correctly.
>
> Rather than start out by sharing pages of config files, I wonder if it
> would be possible to narrow things down a bit. (Although I'll be happy to
> share the files). My gut feeling is that this is a local machine
> configuration problem, as the LDAP log shows a correct uid/gid match and
> the system _did_ log me on.
>
> Therefore I wonder why the profile could not be read (we are back to
> this), and are back in Samba territory. (As an aside, the local machine
> group policy says not to log a user out if there is a profile problem, but
> it happens anyways. I am guessing that the rest of the policy is
> preventing the system from creating a default profile.)
>
> I'll append my smb.conf since I feel that it has a lot of relevance:
>
> Any help would be greatly appreciated.
> Jon Doran
>
> #======================= Global Settings =====================================
>
> [global]
> workgroup = larc
> security = user
> passdb backend = ldapsam:ldap://wintermute.larc.local
> obey pam restrictions = no
> smb ports = 139
>
> ldap admin dn = cn=manager,dc=larc,dc=local
> ldap suffix = dc=larc,dc=local
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=People
> ldap passwd sync = yes
> # log level = 10
>
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password %n\n *all*authentication*tokens*updated*
>
> machine password timeout = 86400
>
> add user script = /usr/sbin/smbldap-useradd -m %u
> ldap delete dn = yes
> delete user script = /usr/sbin/smbldap-userdel %u
> add machine script = /usr/sbin/smbldap-useradd -w %u
> add group script = /usr/sbin/smbldap-groupadd -p %g
> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
> set primary group script = /usr/sbin/smbldap -g %g %u
> # end 5/28 mods
>
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> idmap uid = 500-10000000
> idmap gid = 500-10000000
> winbind use default domain = no
> winbind offline logon = false
> winbind enum users = no
> winbind enum groups = no
> client use spnego = true
>
> #from previous config
> #passdb backend=tdbsam
>
> # ----------------------- Network Related Options -------------------------
> #
> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
> #
> # server string is the equivalent of the NT Description field
> #
> # netbios name can be used to specify a server name not tied to the hostname
> #
> # Interfaces lets you configure Samba to use multiple interfaces
> # If you have multiple network interfaces then you can list the ones
> # you want to listen on (never omit localhost)
> #
> # Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
> # specify it as a per share option as well
> #
> server string = Samba Server Version %v
> # netbios name = WINTERMUTE
>
> ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
> ; hosts allow = 127. 192.168.12. 192.168.13.
>
> # --------------------------- Logging Options -----------------------------
> #
> # Log File let you specify where to put logs and how to split them up.
> #
> # Max Log Size let you specify the max size log files should reach
>
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
>
> # ----------------------- Standalone Server Options ------------------------
> #
> # Security can be set to user, share(deprecated) or server(deprecated)
> #
> # Backend to store user information in. New installations should
> # use either tdbsam or ldapsam. smbpasswd is available for backwards
> # compatibility. tdbsam requires no further configuration.
>
>
>
> # ----------------------- Domain Members Options ------------------------
> #
> # Security must be set to domain or ads
> #
> # Use the realm option only with security = ads
> # Specifies the Active Directory realm the host is part of
> #
> # Backend to store user information in. New installations should
> # use either tdbsam or ldapsam. smbpasswd is available for backwards
> # compatibility. tdbsam requires no further configuration.
> #
> # Use password server option only with security = server or if you can't
> # use the DNS to locate Domain Controllers
> # The argument list may include:
> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
> # or to auto-locate the domain controller/s
> # password server = *
>
> # realm = LARC.LOCAL
> # password server = larcserver.larc.local
>
> # ----------------------- Domain Controller Options ------------------------
> #
> # Security must be set to user for domain controllers
> #
> # Backend to store user information in. New installations should
> # use either tdbsam or ldapsam. smbpasswd is available for backwards
> # compatibility. tdbsam requires no further configuration.
> #
> # Domain Master specifies Samba to be the Domain Master Browser. This
> # allows Samba to collate browse lists between subnets. Don't use this
> # if you already have a Windows NT domain controller doing this job
> #
> # Domain Logons let Samba be a domain logon server for Windows workstations.
> #
> # Logon Script let you specify a script to be run at login time on the client
> # You need to provide it in a share called NETLOGON
> #
> # Logon Path let you specify where user profiles are stored (UNC path)
> #
> # Various scripts can be used on a domain controller or stand-alone
> # machine to add or delete corresponding unix accounts
> #
>
> domain master = yes
> domain logons = yes
>
> logon path = \\%L\profiles\%U
> logon drive = H:
>
> # logon home is for Win9X clients
> logon home = \\wintermute\home\%U
>
>
> # ----------------------- Browser Control Options ----------------------------
> #
> # set local master to no if you don't want Samba to become a master
> # browser on your network. Otherwise the normal election rules apply
> #
> # OS Level determines the precedence of this server in master browser
> # elections. The default value should be reasonable
> #
> # Preferred Master causes Samba to force a local browser election on startup
> # and gives it a slightly higher chance of winning the election
> local master = yes
> os level = 65
> preferred master = yes
>
> #----------------------------- Name Resolution -------------------------------
> # Windows Internet Name Serving Support Section:
> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
> #
> # - WINS Support: Tells the NMBD component of Samba to enable its WINS Server
> #
> # - WINS Server: Tells the NMBD components of Samba to be a WINS Client
> #
> # - WINS Proxy: Tells Samba to answer name resolution queries on
> # behalf of a non WINS capable client, for this to work there must be
> # at least one WINS Server on the network. The default is NO.
> #
> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
> # via DNS nslookups.
>
> wins support = yes
> # wins server = w.x.y.z    # register with another wins server
> ; wins proxy = yes
>
> dns proxy = yes
>
> # --------------------------- Printing Options -----------------------------
> #
> # Load Printers let you load automatically the list of printers rather
> # than setting them up individually
> #
> # Cups Options let you pass the cups libs custom options, setting it to raw
> # for example will let you use drivers on your Windows clients
> #
> # Printcap Name let you specify an alternative printcap file
> #
> # You can choose a non default printing system using the Printing option
>
> ; load printers = yes
> cups options = raw
>
> ; printcap name = /etc/printcap
> #obtain list of printers automatically on SystemV
> ; printcap name = lpstat
> ; printing = cups
>
> # --------------------------- Filesystem Options ---------------------------
> #
> # The following options can be uncommented if the filesystem supports
> # Extended Attributes and they are enabled (usually by the mount option
> # user_xattr). These options will let the admin store the DOS attributes
> # in an EA and make samba not mess with the permission bits.
> #
> # Note: these options can also be set just per share, setting them in global
> # makes them the default for all shares
>
> ; map archive = no
> ; map hidden = no
> ; map read only = no
> ; map system = no
> ; encrypt passwords = yes
> ; guest ok = no
> guest account = nobody
> username map = /etc/samba/smbusers
> ; store dos attributes = yes
>
>
> #============================ Share Definitions ==============================
>
> [homes]
> comment = Home Directories
> path=/home
> browseable = no
> writable = yes
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> ; guest ok = no
> ; writable = no
> printable = yes
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> guest ok = yes
> locking = no
> writable = no
> browsable = yes
> read only = yes
> share modes = no
>
> [profiles]
> comment = Profile Share
> path = /var/lib/samba/profiles
> writable = yes
> create mode = 0700
> directory mode = 0700
> public = yes
> guest ok = yes
> browsable = yes
>
> # profile acls = yes
> # read only = no
> # create mask = 0600
> # directory mask = 0700
> # store dos attributes = yes
> # short preserve case = no
> # case sensitive = no
> # guest ok = no
> # printable = no
> # browsable = no
> # # turn off client-side caching
> # csc policy = disabled
> # hide files = /desktop.ini/outlook.*lnk/*Briefcase*/ntuser.ini/NTUSER.*/
>
> [profdata]
> comment = Profile Data Share
> path = /var/lib/samba/profdata
> read only = no
> profile acls = yes

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (512) 970-0256

Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
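A small server-side audit script, added here as an example and not part of Jon's or John's messages. Jon's smb.conf puts each roaming profile under the [profiles] share in a directory named after the account (logon path = \\%L\profiles\%U, path = /var/lib/samba/profiles) and hands out create mode / directory mode 0700, and he reports that profile files carry the user's uid/gid while the share root is owned by root. The first server-side thing to rule out when a profile is written on the first logon but cannot be read back on the next is a per-user directory whose owner or mode no longer matches the account that needs to read it, so the script walks the share root and reports exactly that. It assumes GNU coreutils stat(1) for the -c format option; the directory names in the usage note are constructed, and the script says nothing about the XP-side policy Jon also suspects.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a Samba [profiles] share root:
# each per-user directory (named after the account, as with
# logon path = \\%L\profiles\%U) must be owned by that account and carry the
# mode the share hands out (create mode / directory mode = 0700 in the
# smb.conf above). Assumes GNU coreutils stat(1) for the -c format option.

# check_profile_dir DIR USER [MODE]
# Prints one line per problem found; returns 0 when DIR is owned by USER and
# has octal mode MODE (default 700), 1 otherwise. A uid with no passwd entry
# is reported by stat as UNKNOWN and therefore counts as a mismatch.
check_profile_dir() {
    dir=$1
    user=$2
    want_mode=${3:-700}
    rc=0
    owner=$(stat -c %U "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    if [ "$owner" != "$user" ]; then
        printf '%s: owned by %s, expected %s\n' "$dir" "$owner" "$user"
        rc=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        printf '%s: mode %s, expected %s\n' "$dir" "$mode" "$want_mode"
        rc=1
    fi
    return $rc
}

# audit_profile_share ROOT
# Treats every directory name directly under ROOT as a username and checks it
# with check_profile_dir. Returns the number of directories with problems
# (0 means every profile directory passed).
audit_profile_share() {
    root=$1
    bad=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        check_profile_dir "$d" "$(basename "$d")" 700 || bad=$((bad + 1))
    done
    return $bad
}

# Usage: sh profile_audit.sh /var/lib/samba/profiles
# (path taken from the [profiles] section of the smb.conf above).
if [ "$#" -gt 0 ]; then
    audit_profile_share "$1"
fi
```

Run it as root on the Samba server against the [profiles] path; a non-zero exit status is the number of profile directories that differ from what the share settings would have produced, and each offending directory is listed with the owner or mode that was actually found.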
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
