Konstantin Kletschke
2010-Sep-24 14:19 UTC
[Samba] Storing Profile remote on Samba PDC only works for one user
Hello,
Actually I am trying to implement a Samba PDC server with an LDAP backend
that users are authenticated against. Additionally the users' profiles
should be stored on it, which only works for one user, not the 3
others. The point is, I don't see the difference between them, so it
should work for all or none.
This is what I have in my smb.conf regarding this:
[global]
logon script = logon.cmd
logon path = \\%L\profiles\%U\%a
logon drive = H:
domain logons = Yes
# Provide a specific roving profile share
# the default is to use the user's home directory
# The permissions on the profiles directory should be
# chmod 1757 /exports/home/samba/profiles
# drwxr-xrwt 5 root root 4096 May 1 08:43 profiles
[profiles]
comment = Users profile
path = /exports/home/samba/profiles
valid users = "@Domain Admins" "@Domain Users" "@Domain Guests" "@smbusers"
read only = no
create mask = 0660
directory mask = 0770
nt acl support = yes
browseable = no
guest ok = yes
printable = no
hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
guest ok = yes
profile acls = yes
locking = No
For one user, XXXXXXX_admin, this works fine. But the funny thing is,
its profile goes to /exports/home/samba/profiles/XXXXXXX_admin, NOT
/exports/home/samba/profiles/XXXXXXX_admin/Win2K, when accessed from
Windows 2000. Why is the %a ignored (Debian samba package 3.5.5)? Despite
that, it basically works.
This is an LDAP output for the working user:
ldapsearch -x -b "dc=XXXXXXXsystems,dc=de"
"(&(|(objectClass=sambaAccount)(objectClass=sambaSamAccount))(objectClass=posixAccount)(uid=XXXXXXX_admin))"
# extended LDIF
#
# LDAPv3
# base <dc=XXXXXXXsystems,dc=de> with scope subtree
# filter: (&(|(objectClass=sambaAccount)(objectClass=sambaSamAccount))(objectClass=posixAccount)(uid=XXXXXXX_admin))
# requesting: ALL
#
# XXXXXXX_admin, Users, XXXXXXXsystems.de
dn: uid=XXXXXXX_admin,ou=Users,dc=XXXXXXXsystems,dc=de
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: XXXXXXX_admin
sn: XXXXXXX_admin
givenName: XXXXXXX_admin
uid: XXXXXXX_admin
uidNumber: 1007
gidNumber: 512
homeDirectory: /exports/home/XXXXXXX_admin
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: XXXXXXX_admin
sambaSID: S-1-5-21-3833919196-1227853012-1360384830-3014
sambaPrimaryGroupSID: S-1-5-21-3833919196-1227853012-1360384830-512
sambaProfilePath: \\pferdekopfnebel\profiles\XXXXXXX_admin
sambaHomePath: \\pferdekopfnebel\XXXXXXX_admin
sambaHomeDrive: H:
sambaAcctFlags: [U]
sambaPwdLastSet: 1281971080
sambaPwdMustChange: 1285859080
shadowMax: 45
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
For all other users, when they log in the profile directory
/exports/home/samba/profiles/XXXXXXX_user is successfully created, but
not one file is ever put into it. Windows outputs no errors or complaints
about not finding/accessing/existing profile. I can put files into the
samba share being the profile with no problem.
This is an LDAP output for such a user:
~/ > ldapsearch -x -b "dc=XXXXXXXsystems,dc=de"
"(&(|(objectClass=sambaAccount)(objectClass=sambaSamAccount))(objectClass=posixAccount)(uid=XXXXXXX_user))"
# extended LDIF
#
# LDAPv3
# base <dc=XXXXXXXsystems,dc=de> with scope subtree
# filter: (&(|(objectClass=sambaAccount)(objectClass=sambaSamAccount))(objectClass=posixAccount)(uid=XXXXXXX_user))
# requesting: ALL
#
# XXXXXXX_user, Users, XXXXXXXsystems.de
dn: uid=XXXXXXX_user,ou=Users,dc=XXXXXXXsystems,dc=de
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: XXXXXXX_user
sn: XXXXXXX_user
givenName: XXXXXXX_user
uid: XXXXXXX_user
uidNumber: 1008
gidNumber: 513
homeDirectory: /exports/home/XXXXXXX_user
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: XXXXXXX_user
sambaSID: S-1-5-21-3833919196-1227853012-1360384830-3016
sambaPrimaryGroupSID: S-1-5-21-3833919196-1227853012-1360384830-513
sambaProfilePath: \\pferdekopfnebel\profiles\XXXXXXX_user
sambaHomePath: \\pferdekopfnebel\XXXXXXX_user
sambaHomeDrive: H:
sambaAcctFlags: [U]
sambaPwdLastSet: 1281972169
sambaPwdMustChange: 1285860169
shadowMax: 45
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Well, what could possibly lead to such an error, and where should I
start searching further? ATM I have no clue what to debug next.
Kind regards, Konsti
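Since the two ldapsearch outputs above look identical at a glance, an attribute-by-attribute comparison is the quickest way to see what actually differs between the working and the non-working account. The following is an added example written for this thread (it is not from the original post or from the Samba project): a small LDIF parser and diff run over the two records exactly as posted, with the ldapsearch header and trailer left out. The parser also handles LDIF line folding and stops at the blank line that ends a record, which real ldapsearch output needs. The well-known RID names (512 Domain Admins, 513 Domain Users, 514 Domain Guests) are the standard builtin domain group RIDs; everything else comes from the thread.

```python
# Well-known RIDs of the builtin domain groups (standard Windows/Samba values).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Both records are copied from the thread; the ldapsearch header and trailer are omitted.
WORKING_USER_LDIF = r"""dn: uid=XXXXXXX_admin,ou=Users,dc=XXXXXXXsystems,dc=de
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: XXXXXXX_admin
sn: XXXXXXX_admin
givenName: XXXXXXX_admin
uid: XXXXXXX_admin
uidNumber: 1007
gidNumber: 512
homeDirectory: /exports/home/XXXXXXX_admin
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: XXXXXXX_admin
sambaSID: S-1-5-21-3833919196-1227853012-1360384830-3014
sambaPrimaryGroupSID: S-1-5-21-3833919196-1227853012-1360384830-512
sambaProfilePath: \\pferdekopfnebel\profiles\XXXXXXX_admin
sambaHomePath: \\pferdekopfnebel\XXXXXXX_admin
sambaHomeDrive: H:
sambaAcctFlags: [U]
sambaPwdLastSet: 1281971080
sambaPwdMustChange: 1285859080
shadowMax: 45"""

OTHER_USER_LDIF = r"""dn: uid=XXXXXXX_user,ou=Users,dc=XXXXXXXsystems,dc=de
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: XXXXXXX_user
sn: XXXXXXX_user
givenName: XXXXXXX_user
uid: XXXXXXX_user
uidNumber: 1008
gidNumber: 513
homeDirectory: /exports/home/XXXXXXX_user
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: XXXXXXX_user
sambaSID: S-1-5-21-3833919196-1227853012-1360384830-3016
sambaPrimaryGroupSID: S-1-5-21-3833919196-1227853012-1360384830-513
sambaProfilePath: \\pferdekopfnebel\profiles\XXXXXXX_user
sambaHomePath: \\pferdekopfnebel\XXXXXXX_user
sambaHomeDrive: H:
sambaAcctFlags: [U]
sambaPwdLastSet: 1281972169
sambaPwdMustChange: 1285860169
shadowMax: 45"""


def parse_ldif(text):
    """Parse one LDIF record into {attribute: [values]}; skips '#' comments, stops at the
    blank line ending the record and joins folded lines (leading space = continuation)."""
    entry, last = {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw and entry:
            break                       # record ends here; ignore ldapsearch's trailer
        if raw.startswith(" ") and last:
            entry[last][-1] += raw[1:]  # folded continuation of the previous value
            continue
        attr, sep, value = raw.partition(":")
        if sep:
            entry.setdefault(attr, []).append(value.strip())
            last = attr
    return entry


def diff_entries(a, b):
    """Return {attribute: (values_in_a, values_in_b)} for every attribute whose values differ."""
    return {k: (a.get(k, []), b.get(k, [])) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def primary_group(entry):
    """Return (gidNumber, RID of sambaPrimaryGroupSID, well-known group name for that RID)."""
    rid = int(entry["sambaPrimaryGroupSID"][0].rsplit("-", 1)[1])
    return int(entry["gidNumber"][0]), rid, WELL_KNOWN_RIDS.get(rid, "not a builtin group")
```

Apart from the per-account attributes that always differ (dn, uid, uidNumber, sambaSID, paths, password timestamps), `diff_entries` leaves exactly two entries on these records: `gidNumber` (512 vs 513) and `sambaPrimaryGroupSID` (RID 512 vs 513), which `primary_group` resolves to Domain Admins and Domain Users. That is the kind of difference worth checking against the server's group mapping before digging into client-side traces.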
Konstantin Kletschke
2010-Sep-28 09:03 UTC
[Samba] Storing Profile remote on Samba PDC only works for one user
Hello :-)
Meanwhile I found out why the %a in my "logon path" was not respected: there was an entry in my LDAP user entries overriding this. I removed it and now the %a is respected; /exports/home/samba/profiles/XXXXXXX_admin/Win2K is created _and_ populated only for XXXXXXX_admin, and only created and _not_ populated for the other users (this also works from WinXP, with %a becoming WinXP). I have this issue on WinXP clients _and_ Win2k clients. I found out how to enable userenv.log on the Windows clients.
This is the user logging in:
USERENV(b8.a0) 17:11:29:781 ========================================================
USERENV(b8.a0) 17:11:29:781 LoadUserProfile: Entering, hToken = <0x50>, lpProfileInfo = 0x6f648
USERENV(b8.a0) 17:11:29:781 LoadUserProfile: Entering, hToken = <0x50>, lpProfileInfo = 0x6f648
USERENV(b8.a0) 17:11:29:781 LoadUserProfile: lpProfileInfo->dwFlags = <0x0>
USERENV(b8.a0) 17:11:29:781 LoadUserProfile: lpProfileInfo->lpUserName = <XXXXXXX_user>
USERENV(b8.a0) 17:11:29:781 LoadUserProfile: lpProfileInfo->lpProfilePath = <\\pferdekopfnebel\profiles\XXXXXXX_user\Win2K>
USERENV(b8.a0) 17:11:29:781 LoadUserProfile: lpProfileInfo->lpDefaultPath = <\\PFERDEKOPFNEBEL\netlogon\Default User>
USERENV(b8.a0) 17:11:29:781 LoadUserProfile: NULL server name
USERENV(b8.a0) 17:11:29:781 GetUserMutex: entering
USERENV(b8.a0) 17:11:29:781 GetUserMutex: Waiting...
USERENV(b8.a0) 17:11:29:781 GetUserMutex: Wait succeeded. Mutex currently held.
USERENV(b8.a0) 17:11:29:781 GetUserGuid: Failed to get user guid with 1355.
USERENV(b8.a0) 17:11:29:781 GetProfileSid: No Guid -> Sid Mapping available
USERENV(b8.a0) 17:11:29:781 GetUserGuid: Failed to get user guid with 1355.
USERENV(b8.a0) 17:11:29:781 GetProfileSid: No Guid -> Sid Mapping available
USERENV(b8.a0) 17:11:29:781 ParseProfilePath: Entering, lpProfilePath = <\\pferdekopfnebel\profiles\XXXXXXX_user\Win2K>
USERENV(b8.a0) 17:11:29:781 CheckXForestLogon: checking x-forest logon, user handle = 80
USERENV(b8.a0) 17:11:29:796 MyGetDomainDNSName: MyGetUserName failed for dns domain name with 1355
USERENV(b8.a0) 17:11:29:796 CheckUserInMachineForest: MyGetDomainName failed with 1355.
USERENV(b8.a0) 17:11:29:796 CheckXForestLogon : CheckUserInMachineForest failed with 1355
USERENV(b8.a0) 17:11:29:796 ParseProfilePath: CheckXForestLogon failed, hr = 8007054B
USERENV(b8.a0) 17:11:29:906 ParseProfilePath: Tick Count = 16
USERENV(b8.a0) 17:11:29:906 PingComputer: PingBufferSize set as 2048
USERENV(b8.a0) 17:11:29:906 PingComputer: First time: 0
USERENV(b8.a0) 17:11:29:906 PingComputer: Fast link. Exiting.
USERENV(b8.a0) 17:11:29:906 ParseProfilePath: FindFirstFile found something with attributes <0x10>
USERENV(b8.a0) 17:11:29:906 ParseProfilePath: Found a directory
USERENV(b8.a0) 17:11:29:906 LoadUserProfile: ParseProfilePath returned a directory of <\\pferdekopfnebel\profiles\XXXXXXX_user\Win2K>
USERENV(b8.a0) 17:11:29:906 RestoreUserProfile: Entering
USERENV(b8.a0) 17:11:29:906 RestoreUserProfile: User is a Guest
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Entering
USERENV(b8.a0) 17:11:29:906 CheckRoamingShareOwnership: checking ownership for \\pferdekopfnebel\profiles\XXXXXXX_user\Win2K
USERENV(b8.a0) 17:11:29:906 CheckRoamingShareOwnership: policy set to disable ownership check
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Testing <\\pferdekopfnebel\profiles\XXXXXXX_user\Win2K\ntuser.man>
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Profile is not reachable, error = 2
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Testing <\\pferdekopfnebel\profiles\XXXXXXX_user\Win2K\ntuser.dat>
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Profile is not reachable, error = 2
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Ok to create a user profile.
USERENV(b8.a0) 17:11:29:906 RestoreUserProfile: Central Profile is reachable
USERENV(b8.a0) 17:11:29:906 RestoreUserProfile: Central Profile is roaming
USERENV(b8.a0) 17:11:29:906 RestoreUserProfile: Profile path = <\\pferdekopfnebel\profiles\XXXXXXX_user\Win2K>
This is the admin logging in:
USERENV(b8.a0) 17:11:55:421 ========================================================
USERENV(b8.a0) 17:11:55:421 LoadUserProfile: Entering, hToken = <0x1f0>, lpProfileInfo = 0x6f648
USERENV(b8.a0) 17:11:55:421 LoadUserProfile: Entering, hToken = <0x1f0>, lpProfileInfo = 0x6f648
USERENV(b8.a0) 17:11:55:421 LoadUserProfile: lpProfileInfo->dwFlags = <0x0>
USERENV(b8.a0) 17:11:55:421 LoadUserProfile: lpProfileInfo->lpUserName = <XXXXXXX_admin>
USERENV(b8.a0) 17:11:55:421 LoadUserProfile: lpProfileInfo->lpProfilePath = <\\pferdekopfnebel\profiles\XXXXXXX_admin\Win2K>
USERENV(b8.a0) 17:11:55:421 LoadUserProfile: lpProfileInfo->lpDefaultPath = <\\PFERDEKOPFNEBEL\netlogon\Default User>
USERENV(b8.a0) 17:11:55:421 LoadUserProfile: NULL server name
USERENV(b8.a0) 17:11:55:421 GetUserMutex: entering
USERENV(b8.a0) 17:11:55:421 GetUserMutex: Waiting...
USERENV(b8.a0) 17:11:55:421 GetUserMutex: Wait succeeded. Mutex currently held.
USERENV(b8.a0) 17:11:55:437 GetUserGuid: Failed to get user guid with 1355.
USERENV(b8.a0) 17:11:55:437 GetProfileSid: No Guid -> Sid Mapping available
USERENV(b8.a0) 17:11:55:437 GetUserGuid: Failed to get user guid with 1355.
USERENV(b8.a0) 17:11:55:437 GetProfileSid: No Guid -> Sid Mapping available
USERENV(b8.a0) 17:11:55:437 ParseProfilePath: Entering, lpProfilePath = <\\pferdekopfnebel\profiles\XXXXXXX_admin\Win2K>
USERENV(b8.a0) 17:11:55:437 CheckXForestLogon: checking x-forest logon, user handle = 496
USERENV(b8.a0) 17:11:55:437 MyGetDomainDNSName: MyGetUserName failed for dns domain name with 1355
USERENV(b8.a0) 17:11:55:437 CheckUserInMachineForest: MyGetDomainName failed with 1355.
USERENV(b8.a0) 17:11:55:437 CheckXForestLogon : CheckUserInMachineForest failed with 1355
USERENV(b8.a0) 17:11:55:437 ParseProfilePath: CheckXForestLogon failed, hr = 8007054B
USERENV(b8.a0) 17:11:55:546 ParseProfilePath: Tick Count = 16
USERENV(b8.a0) 17:11:55:546 PingComputer: PingBufferSize set as 2048
USERENV(b8.a0) 17:11:55:546 PingComputer: First time: 0
USERENV(b8.a0) 17:11:55:546 PingComputer: Fast link. Exiting.
USERENV(b8.a0) 17:11:55:546 ParseProfilePath: FindFirstFile found something with attributes <0x10>
USERENV(b8.a0) 17:11:55:546 ParseProfilePath: Found a directory
USERENV(b8.a0) 17:11:55:546 LoadUserProfile: ParseProfilePath returned a directory of <\\pferdekopfnebel\profiles\XXXXXXX_admin\Win2K>
USERENV(b8.a0) 17:11:55:546 RestoreUserProfile: Entering
USERENV(b8.a0) 17:11:55:546 RestoreUserProfile: User is a Guest
USERENV(b8.a0) 17:11:55:546 RestoreUserProfile: User is a Admin
USERENV(b8.a0) 17:11:55:546 IsCentralProfileReachable: Entering
USERENV(b8.a0) 17:11:55:546 CheckRoamingShareOwnership: checking ownership for \\pferdekopfnebel\profiles\XXXXXXX_admin\Win2K
USERENV(b8.a0) 17:11:55:546 CheckRoamingShareOwnership: policy set to disable ownership check
USERENV(b8.a0) 17:11:55:546 IsCentralProfileReachable: Testing <\\pferdekopfnebel\profiles\XXXXXXX_admin\Win2K\ntuser.man>
USERENV(b8.a0) 17:11:55:546 IsCentralProfileReachable: Profile is not reachable, error = 2
USERENV(b8.a0) 17:11:55:546 IsCentralProfileReachable: Testing <\\pferdekopfnebel\profiles\XXXXXXX_admin\Win2K\ntuser.dat>
USERENV(b8.a0) 17:11:55:562 IsCentralProfileReachable: Found a user profile.
USERENV(b8.a0) 17:11:55:562 RestoreUserProfile: Central Profile is reachable
USERENV(b8.a0) 17:11:55:562 RestoreUserProfile: Central Profile is roaming
USERENV(b8.a0) 17:11:55:562 RestoreUserProfile: Profile path = <\\pferdekopfnebel\profiles\XXXXXXX_admin\Win2K>
I see the user is only treated as a guest and the admin as an admin. Because both of them are treated as a guest, I suppose both also should be treated as a user, and as such Windows should save the remote profile (this is not done for guests only). But my LDAP structure is intended to handle both as users also. Where can the error be? Can there be an error in group mapping or group memberships or something of that sort? Both users are members of Domain Users in my LDAP entries though...
Kind Regards, Konsti
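Reading a userenv.log by hand is tedious once more than one logon is in it, and the two traces above differ in only a few lines (the "User is a ..." classification and whether ntuser.dat was found). The following is an added example for this thread, not code from the original post, from Microsoft or from the Samba project: it splits a userenv.log into LoadUserProfile calls, each starting at a "====" separator line, and extracts per call the user name, the profile path, the role lines and the outcome of the ntuser.man/ntuser.dat probe, plus any Win32 error codes mentioned. The sample is a subset of the two traces quoted above, copied verbatim; the error names for codes 2 (ERROR_FILE_NOT_FOUND) and 1355 (ERROR_NO_SUCH_DOMAIN) are the standard Win32 values. The log line format matched here is the one visible in the traces; other userenv.log variants may need the regexes adjusted.

```python
import re

# Standard Win32 error codes that appear in these traces.
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 1355: "ERROR_NO_SUCH_DOMAIN"}

# Constructed sample: a subset of the two traces quoted in the thread, copied verbatim.
SAMPLE_LOG = r"""USERENV(b8.a0) 17:11:29:781 ========================================================
USERENV(b8.a0) 17:11:29:781 LoadUserProfile: Entering, hToken = <0x50>, lpProfileInfo = 0x6f648
USERENV(b8.a0) 17:11:29:781 LoadUserProfile: lpProfileInfo->lpUserName = <XXXXXXX_user>
USERENV(b8.a0) 17:11:29:781 LoadUserProfile: lpProfileInfo->lpProfilePath = <\\pferdekopfnebel\profiles\XXXXXXX_user\Win2K>
USERENV(b8.a0) 17:11:29:781 GetUserGuid: Failed to get user guid with 1355.
USERENV(b8.a0) 17:11:29:796 CheckXForestLogon : CheckUserInMachineForest failed with 1355
USERENV(b8.a0) 17:11:29:906 RestoreUserProfile: User is a Guest
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Testing <\\pferdekopfnebel\profiles\XXXXXXX_user\Win2K\ntuser.man>
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Profile is not reachable, error = 2
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Testing <\\pferdekopfnebel\profiles\XXXXXXX_user\Win2K\ntuser.dat>
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Profile is not reachable, error = 2
USERENV(b8.a0) 17:11:29:906 IsCentralProfileReachable: Ok to create a user profile.
USERENV(b8.a0) 17:11:29:906 RestoreUserProfile: Central Profile is roaming
USERENV(b8.a0) 17:11:55:421 ========================================================
USERENV(b8.a0) 17:11:55:421 LoadUserProfile: Entering, hToken = <0x1f0>, lpProfileInfo = 0x6f648
USERENV(b8.a0) 17:11:55:421 LoadUserProfile: lpProfileInfo->lpUserName = <XXXXXXX_admin>
USERENV(b8.a0) 17:11:55:421 LoadUserProfile: lpProfileInfo->lpProfilePath = <\\pferdekopfnebel\profiles\XXXXXXX_admin\Win2K>
USERENV(b8.a0) 17:11:55:437 GetUserGuid: Failed to get user guid with 1355.
USERENV(b8.a0) 17:11:55:546 RestoreUserProfile: User is a Guest
USERENV(b8.a0) 17:11:55:546 RestoreUserProfile: User is a Admin
USERENV(b8.a0) 17:11:55:546 IsCentralProfileReachable: Testing <\\pferdekopfnebel\profiles\XXXXXXX_admin\Win2K\ntuser.man>
USERENV(b8.a0) 17:11:55:546 IsCentralProfileReachable: Profile is not reachable, error = 2
USERENV(b8.a0) 17:11:55:546 IsCentralProfileReachable: Testing <\\pferdekopfnebel\profiles\XXXXXXX_admin\Win2K\ntuser.dat>
USERENV(b8.a0) 17:11:55:562 IsCentralProfileReachable: Found a user profile.
USERENV(b8.a0) 17:11:55:562 RestoreUserProfile: Central Profile is roaming"""

# "USERENV(pid.tid) hh:mm:ss:ms <body>"; the body is either "====" or "Function: message".
LINE_RE = re.compile(r"^USERENV\([0-9a-f]+\.[0-9a-f]+\) (\d\d:\d\d:\d\d:\d+) (.*)$")
FUNC_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")
ERROR_RE = re.compile(r"(?:with|error =) (\d+)")
FIELD_RE = re.compile(r"lpProfileInfo->(lpUserName|lpProfilePath) = <(.*)>")


def parse_userenv(lines):
    """Split a userenv.log into LoadUserProfile calls (each begins at a '====' separator)
    and return one dict per call: user, profile_path, roles, outcome, errors."""
    calls, cur = [], None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group(2)
        if body.startswith("="):
            cur = {"user": None, "profile_path": None, "roles": [], "outcome": "unknown", "errors": []}
            calls.append(cur)
            continue
        f = FUNC_RE.match(body)
        if cur is None or not f:
            continue                    # lines before the first separator have no call to belong to
        func, msg = f.groups()
        if func == "LoadUserProfile":
            field = FIELD_RE.match(msg)
            if field:
                cur["user" if field.group(1) == "lpUserName" else "profile_path"] = field.group(2)
        elif func == "RestoreUserProfile" and msg.startswith("User is a "):
            cur["roles"].append(msg[len("User is a "):])
        elif func == "IsCentralProfileReachable" and msg.startswith("Found a user profile"):
            cur["outcome"] = "existing profile found"
        elif func == "IsCentralProfileReachable" and msg.startswith("Ok to create"):
            cur["outcome"] = "no ntuser.dat yet, new profile will be created"
        e = ERROR_RE.search(msg)
        if e:
            code = int(e.group(1))
            cur["errors"].append((func, code, WIN32_ERRORS.get(code, "unknown")))
    return calls


def role_differences(calls):
    """Return the 'User is a ...' roles that not every call shares (e.g. {'Admin'})."""
    role_sets = [set(c["roles"]) for c in calls]
    return set.union(*role_sets) - set.intersection(*role_sets) if role_sets else set()


if __name__ == "__main__":
    calls = parse_userenv(SAMPLE_LOG.splitlines())
    for c in calls:
        print(f"{c['user']}: roles={c['roles']} outcome={c['outcome']!r}")
        for func, code, name in c["errors"]:
            print(f"    {func}: {code} ({name})")
    print("roles not shared by every logon:", role_differences(calls))
```

On the sample, `role_differences` reports only `Admin`, and the two outcomes differ in the expected way (the admin's ntuser.dat exists, the user's does not), which narrows the comparison to the server side that produces the token groups rather than to the share or the client.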