Due to hardware failure we had a rushed migration from a Samba v3.0.9 on
FreeBSD 4, to v3.0.10 on Mandrake Linux 10.1. Since then I have had
problems getting roaming profiles to work for new users. Things works
fine for existing users, but things are broken for new ones. The setup
is a fairly standard Samba PDC with Windows XP clients.
When users added since the upgrade log in, they then do not get proper
use of roaming profiles. They get the following error and a temporary
local profile.
"Windows cannot locate the server copy of your roaming profile and is
attempting to log you on with your local profile. Changes to the profile
will not be copied to the server when you logoff. Possible causes of
this error include network problems or insufficient security rights. If
this problem persists, contact your network administrator. DETAIL - The
filename, directory name, or volume label syntax is incorrect."
I'm not sure if there has been change in some defaults, or something
related to the change in OS, or if there is a less than obvious config
change that I have made accidentally. I've turned up debugging to 10,
but there doesnt seem to be any error in the samba logs that I can
relate to the windows error.
Previously, new users seemed to get a default profile (from the local
machine, I guess) and a profiles directory on the server would get
created on logout. I don't need to do anything with mandatory profiles;
all I want is user settings to be synced to the server.
smb.conf extract follows. I can post other diagnostic information as
required.
==================================
[global]
netbios name = samba.uk
netbios aliases = samba
workgroup = DOMAIN-NAME
server string = Samba file server
hosts allow = 10.3. 127.0.0.1
bind interfaces only = yes
load printers = no
log file = /var/log/samba/%m.log
max log size = 50000
log level = 10
syslog = 0
security = user
encrypt passwords = yes
update encrypted = Yes
passdb backend = tdbsam
private dir = /etc/samba/private
socket options = TCP_NODELAY
local master = yes
os level = 99
domain master = yes
preferred master = yes
wins support = yes
dns proxy = yes
domain logons = yes
logon script = logon.bat
admin users = administrator
logon path = "\\samba.uk\profiles\%U"
create mask = 0670
directory mask = 0770
inherit permissions = Yes
time server = yes
[profiles]
path = /home/samba/profiles
browseable = yes
directory mode = 0700
create mode = 0600
writable = yes
profile acls = yes
csc policy = disable
Jon Wilson wrote:> I'm not sure if there has been change in some defaults, or something > related to the change in OS, or if there is a less than obvious config > change that I have made accidentally. I've turned up debugging to 10, > but there doesnt seem to be any error in the samba logs that I can > relate to the windows error.Supplementary: The following error looks like it might be relevant, but I'm not sure how to fix it: [2005/05/05 10:45:06, 5] auth/auth_util.c:debug_nt_user_token(486) NT user token: (NULL) [2005/05/05 10:45:06, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2005/05/05 10:45:06, 3] rpc_server/srv_util.c:get_domain_user_groups(296) get_user_groups: failed to convert gid 5004 to a domain group! [2005/05/05 10:45:06, 1] rpc_server/srv_util.c:get_domain_user_groups(298) get_domain_user_groups: primary gid of user [tnafxm] is not a Domain group ! get_domain_user_groups: You should fix it, NT doesn't like that [2005/05/05 10:45:06, 3] rpc_server/srv_util.c:get_domain_user_groups(296) get_user_groups: failed to convert gid 8097 to a domain group! [2005/05/05 10:45:06, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (10078, 10078) - sec_ctx_stack_ndx = 0 Jon
Further supplementary:
I now have a test machine set up, with pretty much the defualt Mandrake
config (see below). My WinXP SP2 PC joins the TEST domain happily, and
has no profiles for this domain on it yet.
I can authenticate fine as a normal user, but I cannot do anything sane
related to profiles. I just get "Cannot locate server copy of roaming
profile" followed by "Access Denied" and a temporary profile. If
I have
a "Default User" profile under the netlogon share, this gets loaded
into
the temporary profile, which is something I guess, but not really very
useful in terms of saving settings on exit.
Does ANYONE have roaming profiles working under Samba 3.0.10, preferably
on Mandrake Linux with WinXP SP2 clients? I'm tearing my hair out here!
How can I find out what the "Access Denied" error is referring to?
"TEST" PDC config follows:
#======================= Global Settings
[global]
workgroup = TEST
# netbios name = <name_of_this_server>
server string = Samba Server %v
load printers = no
log file = /var/log/samba/log.%m
max log size = 5000
log level = 5
guest account = nobody
map to guest = never
security = user
encrypt passwords = yes
passdb backend = tdbsam
private dir = /etc/samba/private
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = yes
preferred master = yes
domain logons = yes
logon script = logon.bat
logon path = \\%L\profiles\%u
logon drive = H:
wins support = yes
dns proxy = yes
#============================ Share Definitions
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain
Logons
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[profiles]
path = /var/lib/samba/profiles
browseable = no
guest ok = yes
writable = yes
root preexec = PROFILE='/var/lib/samba/profiles/%u'; if [ ! -e
$PROFILE ]; \
then mkdir -pm700 $PROFILE; chown '%u':'%g'
$PROFILE;fi
# This one is useful for people to share files
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
Jon Wilson wrote:> logon path = "\\samba.uk\profiles\%U"This should have been unquoted (which is what the docs say). Strangely, this worked fine quoted on our old server. Jon Wilson also wrote: > logon path = \\%L\profiles\%u This should have been uppercase U. Doh! All sorted now. Jon