Hi people. I'm in need of help as far as roaming profiles are concerned.
Allow me as I know this issue has been discussed timelessly but let me just
ask it because I have been unable to get it to work.

My Samba + LDAP setup is fine and XP users can authenticate alright. I'm
using samba 3.0.28. However when logging in for the first time, they get the
message;

Windows cannot locate a server copy.... -Access is denied

When logging off,

Windows cannot update your roaming profile... -Access is denied

I copied the profiles across from another server, so the first error does
not come up except for new users and the old profiles are mapped onto the
users' machines just fine.

I think I've done everything for roaming profiles to work including

mkdir -p /var/lib/samba/profiles
chown root:users /var/lib/samba/profiles
chmod 2775 /var/lib/samba/profiles

chown -R user /var/lib/samba/profiles/user/

The samba logs don't show any errors.

Below is my smb.conf file

[global]
workgroup = EXAMPLE
netbios name = EXAMPLE_SERVER
server string = Samba Server Version %v
passdb backend = ldapsam:ldap://example.org/
log file = /var/log/samba/%m.log
max log size = 50
add user script = /usr/sbin/adduser -m "%u"
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
logon script = %u.bat
logon path = \\EXAMPLE_SERVER\profiles\%U
logon home = \\EXAMPLE_SERVER\%U
domain logons = Yes
domain master = Yes
ldap admin dn = "cn=config"
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap passwd sync = Yes
ldap suffix = dc=example,dc=org
ldap user suffix = ou=people
cups options = raw
[homes]
comment = Home Directories
validusers = %S
read only = No
browseable = No
writable = Yes
create mask= 0700
directory mask = 0700
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
share modes = No
guest ok = Yes
[profiles]
path = /var/lib/samba/profiles
read only = No
writable = Yes
profile acls = Yes
comment = User profiles
create mask = 0600
browsable = no
directory mask = 0700

My searches on the web have not helped much. I am running on a Red Hat like
system (CentOS 5).

Someone please help. I will be eternally grateful.

Hi

Remove the profile acls = yes and add:

browseable = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"

Louis

>-----Original message-----
>From: samba-bounces+belle=bazuin.nl@lists.samba.org
>[mailto:samba-bounces+belle=bazuin.nl@lists.samba.org] On behalf of
>Mugo Martin
>Sent: Tuesday 19 August 2008 14:19
>To: samba@lists.samba.org
>Subject: [Samba] Roaming profiles

On Tuesday 19 August 2008 07:18:56 Mugo Martin wrote:
> I copied the profiles across from another server, so the first error does
> not come up except for new users and the old profiles are mapped onto the
> users machines just fine.

Did you copy the domain SID from the old server to the new one?

- John T.

--
John H Terpstra
"Don't do as I do; Show me better!" - Anonymous.

Maybe you could provide a level 10 log of when the first error happens (for a
new user).

Are all your users members of the group "users"?

Are all the underlying directories (/var /var/lib /var/lib/samba ...) set with
at least the o+x permission on the file system?

François

First, read the man smb.conf;
there you will see DEFAULT profile acls = no.

Second, if you set up your rights correctly, like
for example how I have it:

/home/samba/profiles (777)
and remember to set /home/samba at least 755 (the last 5 is needed!!)
autocreated by user at logoff: /home/samba/profiles/USERNAME (700)

If a profile exists in a test environment, log on, set everything in Windows,
delete the profile from the server and log off; the profile is newly
created again with correct rights.

When force user = %U is used,
it's always the user.

But don't forget!!
create mask = 0600
directory mask = 0700

When profiles are set up this way it's just how XP SP1 and higher
checks its rights. With this setup you don't have to change
anything in XP policies for the profiles.

This is how I have my profiles in smb.conf:

[profiles]
path = /home/samba/profiles
comment = Profile enviroment.
read only = no
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"

Sorry if I didn't reply to your message, I didn't see that.

Louis

>-----Original message-----
>From: Charles Marcus [mailto:CMarcus@media-brokers.com]
>Sent: Friday 22 August 2008 16:53
>To: L.P.H. van Belle
>CC: samba@lists.samba.org
>Subject: Re: [Samba] Roaming profiles
>
>On 8/22/2008, L.P.H. van Belle (belle@bazuin.nl) wrote:
>> yes, turn off Profile acls,
>
>This is the second time you have said this, but never answered my
>request for WHY would you suggest this, when the samba devs say it is
>REQUIRED?
>
>Please, either provide an answer/rationale for why you are telling
>someone to try something non-standard, or stop pulling things out of the
>air.
>
>--
>
>Best regards,
>
>Charles
>
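
Added example, not part of any message in this thread: a shell audit of the filesystem side of the advice above (the o+x question on parent directories, and the per-user ownership and 0700 mode described for the profile directories). It assumes GNU stat and that each profile directory is named after its Unix account; the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit the on-disk layout behind a
# Samba [profiles] share. Assumes GNU stat and that each profile directory
# is named after the Unix account that owns it (as in the chown above).

# Prints one finding per line; exit status 0 means no findings.
audit_profiles() (
    root=$1
    findings=0
    report() { echo "$*"; findings=1; }

    # 1. Every parent needs o+x, otherwise smbd acting as the user
    #    cannot traverse down to the share.
    dir=$(dirname "$root")
    while :; do
        mode=$(stat -c %a "$dir")
        [ $(( 0$mode & 0001 )) -ne 0 ] || report "NO_TRAVERSE $dir ($mode)"
        case $dir in /|.) break ;; esac
        dir=$(dirname "$dir")
    done

    # 2. The share root must let users create their own profile directory
    #    (group- or world-writable). World-writable without the sticky bit
    #    lets any user rename another user's profile directory.
    mode=$(stat -c %a "$root")
    [ $(( 0$mode & 0022 )) -ne 0 ] || report "ROOT_NOT_WRITABLE $root ($mode)"
    if [ $(( 0$mode & 0002 )) -ne 0 ] && [ $(( 0$mode & 01000 )) -eq 0 ]; then
        report "WORLD_WRITABLE_NO_STICKY $root ($mode)"
    fi

    # 3. Each profile directory: owned by the account it is named after,
    #    with no group/other bits (the 0700 directory mask in the thread).
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        owner=$(stat -c %U "$dir")
        mode=$(stat -c %a "$dir")
        [ "$owner" = "${dir##*/}" ] || report "OWNER_MISMATCH $dir (owner $owner)"
        [ $(( 0$mode & 0077 )) -eq 0 ] || report "TOO_OPEN $dir ($mode)"
    done

    [ "$findings" -eq 0 ]
)

# Usage: sh audit_profiles.sh /var/lib/samba/profiles
if [ $# -gt 0 ]; then audit_profiles "$1"; fi
```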