I have been working on this problem for quite some time now and have not been able to find the solution.

I have Samba running on Debian Linux 3.0 (Woody) as a primary domain controller. From my Windows 2000 desktop I am able to browse that Linux server with Windows Explorer.

My biggest problem is trying to log in to that domain. Under Windows 2000 I am able to join the domain (sjmlinux) but after I restart the Windows desktop and attempt to log in to that domain, Windows gives me a message like, "cannot create profile directory \\servername\profiledirectory.pds". It then proceeds to assign me a generic profile that cannot be updated.

The profile directory has fairly liberal write access so the Windows machine should have sufficient rights to create or delete any files or directories it deems necessary. One, of many, things I do not understand is where the .pds suffix that the message indicates is coming from. It certainly is not what I have defined for the profile directory in smb.conf and it is not something that I have seen before.

I have seen some documents that referred to creating a policy file (*.pol) with the Windows server policy editor tool. However, I understand profiles to be much more than a single file and that they are actually a directory structure that contains everything from desktop colors to your recent files list. Under Windows 2000 this is essentially what you see in your subdirectory of the Documents and Settings folder.

I am sure that somebody must have seen this issue before as I have seen reference to it in the archives; I had just never seen what the solution is. Below is a snippet of my smb.conf file that I believe would contain the pertinent information.

[global]

# Change this for the workgroup/NT-domain name your Samba server will part of
workgroup = sjmlinux
netbios name = sjmpdc

# server string is the equivalent of the NT Description field
server string = %h server (Samba %v)

guest account = nobody
invalid users = root

# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
max log size = 1000

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smb,nmb} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# security_level.txt for details.
security = user

# You may wish to use password encryption. Please read ENCRYPTION.txt,
# Win95.txt and WinNT.txt in the Samba documentation. Do not enable this
# option unless you have read those documents
encrypt passwords = true

# Support Domain logins
domain logons = true

# Admin group (temp solution)
domain admin group = @staff

# User profile path
logon path = \\%N\home\%u\ntprofile

# Where is the user's home directory and what is the drive
logon drive = H:
logon home = \\%N\home\%u\pchome

# Specify a generic logon script for all users
# this is a relative **DOS** path to the [netlogon] share
logon script = logon.bat

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
os level = 64

domain master = yes
preferred master = yes

wins support = yes

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

# Name mangling options
preserve case = yes

unix password sync = true

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash

#======================= Share Definitions ======================

[homes]
comment = Home Directories
browseable = yes

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0775

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0775

valid users = %u
guest ok = no
path = /home/%u/pchome

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writable = no
share modes = no
write list = @staff

# Share for User's profiles
[profiles]
path = /home/%u/ntprofile
writable = yes
directory mode = 0700
create mode = 0600

----------------
Sincerely,

Scott Millhisler
SJM Computer Consulting

On Mon, 10 Mar 2003, Scott Millhisler wrote:

> I have been working on this problem for quite some time now and have not
> been able to find the solution.

Please see comments below.

- John T.

>
> I have Samba running on Debian Linux 3.0 (Woody) as a primary domain
> controller. From my Windows 2000 desktop I am able to browse that Linux
> server with Windows Explorer.
>
> My biggest problem is trying to log in to that domain. Under Windows
> 2000 I am able to join the domain (sjmlinux) but after I restart the
> Windows desktop and attempt to log in to that domain, Windows gives me a
> message like, "cannot create profile directory
> \\servername\profiledirectory.pds". It then proceeds to assign me a
> generic profile that cannot be updated.
>
> The profile directory has fairly liberal write access so the Windows
> machine should have sufficient rights to create or delete any files or
> directories it deems necessary. One, of many, things I do not
> understand is where the .pds suffix that the message indicates is coming
> from. It certainly is not what I have defined for the profile directory
> in smb.conf and it is not something that I have seen before.
>
> I have seen some documents that referred to creating a policy file
> (*.pol) with the Windows server policy editor tool. However, I
> understand profiles to be much more than a single file and that they are
> actually a directory structure that contains everything from desktop
> colors to your recent files list. Under Windows 2000 this is essentially
> what you see in your subdirectory of the Documents and Settings folder.
>
> I am sure that somebody must have seen this issue before as I have seen
> reference to it in the archives; I had just never seen what the solution
> is. Below is a snippet of my smb.conf file that I believe would contain
> the pertinent information.
>
> [global]
>
> # Change this for the workgroup/NT-domain name your Samba server will part of
> workgroup = sjmlinux
> netbios name = sjmpdc
>
> # server string is the equivalent of the NT Description field
> server string = %h server (Samba %v)
>
> guest account = nobody
> invalid users = root
>
> # This tells Samba to use a separate log file for each machine
> # that connects
> log file = /var/log/samba/log.%m
>
> # Put a capping on the size of the log files (in Kb).
> max log size = 1000
>
> # We want Samba to log a minimum amount of information to syslog. Everything
> # should go to /var/log/samba/log.{smb,nmb} instead. If you want to log
> # through syslog you should set the following parameter to something higher.
> syslog = 0
>
> # "security = user" is always a good idea. This will require a Unix account
> # in this server for every user accessing the server. See
> # security_level.txt for details.
> security = user
>
> # You may wish to use password encryption. Please read ENCRYPTION.txt,
> # Win95.txt and WinNT.txt in the Samba documentation. Do not enable this
> # option unless you have read those documents
> encrypt passwords = true
>
> # Support Domain logins
> domain logons = true
>
> # Admin group (temp solution)
> domain admin group = @staff
>
> # User profile path
> logon path = \\%N\home\%u\ntprofile

Suggest you try:

    logon path = \\%L\home\%U\ntprofile

Make absolutely sure that the directory 'ntprofile' exists (and is
writable) - BEFORE - the user logs on.

A MUCH better suggestion is to put profiles in a 'profiles' share, that is
the way it is done in MS Windows land. It allows you to set more suitable
smb.conf parameters for profile handling for the shared resource for which
it may be needed.

In this case you would have a share like:

[Profiles]
    comment = Roaming Profile Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes

and the following to match it:

    logon path = \\%L\Profiles\%U

>
> # Where is the user's home directory and what is the drive
> logon drive = H:
> logon home = \\%N\home\%u\pchome

Suggest you set this to:

    logon home = \\%L\home\%U\pchome

Again making sure that the directory 'pchome' exists and is writable.

>
> # Specify a generic logon script for all users
> # this is a relative **DOS** path to the [netlogon] share
> logon script = logon.bat
>
> # Most people will find that this option gives better performance.
> # See speed.txt and the manual pages for details
> # You may want to add the following on a Linux system:
> # SO_RCVBUF=8192 SO_SNDBUF=8192
> socket options = TCP_NODELAY
>
> # set local master to no if you don't want Samba to become a master
> # browser on your network. Otherwise the normal election rules apply
> local master = yes
>
> # OS Level determines the precedence of this server in master browser
> # elections. The default value should be reasonable
> os level = 64
>
> domain master = yes
> preferred master = yes
>
> wins support = yes
>
> # This will prevent nmbd to search for NetBIOS names through DNS.
> dns proxy = no
>
> # Name mangling options
> preserve case = yes
>
> unix password sync = true
>
> # Some defaults for winbind (make sure you're not using the ranges
> # for something else.)
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> template shell = /bin/bash
>
> #======================= Share Definitions ======================
>
> [homes]
> comment = Home Directories
> browseable = yes
>
> # By default, the home directories are exported read-only. Change next
> # parameter to 'yes' if you want to be able to write to them.
> writable = yes
>
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
> create mask = 0775
>
> # Directory creation mask is set to 0700 for security reasons. If you want to
> # create dirs. with group=rw permissions, set next parameter to 0775.
> directory mask = 0775
>
> valid users = %u
> guest ok = no
> path = /home/%u/pchome
>
> # Un-comment the following and create the netlogon directory for Domain Logons
> # (you need to configure Samba to act as a domain controller too.)
> [netlogon]
> comment = Network Logon Service
> path = /home/samba/netlogon
> guest ok = yes
> writable = no
> share modes = no
> write list = @staff
>
> # Share for User's profiles
> [profiles]
> path = /home/%u/ntprofile
> writable = yes
> directory mode = 0700
> create mode = 0600
>
> ----------------
> Sincerely,
>
> Scott Millhisler
> SJM Computer Consulting
>

--
John H Terpstra
Email: jht@samba.org

First of all, I would like to thank you for your prompt reply.

Unfortunately you lost me on a couple of issues and I am hoping that you can clarify them.

We exchanged:

>> # User profile path
>> logon path = \\%N\home\%u\ntprofile
>
>Suggest you try:
>
>    logon path = \\%L\home\%U\ntprofile
>
>Make absolutely sure that the directory 'ntprofile' exists (and is
>writable) - BEFORE - the user logs on.
>
>A MUCH better suggestion is to put profiles in a 'profiles' share, that is
>the way it is done in MS Windows land. It allows you to set more suitable
>smb.conf parameters for profile handling for the shared resource for which
>it may be needed.
>
>In this case you would have a share like:
>
>[Profiles]
>    comment = Roaming Profile Share
>    path = /var/lib/samba/profiles
>    read only = No
>    profile acls = Yes
>
>and the following to match it:
>
>    logon path = \\%L\Profiles\%U

In this exchange you indicate that it would be better to have a 'profiles' share, contrasting it to my global definition of logon path. I am not sure if you saw it or not, but in my original message it was a profiles share defined at the end. It did differ from yours in that the path pointed to the science have used in the global area.

I created a profiles directory under the samba directory as indicated above. Do I need to create subdirectories in that profiles directory for all of the users before they logon or will Windows create the subdirectories as needed during a user's first logon?

Also, you wrote to set my logon path to \\%L\Profiles\%U to match 'it'. What 'it' are you referring to? Should this logon path be set in the profiles share definitions or the global, thus replacing the one I have there now? I currently do not have a profiles directory off of root, which is where I assume that would be referring to, but I can certainly create one. Either that, or do I totally misunderstand the usage of %L?

---------- Original Message ----------------------------------
From: John H Terpstra <jht@samba.org>
Date: Mon, 10 Mar 2003 18:36:31 +0000 (GMT)

John:

I thought it would be a good idea to follow up with how I came out with my problem of getting Samba configured correctly as a PDC.

While I hate to admit it publicly, the main stumbling block in my attempts to get Samba working correctly was my lack of understanding on how Samba shares are handled. For whatever reason I read about them over and over but never looked at their usage correctly, especially when assigning a value to one of the path parameters. With that key piece of understanding missing I was not setting up the directory structure correctly.

A good example of this is the Profiles share. Wherever the logon path pointed to the profiles share I would always want to create a directory to match how the logon path appeared. Therefore if the logon path appeared as:

    logon path = \\%L\profiles

I would view that as needing to have a directory off the root of my server called "profiles", as opposed to that referring to the path of the profiles share. Of course I knew that there was a share defined as "profiles" but somehow I thought that either Windows or Samba was referring to that by some other means. It sounds stupid now but it made sense at the time! :-)

Anyway, I have it working now and it is all making perfect sense. Thank you for all of your help.

Scott Millhisler
SJM Computer Consulting -- Perry, Michigan

---------- Original Message ----------------------------------
From: John H Terpstra <jht@samba.org>
Date: Tue, 11 Mar 2003 05:38:25 +0000 (GMT)

>On Mon, 10 Mar 2003, Scott Millhisler wrote:
>
>> First of all, I would like to thank you for your prompt reply.
>>
>> Unfortunately you lost me on a couple of issues and I am hoping that you can clarify them.
>>
>> We exchanged:
>>
>> >> # User profile path
>> >> logon path = \\%N\home\%u\ntprofile
>> >
>> >Suggest you try:
>> >
>> >    logon path = \\%L\home\%U\ntprofile
>> >
>> >Make absolutely sure that the directory 'ntprofile' exists (and is
>> >writable) - BEFORE - the user logs on.
>> >
>> >A MUCH better suggestion is to put profiles in a 'profiles' share, that is
>> >the way it is done in MS Windows land. It allows you to set more suitable
>> >smb.conf parameters for profile handling for the shared resource for which
>> >it may be needed.
>> >
>> >In this case you would have a share like:
>> >
>> >[Profiles]
>> >    comment = Roaming Profile Share
>> >    path = /var/lib/samba/profiles
>> >    read only = No
>> >    profile acls = Yes
>> >
>> >and the following to match it:
>> >
>> >    logon path = \\%L\Profiles\%U
>>
>> In this exchange you indicate that it would be better to have a
>> 'profiles' share, contrasting it to my global definition of logon path.
>> I am not sure if you saw it or not, but in my original message it was a
>> profiles share defined at the end. It did differ from yours in that the
>> path pointed to the science have used in the global area.
>
>Your logon path directs the profiles into the users' home directory into
>a subdirectory called "ntprofile".
>
>Your original profiles share will thus not be used at all.
>
>> I created a profiles directory under the samba directory as indicated
>> above. Do I need to create subdirectories in that profiles directory
>> for all of the users before they logon or will Windows create the
>> subdirectories as needed during a user's first logon?
>
>Yes. You need to create those directories so that Samba can store the
>profiles. In the absence of the proper directory the profile will not be
>written to your profiles share.
>
>>
>> Also, you wrote to set my logon path to \\%L\Profiles\%U to match 'it'.
>> What 'it' are you referring to? Should this logon path be set in the
>> profiles share definitions or the global, thus replacing the one I have
>> there now? I currently do not have a profiles directory off of root,
>> which is where I assume that would be referring to, but I can certainly
>> create one. Either that, or do I totally misunderstand the usage of %L?
>
>Your "logon path" settings need to match a storage area within your Samba
>server file system. The 'it' refers to the "Profiles" share settings I
>gave you.
>
>In my case I store profiles under /var/lib/samba/profiles/'username'
>
>The %U translates to the 'username'.
>
>The %L is a macro that translates to the name by which you refer to the
>samba server. So if your samba server is called 'FRED' and "logon path
>\\%L\Profiles\%U" and you access the Samba server by the name "FRED" then
>it will map to \\FRED\Profiles\'username'. Thus if your username is
>'jbloggs', the full profile path will be: \\FRED\Profiles\jbloggs.
>
>Given my path statement in the [Profiles] definition this will result in
>the files being written to (or read from):
>
>    /var/lib/samba/profiles/jbloggs
>
>Does that clear the air now?
>
>- John T.
>--
>John H Terpstra
>Email: jht@samba.org
>
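
Added example (not part of the original thread and not Samba's own code): the mapping discussed above, from the "logon path" UNC through the share's "path" to a directory on the server, followed by a check that the directory exists before first logon. The function names and the `root` parameter are hypothetical, the sample smb.conf is constructed from the settings quoted in the thread, and flagging group/other write access is this example's own policy choice.

```python
"""Resolve a Samba 'logon path' to the server-side directory it lands in."""
import os
import re
import stat

# Constructed sample: the [Profiles] share and logon path suggested in the thread.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = sjmlinux
   domain logons = true
   logon path = \\%L\Profiles\%U

[Profiles]
   comment = Roaming Profile Share
   path = /var/lib/samba/profiles
   read only = No
   profile acls = Yes
"""

def parse_smb_conf(text):
    """Return {section_lower: {param_lower: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def expand(value, server, user):
    """Expand only the two macros explained in the thread: %L and %U."""
    return value.replace("%L", server).replace("%U", user)

def resolve_logon_path(conf, server, user):
    """Return (expanded UNC path, directory on the server's file system)."""
    unc = expand(conf["global"]["logon path"], server, user)
    parts = [p for p in unc.split("\\") if p]   # [server, share, subdirs...]
    if len(parts) < 2:
        raise ValueError("logon path is not of the form \\\\server\\share")
    share_name, subdirs = parts[1], parts[2:]
    # The second UNC component is a share NAME, looked up as a section in
    # smb.conf; it is not a directory off the root of the server.
    share = conf.get(share_name.lower())
    if share is None or "path" not in share:
        raise LookupError("logon path names share '%s', but no such share "
                          "section with a path is defined" % share_name)
    base = expand(share["path"], server, user)
    return unc, os.path.join(base, *subdirs)

def check_profile_dir(directory, root="/"):
    """Return a list of problems with the profile directory (empty if fine).

    'root' is a hypothetical prefix so the check can be tried on a scratch tree.
    """
    full = os.path.join(root, directory.lstrip("/"))
    if not os.path.isdir(full):
        return ["missing: create it before the user's first logon"]
    problems = []
    mode = stat.S_IMODE(os.stat(full).st_mode)
    if not mode & stat.S_IWUSR:
        problems.append("owner cannot write")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):   # assumption: example policy
        problems.append("group/other writable (mode %04o)" % mode)
    return problems

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    unc, directory = resolve_logon_path(conf, "FRED", "jbloggs")
    print(unc, "->", directory)
    print(check_profile_dir(directory) or "ok")
```

The check only inspects permission bits; ownership of each per-user directory still has to be set to the matching Unix account when the directory is created.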