samba - Mar 2003 - XP "logon failure" but still logs on -- no roaming profile

I'm having a problem with roaming domains on Samba v3.0-alpha21.  I've
connected the machine (watertown) to the domain (precidia) via the
server (griffon).  I've logged on with my userid (bcwhite) and seen
my roaming profile get created on the server upon logoff.  Future logons
grab the roaming profile and everything is fine.

However, _sometimes_ I get a window with the message:

  Windows cannot locate the server copy of your roaming profile and is
  attempting to log you on with your local profile.

  Changes to the profile will not be copied to the server when you logoff. 
  Possible causeses of this error include network probelms or insufficient
  security rights.  If this problem persists, contact your network
  administrator.

  DETAIL - logon failure: unknown user name or bad password

However, the system continues to log me on (presumably with the local copy
of my profile).  Upon logoff, the copy of my profile on the samba server
is not updated.


I know I'm using the correct password.  If I try the wrong password, I get
a different window and no logon:

  The system could not log you on.  Make sure your User name and domain are
  correct, then type your password again.  Letters in passwords must be typed
  using he correct case.


What I don't understand is why this only happens sometimes.  I rebooted
and then was able to log in fine.  Log out, log in fine.  Log out, log
in fails.  Reboot.  Log in fine, log out, log in fails every time until I
reboot again.  I don't understand.

I had logging set to level 200 and captured the following logs.

	start samba
	login (fail)	http://bcwhite.dhs.org/~bcwhite/log.smbd-err.gz
	reboot
	login (okay)	http://bcwhite.dhs.org/~bcwhite/log.smbd-ok.gz
	logout
	login (okay)
	logout
	login (fail)
	logout
	login (fail)
	[...]
	reboot
	login (okay)
	logout
	login (fail)
	stop samba	http://bcwhite.dhs.org/~bcwhite/log.smbd-full.gz

Note, the log files are 72kB, 121kB, and 4.3MB (compressed), respectively.

All help very much appreciated!

                                          Brian
                                 ( bcwhite@precidia.com )

-------------------------------------------------------------------------------
        DEFN: Computer - A device designed to speed and automate errors.

Are you auth-ing to your Pdc via a routed link? and do you have
effectively a Bdc on your local lan with a "profile" share enabled?
This had me stuffed for ages, disable profile share on Bdc "fixed" my
intermittant xp-pro domain logon problem. hope this helps.
regards
Richard Coates.

On Wed, 2003-03-05 at 09:07, Brian White wrote:
> I'm having a problem with roaming domains on Samba v3.0-alpha21. 
I've
> connected the machine (watertown) to the domain (precidia) via the
> server (griffon).  I've logged on with my userid (bcwhite) and seen
> my roaming profile get created on the server upon logoff.  Future logons
> grab the roaming profile and everything is fine.
> 
> However, _sometimes_ I get a window with the message:
> 
>   Windows cannot locate the server copy of your roaming profile and is
>   attempting to log you on with your local profile.
> 
>   Changes to the profile will not be copied to the server when you logoff. 
>   Possible causeses of this error include network probelms or insufficient
>   security rights.  If this problem persists, contact your network
>   administrator.
> 
>   DETAIL - logon failure: unknown user name or bad password
> 
> However, the system continues to log me on (presumably with the local copy
> of my profile).  Upon logoff, the copy of my profile on the samba server
> is not updated.
> 
> 
> I know I'm using the correct password.  If I try the wrong password, I
get
> a different window and no logon:
> 
>   The system could not log you on.  Make sure your User name and domain are
>   correct, then type your password again.  Letters in passwords must be
typed
>   using he correct case.
> 
> 
> What I don't understand is why this only happens sometimes.  I rebooted
> and then was able to log in fine.  Log out, log in fine.  Log out, log
> in fails.  Reboot.  Log in fine, log out, log in fails every time until I
> reboot again.  I don't understand.
> 
> I had logging set to level 200 and captured the following logs.
> 
> 	start samba
> 	login (fail)	http://bcwhite.dhs.org/~bcwhite/log.smbd-err.gz
> 	reboot
> 	login (okay)	http://bcwhite.dhs.org/~bcwhite/log.smbd-ok.gz
> 	logout
> 	login (okay)
> 	logout
> 	login (fail)
> 	logout
> 	login (fail)
> 	[...]
> 	reboot
> 	login (okay)
> 	logout
> 	login (fail)
> 	stop samba	http://bcwhite.dhs.org/~bcwhite/log.smbd-full.gz
> 
> Note, the log files are 72kB, 121kB, and 4.3MB (compressed), respectively.
> 
> All help very much appreciated!
> 
>                                           Brian
>                                  ( bcwhite@precidia.com )
> 
>
-------------------------------------------------------------------------------
>         DEFN: Computer - A device designed to speed and automate errors.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

> maybe running tcpdump will reveal something?
Not a sausage.  There wasn't a single packet from the XP machine or the
samba server that went to the other server during either a successful
login or a problematic one.

