samba - Oct 2005 - Samba 3.0 PDC + XP + roaming profile = big, strange mistery of sorts

Please bear with me as this is quite a complicated problem which has 
eluded me for days now...

I recently upgraded a Samba 2.2 PDC to Samba 3.0 [3.0.20a as of now]. 
After upgrading, I had problems with two XP machines, among 16 of them. 
One of them didn't validate the domain users correctly. That was 
immediately taken care of by having said machine leave and re-join the 
domain. Nothing else was done here. As for the other machine...

After the upgrade, when logging in to the domain in that machine, it 
said that the machine account didn't exist. Except it did :/ . I deleted 
the machine account and recreated it, having it leave and re-join the 
domain in the process.

Now, here comes the real problem:


- The user can now log on, except that all of Windows' settings were 
gone, and back to the default.
- The profile *was* downloaded to the local machine, and all the files 
were present, but it acted as if the registry somehow wasn't present.
- Even after redoing some configuration, on logging off, even though 
some files in the roaming profile were updated in the server (NTUSER.DAT 
included), logging in again produced the same problem.
- Deleted all local copies of the profile. Same thing. I always reverted 
to a known-good copy of the profile between tests.
- Checked permissions on the local copy of the profile. Permissions were 
OK, the domain user had the full control over his local profile directory.
- Out of spite, said machine was reformatted. Problem repeated itself 
and remained. Note: said machine has no different configuration from any 
other; the user also has a regular roaming profile like anyone else.


I'm now out of a total loss of ideas. jerry @ freenode (Jeremy Allison?) 
even helped out a bit, but I couldn't get anywhere, even after trying 
lots of things.

Now, something tells me that this has something to do with domain SIDs 
or the like (of which I have little knowledge, I know what they are, but 
I'm not savvy enough to go around investigating them). I even deleted 
secrets.tdb so that Samba would recreate it, which wasn't a smart move, 
as I came to learn, but will most likely come to no harm (I hope).


I'd like to know two things, and I'll take any suggestions that I can
get.

a) The cause, so that I know why this happens, and I can avoid it later.
b) The solution, obviously. I've been delaying other work because of 
this and my brain now feels like jelly because of bashing my head 
against the table :(


Hopeful for some insight on this,

Bruno Ferreira

Hi, 

This seems familuar to me.. 
>Now, here comes the real problem:
>
>
>- The user can now log on, except that all of Windows' settings were 
>gone, and back to the default.
>- The profile *was* downloaded to the local machine, and all the files 
>were present, but it acted as if the registry somehow wasn't present.
>- Even after redoing some configuration, on logging off, even though 
>some files in the roaming profile were updated in the server 
>(NTUSER.DAT 
>included), logging in again produced the same problem.
>- Deleted all local copies of the profile. Same thing. I 
>always reverted 
>to a known-good copy of the profile between tests.
>- Checked permissions on the local copy of the profile. 
>Permissions were 
>OK, the domain user had the full control over his local 
>profile directory.
>- Out of spite, said machine was reformatted. Problem repeated itself 
>and remained. Note: said machine has no different 
>configuration from any 
>other; the user also has a regular roaming profile like anyone else.
Do you have the setting POFILES ACL = YES .. set it to NO.
I had the same problem as above and this resolved it for me.

can you post you config of the [profiles]

Louis

>
>
>I'm now out of a total loss of ideas. jerry @ freenode (Jeremy 
>Allison?) 
>even helped out a bit, but I couldn't get anywhere, even after trying 
>lots of things.
>
>Now, something tells me that this has something to do with domain SIDs 
>or the like (of which I have little knowledge, I know what 
>they are, but 
>I'm not savvy enough to go around investigating them). I even deleted 
>secrets.tdb so that Samba would recreate it, which wasn't a 
>smart move, 
>as I came to learn, but will most likely come to no harm (I hope).
>
>
>I'd like to know two things, and I'll take any suggestions 
>that I can get.
>
>a) The cause, so that I know why this happens, and I can avoid 
>it later.
>b) The solution, obviously. I've been delaying other work because of 
>this and my brain now feels like jelly because of bashing my head 
>against the table :(
>
>
>Hopeful for some insight on this,
>
>Bruno Ferreira
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/listinfo/samba
>

Wel i see you have the same problem as i had.

this is my working config now :
[profiles]
        path = /home/samba/profiles
        comment = Profiel omgeving
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = Yes
        guest ok = Yes
        csc policy = disable
        # next line is a great way to secure the profiles
        force user = %U
        # next line allows administrator to access all profiles
        valid users = %U @"Domain Admins"

The /home/samba/profiles dir MUST HAVE 777 Rights. ( and
Administrator:Domain Admin in my case.)
Also check what rights there are now on the user folders.
example /home/samba/profiles/myusername has 0700 if its correct.

you can simpel fix this, first login the users on
the computers in in the domain, check if there profile is correct.

now the scary thing, remove all the user profiles, and beter MOVE THEM !!!!

now log out 1 computer, and login again, put something on the desktop 
and check if it worked. I fixed 50 profiles this way on the fly 
when everybody was working, and nobody notised.

Louis



>-----Oorspronkelijk bericht-----
>Van: Bruno Ferreira [mailto:morphine@digitalmente.net] 
>Verzonden: dinsdag 11 oktober 2005 11:17
>Aan: Louis van Belle
>Onderwerp: Re: [Samba] Samba 3.0 PDC + XP + roaming profile = 
>big, strange mistery of sorts
>
>Louis van Belle wrote: 
>
>	Hi, 
>	
>	This seems familuar to me.. 
>	  
>
>		Now, here comes the real problem:
>		
>		
>		- The user can now log on, except that all of 
>Windows' settings were 
>		gone, and back to the default.
>		- The profile *was* downloaded to the local 
>machine, and all the files 
>		were present, but it acted as if the registry 
>somehow wasn't present.
>		- Even after redoing some configuration, on 
>logging off, even though 
>		some files in the roaming profile were updated 
>in the server 
>		(NTUSER.DAT 
>		included), logging in again produced the same problem.
>		- Deleted all local copies of the profile. Same 
>thing. I 
>		always reverted 
>		to a known-good copy of the profile between tests.
>		- Checked permissions on the local copy of the profile. 
>		Permissions were 
>		OK, the domain user had the full control over his local 
>		profile directory.
>		- Out of spite, said machine was reformatted. 
>Problem repeated itself 
>		and remained. Note: said machine has no different 
>		configuration from any 
>		other; the user also has a regular roaming 
>profile like anyone else.
>		    
>
>	
>	Do you have the setting POFILES ACL = YES .. set it to NO.
>	I had the same problem as above and this resolved it for me.
>	
>	can you post you config of the [profiles]
>	
>	Louis
>	  
>
>
>    Here it goes, and yes, profile acls is set to "Yes". That 
>was the only change in the Samba side in the upgrade, and it 
>was necessary because if it wasn't set to "yes", then none of 
>the XP boxes would load the profiles (claiming it couldn't 
>find the network service). Looking through the logs, I'd see 
>that it tried to look for the [user] share in profiles, which 
>existed, but somehow wasn't accessible. Setting profile acls 
>solved that. Could that be related?
>
>
>    [Profiles]
>        path = /docs/main/profiles
>        read only = No
>        profile acls = Yes
>        writeable = Yes
>        browseable = No
>        create mode = 0600
>        directory mode = 0700
>
>    -- Bruno Ferreira
>
>