Robert Beaty
2006-Oct-18 18:31 UTC
[Samba] Profile permissions issue? Samba and FDS problem
First some information on the system set up.

OS: CentOS 4.3
Samba 3.0.10
FDS 7.1

Samba is acting as a PDC for our network. We have both windows 2000 and windows XP client machines. They are all joined to our domain. Everything "seems" to be fine except that when a user logs into a machine they can not make even simple changes to settings such as folder options (ie. view file extensions). Our previous set up was using Samba 2 and OpenLDAP. Users whose profiles and ldap entries were created under that system do not have this problem (these older users were converted and imported into FDS). Only the users which have been added since the switch have this problem. The uid's are following the same path as previously and profiles are being copied from a default windows profile directory. The users are members of the "Domain Users" group which has sid 513 and maps to the unix group 2513 also "Domain Users". The Domain Users group is under the users group on the windows clients. Profile folder permissions are set to username:"Domain Users" and they have wrx privileges. Of course if the user is set to a local administrator on the machine none of these problems arise. I have even tried explicitly adding a single user to the users group in windows and still the problem occurs. I've looked in gpedit.msc and have been unable to locate anything to point to the problem there. Below is a copy of smb.conf with certain information left out for security and such as well as a sample user entry from FDS and a snippet of a windows login log from a windows 2000 client. I know it's a bit long but I wanted to try and get all possible information in the email. Let me know if I left anything out.

-Robert

<--------- Start smb.conf ------------>

[global]
workgroup = IPOV
security = user
passdb backend = ldapsam:ldap://example.ldap.server
ldap admin dn = cn=admin users
ldap suffix = dc=company,dc=com
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

log file = /var/log/%m.log
log level = 1
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

os level = 65
domain logons = yes
domain master = yes
local master = yes
preferred master = yes

wins support = yes

logon home = \\%N\homes\%U
logon path = \\%N\profiles\%U
logon drive = H:

template shell = /bin/false
winbind use default domain = no

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

[netlogon]
path = /mnt/data/netlogon
read only = yes
browsable = no

[profiles]
path = /mnt/data/profiles
read only = no
create mask = 0777
directory mask = 0777
writeable = yes
browsable = no
guest ok = no

[homes]
browsable = no
writable = yes
create mask = 0764
directory mask = 0775

<---------- End smb.conf ---------->

<---------- Start example ldap entry ------------->
dn: uid=test.user,ou=Users,dc=company ,dc=com
modifytimestamp: 20060922201729Z
modifiersname: admin dn
gidNumber: 2513
sambaPrimaryGroupSID: S- sid_here-513
passwordgraceusertime: 0
sambaNTPassword: removed
sambaLMPassword: removed
userPassword: removed
uid: test.user
uidNumber: 1400
homeDirectory: /home/test.user
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: top
objectClass: person
cn: Test User
sn: User
gecos: Test User
description: Test User
displayName: Test User
mail: test.user@ipov.net
sambaSID: S- sid_here-3814
sambaHomeDrive: H:
sambaHomePath: \\ server_name\homes
sambaProfilePath: \\server_name\profiles\test.user
sambaLogonScript: STARTUP.BAT
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1142535948
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1142535948
sambaAcctFlags: [U ]
creatorsname: cn=admin dn
createtimestamp: 20060914135759Z
nsuniqueid: removed
parentid: 24
entryid: 299
entrydn: uid=test.user,ou=users,dc=company,dc=com
numsubordinates: 0
subschemasubentry: cn=schema
hassubordinates: FALSE
<---------- End example ldap entry ------------>

<----------- Start Windows login log ---------------->
USERENV(bc.a4) 11:09:27:921 CopyProfileDirectoryEx: Setting Directory TimeStamps all Directories
USERENV(bc.a4) 11:09:27:953 CopyProfileDirectoryEx: Set times on all directories
USERENV(bc.a4) 11:09:27:953 CopyProfileDirectoryEx: Leaving with a return value of 1
USERENV(bc.a4) 11:09:28:000 MyRegLoadKey: Mutex released. Returning 0.
USERENV(bc.a4) 11:09:28:015 MyRegLoadKey: Mutex released. Returning 0.
USERENV(bc.a4) 11:09:28:015 CreateClassHive: existing user classes hive found
USERENV(bc.a4) 11:09:28:015 RestoreUserProfile: About to Leave. Final Information follows:
USERENV(bc.a4) 11:09:28:015 Profile was successfully loaded.
USERENV(bc.a4) 11:09:28:015 lpProfile->lpRoamingProfile = <\\server_name \profiles\test.user>
USERENV(bc.a4) 11:09:28:015 lpProfile->lpLocalProfile = <C:\Documents and Settings\test.user>
USERENV(bc.a4) 11:09:28:015 lpProfile->dwInternalFlags = 0x10
USERENV(bc.a4) 11:09:28:015 RestoreUserProfile: Leaving.
USERENV(bc.a4) 11:09:28:015 GetUserGuid: Failed to get user guid with 1355.
USERENV(bc.a4) 11:09:28:031 GetUserGuid: Failed to get user guid with 1355.
USERENV(bc.a4) 11:09:28:031 UpgradeProfile: Entering
USERENV(bc.a4) 11:09:28:031 UpgradeProfile: Build numbers match
USERENV(bc.a4) 11:09:28:031 UpgradeProfile: Leaving Successfully
USERENV(bc.a4) 11:09:28:031 LoadUserProfile: Releasing mutex.
USERENV(bc.a4) 11:09:28:031 LoadUserProfile: Leaving with a value of 1.
USERENV(bc.a4) 11:09:28:031 LoadUserProfile: hProfile = <0x300>
<----------- End Windows login log ---------------->

<http://www.ipov.net>

Craig White
2006-Oct-19 01:52 UTC
[Samba] Profile permissions issue? Samba and FDS problem
You probably should verify...

getent group (does it enumerate groups)
net groupmap list (do your groups work and do they map to your SID's)?
a sample group

Craig

On Wed, 2006-10-18 at 13:30 -0500, Robert Beaty wrote:
> First some information on the system set up.
> OS: CentOS 4.3
> Samba 3.0.10
> FDS 7.1
>
> Samba is acting as a PDC for our network. We have both windows 2000 and
> windows XP client machines. They are all joined to our domain. Everything
> "seems" to be fine except that when a user logs into a machine they can not
> make even simple changes to settings such as folder options (ie. view file
> extensions). Our previous set up was using Samba 2 and OpenLDAP. Users whose
> profiles and ldap entries were created under that system do not have this
> problem (these older users were converted and imported into FDS). Only the
> users which have been added since the switch have this problem. The uid's
> are following the same path as previously and profiles are being copied from
> a default windows profile directory. The users are members of the "Domain
> Users" group which has sid 513 and maps to the unix group 2513 also "Domain
> Users". The Domain Users group is under the users group on the windows
> clients. Profile folder permissions are set to username:"Domain Users" and
> they have wrx privileges. Of course if the user is set to a local
> administrator on the machine none of these problems arise. I have even tried
> explicitly adding a single user to the users group in windows and still the
> problem occurs. I've looked in gpedit.msc and have been unable to locate
> anything to point to the problem there. Below is a copy of smb.conf with
> certain information left out for security and such as well as a sample user
> entry from FDS and a snippet of a windows login log from a windows 2000
> client. I know it's a bit long but I wanted to try and get all possible
> information in the email. Let me know if I left anything out.
>
> -Robert
>
> <--------- Start smb.conf ------------>
>
> [global]
> workgroup = IPOV
> security = user
> passdb backend = ldapsam:ldap://example.ldap.server
> ldap admin dn = cn=admin users
> ldap suffix = dc=company,dc=com
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
>
> log file = /var/log/%m.log
> log level = 1
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> os level = 65
> domain logons = yes
> domain master = yes
> local master = yes
> preferred master = yes
>
> wins support = yes
>
> logon home = \\%N\homes\%U
> logon path = \\%N\profiles\%U
> logon drive = H:
>
> template shell = /bin/false
> winbind use default domain = no
>
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
>
> [netlogon]
> path = /mnt/data/netlogon
> read only = yes
> browsable = no
>
> [profiles]
> path = /mnt/data/profiles
> read only = no
> create mask = 0777
> directory mask = 0777
> writeable = yes
> browsable = no
> guest ok = no
>
> [homes]
> browsable = no
> writable = yes
> create mask = 0764
> directory mask = 0775
>
> <---------- End smb.conf ---------->
>
> <---------- Start example ldap entry ------------->
> dn: uid=test.user,ou=Users,dc=company ,dc=com
> modifytimestamp: 20060922201729Z
> modifiersname: admin dn
> gidNumber: 2513
> sambaPrimaryGroupSID: S- sid_here-513
> passwordgraceusertime: 0
> sambaNTPassword: removed
> sambaLMPassword: removed
> userPassword: removed
> uid: test.user
> uidNumber: 1400
> homeDirectory: /home/test.user
> loginShell: /bin/bash
> objectClass: inetOrgPerson
> objectClass: sambaSAMAccount
> objectClass: posixAccount
> objectClass: organizationalPerson
> objectClass: top
> objectClass: person
> cn: Test User
> sn: User
> gecos: Test User
> description: Test User
> displayName: Test User
> mail: test.user@ipov.net
> sambaSID: S- sid_here-3814
> sambaHomeDrive: H:
> sambaHomePath: \\ server_name\homes
> sambaProfilePath: \\server_name\profiles\test.user
> sambaLogonScript: STARTUP.BAT
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdMustChange: 2147483647
> sambaPwdCanChange: 1142535948
> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
> sambaPwdLastSet: 1142535948
> sambaAcctFlags: [U ]
> creatorsname: cn=admin dn
> createtimestamp: 20060914135759Z
> nsuniqueid: removed
> parentid: 24
> entryid: 299
> entrydn: uid=test.user,ou=users,dc=company,dc=com
> numsubordinates: 0
> subschemasubentry: cn=schema
> hassubordinates: FALSE
> <---------- End example ldap entry ------------>
>
> <----------- Start Windows login log ---------------->
> USERENV(bc.a4) 11:09:27:921 CopyProfileDirectoryEx: Setting Directory TimeStamps all Directories
> USERENV(bc.a4) 11:09:27:953 CopyProfileDirectoryEx: Set times on all directories
> USERENV(bc.a4) 11:09:27:953 CopyProfileDirectoryEx: Leaving with a return value of 1
> USERENV(bc.a4) 11:09:28:000 MyRegLoadKey: Mutex released. Returning 0.
> USERENV(bc.a4) 11:09:28:015 MyRegLoadKey: Mutex released. Returning 0.
> USERENV(bc.a4) 11:09:28:015 CreateClassHive: existing user classes hive found
> USERENV(bc.a4) 11:09:28:015 RestoreUserProfile: About to Leave. Final Information follows:
> USERENV(bc.a4) 11:09:28:015 Profile was successfully loaded.
> USERENV(bc.a4) 11:09:28:015 lpProfile->lpRoamingProfile = <\\server_name \profiles\test.user>
> USERENV(bc.a4) 11:09:28:015 lpProfile->lpLocalProfile = <C:\Documents and Settings\test.user>
> USERENV(bc.a4) 11:09:28:015 lpProfile->dwInternalFlags = 0x10
> USERENV(bc.a4) 11:09:28:015 RestoreUserProfile: Leaving.
> USERENV(bc.a4) 11:09:28:015 GetUserGuid: Failed to get user guid with 1355.
> USERENV(bc.a4) 11:09:28:031 GetUserGuid: Failed to get user guid with 1355.
> USERENV(bc.a4) 11:09:28:031 UpgradeProfile: Entering
> USERENV(bc.a4) 11:09:28:031 UpgradeProfile: Build numbers match
> USERENV(bc.a4) 11:09:28:031 UpgradeProfile: Leaving Successfully
> USERENV(bc.a4) 11:09:28:031 LoadUserProfile: Releasing mutex.
> USERENV(bc.a4) 11:09:28:031 LoadUserProfile: Leaving with a value of 1.
> USERENV(bc.a4) 11:09:28:031 LoadUserProfile: hProfile = <0x300>
> <----------- End Windows login log ---------------->
> <http://www.ipov.net>
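
An added example, not part of either message in the thread: a cross-check of the `getent group` and `net groupmap list` checks suggested in the reply against the `gidNumber` and `sambaPrimaryGroupSID` attributes of a user entry like the one posted. The domain SID is a placeholder, the sample command output is constructed, and the `Name (SID) -> unixgroup` line shape of `net groupmap list` is assumed.

```python
import re

# Constructed sample data: DOMAIN_SID is a placeholder, not a value from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUPMAP = f"""Domain Admins ({DOMAIN_SID}-512) -> Domain Admins
Domain Users ({DOMAIN_SID}-513) -> Domain Users
"""                       # assumed shape of `net groupmap list` output
GETENT = """Domain Admins:*:2512:
Domain Users:*:2513:
"""                       # `getent group` output: name:passwd:gid:members
USER_LDIF = f"""dn: uid=test.user,ou=Users,dc=company,dc=com
gidNumber: 2513
sambaPrimaryGroupSID: {DOMAIN_SID}-513
sambaSID: {DOMAIN_SID}-3814
"""

def parse_groupmap(text):
    """SID -> unix group name."""
    pat = re.compile(r"^.* \((S-[\d-]+)\) -> (.+)$")
    return {m.group(1): m.group(2) for m in map(pat.match, text.splitlines()) if m}

def parse_getent(text):
    """unix group name -> gid."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: int(f[2]) for f in rows if len(f) >= 3 and f[2].isdigit()}

def parse_ldif(text):
    """Single-valued attributes of one entry (last value wins)."""
    return dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)

def check_user(ldif, groupmap, getent):
    """Return a list of problems; an empty list means the primary group resolves."""
    user, sid_to_group, gids = parse_ldif(ldif), parse_groupmap(groupmap), parse_getent(getent)
    problems = []
    gsid, usid = user.get("sambaPrimaryGroupSID", ""), user.get("sambaSID", "")
    if gsid.rsplit("-", 1)[0] != usid.rsplit("-", 1)[0]:
        problems.append("primary group SID and user SID have different domain parts")
    group = sid_to_group.get(gsid)
    if group is None:
        problems.append(f"no group mapping for {gsid}")
    elif group not in gids:
        problems.append(f"unix group {group!r} is not enumerated by getent")
    elif str(gids[group]) != user.get("gidNumber"):
        problems.append(f"gidNumber {user.get('gidNumber')} is not the gid of {group!r}")
    return problems

if __name__ == "__main__":
    print(check_user(USER_LDIF, GROUPMAP, GETENT) or "primary group mapping is consistent")
```

To run it against a live server, replace the three constructed strings with the real output of `net groupmap list`, `getent group` and an LDIF export of the affected user.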