samba - Oct 2005 - Re: BUG: default profile failure in 3.0.20 [was: Regression in 3.0.20 wrt netlogon and profiles ?]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

J?rn Nettingsmeier wrote:

| win2k clients, samba 3.0.20 pdc.
| a new user, who has never logged on, does so for the
| first time. the domain uses roaming profiles, and the
| netlogon share provides a custom Default User dir
| as well as an NTConfig.POL.
|
| problem:
|
| the default profile and policy are not downloaded
| successfully from the  server. instead the user gets
| a local profile, missing all our folder redirections.
| the userenv.log on the client reports this error:
| USERENV(bc.a4) 12:46:47:804 MyRegLoadKey:  Failed
| to load subkey
| <S-1-5-21-1503970882-379070074-3014308087-3158>, error =87
| USERENV(bc.a4) 12:46:47:804 MyRegLoadKey: Mutex released.
| Returning 87. USERENV(bc.a4) 12:46:47:804 IssueDefaultProfile:
| MyRegLoadKey failed with error 87
|
| "net helpmsg 87" says "Falscher Parameter." (on my
| german windows) which translates to "illegal parameter"
| in english.
|
| the problem was clearly introduced in 3.0.20. i just
| reverted to 3.0.16a, and it disappeared.

Assuming you mean 3.0.14a here.

| an interesting datapoint is that the failure is specific to win2k
| clients. i tried using an xp client, and it does pull a default profile
| correctly even from 3.0.20. it seems some backwards-compatibility cruft
| was omitted...
|
| this is a somewhat urgent issue to me, and i would appreciate a quick
| ACK from some knowledgeable people or (if it's my fault) a hint as to
| what mistakes i'm making. i have not yet entered this into the bug
| tracker, as i would like some sort of comment first. maybe you can
| suggest further relevant data that i should include?

Excellent bug report.  This sounds very similar to the
mandatory profiles but I spent a day tracking down
prior to the 3.0.20 release.  I'm trying to remember the
exact nature of it.  Do you by chance 'store dos attributes = yes'
set in smb.conf either globally for for the [netlogon] share?

When you view the properties of the NTUSER.DAT file in the
default user profile on the server, is the readonly attribute
set?

| for those who are interested, here are two userenv.log excerpts that
| illustrate the problem:
| http://pol-serv1.uni-duisburg.de/~nettings/userenv.log-3.0.16a-success.txt
| http://pol-serv1.uni-duisburg.de/~nettings/userenv.log-3.0.20-failure.txt
|
|
| one "specialty" of our setup is the fact that the profiles
| folder is *not* 777 (btw, i can't understand how this is
| recommended practice - to me it's just abysmal security).
| instead, a %USERNAME% sub-dir with appropriate permissions
| is added when a new account is created. this explains why
| the client initially thinks it has found a profile (it checks
| for the existence of a %USERNAME% sub-directory), but it
| is empty. but this should not make a difference, since when
| it tries to stat NTUSER.DAT, the client realizes it has to
| create a new profile from the default.

This should nto be a problem.  It's similar to how I run
my setup as well.







cheers, jerry
====================================================================Alleviating
the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us."              
--anonymous
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDTq+LIR7qMdg1EfYRAsvqAJwN4PzWDLN7gw9vunTzW9N3r/sjQgCgrnld
iw9YqkgqZ74WagFNZ4cAens=T9D9
-----END PGP SIGNATURE-----

On Thu, 2005-10-13 at 14:03 -0500, Gerald (Jerry) Carter
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> J?rn Nettingsmeier wrote:
> 
> | win2k clients, samba 3.0.20 pdc.
> | a new user, who has never logged on, does so for the
> | first time. the domain uses roaming profiles, and the
> | netlogon share provides a custom Default User dir
> | as well as an NTConfig.POL.
> |
> | problem:
> |
> | the default profile and policy are not downloaded
> | successfully from the  server. instead the user gets
> | a local profile, missing all our folder redirections.
> | the userenv.log on the client reports this error:
> | USERENV(bc.a4) 12:46:47:804 MyRegLoadKey:  Failed
> | to load subkey
> | <S-1-5-21-1503970882-379070074-3014308087-3158>, error =87
> | USERENV(bc.a4) 12:46:47:804 MyRegLoadKey: Mutex released.
> | Returning 87. USERENV(bc.a4) 12:46:47:804 IssueDefaultProfile:
> | MyRegLoadKey failed with error 87
> |
> | "net helpmsg 87" says "Falscher Parameter." (on my
> | german windows) which translates to "illegal parameter"
> | in english.
> |
> | the problem was clearly introduced in 3.0.20. i just
> | reverted to 3.0.16a, and it disappeared.
> 
> Assuming you mean 3.0.14a here.
> 
> | an interesting datapoint is that the failure is specific to win2k
> | clients. i tried using an xp client, and it does pull a default profile
> | correctly even from 3.0.20. it seems some backwards-compatibility cruft
> | was omitted...
> |
> | this is a somewhat urgent issue to me, and i would appreciate a quick
> | ACK from some knowledgeable people or (if it's my fault) a hint as to
> | what mistakes i'm making. i have not yet entered this into the bug
> | tracker, as i would like some sort of comment first. maybe you can
> | suggest further relevant data that i should include?
> 
> Excellent bug report.  This sounds very similar to the
> mandatory profiles but I spent a day tracking down
> prior to the 3.0.20 release.  I'm trying to remember the
> exact nature of it.  Do you by chance 'store dos attributes = yes'
> set in smb.conf either globally for for the [netlogon] share?
> 
> When you view the properties of the NTUSER.DAT file in the
> default user profile on the server, is the readonly attribute
> set?
A [netlogon] share is typically 'read only = yes', and in the 3.0.20
release, the default configuration ('acl check permissions = yes') sets
read only attributes on all files, including NTUSER.DAT.  Hence 3.0.20b.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20051014/f909f11e/attachment.bin