Adam Fairhall
2002-Mar-25 17:49 UTC
[Samba] Roaming Profile, LDAP, samba PDC/(pseudo)BDC, and nt acl support
We too have experienced problems with loading Roaming profiles, but we have a purely samba server environment: a PDC and multiple local masters (BDCs).

- This has only happened since we switched to using LDAP for authentication
- Only a problem if the server copy of the profile is newer than the local copy (otherwise it doesn't even try to copy)
- If you kill off the smbd process before the user logs off, then get them to log back on again, then the next login works properly, but this only seems to happen if the login script is run; not having a login script just causes you to always have a problem.

However, setting nt acl support = no for the profile share fixes the profile loading problems.

In addition to the profile loading problem, since we have switched to LDAP we are having an issue where the first attempt to log off doesn't work unless you go ctrl-alt-del, log off. i.e. Alt-F4 logoff and logoff from the start menu partly log you off (no icons on the desk, no start bar); you have to go ctrl-alt-del, log off to log off properly. This also seems to apply to shutdown/restart.

We have not tested this with anything other than Win2KSP2.

Is anyone else experiencing/not experiencing these problems for the same type of environment?

Thanks
Adam
:->
Adam Fairhall
2002-Mar-25 18:41 UTC
[Samba] RE: Roaming Profile, LDAP, samba PDC/(pseudo)BDC, and nt acl support
> In addition to the profile loading problem, since we have switched to
> LDAP we are having an issue where the first attempt to log off doesn't
> work unless you go ctrl-alt-del, log off. ie Alt-F4 logoff and logoff
> from the start menu partly log you off (no icons on the desk, no start
> bar) you have to go ctrl-alt-del, log off to log off properly. This
> also seems to apply to shutdown/restart.

Turns out it doesn't matter which log off method you use. The first time you hit ctrl-alt-del nothing seems to happen, but you can then log off however you want or hit ctrl-alt-del again to get up the regular win2k windows security dialogue box. I was putting this down to not striking the keys properly.

Thanks
Adam
:->
Adam Fairhall
2002-Mar-27 16:44 UTC
[Samba] RE: Roaming Profile, LDAP, samba PDC/(pseudo)BDC, and nt acl support
I've done some further testing cutting down the smb.conf file to the
bare minimum and now only have a single pdc. With ldap it is still
necessary to ctrl-alt-del before you can logout, shutdown, etc
properly. If you don't you end up with a blank screen and have to hit
ctrl-alt-del and use the Windows Security Settings popup to logout,
shutdown or reboot.
The first time you hit ctrl-alt-del nothing seems to happen, the popup
doesn't appear. This particular problem doesn't appear to be related at
all to profiles.
If I switch to using a non ldap compiled samba (and remove the ldap
lines from the smb.conf file) everything starts working smoothly. I
took the log level up to 256 in both ldap and nonldap versions and have
the logs available, but since they're 1.5MB and 0.9MB respectively
(compressed) I'll offer to forward them on to individuals rather than
post them to the list.
In addition if you have ldap configured and 'map hidden' & 'map system'
set to 'yes', you have the same problem and work around as appears in
the README.Win2kSP2 file. ie you need to set 'nt acl support = no' for
the profile share. As soon as you stop using ldap it no longer matters.
As far as environment goes the only things left that I could see
affecting this are the versions we are using.
Samba 2.2.3a
Kernel 2.2.19 (debian potato)
OpenLDAP 2.0.18
the simplified smb.conf (with a couple of substitutions)
[global]
workgroup = OPUS.CO.NZ
netbios name = <hostname>
encrypt passwords = Yes
log level = 1
log file = /var/samba/log.%m
load printers = No
domain admin group = root, @onv7
logon path = \\%N\profile\%U
logon drive = z:
domain logons = Yes
preferred master = True
domain master = True
wins support = Yes
ldap server = <ldapserver>
ldap port = 389
ldap suffix = <base dn>
ldap admin dn = <root dn>
ldap ssl = no
lock dir = /var/samba/locks
NIS homedir = Yes
read only = No
[homes]
comment = homedrive of %U
browseable = No
[profile]
comment = User Profiles
path = /var/samba/profile
create mask = 0770
directory mask = 0770
nt acl support = No
browseable = No
and just in case from the slapd.conf file
#######################################################################
# access control
#######################################################################
defaultaccess read
access to attrs=lmPassword,ntPassword
        by dn=<root dn> write
        by * none
access to filter=(mailentry=no)
        by * none
access to attr=userpasswd
        by * compare
access to dn=<base dn>
        by self write
        by * read
Thanks
Adam
:->