Rich McClellan
2007-Jun-14 20:21 UTC
[Samba] Windows host profile problem (write access denied)
Greetings,

Some users on a Windows XP Professional host are (lately) unable to use their roaming profile. A Windows error message states that, due to a security problem or a corrupt profile, it is unusable. A second error message immediately following the first states that a temporary profile will be used and that any changes will not be saved. Other users are able to log on with their profile, but they are unable to save changes to it when logging off (the Windows error message suggests it is bad hardware or a network problem that prevents the write).

The PDC is running Samba version 3.0.23c-2.el5.2.0.2 on CentOS 5.0 x86_64 with kernel 2.6.18-8.1.4.5.el5xen. OpenLDAP is the backend (v 2.3.27-5). There are no obvious error messages on the Samba server. The following error message shows up only when the computer with problems is online:

    smbd[11981]: [2007/06/14 12:34:01.108071, 0] lib/smbldap.c:smbldap_open(1009)
    smbd[11981]: smbldap_open: cannot access LDAP when not root..

Typing `smbstatus` on the PDC shows that the user logging on is being denied write access to the files in their profile. The output of smbstatus looks something like this:

    11981 510 DENY_WRITE 0x20089 RDONLY NONE <home dir> <profile item> <date>

The unix permissions are "correct". No problems with other permissions from the Windows side (i.e., writing to H:) have appeared. Interestingly, Windows error messages regarding "unable to write file foo to .../USER_A/windows/profile/..." appear when USER_B logs in.
Here's the Samba configuration file from the PDC (aka Asterix/ldap (and there's a BDC named Obelix/bdc/ldap2)):

--------------------------------------------------------
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2007/05/15 15:24:29

[global]
	workgroup = FOO
	server string = Primary Domain Controller
	password server = *
	passdb backend = ldapsam:"ldap://ldap.foo.com ldap://ldap2.foo.com"
#	log level = 0
#	log level = 50 passdb:50 auth:20 winbind:20
	log file = /var/log/samba/%m.log
	max log size = 50
	debug hires timestamp = Yes
	smb ports = 139
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	logon script = %U.bat
#	logon path = \\%N\%U\windows\profile
	logon path = \\asterix\%U\windows\profile
	logon home = \\asterix\%U
	logon drive = H:
	domain logons = Yes
	os level = 65
	preferred master = Yes
	domain master = Yes
	local master = Yes
	security = User
	dns proxy = No
	wins support = Yes
	ldap admin dn = cn=ldapadmin,dc=foo,dc=com
	ldap group suffix = ou=Group
	ldap machine suffix = ou=Computers
	ldap passwd sync = Yes
	ldap suffix = dc=foo,dc=com
	ldap ssl = no
	idmap backend = ldap:ldap://ldap.foo.com
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	interfaces = eth0 192.168.10.13 lo 127.0.0.1
	bind interfaces only = yes
	passwd chat debug = Yes
	template shell = /bin/false
	winbind use default domain = false

[netlogon]
	path = /var/lib/samba/netlogon
	browseable = No

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[common]
	comment = stuff for everybody
	path = /export/common
	read only = No

[papers]
	comment = Literature repository
	path = /export/papers
	read only = No

[software]
	comment = useful programs
	path = /export/src
	read only = No

[admin]
	comment = Administrative stuff
	path = /export/admin
	invalid users = user1
	valid users = user2, user3
	write list = user2, user3
	read only = No
	create mask = 0740
	security mask = 0770
	directory mask = 0750
	directory security mask = 0700
	browseable = No

[exec]
	comment = executive storage
	path = /export/exec
	invalid users = user1, user2
	valid users = user3
	read only = No
	create mask = 0740
	security mask = 0770
	directory mask = 0750
	directory security mask = 0770
	browseable = No

[1815dn]
	comment = Dell 1815dn laser printer
	path = /var/spool/samba
	guest ok = Yes
	printable = Yes
	cups options = "raw"
--------------------------------------------------------

Thanks for your time+help!

Rich
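As an added illustration (not part of the original post), a small Python script that parses smbstatus "Locked files" rows of the shape quoted above and flags DENY_WRITE locks on a profile directory that are held by a uid other than the profile's owner, which is the pattern the USER_A/USER_B messages hint at. It assumes the [homes] share path is /home/<username> and contains no spaces, and it uses constructed sample rows and a constructed uid-to-name map in place of the real LDAP entries.

```python
import os
from typing import Optional

# Constructed smbstatus "Locked files" rows modelled on the one quoted in the post
# (Samba 3.0 column order: Pid Uid DenyMode Access R/W Oplock SharePath Name Time).
SAMPLE_SMBSTATUS = """\
Pid    Uid   DenyMode    Access   R/W    Oplock  SharePath      Name   Time
11981  510   DENY_WRITE  0x20089  RDONLY NONE  /home/user_a  windows/profile/ntuser.dat  Thu Jun 14 12:34:01 2007
11981  510   DENY_WRITE  0x20089  RDONLY NONE  /home/user_a  windows/profile/Application Data/foo.ini  Thu Jun 14 12:34:02 2007
12004  511   DENY_NONE   0x2019f  RDWR   NONE  /home/user_a  windows/profile/ntuser.dat  Thu Jun 14 12:35:10 2007
12010  511   DENY_WRITE  0x20089  RDONLY NONE  /export/common  report.doc  Thu Jun 14 12:36:00 2007
"""
# Constructed uid -> username map standing in for the LDAP posixAccount entries.
UID_TO_USER = {510: "user_b", 511: "user_a"}

PROFILE_MARKER = "windows/profile"   # matches the post's logon path \\asterix\%U\windows\profile
DATE_TOKENS = 5                      # trailing "Thu Jun 14 12:34:01 2007"

def parse_locked_file(line: str) -> Optional[dict]:
    """Parse one 'Locked files' row; return None for header, rule and blank lines."""
    tokens = line.split()
    if len(tokens) < 6 + 2 + DATE_TOKENS or not tokens[0].isdigit():
        return None
    pid, uid, deny_mode, access, rw, oplock = tokens[:6]
    rest = tokens[6:-DATE_TOKENS]        # share path (assumed space-free), then file name
    return {"pid": int(pid), "uid": int(uid), "deny_mode": deny_mode,
            "access": int(access, 16), "rw": rw, "oplock": oplock,
            "share_path": rest[0], "name": " ".join(rest[1:]),   # names may contain spaces
            "time": " ".join(tokens[-DATE_TOKENS:])}

def profile_owner(share_path: str) -> str:
    """Owner of a [homes] share; assumes the share path is /home/<username>."""
    return os.path.basename(share_path.rstrip("/"))

def find_cross_user_profile_locks(smbstatus_text: str, uid_map: dict) -> list:
    """Return (pid, holder, owner, name) for DENY_WRITE locks on another user's profile."""
    hits = []
    for line in smbstatus_text.splitlines():
        rec = parse_locked_file(line)
        if rec is None or PROFILE_MARKER not in rec["name"].replace("\\", "/"):
            continue
        holder = uid_map.get(rec["uid"], "uid:%d" % rec["uid"])
        if rec["deny_mode"] == "DENY_WRITE" and holder != profile_owner(rec["share_path"]):
            hits.append((rec["pid"], holder, profile_owner(rec["share_path"]), rec["name"]))
    return hits

if __name__ == "__main__":
    for hit in find_cross_user_profile_locks(SAMPLE_SMBSTATUS, UID_TO_USER):
        print("pid %d (%s) holds DENY_WRITE on %s's profile file: %s" % hit)
```

On a live PDC, feed it the output of `smbstatus` instead of the constructed sample; a hit identifies the smbd process (and user) whose open handle blocks the profile owner's write, which is the first thing to check before suspecting unix permissions.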