Linux - Networking (LinuxQuestions.org forum): for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1 | 11-30-2006, 03:14 PM | LQ Newbie | Registered: Nov 2006 | Posts: 3
Samba 3.0.22 Local Profiles Inconsistent with BDC
Hello,
This is my first post, apologies for any potential logic gaps.
I've recently deployed a Samba 3.0.22 BDC with LDAP. Our current PDC is running Samba 3.0.23d Tdbsam. (My future goal is to move to a completely LDAP system, this is an intermediate step)
We don't use roaming profiles.
The problem is: When a user logs on through the BDC instead of the PDC, they get a new local profile instead of the original local profile they've been using for a while now. If the user authenticates via the PDC, they are logged on with their original profile. How do I get it so that the user gets the same profile regardless of logging onto the BDC or PDC?
It appears that re-joining the client to the domain solves this issue, but I don't have the time to go through the 300+ machines by myself.
I suspect the problem might be a flawed migration between the PDC and BDC. My migration simply takes all the information given by 'pdbedit -Lv' and for each entry adds a new user by smbldap-useradd on the BDC machine. I've also hacked the smbldap-useradd script to allow me to copy over the NT and LM password hashes so users can log on to the BDC without having to rejoin the domain. I was also careful to preserve logon scripts and profile paths, but SIDs are different for users.
Any ideas what the problem might be? How does the client XP machine even know it's logged onto a different server?
I've attached the smb.conf and smbldap.conf for the BDC below.
Thanks in advance!
Jack C Yu
A Hungry Undergrad of UCB
---------------------------------------
BDC smb.conf:
[global]
unix charset = ISO8859-1
workgroup = CNR-DOM2
server string = G42-6 Samba PDC (with LDAP) [Gentoo Linux - Samba %v]
interfaces = eth0
bind interfaces only = Yes
passdb backend = ldapsam:ldap://localhost
enable privileges = Yes
log level = 2
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = wins host lmhosts
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /etc/samba/scripts/addMachine.sh u a -m "%u"
delete user script = /etc/samba/scripts/addMachine.sh u d "%u"
add group script = /etc/samba/scripts/addMachine.sh g a -p "%g"
delete group script = /etc/samba/scripts/addMachine.sh g d "%g"
add user to group script = /etc/samba/scripts/addMachine.sh g m -m "%u" "%g"
delete user from group script = /etc/samba/scripts/addMachine.sh g m -x "%u" "%g"
set primary group script = /etc/samba/scripts/addMachine.sh u m -g "%g" "%u"
add machine script = /etc/samba/scripts/addMachine.sh u a -w "%u"
logon path =
logon home =
domain logons = Yes
os level = 65
preferred master = No
domain master = No
dns proxy = No
wins server = 128.32.253.219
ldap admin dn = cn=samba,ou=DSA,dc=cnr,dc=berkeley,dc=edu
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=cnr,dc=berkeley,dc=edu
ldap ssl = start tls
ldap timeout = 30
ldap user suffix = ou=People
passdb expand explicit = No
idmap backend = ldap://localhost
idmap uid = 10000-30000
idmap gid = 10000-30000
hosts allow = 128.32.175.0/255.255.255.0, 128.32.251.0/255.255.255.0, 128.32.253.192/255.255.255.192, 128.32.179.0/255.255.255.0, 128.32.113.0/255.255.255.128, 128.32.76.0/255.255.255.224, 128.32.85.0/255.255.255.0, 128.32.27.0/255.255.255.0, 128.32.222.128/255.255.255.128, 128.32.127.0/255.255.255.0, 128.32.88.0/255.255.255.0, 128.32.128.0/255.255.255.0, 128.32.236.0/255.255.255.0, 128.32.140.0/255.255.255.128, 128.32.129.192/255.255.255.192, 128.32.110.0/255.255.255.0, 199.133.139.0/255.255.255.0, 136.152.0.0/255.255.0.0, 128.48.164.0/255.255.255.0, 128.32.218.128/255.255.255.128, 128.32.8.0/255.255.255.0, 169.229.13.0/255.255.255.192, 169.229.61.0/255.255.255.128, 169.229.159.0/255.255.255.192, 169.229.136.192/255.255.255.192, 169.229.197.128/255.255.255.192, 128.32.188.0/255.255.255.128, 128.32.54.64/255.255.255.192, 127.0.0.0/255.255.0.0
hide unreadable = Yes
[netlogon]
path = /var/lib/samba/netlogon
browseable = No
--------------------------------------------------------
BDC smbldap.conf
SID="S-1-5-21-1668661-2091613485-1446904402"
sambaDomain="CNR-DOM2"
slaveLDAP="128.32.175.76"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="1"
verify="require"
cafile="/etc/openldap/ssl/certs/ca.pem"
clientcert="/etc/openldap/ssl/certs/smb-ldap.pem"
clientkey="/etc/openldap/ssl/keys/smb-ldap.key"
suffix="dc=cnr,dc=berkeley,dc=edu"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=CNR-DOM2,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format=""
userLoginShell="/bin/false"
userHome=""
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="3650"
userSmbHome=""
userProfile=""
userHomeDrive=""
userScript=""
mailDomain=""
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
#2 | 12-01-2006, 02:15 AM | LQ Newbie | Registered: Sep 2003 | Location: Australia | Distribution: Smooth, Deb, Ubu, KNX, RH mainly | Posts: 25
suggestion
Both servers need identical
profile path = ......
directives (pointing to the same resource, not the same path on different systems).
Good Luck
#3 | 12-01-2006, 02:52 PM | LQ Newbie | Registered: Nov 2006 | Posts: 3 | Original Poster
Thanks eendoe,
Wouldn't specifying a "profile path = ..." directive pointing to some shared resource be implementing roaming profiles? Or is there no way to avoid roaming profiles when one wants to have a BDC and PDC together?
#4 | 12-01-2006, 03:14 PM | LQ Newbie | Registered: Sep 2003 | Location: Australia | Distribution: Smooth, Deb, Ubu, KNX, RH mainly | Posts: 25
misread question
Sorry, I misread your question; I thought that you wanted identical roaming profiles from both DCs.
Have a look in Documents and Settings on your Windows hosts.
1. You will most likely see profile names starting with different servers/NetBIOS domains. This will give you an indication of what is happening.
2. I'm not sure if you can override these with a client path:
profile path = C:\Document and Settings\%U (probably won't work).
3. I suspect the root of your issues is caused by this:
"but SIDs are different for users"
Try implementing fully centralised user authentication (point your PDC to the LDAP database).
Good luck
#5 | 12-18-2006, 03:18 PM | LQ Newbie | Registered: Nov 2006 | Posts: 3 | Original Poster
Ok, problem fixed =]
Turns out I was running two different versions of Samba on the servers. Updated both servers to run Samba 3.0.23d and all works well.
Also, I made sure that I had the same SIDs for all users on both machines.
I made a note that it is much easier to use "pdbedit -e tdbsam:filename" on the source machine and then do "pdbedit -i tdbsam:filename" on the machine I'm migrating to.
Thanks again eendoe,
Jack
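The SID mismatch that post #1 describes and post #5 fixes can be checked mechanically before users hit the BDC. The script below is an added example, not code from the thread: it reduces two 'pdbedit -Lv' dumps (constructed samples here, with placeholder SIDs rather than the thread's domain SID) to username/SID pairs and lists every account whose SID differs between PDC and BDC, i.e. every account Windows would give a fresh local profile.

```shell
#!/bin/sh
# Added example (not from the thread): check that every account carries the same
# SID on the PDC and the BDC. Windows keys the local profile on the user SID, so a
# differing SID on the BDC yields a fresh profile. Inputs are 'pdbedit -Lv' dumps;
# the two below are constructed samples with placeholder SIDs.
PDC_DUMP='---------------
Unix username:        jack
User SID:             S-1-5-21-111-222-333-1000
Primary Group SID:    S-1-5-21-111-222-333-513
---------------
Unix username:        alice
User SID:             S-1-5-21-111-222-333-1002
Primary Group SID:    S-1-5-21-111-222-333-513'
BDC_DUMP='---------------
Unix username:        jack
User SID:             S-1-5-21-111-222-333-1000
Primary Group SID:    S-1-5-21-111-222-333-513
---------------
Unix username:        alice
User SID:             S-1-5-21-999-888-777-1004
Primary Group SID:    S-1-5-21-999-888-777-513'

# sid_map: reduce a pdbedit -Lv dump to "username sid" lines, sorted by user.
sid_map() {
    printf '%s\n' "$1" | awk '
        /^Unix username:/ { user = $3 }
        /^User SID:/      { print user, $3 }' | sort
}

# sid_mismatches: one line per account whose SID differs between the two dumps
# or that exists on only one side; empty output means the passdbs agree.
sid_mismatches() {
    {
        sid_map "$1" | sed 's/^/PDC /'
        sid_map "$2" | sed 's/^/BDC /'
    } | awk '
        $1 == "PDC" { pdc[$2] = $3; next }
                    { bdc[$2] = $3 }
        END {
            for (u in pdc) { b = (u in bdc) ? bdc[u] : "MISSING"
                if (b != pdc[u]) printf "%s pdc=%s bdc=%s\n", u, pdc[u], b }
            for (u in bdc) if (!(u in pdc)) printf "%s pdc=MISSING bdc=%s\n", u, bdc[u]
        }' | sort
}

# On real hosts: capture 'pdbedit -Lv' output on each DC and pass the text in.
sid_mismatches "$PDC_DUMP" "$BDC_DUMP"
```

After a migration done with "pdbedit -e" / "pdbedit -i" as in post #5, which carries the SIDs across unchanged, this check should print nothing.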
#6 | 12-19-2006, 04:43 AM | LQ Newbie | Registered: Sep 2003 | Location: Australia | Distribution: Smooth, Deb, Ubu, KNX, RH mainly | Posts: 25
You deserve all the kudos here my friend. Bliss.