Gabriel Preston
2003-Jan-14 15:32 UTC
[Samba] Problems with migrating from local to roaming profiles
Hello everyone! I have had a lot of luck with mailing lists in the past, so I'm hoping this one works out well also. I've recently helped my company move from an NT4 PDC to a Samba 2.2.7a PDC and everything has gone smoothly until this point. We made the decision to migrate to roaming profiles so our users could move around and use whichever computer they wanted to unlike before, but hit a snag in the process.

I followed someone's instructions by logging into the local machine as the administrator and opening up "User Profiles" and copying the profiles to our network share on the Samba machine. I then recursively chown-ed their profiles so that they had ownership over their stuff and I believe the ACLs were set up properly using setfacl. I then joined the machine into the new domain, logged out, and then attempted to log back in. This is where we found the problem. The file NTUSER.DAT which contains that user's HKEY_CURRENT_USER information was not being copied into the registry properly, so the machine was acting as if the person had never logged in before. It would try and install things on demand again like Microsoft Outlook but complain about the installation files. The little Internet Connection Wizard would appear on the desktop again. Also, users' settings were not being saved on logout.

I found that if I put these users in the administrator's group on the Samba machine everything acted just fine, but this isn't a proper solution. I've also found that if I don't give this person a profile to start with at all, it creates their entire profile in their /home/username/profile directory without a hitch and any changes they make to their desktop from there out saves just fine.

I am apparently missing something in one of two places; my smb.conf file, or my process of moving each user's profile from the local machine to the Samba server.

With that said, here is a copy of my smb.conf file so hopefully you can pick out something in there that is set wrong or missing entirely:

[global]
; basic settings
netbios name = SGI-FILE
workgroup = SGILLC
server string = File and Authentication Server
; act as domain and local master browser
os level = 65
preferred master = yes
domain master = yes
local master = yes
; server security settings
hosts allow = 65.242.179.0/255.255.255.128
; user security settings
security = user
encrypt passwords = yes
min password length = 7
; password synchronization
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
obey pam restrictions = yes
; support domain logons
domain logons = yes
; script to automatically add machine trust accounts
add user script = /usr/sbin/useradd -d /dev/null -g winwkst -s /bin/false %u
; home directory settings
logon path = \\%L\%U\profile
logon home = \\%L\%U
logon drive = H:
; logon script
;logon script = logon.bat
; map users and groups
domain admin group = @winadmin
username map = /etc/samba/smbusers
nt acl support = no
; load all cups printers
printcap name = cups
load printers = yes
printing = cups
; activate time server
time server = yes
; activate wins server
wins support = yes
; log settings
log file = /var/log/samba/log.%m
log level = 3
max log size = 1024
; tcp socket setting optimizations
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
; misc options
;hide local users = yes
[profile]
create mode = 0600
directory mode = 0700
;path = /home/profile
read only = no
writeable = yes
browseable = no
[netlogon]
comment = Domain logon service
path = /usr/home/_netlogon
writeable = no
[homes]
Comment = Home directory
browseable = no
writeable = yes
[printers]
Comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
guest ok = yes
writable = no
printable = yes
printer admin = root @winadmin
[print$]
comment = Printer Drivers
path = /etc/samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = root @winadmin
[install]
Comment = Software Repository
path = /usr/home/_export/install
browseable = yes
writeable = no
write list = @winadmin
[data]
Comment = Network File Store
path = /usr/home/_export/data
browseable = yes
writeable = yes
Thank you in advance for any help you all can give on the matter.
Regards,
Gabriel Preston
--
Gabriel D. Preston Network Administrator
SGI, LLC 111 Broadway NY, NY 10006
"Networking is when you can not get any work done
because of the failure of a machine you have never
even heard of."
John H Terpstra
2003-Jan-14 22:32 UTC
[Samba] Problems with migrating from local to roaming profiles
On Tue, 14 Jan 2003, Gabriel Preston wrote:

> Hello everyone! I have had a lot of luck with mailing lists in the past, so
> I'm hoping this one works out well also. I've recently helped my company move
> from an NT4 PDC to a Samba 2.2.7a PDC and everything has gone smoothly until
> this point. We made the decision to migrate to roaming profiles so our users
> could move around and use whichever computer they wanted to unlike before, but
> hit a snag in the process.

That happens when one is learning. :)

> I followed someone's instructions by logging into the local machine as the
> administrator and opening up "User Profiles" and copying the profiles to our
> network share on the Samba machine. I then recursively chown-ed their profiles
> so that they had ownership over their stuff and I believe the ACL's were set up
> properly using setfacl. I then joined the machine into the new domain, logged
> out, and then attempted to log back in. This is where we found the problem.
> The file NTUSER.DAT which contains that user's HKEY_CURRENT_USER information
> was not being copied into the registry properly, so the machine was acting as
> if the person had never logged in before.

Well, the reason is that you did NOT migrate the profiles according to the procedures Microsoft document in the MS Windows NT4 and 2000 resource kits. You see the NTUser.DAT file is keyed to the user's SID and the Domain SID of the NT4 environment in which they were created. You need to either use the NT4 procedure as documented in the resource kit for migrating the profile, something that Microsoft only supports within the one domain anyhow, or else use the profile editing tool that Richard Sharpe has provided and that is part of samba-3.0.0 that will appear in the next alpha. Meanwhile you could download the source from the CVS tree and compile it yourself. It is called profiles.c.

It would be best to build samba-3.0.0 from the CVS tree as this tool is built automatically when you do it this way.

> It would try and install things on demand again like Microsoft Outlook
> but complain about the installation files.
> The little Internet Connection Wizard would appear on the desktop again. Also,
> users settings were not being saved on logout.

All of this is fixed by correct profile migration procedures as per the resource kit instructions.

> I found that if I put these users in the administrator's group on the Samba
> machine everything acted just fine, but this isn't a proper solution. I've
> also found that if I don't give this person a profile to start with at all, it
> creates their entire profile in their /home/username/profile directory without
> a hitch and any changes they make to their desktop from there out saves just
> fine.
>
> I am apparently missing something in one of two places; my smb.conf file, or my
> process of moving each user's profile from the local machine to the Samba
> server.

See above.

>
> With that said, here is a copy of my smb.conf file so hopefully you can pick
> out something in there that is set wrong or missing entirely:

The problem is not your smb.conf.

- John T.

>
> [global]
> ; basic settings
> netbios name = SGI-FILE
> workgroup = SGILLC
> server string = File and Authentication Server
>
> ; act as domain and local master browser
> os level = 65
> preferred master = yes
> domain master = yes
> local master = yes
>
> ; server security settings
> hosts allow = 65.242.179.0/255.255.255.128
>
> ; user security settings
> security = user
> encrypt passwords = yes
> min password length = 7
>
> ; password synchronization
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %
> n\n*passwd:*all*authentication*tokens*updated*successfully*
> obey pam restrictions = yes
>
> ; support domain logons
> domain logons = yes
>
> ; script to automatically add machine truct accounts
> add user script = /usr/sbin/useradd -d /dev/null -g winwkst -
> s /bin/false %u
>
> ; home directory settings
> logon path = \\%L\%U\profile
> logon home = \\%L\%U
> logon drive = H:
>
> ; logon script
> ;logon script = logon.bat
>
> ; map users and groups
> domain admin group = @winadmin
> username map = /etc/samba/smbusers
>
> nt acl support = no
>
> ; load all cups printers
> printcap name = cups
> load printers = yes
> printing = cups
>
> ; activate time server
> time server = yes
>
> ; activate wins server
> wins support = yes
>
> ; log settings
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 1024
>
> ; tcp socket setting optimizations
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> ; misc options
> ;hide local users = yes
>
> [profile]
> create mode = 0600
> directory mode = 0700
> ;path = /home/profile
> read only = no
> writeable = yes
> browseable = no
>
> [netlogon]
> comment = Domain logon service
> path = /usr/home/_netlogon
> writeable = no
>
> [homes]
> Comment = Home directory
> browseable = no
> writeable = yes
>
> [printers]
> Comment = All Printers
> path = /var/spool/samba
> browseable = no
> public = yes
> guest ok = yes
> writable = no
> printable = yes
> printer admin = root @winadmin
>
> [print$]
> comment = Printer Drivers
> path = /etc/samba/drivers
> browseable = yes
> guest ok = no
> read only = yes
> write list = root @winadmin
>
> [install]
> Comment = Software Repository
> path = /usr/home/_export/install
> browseable = yes
> writeable = no
> write list = @winadmin
>
> [data]
> Comment = Network File Store
> path = /usr/home/_export/data
> browseable = yes
> writeable = yes
>
>
> Thank you in advance for any help you all can give on the matter.
>
> Regards,
>
> Gabriel Preston
>
>

--
John H Terpstra Email: jht@samba.org
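
The SID keying described in the reply above, as an added example (not code from this thread and not Samba's profiles tool): it encodes SIDs in their binary form, finds account SIDs of the old domain in a byte buffer, and rewrites them to the new domain SID while keeping each RID. The domain SIDs and the sample buffer are constructed, and scanning raw bytes stands in for parsing the hive's security descriptors.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout used in security descriptors."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte), authority (6 bytes, big-endian),
    # then each sub-authority as a 32-bit little-endian integer
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def find_domain_sids(blob: bytes, domain_sid: str):
    """Return (offset, rid) for each account SID in blob that belongs to domain_sid."""
    dom = sid_to_bytes(domain_sid)
    # An account SID is the domain SID plus one more sub-authority (the RID),
    # so its count byte is one higher and the rest of the prefix is identical.
    prefix = bytes([dom[0], dom[1] + 1]) + dom[2:]
    hits, pos = [], blob.find(prefix)
    while pos != -1:
        end = pos + len(prefix)
        if end + 4 <= len(blob):
            hits.append((pos, struct.unpack_from("<I", blob, end)[0]))
        pos = blob.find(prefix, pos + 1)
    return hits

def rekey(blob: bytes, old_domain: str, new_domain: str) -> bytes:
    """Rewrite every old-domain account SID to the new domain, keeping the RID."""
    old, new = sid_to_bytes(old_domain), sid_to_bytes(new_domain)
    if len(old) != len(new):
        raise ValueError("domain SIDs must have the same number of sub-authorities")
    out = bytearray(blob)
    for off, _rid in find_domain_sids(blob, old_domain):
        out[off + 2: off + len(new)] = new[2:]   # keep revision and count bytes
    return bytes(out)

# Constructed sample data: not a real hive, just two account SIDs inside filler bytes.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed NT4 domain SID
NEW_DOMAIN = "S-1-5-21-4000000001-555555555-666666666"     # constructed Samba domain SID
SAMPLE = (b"regf" + b"\x00" * 12 + sid_to_bytes(OLD_DOMAIN + "-1004")
          + b"\xff" * 8 + sid_to_bytes(OLD_DOMAIN + "-512") + b"\x00" * 4)

if __name__ == "__main__":
    print(find_domain_sids(SAMPLE, OLD_DOMAIN))
    print(find_domain_sids(rekey(SAMPLE, OLD_DOMAIN, NEW_DOMAIN), NEW_DOMAIN))
```

Because the old SIDs stay embedded in the copied file, ownership fixed with chown and setfacl on the server does not change which accounts the hive itself refers to.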