Hi all,
I'm trying to configure Samba as a PDC. I have a problem when a Windows
client logs in; this is the error:
Windows cannot load the profile and is logging you on with a temporary
profile. Changes you make to this profile will be lost when you log off
I have samba-3.0.11 and smbldap-tools-0.8.8. I also tried samba-3.0.14
and smbldap-tools-0-9.1; I have the same problem on Gentoo and on Fedora
Core 4.
My configuration file, smb.conf:
[global]
workgroup = THEOREMATICA
netbios name = FERRARI
enable privileges = yes
interfaces = 10.88.77.201
bind interfaces only = yes
username map = /etc/samba/smbusers
server string = Samba PDC Server
hosts allow = 10.88.77.0/24 127.0.0.0/8
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
#unix password sync = Yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n
"*Retype new password*" %n\n"
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = STARTUP.BAT
#logon script
#logon drive = H:
logon drive
#logon home = \\%L\%U
logon home
#logon path = \\%L\profiles\%U
logon path
domain logons = Yes
#os level = 65
os level = 200
preferred master = Yes
domain master = Yes
wins support = Yes
name resolve order = wins lmhosts hosts bcast
dns proxy = no
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
ldap admin dn = cn=Manager,dc=theorematica,dc=it
ldap suffix = dc=theorematica,dc=it
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
#ldap ssl = start tls
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# printers configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[homes]
comment = Directory personale di %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = No
[netlogon]
path = /var/lib/samba/netlogon
browseable = No
read only = yes
[doc]
path=/usr/share/doc
public=yes
writable=no
read only=no
create mask = 0750
guest ok = Yes
[profiles]
path = /var/lib/samba/profiles
writable = yes
create mask = 0600
directory mask = 0700
# browseable = no
# default case = lower
# preserve case = no
# short preserve case = no
# case sensitive = no
# hide files = /desktop.ini/ntuser.ini/NTUSER.*/
# guest ok = no
#profile acls = Yes
# profile acls = No
# csc policy = disable
# next line is a great way to secure the profiles
# force user = %U
# next line allows administrator to access all profiles
#valid users = %U @"Domain Admins"
#valid users = %U
#root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; then mkdir -pm700 $PROFILE; chown %u:%g $PROFILE;fi
I tried most combinations of the commented options in the profiles section.
ls -la /var/lib/samba/profiles/
total 0
drwxr-x--- 4 root root 96 Jul 11 18:51 .
drwxr-xr-x 6 root root 144 Jun 23 21:16 ..
drwx------ 2 nicola Domain Users 48 Jul 11 18:20 nicola
drwx------ 2 test Domain Users 48 Jul 11 17:54 test
Please, any suggestions?
thanks
Nicola
My clients are Windows XP SP2, however there is the same function:
Start->Run->gpedit.msc
LocalComputerPolicy -> ComputerConfiguration -> AdministrativeTemplates -> System -> User Profile -> Do not check for user ownership of Roaming profiles
set to Enable
Now a basic PDC works :-), thanks
Nicola
P.S. If this is a common problem (I have this issue with different Samba versions on different distributions), maybe it would be a good idea to insert this issue in the Samba FAQ or in documentation such as Samba by Example or other official Samba docs (excuse me if it is already there).

?????????? ?????? ?????????? wrote:
>Hello Nicola,
>
>Monday, July 11, 2005, 8:16:16 PM, you wrote:
>
>if client = windows 2000
>try to Start -> Run -> gpedit.msc
>LocalComputerPolicy -> ComputerConfiguration ->
>AdministrativeTemplates -> System -> Logon -> Do not check for user
>ownership of Roaming profiles
>set to Enable
Hi Nicola,
with WinNT, Win2k or WinXP I need to change some permissions. Start the Group Policy editor (gpedit.msc) on the client machines and try to find the switch "Don't check for permissions on profile". I'm sorry but I don't own a Win32 machine right now. Your problem is that the Windows internal permission check fails on the Samba PDC profile.
Hope I could help.
Martin Petersen
Hi Nicola (again :),
I found what you were looking for:
some information in the Unofficial Samba HowTo
(http://hr.uoregon.edu/davidrl/samba.html) on XP Pro clients.
The extract follows:
############## EXTRACT ##############
Windows XP Clients
To force Windows XP Professional clients to accept Samba as a PDC, use
the built-in XP Group Policy editor (gpedit.msc) and locate the Computer
Configuration\Windows Settings\Security Settings\Local Policies\Security
Options branch. Make sure to disable the following policies:
Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally sign secure channel data (when possible)
Alternately, you can make the following change to the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000
To disable annoying Event Viewer notifications about "Automatic
certificate enrollment for local system failed to contact the active
directory" every eight hours, locate the Computer Configuration\Windows
Settings\Security Settings\Public Key Policies branch and select "Do not
enroll certificates automatically" under Autoenrollment Settings. Note
that this policy won't be available until after the XP machine has
joined the domain.
If you'd like to use Roaming Profiles with Windows XP clients that have
Service Pack 1 or later installed, use the built-in XP Group Policy
editor (gpedit.msc) and locate the Computer Configuration\Administrative
Templates\System\User Profiles branch. This is described in Microsoft's
Technet Q327462. Make sure to enable the following policy:
Do not check for user ownership of Roaming Profile Folders
Alternately, you can make the following change to the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001
Alternately as well, you can make the following addition to your
smb.conf file:
[profile]
profile acls = yes
Windows XP Home Edition does not support logging into a Primary Domain
Controller, so you'll have to use Windows XP Professional instead.
############## END EXTRACT ##############
Ciao,
Martin
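The ownership condition this thread turns on, as an added audit script that is not from the thread or from Samba: it walks a [profiles] share on the server and reports every profile directory that the Windows roaming-profile check would reject. The default path and the 0700 mode are taken from Nicola's smb.conf; GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Samba [profiles] share for
# the conditions the Windows roaming-profile loader enforces before it
# will use a folder: the directory must be owned by the user whose name
# it carries and must grant no access to group or others (mode 0700).
# The default path is the [profiles] path from Nicola's smb.conf.
# Assumes GNU stat (-c); on BSD/macOS use stat -f '%Su' and '%Lp'.

PROFILE_ROOT="${1:-/var/lib/samba/profiles}"

# audit_profiles ROOT
# Prints one line per violation; returns 1 if any were found, 2 if ROOT
# does not exist, 0 if every profile directory passes.
audit_profiles() {
    root="$1"
    [ -d "$root" ] || { echo "$root: no such directory"; return 2; }
    rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue          # no profile directories yet
        dir="${dir%/}"
        name="${dir##*/}"                  # directory name == expected owner
        owner=$(stat -c '%U' "$dir")
        mode=$(stat -c '%a' "$dir")
        if [ "$owner" != "$name" ]; then
            echo "$dir: owned by $owner, expected $name"
            rc=1
        fi
        if [ "$mode" != "700" ]; then
            echo "$dir: mode $mode, expected 700"
            rc=1
        fi
    done
    return "$rc"
}

# Run as a script: audit the share and report success explicitly.
if audit_profiles "$PROFILE_ROOT"; then
    echo "$PROFILE_ROOT: all profile directories pass the ownership check"
fi
```

The gpedit policy and the CompatibleRUPSecurity value in the extract only stop the client from performing this check; correcting the directories on the server, or the profile acls = yes setting from the extract, keeps the check in place.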