samba - Sep 2004 - Roaming Profiles:Samba PDC:WinXP:User must be local admin

I'm having a problem with Roaming profiles in Windows XP with Samba as PDC.
I've googled and trolled the mailing lists and read the Samba documentation.

Problem:
User logs onto domain from WinXP client and profile is downloaded (you can 
tell because it takes a long time and lights on hub are lit up).  However, 
unless that user is in the admin group locally, all/some of the profile 
isn't loaded.  eg, Desktop wallpaper, WinXP theme,  start menu settings, 
etc. are not loaded.  No error is given.  No cached or default profile is 
loaded.   If user is added to local admin group before-hand. everything is 
O.K.  If user is subsequently removed from admin group, problem happens 
again at next login.

What I've tried:
Upgrade Samba from 2.2 to 3 (currently 3.0.7).
Set the "Check ownership of profile" option to "disabled" on
WinXP client
local policy (grpedit.msc)
Check ownership and permissisions on the samba server (though these still 
might not be set properly).

System configuration:
Server:
RH9 (all packages updated)
Samba 3.0.7 (from rpm) (problem happened with 2.2 as well)
I would post smb.conf, but I don't have it right now.  I can post it later, 
though.

Clients:
WinXP Pro SP2 (problem happened with pre sp1, & sp1a as well).

I'm not sure if this is an issue with on the samba/linux end or the win xp 
client end.  The same problem happens on both of my win xp clients.  If it 
is on the samba end, I'm wondering if it's related to
ownership/permissions
not being quite right.   It is as if being admin on the local box allows you 
to override whatever the problem is.

Any help is appreciated.  I'll post more info along with smb.conf if anyone 
wants to see it.

_________________________________________________________________
Check out Election 2004 for up-to-date election news, plus voter tools and 
more! http://special.msn.com/msn/election2004.armx

sith lord wrote:
> I'm having a problem with Roaming profiles in Windows XP with Samba as 
> PDC.  I've googled and trolled the mailing lists and read the Samba 
> documentation.
>
> Problem:
> User logs onto domain from WinXP client and profile is downloaded (you 
> can tell because it takes a long time and lights on hub are lit up).  
> However, unless that user is in the admin group locally, all/some of 
> the profile isn't loaded.  eg, Desktop wallpaper, WinXP theme,  start 
> menu settings, etc. are not loaded.  No error is given.  No cached or 
> default profile is loaded.   If user is added to local admin group 
> before-hand. everything is O.K.  If user is subsequently removed from 
> admin group, problem happens again at next login. 
I have EXACTLY the same problem!!!!

TMS III
>
>
> What I've tried:
> Upgrade Samba from 2.2 to 3 (currently 3.0.7).
> Set the "Check ownership of profile" option to
"disabled" on WinXP
> client local policy (grpedit.msc)
> Check ownership and permissisions on the samba server (though these 
> still might not be set properly).
>
> System configuration:
> Server:
> RH9 (all packages updated)
> Samba 3.0.7 (from rpm) (problem happened with 2.2 as well)
> I would post smb.conf, but I don't have it right now.  I can post it 
> later, though.
>
> Clients:
> WinXP Pro SP2 (problem happened with pre sp1, & sp1a as well).
>
> I'm not sure if this is an issue with on the samba/linux end or the 
> win xp client end.  The same problem happens on both of my win xp 
> clients.  If it is on the samba end, I'm wondering if it's related
to
> ownership/permissions not being quite right.   It is as if being admin 
> on the local box allows you to override whatever the problem is.
>
> Any help is appreciated.  I'll post more info along with smb.conf if 
> anyone wants to see it.
>
> _________________________________________________________________
> Check out Election 2004 for up-to-date election news, plus voter tools 
> and more! http://special.msn.com/msn/election2004.armx
>

This worked for me:

