Hi List,

we have a 130+ PC network running windows XP on the clients, with win2000 and samba servers (SuSE 7.3 distribution rpm for samba 2.2.3 and SuSE 8.0 selfcompiled samba 2.2.5). The windows servers just authenticate the users, and provide some additional services (Terminal Server and some special software packages). Print- and File- services are provided by the samba servers.

We use roaming profiles that are stored on the samba servers. Up to now we did not have any problems with that - at least after I found out that you must disable NT ACL support on the profile shares.

Now we installed XP service pack 1 on one client - and the client can not access the profile anymore. It complains about not owning the share or not being member of the Administrator group (even though we tried with a domain admin account).

Has anybody an idea whether this problem can be solved with the current samba version (and how)? Or has anybody made the same / different experiences?

Thanks for your help

HW

Here is a part of smb.conf

    # Samba config file created using SWAT
    # from XXXXXXXX (XXX.XXX.XX.XXX)
    # Date: 2002/09/10 12:51:06

    # Global parameters
    [global]
        workgroup = XXX
        netbios name = XXX
        server string = Samba XX XX
        security = DOMAIN
        encrypt passwords = Yes
        map to guest = Bad User
        password server = xxx.xxx.xxx.xxx
        passwd program =
        passwd chat =
        name resolve order = bcast lmhosts host wins
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        character set = ISO8859-15
        os level = 2
        preferred master = False
        local master = No
        domain master = False
        kernel oplocks = No
        host msdfs = Yes
        winbind uid = 10000-20000
        winbind gid = 20000-30000
        printer admin = xxxx
        printing = lprng

    [profiles]
        path = /home/profiles
        read only = No
        create mask = 0700
        directory mask = 0700
        nt acl support = No

Two things come to mind. Try re-applying the XP sign or seal patch, and delete the relevant entries in /etc/passwd & shadow, /etc/samba/smbpasswd and rejoin the domain. See e-mail from me with subject:

Re:[Samba] Joining domain XP

It explains an easy approach to automate joining the domain.

Chow, Trevor.

----- Original Message -----
From: "Hans Wurst" <WasteBin@gmx.ch>
To: <samba@lists.samba.org>
Sent: Tuesday, September 10, 2002 1:00 PM
Subject: [Samba] Profiles XP and Service Pack 1

Hi Trevor,

thanks for your fast response, but I think I was not clear enough: we do not have a samba PDC but a Windows 2000 controlled Active Directory Installation, where the samba servers act as standalone file-servers. They have successfully joined the Win-Domain and use the win servers for password verification. Users are created manually on the linux servers (without a valid shell) and group memberships are used to allow / deny access to certain shares - independent from the win domain.

The problem seems to be that the "NT ACL SUPPORT = no" option is not tolerated anymore by XP after upgrade to service pack one. We, however, depend on that option to get the profile shares working (because we do not use winbind to create users).

We will try whether the registry patch makes a difference, and I will let you know.

Cheers

HW

Hi Trevor, Hi list

the registry patch did not have an influence - neither did changing the share's ownership from root to a domain admin. Perhaps somebody can help me with the comment in the Win2kSP2 readme - Why is "NT ACL support = no" not necessary when winbind is used to create users?

And again, any further feedback is greatly appreciated.

Thanks

HW

Hi Andrew, Hi list

thank you very much for your comment, after changing the ownership of the profile files on the server to a domain admin everything works fine again. So, the quick solution is working smoothly.

It leaves the following questions: Either we give every user his/her own private group and set the file ownership for the profile to admin.privategroup, or everybody can modify other people's profiles. Or we change the setup to winbind, which possibly results in the same user having different userids on different samba servers - not a solution for us, because we mirror all servers to a backup server and expect the userids to be consistent.

Is there a solution for this (i.e. a fancy way to ensure consistent unix uids on different servers even when running winbind)? What happens if /etc/passwd /etc/shadow /etc/group are copied from a server running winbind to other samba servers (not running winbind)?

Maybe the private unix groups are the way to go for the moment.

Again, thanks a lot

HW

> Hans Wurst wrote:
>>
>> Hi Trevor, Hi list
>>
>> the registry patch did not have an influence - neither did changing
>> the share's ownership from root to a domain admin. Perhaps somebody can
>> help me with the comment in the Win2kSP2 readme - Why is "NT ACL
>> support = no" not necessary when winbind is used to create users?
>> And again, any further feedback is greatly appreciated.
>
> The only reason to ever set 'nt acl support = no' is if the SIDs that
> Samba returns as owning the files are invalid (to the client). This
> occurs on standalone Samba servers, and Samba servers that are members
> of a domain but not running Winbind.
>
> So, this setting is not necessary on a Winbind-based installation.
>
> The reason we need this setting at all is because Win2k/WinXP make
> additional checks on the files. Furthermore, it appears that WinXP SP1
> no longer allows 'no acl support' as a valid option (As win2k SP2 did)
> on a profile share - the files *must* be owned by either an
> administrator or the user themselves.
>
> Andrew Bartlett
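An added example, not part of the thread and not Samba code: a Python audit of a profile tree for the two conditions discussed above, namely Andrew's rule that profile files must be owned by an administrator or the user, and HW's concern that group-writable files let other users modify a profile. It assumes one directory per user under the share path and, by default, a private group named after the user; `audit_profiles`, `admins` and `private_group` are hypothetical names.

```python
import grp
import os
import pwd
import stat
import tempfile

def _name(lookup, ident):
    """Resolve a uid/gid to its name; fall back to the number if unmapped."""
    try:
        return lookup(ident)[0]  # pw_name / gr_name are field 0
    except KeyError:
        return str(ident)

def audit_profiles(root, admins, private_group=lambda user: user):
    """Return sorted (relative path, problem) pairs for root/<user>/ trees."""
    findings = []
    for user in sorted(os.listdir(root)):
        top = os.path.join(root, user)
        if os.path.islink(top) or not os.path.isdir(top):
            continue
        for dirpath, _dirs, files in os.walk(top):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # permission bits of a symlink mean nothing
                rel = os.path.relpath(path, root)
                owner = _name(pwd.getpwuid, st.st_uid)
                group = _name(grp.getgrgid, st.st_gid)
                if owner != user and owner not in admins:
                    findings.append((rel, "owner is neither user nor admin"))
                if st.st_mode & stat.S_IWOTH:
                    findings.append((rel, "writable by everyone"))
                if st.st_mode & stat.S_IWGRP and group != private_group(user):
                    findings.append((rel, "writable by a shared group"))
    return sorted(findings)

def demo():
    """Audit a constructed tree in a temp dir; no real share is touched."""
    me = _name(pwd.getpwuid, os.getuid())
    with tempfile.TemporaryDirectory() as root:
        for user in ("user_a", "user_b"):
            os.mkdir(os.path.join(root, user), 0o700)
        hive = os.path.join(root, "user_b", "NTUSER.DAT")
        open(hive, "w").close()
        os.chmod(hive, 0o660)  # group-writable, owner stands in for the admin
        my_group = _name(grp.getgrgid, os.lstat(hive).st_gid)
        shared = audit_profiles(root, admins=[me])
        private = audit_profiles(root, [me], lambda user: my_group)
        return shared, private
```

On a server the call would be `audit_profiles("/home/profiles", admins=[...])` with the unix account that owns the profiles; an empty list means neither condition was found.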