Any other ideas?  I'm fresh out.  Did you look at the log files I provided
in the original message?  I'm afraid I don't know them well enough to
notice if something is missing.

-- Brian

> On Sat, 2003-03-08 at 01:12, Brian White wrote:
> > > Are you auth-ing to your Pdc via a routed link? and do you have
> > > effectively a Bdc on your local lan with a "profile"
share enabled?
> > > This had me stuffed for ages, disable profile share on Bdc
"fixed" my
> > > intermittant xp-pro domain logon problem. hope this helps.
> > > regards
> >
> > The two machines are directly connected on an Ethernet subnet.  In
fact,
> > there is nothing on that ethernet segment other than those two
machines.
> > The server has another ethernet that talks with the internet firewall
and
> > another server managing a different workgroup (not domain) of Win98
hosts.
> > I'll take a look to see if the XP host is trying to contact that
other
> > server at all.  It certainly doesn't have a "profile"
share, though.
> >
> > There is no BDC yet.  My plan is to make each subnet server similar
enough
> > that if one fails I can just move its subnets to other server which
would
> > allow people to work uninterrupted until a replacement can be brought
on-line.
> >
> > -- Brian
                                          Brian
                                 ( bcwhite@precidia.com )

-------------------------------------------------------------------------------
                  Lottery: a tax on people who are bad at math

> sorry I've deleted your original message... ahh maybe we need to start
> again. Could I suggest you follow the diagnostic procedure in the docs.
> From memory its diagnosis.txt ..its very logical and explains things as
> you go. Then we'll have something to go on.
Attached is the original message I posted (including the links to the log
file captures I made).

>From the Diagnosis File  (everything looks good to me)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Test1:	no errors (one warning about some share names being longer than 8
	characters)

Test2:	Both machines can ping the other (time=0.5ms).

Test3:	Anonymous login successful (no password).  All shares are shown.
	The client can map and access all drives.

Test4:	Primary IP address of server is returned.  The client sits on a
	second ethernet card and thus different subnet that the primary
	address, but this doesn't seem to make any difference.  The server
	has no firewall rules and forwards all packets between interfaces.

Test5:	The client IP address is returned correctly.

Test6:	This did a broadcast test on the primary ethernet interface and
	thus received responses from the two servers (the local machine
	and one other) instead of a response from the client on the second
	ethernet subnet.  I added a "-B 10.0.3.63" (6 bit subnet) and then
	received a response from the client XP machine.

Test7:	Connection to "tmp" works with both anonymous (guest) login and
for
	a real userid.

Test8:	The "net view" works when logged in to the XP client as me, but
not
	when logged in as Administrator.  It also worked when telnetting in
	to cygwin as root.

Test9:	Connection to \\BIGSERVER\TMP worked fine though I was not prompted
	for a password.  I was able to create and delete a file from the
	mapped directory.

Test10:	The server was found as the master browser.  Again, I had to add
	"-B 10.0.3.63" to get it to look on the secondary ethernet.

Test11:	The XP client can browse the server and see shares.  It sees it under
	"My Network Places/Entire Network/Microsoft Windows Network/precidia"
	but I assmue this is correct.  Also at the same level as the
	"precidia" domain is "workgroup" which is the workgroup
(not
	domain) managed by the other server.  Clicking on that shows
	no machines under that workgroup even though the other server
	knows about many.

                                          Brian
                                 ( bcwhite@precidia.com )

-------------------------------------------------------------------------------
   Tired of spam?  See what you can do to fight it at: http://www.cauce.org/

> so if you reboot you get a successful logon? xp -pre sp1 ?
Usually, yes.  I did get one case where it did not but the computer had been
on for a while before I tried to log on.

SP1 was installed.  I just did another update of all critical updates but
it made no difference.  After I reboot, I could logon, logoff, logon, logoff,
but the third time I tried to logon, I got the error.

