John Mason
2006-Aug-07 18:06 UTC
[Samba] samba 3.0.23a + ldap as PDC - should work, but why?
I've got an issue with roaming profiles with samba 3.0.23a and an LDAP
backend. I can use the LDAP to authenticate an NT and a local user, and I know
a lot about PAM, NSS, and general Linux. BUT, I can't get ANY roaming
profiles to work.
Other than my domain name, which I changed for security purposes, the following is my
smb.conf file. (I first used SWAT, then did more customization)
smb.conf =====>
============================================================
[global]
workgroup = DOMAIN.COM
netbios name = PDC
server string = PDC
interfaces = eth0
bind interfaces only = Yes
update encrypted = Yes
private dir = /data/samba/private
passdb backend = ldapsam:ldap://127.0.0.1/
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 10
syslog = 0
password server = PDC
log file = /data/samba/logs/sambalog
#max log size = 50
enable core files = No
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
#shutdown script = /var/lib/samba/scripts/shutdown.sh
#abort shutdown script = /sbin/shutdown -c
logon script = logon.bat
logon path = \\%L\%U\.msprofile
logon drive = h:
logon home = \\%L\%U
server schannel = auto
client schannel = auto
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = uid=root,dc=domain,dc=com
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=domain,dc=com
ldap ssl = no
ldap user suffix = ou=Users
#utmp = Yes
profile acls = Yes
map acl inherit = Yes
printing = cups
case sensitive = Yes
hide unreadable = Yes
hide files = /desktop.ini/
veto oplock files = /*.doc/*.xls/*.mdb/
admin users = root Administrator
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0644
directory mask = 0775
hide files = /desktop.ini/
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /data/samba/print/drivers
guest ok = Yes
[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
browseable = No
locking = No
[profiles]
# chmod 1777 /home/%U/.msprofile
path = /home/%U/.msprofile
read only = no
profile acls = yes
create mask = 0600
directory mask = 0700
browseable = No
nt acl support = Yes
force user = %U
valid users = %U @"Domain Admins"
[profdata]
comment = Profile Data Share
path = /data/samba/profdata
read only = No
create mask = 0644
directory mask = 0755
browseable = No
hide files = /desktop.ini/
csc policy = disable
[shared]
comment = Network Shares
path = /data/samba/shared
read only = No
guest ok = Yes
============================================================
<======== end smb.conf
Also, here are a few "ls" listings so you can see my permissions.
# > ls -al /data/samba/profdata
total 24K
drwxr-xr-x 6 root root 4.0K Aug 3 14:41 .
drwxr-xr-x 9 root root 4.0K Aug 3 14:28 ..
drwxr-xr-x 11 Administrator Domain Admins 4.0K Aug 3 15:42 Administrator
drwxr-xr-x 12 user1 Domain Users 4.0K Aug 4 08:22 user1
drwxr-xr-x 10 root Domain Admins 4.0K Aug 3 14:30 root
drwxr-xr-x 2 user2 Domain Users 4.0K Aug 3 13:04 user2
and user1's .msprofile:
# > ls -al /home/user1/.msprofile
total 820K
drwxrwxrwt 9 user1 Domain Users 4.0K Aug 7 12:02 .
drwxr-xr-x 43 user1 Domain Users 4.0K Aug 7 08:44 ..
drwxrwxr-x 6 user1 Domain Users 4.0K Aug 7 07:40 Application Data
drwxrwxr-x 2 user1 Domain Users 4.0K Aug 3 13:56 NetHood
-rw-r--r-- 1 user1 Domain Users 768K Aug 7 12:01 NTUSER.DAT
-rw-r--r-- 1 user1 Domain Users 1.0K Aug 7 12:01 ntuser.dat.LOG
-rw-r--r-- 1 user1 Domain Users 610 Aug 7 12:02 ntuser.ini
-r--r--r-- 1 user1 Domain Users 794 Aug 7 12:01 ntuser.pol
drwxrwxr-x 2 user1 Domain Users 4.0K Aug 3 13:56 PrintHood
drwxrwxr-x 2 user1 Domain Users 4.0K Aug 3 13:56 Recent
drwxrwxr-x 2 user1 Domain Users 4.0K Aug 3 13:56 SendTo
drwxrwxr-x 3 user1 Domain Users 4.0K Aug 3 13:56 Start Menu
drwxrwxr-x 2 user1 Domain Users 4.0K Aug 3 13:56 Templates
The second I log in as this user, the ntuser files all become owned by root...
AND the timestamp changes, BUT when I log in again as this user, NONE of the changes
to the profile are still there!
I can also do this as Administrator... but the same thing results!
I followed chapter 5 from
http://www.samba.org/samba/docs/man/Samba-Guide/happy.html for my setups.
Gerald (Jerry) Carter
2006-Aug-07 19:36 UTC
[Samba] samba 3.0.23a + ldap as PDC - should work, but why?
John Mason wrote:
> [profiles]
> # chmod 1777 /home/%U/.msprofile
> path = /home/%U/.msprofile
> read only = no
> profile acls = yes
> create mask = 0600
> directory mask = 0700
> browseable = No
> nt acl support = Yes
> force user = %U
> valid users = %U @"Domain Admins"

The %U in force user and valid users has no effect. It says restrict connections to whoever is connecting and force them to be who they already are. I'd recommend dropping valid users from [profiles] altogether.

cheers, jerry

Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
John Mason
2006-Aug-07 22:02 UTC
[Samba] samba 3.0.23a + ldap as PDC - should work, but why?
Fix for my own problem: Case Sensitivity
Looking at level 10 logs for a few hours, it finally hit me. It is looking for
ntuser.dat, whereas the Default User profile provided NTUSER.DAT and I have case
sensitivity on... took it off and it worked.
Thanks.
-----Original Message-----
From: samba-bounces+jmason=lim.com@lists.samba.org on behalf of John Mason
Sent: Mon 8/7/2006 1:05 PM
To: samba@lists.samba.org
Subject: [Samba] samba 3.0.23a + ldap as PDC - should work, but why?
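As an added diagnostic (not part of the thread or of Samba), the script below checks whether a profile share's effective `case sensitive` setting would stop the client's lower-case requests for ntuser.dat and friends from matching the files actually on disk. The smb.conf excerpts and the directory listing are constructed from what was posted above, and the check assumes Samba's documented default of `auto` when the parameter is set nowhere.

```python
import re
from collections import defaultdict

# Constructed excerpts of the thread's smb.conf: the original (global
# `case sensitive = Yes`, inherited by [profiles]) and the fixed variant.
SMB_CONF_ORIGINAL = """
[global]
case sensitive = Yes
[profiles]
path = /home/%U/.msprofile
read only = no
"""
SMB_CONF_FIXED = SMB_CONF_ORIGINAL + "case sensitive = No\n"

# Names the Windows client asks for (lower-case, as in the level-10 log the
# thread describes) and the on-disk listing, constructed from the posted
# `ls -al /home/user1/.msprofile` output.
CLIENT_REQUESTS = ["ntuser.dat", "ntuser.ini", "ntuser.pol"]
ON_DISK = ["Application Data", "NTUSER.DAT", "ntuser.dat.LOG", "ntuser.ini", "ntuser.pol"]

def parse_smb_conf(text):
    """Return {section: {param: value}}; parameter names are normalised the
    way Samba does it (case and internal whitespace ignored)."""
    sections, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def share_is_case_sensitive(conf, share):
    """Effective `case sensitive` for a share: the share's own value, else
    [global], else Samba's default `auto`, which this check treats as insensitive."""
    value = conf[share].get("casesensitive", conf["global"].get("casesensitive", "auto"))
    return value.lower() in ("yes", "true", "1")

def unresolved_profile_files(conf_text, share, requested, on_disk):
    """Requested names that a path lookup on `share` would fail to find."""
    sensitive = share_is_case_sensitive(parse_smb_conf(conf_text), share)
    norm = (lambda n: n) if sensitive else str.lower
    present = {norm(n) for n in on_disk}
    return [n for n in requested if norm(n) not in present]
```

With the original configuration the check reports `ntuser.dat` as unresolved; with `case sensitive = No` on the share every request matches.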