Adam Fairhall
2002-Mar-25 17:49 UTC
[Samba] Roaming Profile, LDAP, samba PDC/(pseudo)BDC, and nt acl support
We too have experienced problems with loading Roaming profiles, but we have a purely samba server environment: a PDC and multiple local masters (BDCs).

- This has only happened since we switched to using LDAP for authentication
- Only a problem if the server copy of the profile is newer than the local copy (otherwise it doesn't even try to copy)
- if you kill off the smbd process before the user logs off, then get them to log back on again, then the next login works properly, but this only seems to happen if the login script is run; not having a login script just causes you to always have a problem.

However setting nt acl support = no for the profile share fixes the profile loading problems.

In addition to the profile loading problem, since we have switched to LDAP we are having an issue where the first attempt to log off doesn't work unless you go ctrl-alt-del, log off. ie Alt-F4 logoff and logoff from the start menu partly log you off (no icons on the desk, no start bar) you have to go ctrl-alt-del, log off to log off properly. This also seems to apply to shutdown/restart.

We have not tested this with anything other than Win2KSP2.

Is anyone else experiencing/not experiencing these problems for the same type of environment?

Thanks
Adam :->
Adam Fairhall
2002-Mar-25 18:41 UTC
[Samba] RE: Roaming Profile, LDAP, samba PDC/(pseudo)BDC, and nt acl support
> In addition to the profile loading problem, since we have switched to
> LDAP we are having an issue where the first attempt to log off doesn't
> work unless you go ctrl-alt-del, log off. ie Alt-F4 logoff and logoff
> from the start menu partly log you off (no icons on the desk, no start
> bar) you have to go ctrl-alt-del, log off to log off properly. This
> also seems to apply to shutdown/restart.

Turns out it doesn't matter which log off method you use. The first time you hit ctrl-alt-del nothing seems to happen, but you can then log off however you want or hit ctrl-alt-del again to get up the regular win2k windows security dialogue box. I was putting this down to not striking the keys properly.

Thanks
Adam :->
Adam Fairhall
2002-Mar-27 16:44 UTC
[Samba] RE: Roaming Profile, LDAP, samba PDC/(pseudo)BDC, and nt acl support
I've done some further testing cutting down the smb.conf file to the bare minimum and now only have a single pdc.

With ldap it is still necessary to ctrl-alt-del before you can logout, shutdown, etc properly. If you don't you end up with a blank screen and have to hit ctrl-alt-del and use the Windows Security Settings popup to logout, shutdown or reboot. The first time you hit ctrl-alt-del nothing seems to happen, the popup doesn't appear. This particular problem doesn't appear to be related at all to profiles.

If I switch to using a non ldap compiled samba (and remove the ldap lines from the smb.conf file) everything starts working smoothly.

I took the log level up to 256 in both ldap and nonldap versions and have the logs available, but since they're 1.5MB and 0.9MB respectively (compressed) I'll offer to forward them on to individuals rather than post them to the list.

In addition if you have ldap configured and 'map hidden' & 'map system' set to 'yes', you have the same problem and work around as appears in the README.Win2kSP2 file. ie you need to set 'nt acl support = no' for the profile share. As soon as you stop using ldap it no longer matters.

As far as environment goes the only things left that I could see affecting this are the versions we are using.

Samba 2.2.3a
Kernel 2.2.19 (debian potato)
OpenLDAP 2.0.18

the simplified smb.conf (with a couple of substitutions)

[global]
    workgroup = OPUS.CO.NZ
    netbios name = <hostname>
    encrypt passwords = Yes
    log level = 1
    log file = /var/samba/log.%m
    load printers = No
    domain admin group = root, @onv7
    logon path = \\%N\profile\%U
    logon drive = z:
    domain logons = Yes
    preferred master = True
    domain master = True
    wins support = Yes
    ldap server = <ldapserver>
    ldap port = 389
    ldap suffix = <base dn>
    ldap admin dn = <root dn>
    ldap ssl = no
    lock dir = /var/samba/locks
    NIS homedir = Yes
    read only = No

[homes]
    comment = homedrive of %U
    browseable = No

[profile]
    comment = User Profiles
    path = /var/samba/profile
    create mask = 0770
    directory mask = 0770
    nt acl support = No
    browseable = No

and just in case from the slapd.conf file

#######################################################################
# access control
#######################################################################

defaultaccess read

access to attrs=lmPassword,ntPassword
    by dn=<root dn> write
    by * none

access to filter=(mailentry=no)
    by * none

access to attr=userpasswd
    by * compare

access to dn=<base dn>
    by self write
    by * read

Thanks
Adam :->