(1) Log in as a local administrator on one of the XP clients
(2) Create a temporary user, eg test_user1
(3) System Properties->Advanced->User Profiles:Settings button
(4) Choose the profile you're trying to migrate and click Copy To
(5)  Pick some temporary directory, eg c:\test
(6)  Under "Permitted to use, click change, and add your temporary user
(7)  Click ok and ok again, and wait while the profile is copied to
c:\test.  Windows has now added test_user1's SID to NTUSER.DAT in
c:\test
(8)  log out and log back in as test_user1, to allow test_user1's
profile to be set up.
(9)  log out and log back in as a local administrator
(10) manually copy the contents of c:\test over top of test_1's
profile in c:\Documents &...\test_user1\, or the directory where
test_user1's profile was created.
(11) log out and log back in as test_user1 to verify the profile loads properly
(12) log out and log back in as a local admin and repeat steps 3
through 6, except instead of adding test_user1 under "Permitted to
use", add your domain user.  Allow the profile to be copied to
c:\test.  Windows has now added the sid for your domain user to
NTUSER.DAT (I don't know if the other SIDs are there as well or not).
(13)  At this point it is vital to make sure the domain user is not
logged in on any machine otherwise NTUSER.DAT will be overwritten when
they log out.  Backup the server copy of NTUSER.DAT
(14) copy c:\test\NTUSER.DAT to your server under the appropriate
user's profile.
(15) log out and log back in as the domain user.  It should work.

This way worked for me and preserved all of the profile's
custmizations.  I didn't try the profiles program (see man profiles)
because I couldn't find that binary on my system.  However this seems
to work perfectly.  Admittedly if you have more than a few users to
migrate, this could be cumbersome.  Paul Geinger's suggestion is much
fewer steps.  Your mileage may vary.

Thanks for everyone's help
----- Original Message -----
From: Thomas M. Skeren III <tms3@fskklaw.com>
Date: Wed, 29 Sep 2004 13:17:16 -0700
Subject: Re: [Samba] Roaming Profiles:Samba PDC:WinXP:User must be local admin
To: Zach <uid000@gmail.com>

 See Paul Geingers email on this subject.  That method works perfectly.  WooHoo!


 
 Zach wrote:
 
 Tom, Can't wait to find out what you learn. In the mean time, a quick
google search turned up this:
http://www.samba.org/samba/docs/man/profiles.1.html Unfortunately I
don't have this package installed on this system, so I don't have the
man page or the profiles command right now. On Wed, 29 Sep 2004
10:46:14 -0700, Tom Skeren <tms3@fskklaw.com> wrote:
 Zach wrote: 
 We just experimented with this here at work. As administrator we
manually deleted the profile of a user at replaced it with a manual
copy of another user's profile, and the problem was reproduced
exactly. When we subsquently deleted NTUSER.DAT and logged in again,
NTUSER.DAT was rebuilt using the default profile and the profile
loaded properly. Evidently the SID recorded in NTUSER.DAT has to match
the user's sid or it won't load properly. Good news Zach. I'm off to
the office to give it a go myself. Should give a preliminary response
by noon PST. Cheers, TMS III

yeah it was long, but I didn't have the profiles command, plus I
didn't know how to figure out the old sid to tell it to replace.  for
only two users, it really wasn't too bad.

if all you want to do is physically get the profile onto the server
then run profiles on it to head off any problems, then do what I did
to begin with and just manually copy the entire directory over the
network.  I believe the reason this is considered "bad" is because of
the problems presented by ntuser.dat not matching up against the user,
but it seems that's what profiles is for.

I just don't know how to find out what the old sid is you're looking
for.  I've heard there's a tool on sysinternals.com to do just that
though, so maybe there's good luck there.


On Wed, 29 Sep 2004 17:27:46 -0500, Misty Stanley-Jones
<misty@borkholder.com> wrote:
> Wow, this does seem long.  Mainly all I want to know is why I can't
change my
> user's profile type from local to roaming, or copy it, or anything. 
This is
> when I'm logged in as administrator or a domain administrator or
anyone.  I
> know that it's a problem with Windows, not with Samba.  But I can't
even get
> the NTUSER.DAT into an appropriate place to run the really cool looking
> 'profiles' command on it.
> 
> Misty
>