Greetings,

I have a Suse 9.3 server running 3.0.9 as a PDC, using OpenLDAP as the passdb and idmap backend. I also have a 3.0.9 server set up as an OpenLDAP slave, but it only serves files. I decided that I'd like to set this other server up to service logins as well.

When I add the "domain logons = yes" in this server's smb.conf file, I get some rather strange behavior. Many users experience no problems whatsoever and logons are a little speedier (to be expected). Other users, on the other hand, are able to log in, but after their profile has loaded, they are informed that a domain controller could not be contacted and changes to their profile will not be saved. Note that this occurs AFTER the profile has loaded - the user is at the desktop, with all their icons when a modal dialog box gives them this error. Even stranger, the %logonserver% environment variable is set to the PDC! When I set "domain logons = no" on the BDC, everything behaves properly.

Every user has the sambaProfilePath explicitly set in the LDAP directory. Also logon home and logon path are set the same on both PDC and BDC. 'pdbedit -v' outputs the exact same information whether run on PDC or BDC. I can't understand why some users have this experience and some do not.

I do not, however, have a profiles share set up on the BDC. In reading the "By Example" book, it does not explicitly state that I must have it set, however the "500 user office" BDC does have a profiles share. I'm wondering if BDCs need a profiles share, even if it only shares an NFS export from the PDC. Is that the case?

I have one other possibility. Since the BDC was not always a BDC, it had its own SID for most of its life. While I did do a "net rpc getsid" and a "net rpc join", the old sid still appears in the secrets.tdb along with the new sid. I'm thinking of erasing the .tdb files and starting over - could smbd be reading the wrong SID and thus somehow cause the problem?

Many thanks!
It occurs to me that I should have attached the smb.conf files

-------------- next part --------------
--PDC--
[global]
        workgroup = DOMAIN
        server string = "Primary Domain Controller"
        null passwords = Yes
        passdb backend = ldapsam:ldap://XXXXXXXXXX
        log level = 1
        syslog = 0
        name resolve order = wins hosts bcast
        time server = Yes
        socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
        show add printer wizard = No
        add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
        delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
        add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
        delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
        add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
        delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
        set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
        add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
        logon script = netlogon.cmd
        logon path = \\XXXXXXXXXX\profiles\%U
        logon home = \\XXXXXXXXXX\profiles\%U
        domain logons = Yes
        os level = 75
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Manager,XXXXXXXXXX
        ldap group suffix = ou=group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=people
        ldap suffix = dc=XXXXXXXXXX
        ldap user suffix = ou=people
        idmap backend = ldap://XXXXXXXXXX
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        profile acls = Yes
        map acl inherit = Yes

[netlogon]
        comment = "Net logon share"
        path = /netlogon
        write list = root

[profiles]
        comment = "Roaming profile share"
        path = /profiles
        read only = No
        hide files = /desktop.ini/Desktop.ini/DESKTOP.INI/

--BDC--
[global]
        workgroup = DOMAIN
        server string = "Backup Domain Controller"
        passdb backend = ldapsam:ldap://172.22.10.23
        log level = 1
        syslog = 0
        logon path = \\pdc\profiles\%U
        logon home = \\pdc\profiles\%U
        domain logons = Yes
        domain master = No
        wins server = <pdc address>
        ldap admin dn = uid=root,ou=People,dc=columbia,dc=mo,dc=gov
        ldap group suffix = ou=group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=people
        ldap suffix = dc=XXXXXXXXXX
        ldap user suffix = ou=people
        idmap backend = ldap://<bdc>
        idmap uid = 10000-20000
        idmap gid = 10000-20000

[genvol]
        comment = "General Storage"
        path = /data/genvol
        valid users = helpdesk
        read only = No

[webdata]
        comment = "Web data"
        path = /data/www
        valid users = helpdesk
        read only = No

[backup]
        comment = "Backup Volume"
        path = /data/backup
        valid users = helpdesk
        read only = No

[inventory]
        comment = "Inventory 2005"
        path = /data/www/secure/inventory2005
        valid users = inventory
        read only = No

[netlogon]
        comment = "Net logon share"
        path = /netlogon
        write list = root
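
Added example, not part of the original post: a small Python comparison of the two posted configurations that lists the sections defined only on the PDC and the [global] parameters whose values differ. The embedded excerpts are constructed from the files above (logon-related lines only), and `parse` and `compare` are hypothetical helper names.

```python
import re

# Constructed excerpts of the posted PDC and BDC files (logon-related lines only).
PDC_CONF = r"""[global]
domain logons = Yes
domain master = Yes
logon path = \\XXXXXXXXXX\profiles\%U
ldap admin dn = cn=Manager,XXXXXXXXXX
idmap backend = ldap://XXXXXXXXXX
[netlogon]
[profiles]
"""
BDC_CONF = r"""[global]
domain logons = Yes
domain master = No
logon path = \\pdc\profiles\%U
ldap admin dn = uid=root,ou=People,dc=columbia,dc=mo,dc=gov
idmap backend = ldap://<bdc>
[netlogon]
"""
BOOL = {"yes": True, "true": True, "no": False, "false": False}

def parse(text):
    """Parse smb.conf text into {section: {param: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            # Names are case-insensitive; drop spaces so spacing never shows as a diff.
            key = re.sub(r"\s+", "", key).lower()
            conf[section][key] = BOOL.get(value.lower(), value)
    return conf

def compare(pdc, bdc):
    """Return (sections only on the PDC, [global] params whose values differ)."""
    missing = sorted(set(pdc) - set(bdc))
    g1, g2 = pdc.get("global", {}), bdc.get("global", {})
    keys = sorted(set(g1) | set(g2))
    return missing, {k: (g1.get(k), g2.get(k)) for k in keys if g1.get(k) != g2.get(k)}

if __name__ == "__main__":
    print(compare(parse(PDC_CONF), parse(BDC_CONF)))
```

On these excerpts it reports `profiles` as present only on the PDC, and `domain master`, `idmap backend`, `ldap admin dn` and `logon path` as the [global] values that differ.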