Roaming profile permissions..

Ateo · 12-23-2004, 06:45 PM

I'm trying to set up my samba server as PDC. So far, I'm able to login. The issue is the workstation cannot load either the roaming profile nor the local profile when I log into the domain.

So let's talk about making sure permissions are correct on the [profile] directory. Well, I'd love to chat about it but I have yet to find any examples that discusses the correct permissions of this directory. So, I've tried different combinations of owner, groups and permissions but non seem to work.

There is much inconsistancy in all of the examples I've run across so I'm weary of which example to follow and there isn't a single thread that has actually suggested that anyone has successfully got roaming profiles to work with samba. Sure, I've seen people claim it works but when I try some of their smb.conf parameters and nothing works, I'm lead to think... Can samba even perform the task of PDC?

I've been working on this for almost a week. I'm getting tired of diddling with it. I'd like someone to explain how samba is even remotely an alternative if it can't be made to work.

Anyways, I'm rambling on. I'm determined to get this working. Here's my conf

Code:

[global]
  ##
  ## Server Naming Options
  ##
  netbios name = shadow
  workgroup = XDRACCO
  server string = xDracco PDC [on Gentoo :: Samba server %v]

  ##
  ## Security and Domain Membership Options
  ##
  hosts allow = 192.168.4.0/24 127.0.0.0/8
  security = domain
  encrypt passwords = yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  interfaces = lo eth0
  bind interfaces only = yes
  local master = yes
  os level = 65
  domain master = yes
  preferred master = yes
  null passwords = no
  hide unreadable = yes
  hide dot files = yes

  ##
  ## Domain Control Options
  ##
  domain logons = yes
  logon script = login.bat
  logon path = \\%L\profiles\%U
  logon drive = H:
  logon home = \\%L\%U\.9xprofile

  ##
  ## Name Resolution Options
  ##
  wins support = yes
  name resolve order = wins lmhosts hosts bcast
  dns proxy = no

  ##
  ## Misc Options
  ##
  time server = yes
  log file = /var/log/samba3/log.%m
  max log size = 50
  smb passwd file = /etc/samba/private/smbpasswd

  add user script = /usr/sbin/useradd -m %u
  delete user script = /usr/sbin/userdel =r %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  add user to group script = /usr/sbin/usermod -G %g %u
  add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u

  unix charset = ISO8859-1

  ;;net groupmap modify ntgroup="Domain Admins"  unixgroup=root
  ;;net groupmap modify ntgroup="Domain Users"   unixgroup=smbusers
  ;;net groupmap modify ntgroup="Domain Guests"  unixgroup=nobody
  ;; THESE DO NOT WORK, ANYONE KNOW WHY???

[netlogon]
  path = /var/lib/samba/netlogon
  public = no
  writeable = no
  browseable = no

[profiles]
  path = /var/lib/samba/profiles
  nt acl support = no
  csc policy = disable
  profile acls = no
  browseable = no
  read only = no
  default case = lower
  preserve case = no
  short preserve case = no
  case sensitive = no
  hide files = /desktop.ini/ntuser.ini/NTUSER.*/
  write list = @smbusers @root
  create mask = 0600
  directory mask = 0700

[homes]
  path = /home/%U
  browseable = no
  valid users = %S
  writable = yes
  guest ok = no
  inherit permissions = yes

Here are my permissions on relevant directories:

Code:

shadow samba # ls -l
total 0
drwxr-xr-x  3 root root 136 Dec 23 14:44 netlogon
drwxr-xr-x  7 root root 168 Dec 14 17:10 printers
drwx------  2 root root 136 Dec 23 10:26 private
drwxr-xr-x  4 root root 120 Dec 23 15:29 profiles

And my user profile (chmod 1757):

Code:

shadow profiles # ls -l
total 0
drwxr-xrwt  3 dracco users 72 Dec 23 15:15 dracco

The directories above are located in /var/lib/samba.

Here's my smbpasswd file:

Code:

mrwhite$:1006:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:098D646BA14259AAA6E386A1CE61C4E0:[W          ]:LCT-41CB4761:
dracco:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:74A37A09BC6380B97B4825DE7FD1EF80:[U          ]:LCT-41CB32C2:
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FFC8FEC9189DD3278203EC837D977A0F:[U          ]:LCT-41CB472F:
bigtom:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:A4EE944C02878F8E95E8F824FA708A16:[U          ]:LCT-41CB48E1:

And finally, when I log in to the Win2k machine, I'm told that a copy of my profile exists on the server but cannot be loaded unless the directory is owned by the user or an Administrator. As you can see, I own my own folder.

I would also need to mention that the login.bat script is successfully executed on login. It successfully maps 3 of the shared drives (not listed in the conf above) and my home directory (/home/dracco).

Any help would be appreciated.

[edit]
This book is great help unfortunately, it's a little outdated. http://www.oreilly.com/catalog/samba...ook/index.html

Thanks

Ateo · 12-23-2004, 08:35 PM

So I figured it out. Apparently, the parameters under the scope [profiles] was too aggressive. I probably had some options listed not even available for/compiled into samba, I really don't know. But this is what did it for me.

I changed

Code:

[profiles]
  path = /var/lib/samba/profiles
  nt acl support = no
  csc policy = disable
  profile acls = yes
  browseable = yes
  create mode = 0700
  ;directory mode = 0700
  read only = no
  default case = lower
  preserve case = no
  short preserve case = no
  case sensitive = no
  hide files = /desktop.ini/ntuser.ini/NTUSER.*/
  write list = @smbusers @root

TO

Code:

[profiles]
  path = /var/lib/samba/profiles
  browseable = no
  writeable = yes
  default case = lower
  preserve case = no
  short preserve case = no
  case sensitive = no
  hide files = /desktop.ini/ntuser.ini/NTUSER.*/
  write list = @smbusers @root
  create mode = 0600
  directory mode = 0700

Also, these are the permissions set to my profiles share

Code:

shadow samba # ls -l /var/lib/samba
total 0
drwxr-xr-x  3 root root 136 Dec 23 14:44 netlogon
drwxr-xr-x  7 root root 168 Dec 14 17:10 printers
drwx------  2 root root 136 Dec 23 10:26 private
drwxr-xr-x  3 root root  96 Dec 23 15:42 profiles
shadow profiles # ls -l /var/lib/samba/profiles
total 0
drwxrwx---  13 dracco users 456 Dec 23 17:31 dracco

Hopefully this will help someone out as setting up samba as PDC with roaming profiles does really work.

Darin · 12-24-2004, 09:52 AM

Code:

# part of being a PDC is providing domain logons
    domain logons = yes
    logon path = \\%N\profiles\%u
    logon drive = K:

...

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S

## these are for acting like a PDC
[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    browseable = no
    read only = no
    valid users = %S

[profiles]
    path = /home/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700

Those are the relevant parts of mine, roaming profiles DO work, I know because my fresh install of windows on a new machine had my desktop with all the dead links for software I didn't have installed.

If you set it up right with, I think, the logon path command you should be able to get it to serve the profiles from the user's home directories and then you should be OK with default file permissions.

Ateo · 12-24-2004, 05:00 PM

I was able to successfully get my PDC up and running. As such, I created a HOWTO (geared towards Gentoo users but any intermediate linux admins should be able to figure it out).

http://forums.gentoo.org/viewtopic.php?t=270569