Hi Everyone,

Does anybody use roaming profiles in domain level?

I'm looking for help with setting up Samba as a NT4 domain member to support roaming profiles for sharing during domain logon of Windows clients. I ran into problems. Log files couldn't show specified messages, except for BUFFER_TOO_SMALL.

If a profile share directory is mounted on a Windows NT DC or a Windows domain member, all Windows clients can successfully use roaming profiles in that share during domain logon. If the profile share is mounted on a Samba server that is a NT4 domain member, and successfully joined to the domain, then all Windows clients can save profiles to the share. But only Windows NT clients can load roaming profiles from Samba. WinXP (SP1/SP2) and Win2K (SP4) couldn't download roaming profiles from the Samba profiles share.

I captured network traffic of domain logon for profiles stored on both Windows and Samba domain members. By comparing behaviors, it looks like Samba couldn't handle the case well. I've tried both Samba 2.2.12 and Samba 3.0.7. All have the same problem. So I'm looking for others' experiences, and to see if Samba has the capability to provide roaming profiles in domain level.

I have all log files and ethereal log files. If needed, I can send them to you as reference. Any hints or help would be greatly appreciated.

Thanks in advance.
-Ying Li

smb.conf:

    [global]
        server string = Samba Serves as Roaming profiles
        security = DOMAIN
        workgroup = NT4_DOMAIN_NAME
        password server = *
        encrypt passwords = yes
        log level = 10
        log file = /var/opt/samba/log.%m
        # the following are for Samba 3.0 only
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = ;

    [profiles]
        path = /profiles
        browseable = no
        guest ok = yes

The directory /profiles is owned by root with 777 permission, and includes all directories for a profile saved by Windows. On the Windows DC, set up the profile path as \\sambaserver\profiles\username for all domain users.
Dirk.Laurenz@fujitsu-siemens.com
2005-Apr-29 05:51 UTC
[Samba] Roaming profiles in domain level
Hi,

Windows checks the security ACL of a profile. The user must be owner!

Kind regards,

Dirk Laurenz
Systems Engineer

Fujitsu Siemens Computers
S CE DE SE PS N/O
Sales Central Europe Deutschland
Professional Service Nord / Ost

Hildesheimer Strasse 25
30880 Laatzen
Germany

Telephone: +49 (511) 84 89 - 18 08
Telefax: +49 (511) 84 89 - 25 18 08
Mobile: +49 (170) 22 10 781
Email: mailto:dirk.laurenz@fujitsu-siemens.com
Internet: http://www.fujitsu-siemens.com
http://www.fujitsu-siemens.de/services/index.html

-| -----Original Message-----
-| From: samba-bounces+dirk.laurenz=fujitsu-siemens.com@lists.samba.org
-| [mailto:samba-bounces+dirk.laurenz=fujitsu-siemens.com@lists.samba.org] On Behalf Of Li, Ying (ESG)
-| Sent: Friday, April 29, 2005 12:27 AM
-| To: samba@lists.samba.org
-| Subject: [Samba] Roaming profiles in domain level
Hi,

In my case, the profile directory was already owned by a domain user who has a local account for Samba. I can see from the log file that the profile directory can be successfully opened and accessed. The problem seems to be that Samba handled the security descriptor request in a different way from Windows. For example:

1) The security_desc response is different from Windows. Flags: the "Canonicalized pathnames" bit is not set. But Windows did. Flags2: the Unicode string bit, Error code type bit, Security Signatures and Extended Attributes are not set in Samba. But Windows did. In the Security Descriptor, Samba responded with an owner ACL and group ACL as well as an NT User ACL. But Windows only responded with an ACL for the owner.

2) Incoming requests after the NT_QUERY_SECURITY_DESC request are different from Windows. If profiles are stored on a Windows domain member, the incoming requests are Close/NT_Create_AndX/ReadAndX for loading a profile. If profiles are stored on Samba, I can only see Close/Logoff/TreeDisconnect requests. No profile-loading requests occurred from the Windows client.

So my case doesn't look like a profile owner issue. Could I ask you if you successfully use roaming profiles in Samba domain level? Is it 2.2 or 3.0?

Thanks for your response.
-Ying

> -----Original Message-----
> From: Dirk.Laurenz@fujitsu-siemens.com [mailto:Dirk.Laurenz@fujitsu-siemens.com]
> Sent: Thursday, April 28, 2005 10:50 PM
> To: Li, Ying (ESG); samba@lists.samba.org
> Subject: RE: [Samba] Roaming profiles in domain level
>
> Hi,
>
> Windows checks the security acl of a profile.
> The user must be owner!
I've finally found out how to use roaming profiles in domain level.

Samba 2.2 and 3.0 always check the owner's ACL for profile directories. But Samba returns the correct owner ACL in a slightly different format from Windows. For example:

Samba as the profiles resource responds with this owner ACL for the profile directory:

    Owner: S-1-5-21-2951980089-3660375505-290094901-1224
    Revision: 1
    Num Auth: 5
    Authority: 5
    Sub-authorities: 21-2951980089-3660375505-290094901
    RID: 1224

Windows as the profiles resource responds with this owner ACL for the profile directory:

    Owner: S-1-5-21-2951980089
    Revision: 1
    Num Auth: 5
    Authority: 5
    Sub-authorities: 21-2951980089

Even if the profile's owner is a valid domain user with accessible permissions on all files/directories in the profile directory, Windows clients would disallow access to the profiles, and stop sending incoming requests for loading profiles.

Windows 2K/XP clients have a registry value to control whether to check the owner ACL for profile directories. I used it to not check ownership. Go to Group Policy / Local Computer Configuration / Administrative Templates / System / Logon for Windows 2K/XP, and enable "Do not Check for User Ownership of Roaming Profiles Folders". The default value is "Not configured".

This works for me. Thanks.
-Ying
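The two owner SIDs captured above differ only in how many sub-authorities appear, even though both captures declare "Num Auth: 5". The block below is an added example and not code from this thread or from Samba: it parses SIDs in the string form ethereal printed and in the binary form carried inside an SMB security descriptor, and applies the ownership rule Dirk described (the profile folder's owner must be the logging-on user). The binary decoder rejects a SID whose declared sub-authority count does not match the bytes present instead of guessing, which is the check an investigator would want when deciding whether a short owner SID came from the server or from a truncated display. Names such as `Sid`, `owner_check` and `is_well_formed` are this example's own; the SID values are the ones quoted in the thread.

```python
"""Added example (not from the thread or from Samba): parse and compare
Windows security identifiers (SIDs) in string and binary form, and apply
the roaming-profile ownership rule described in the thread."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int          # 48-bit identifier authority (5 = NT Authority)
    sub_authorities: tuple  # (21, a, b, c, rid) for a domain user

    @property
    def rid(self):
        """Relative identifier: the last sub-authority, if any."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain(self):
        """Domain part: every sub-authority except the RID."""
        return self.sub_authorities[:-1]


def sid_from_string(text):
    """Parse 'S-1-5-21-...-1224' into a Sid."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % text)
    subs = tuple(int(p) for p in parts[3:])
    if len(subs) > 15:  # SID_MAX_SUB_AUTHORITIES
        raise ValueError("too many sub-authorities in %r" % text)
    return Sid(int(parts[1]), int(parts[2]), subs)


def sid_to_string(sid):
    """Render a Sid in the familiar S-R-I-S... form."""
    head = "S-%d-%d" % (sid.revision, sid.authority)
    return head + "".join("-%d" % s for s in sid.sub_authorities)


def sid_to_binary(sid):
    """Encode the on-the-wire SID: revision byte, sub-authority count byte,
    6-byte big-endian identifier authority, then 32-bit little-endian
    sub-authorities."""
    header = struct.pack("<BB", sid.revision, len(sid.sub_authorities))
    authority = sid.authority.to_bytes(6, "big")
    subs = b"".join(struct.pack("<I", s) for s in sid.sub_authorities)
    return header + authority + subs


def sid_from_binary(data):
    """Decode a binary SID. The declared sub-authority count must match the
    bytes actually present; a short SID is rejected rather than guessed."""
    if len(data) < 8:
        raise ValueError("SID too short: %d bytes" % len(data))
    revision, count = struct.unpack("<BB", data[:2])
    expected = 8 + 4 * count
    if len(data) != expected:
        raise ValueError("SID declares %d sub-authorities (%d bytes) but has %d bytes"
                         % (count, expected, len(data)))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:]) if count else ()
    return Sid(revision, authority, tuple(subs))


def is_well_formed(data):
    """True when the binary SID decodes without a length mismatch."""
    try:
        sid_from_binary(data)
        return True
    except ValueError:
        return False


def owner_check(owner_sid_text, user_sid_text):
    """The ownership rule from the thread: the profile folder's owner SID must
    equal the logging-on user's SID. Assumption: whole SIDs are compared, so a
    SID missing sub-authorities never matches, whatever its RID would be."""
    return sid_from_string(owner_sid_text) == sid_from_string(user_sid_text)


if __name__ == "__main__":
    # The two owner SIDs quoted in the thread's captures.
    samba_owner = "S-1-5-21-2951980089-3660375505-290094901-1224"
    windows_owner = "S-1-5-21-2951980089"
    print("full SID round-trips:", sid_from_binary(sid_to_binary(sid_from_string(samba_owner))))
    print("short form equals full form:", owner_check(samba_owner, windows_owner))
    # A wire SID claiming 5 sub-authorities but carrying only 2 is malformed.
    print("short wire SID well formed:", is_well_formed(sid_to_binary(sid_from_string(samba_owner))[:16]))
```

Run it directly to see the full SID survive a binary round-trip, the two quoted owner strings fail the ownership comparison, and a wire SID whose declared count exceeds its payload be rejected. The thread does not say whether the short "S-1-5-21-2951980089" was what the server actually sent or only what ethereal displayed; the length check in `sid_from_binary` is how to tell the two apart from a raw capture.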