On a hunch, I tried removing everything from the logon.bat script.  It
didn't help, though.  After a reboot, I could logon/off three times and
then I started getting the error.  Continuing logon/logoff sequences shows
no discernable pattern, though it only fails about 1/2 to 1/3 of the tries.

After restoring the content of the logon.bat file, the logon process fails
much more often but not every time.  I began to wonder if it had something
to do with network activity/idle periods since when I was typing results
in to this message, it seemed that the next logon attempt would work.

Taking a more patient approach to this, I've discovered that the problem is
at least somewhat related to how long I stay logged in.  With the full
login.bat content (because it makes the problem more obvious) I've
discovered
that:

 - Logout immediately after logon (waiting for logon.bat to complete first)
   causes a logon failure every time.

 - Waiting 20 seconds after a logon failure before logout will ensure that
   the next logon attempt is successful.  Waiting only 10 seconds is not
   enough.  The next logon  attempt(after one that was successful) will fail
   even if I again wait over 30 _minutes_ before logout.

 - Waiting at the "press CTRL-ALT-DELETE to logon" prompt, even up to
60
   seconds, does not help; it fails every time.

Attached is the "logon.bat" file renamed to "logon.txt" so
it doesn't get
stripped by any virus scanners.  In addition to mapping a number of network
drives, it also tries to map H: to /home/userid (if it exists) or to the
users home computer on the network if they're logging in to a different
machine (sort of like a unix automounter would do for home directories on
different machines).

                                          Brian
                                 ( bcwhite@precidia.com )

-------------------------------------------------------------------------------
   Tired of spam?  See what you can do to fight it at: http://www.cauce.org/
-------------- next part --------------
:-net accounts /forcelogoff:no /minpwlen:4 /minpwage:0 /maxpwage:unlimited
/uniquepw:5

:-
:- Mount the home directory
:-
net use h: /d
subst h: /d

if exist C:\Home\%USERNAME%\nul.x goto localhome

:nethome
call "%USERPROFILE%\Network\homedir.bat"
goto donehome

:localhome
subst h: C:\Home\%USERNAME%
mkdir "%USERPROFILE%\Network"
echo net use h: \\%COMPUTERNAME%\home\%USERNAME% /persistent:no /yes
>"%USERPROFILE%\Network\homedir.bat"
goto donehome

:donehome


:-
:- Mount network drives
:-
net use o: \\share\office2000p /persistent:no /yes
net use p: \\share\precidia /persistent:no /yes
net use s: \\share\win32 /persistent:no /yes
net use t: \\ftp\ftp /persistent:no /yes
net use x: \\share\tmp /persistent:no /yes


:-
:- Set some environment variables
:-
mkdir C:\tmp\%USERNAME%
s:\bin\setx TEMP C:\tmp\%USERNAME%
s:\bin\setx TMP C:\tmp\%USERNAME%
:- s:\bin\setx HOMEDRIVE H:


:-
:- Update the computers clock
:-
net time \\share /set /yes

Brian,

Did you try a plain and simple logon.bat first, like
-------------------------------------
@ECHO OFF
NET USE X: \\share\tmp /persistent:no
-------------------------------------
just to make sure your logon.bat isn't faulty ? You could even use a
"logoff.bat" (net use * /delete ...) if you suspect the mapped drives
to
cause the errors.
> net use o: \\share\office2000p /persistent:no /yes
Wonder what's the /yes switch for, doesn't seem to be documented in the
XP
net use "manual page" (?)
> net time \\share /set /yes
At least on Win2k workstations your users need power user privileges to
change or set time service settings. As local administrator do the
following:
- net stop w32time (in case the service is running)
- net time /setsntp:192.168.x.x
- net start w32time (and/or change service start type)


Any errors or warnings in your workstations logs?

The XP/Win2k profile issue has been discussed in recent threads, so we added
"nt acl support = No" to stop local caching of roaming profiles in our
Win2k
only domain:

[netlogon]
  comment = ...
  path = /usr/local/samba/netlogon
  root preexec = /usr/local/samba/scripts/genlogon.pl %u %g %m
  root postexec = /usr/local/samba/scripts/genlogoff.pl %u
  read only = No 
  browseable = No 
  guest ok = Yes
  locking = No

[profile]
  comment = ...
  path = /profile/NT5
  read only = No
  guest ok = No
  browseable = No
  # fix for Win2k >= SP2:
  nt acl support = No
  # fix for XP >= SP1:
  #csc policy = disable
  #share modes = No

Good luck,
Uli