Rubin Bennett
2007-Nov-27 18:05 UTC
[Samba] Windows clients losing connection to Samba 3.0.27 PDC on FC7 i386
Hello all...
I have a site of about 50 pcs connected to a Samba domain controller.
The domain has been running flawlessly for several years through several
upgrades, and the last one (From Fedora Core 4/ Samba 3.0.23a to FC7/
Samba 3.0.27) seems to have caused something to come unglued.
The Workstations are periodically booting up in the morning and being
unable to contact the domain controller. The Samba server is giving
failed authentication errors for the workstation itself (not the
username/ password) in log.{workstation}.
The upgrade was done nearly a month ago, and roughly 1/2 of the
workstations in the network were unable to connect the following
morning. It happened again last week and about 10 more workstations
were affected. And it happened again today, where 1 workstation and a
member server (Win2003r2) lost their credentials. This time it was a
really bad deal because the member server runs an application that is
mission critical and therefore no one was able to work until it was
fixed.
In all cases, the users are able to log in by disconnecting their
network cable and rebooting, then logging in with the cached credentials
on the workstations. Reconnecting the NIC after login allowed the users
to connect to network resources on the Samba PDC, and work until a
reboot. A 'permanent' fix is to unjoin the PC from the domain and
rejoin again.
I had assumed that the issue was caused by the upgrade somehow, and that
once every system had been re-joined it would go away. However, the
workstation from this morning had been unjoined and rejoined once before
and now I fear that the issue will keep cropping up all over the place.
Ideas, suggestions, flames? I've copied my smb.conf below for your
review as well.
Thanks very much in advance,
Rubin
/etc/samba/smb.conf
[global]
workgroup = WORKGROUP
netbios name = Server
server string = Network File Server
printcap name = cups
enable privileges = yes
load printers = yes
printcap cache time = 60
printing = cups
keepalive = 10000
log file = /var/log/samba/log.%m
max log size = 50
log level = 3
security = user
encrypt passwords = Yes
map to guest = bad user
os level = 65
domain master = yes
preferred master = yes
passdb backend = tdbsam
pam password change = yes
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
add machine script = /usr/sbin/useradd -d /dev/null -g 200 -s /bin/false -M %u
oplocks = no
level2 oplocks = no
domain logons = Yes
logon script = login%G.bat
logon drive = Z:
logon home = \\server\%U
logon path = \\server\profiles\%U
wins support = Yes
name resolve order = wins hosts bcast
hide unreadable = Yes
# Added in an attempt to fix broken tdbsam backend...
idmap uid = 10000-20000
idmap gid = 10000-20000
dns proxy = yes
#============================ Share Definitions =============================
[homes]
comment = Home Directories
create mask = 0700
directory mask = 0700
browseable = No
writable = yes
[netlogon]
comment = Netlogon Scripts
path = /var/lib/samba/netlogon
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes
create mode = 0700
;print command = lpr-cups -P %p -o raw %s -r
use client driver = yes
[print$]
path = /var/lib/samba/printers
read only = yes
browseable = yes
force group = noyle
write list = @noyle root
guest ok = yes
inherit permissions = yes
[profiles]
path = /var/lib/samba/profiles
browseable = no
read only = No
guest ok = yes
writable = yes
create mask = 0600
directory mask = 0700
root preexec = PROFILE='/var/lib/samba/profiles/%u'; if [ ! -e $PROFILE ]; \
then mkdir -pm700 $PROFILE; chown '%u':'%g' $PROFILE;fi
Patrick Rynhart
2007-Nov-27 22:05 UTC
[Samba] Re: Windows clients losing connection to Samba 3.0.27 PDC on FC7 i386
Hi Rubin,
Do you have any trusted domains and (if so) are users logging into a
trusted domain ? If this is the case, I would start smbd, nmbd normally
(i.e. as daemons) but then run a single winbindd process in interactive
mode, debug level 10.
i.e.
winbindd -i -d 10
Check beforehand that no other winbindd processes are running (i.e. ps
aux |grep winbindd). Then I would attempt to logon from a member
workstation. View the debug output to see if you can track any problems.
Ctrl-Z (i.e. background) may help here ("fg" to resume) as there could
be a lot of output.
If you don't have any trusted domains (and therefore aren't running
winbindd) then the approach I take is very similar. Start nmbd normally
(i.e. as a background daemon) but then run smbd as an interactive
process, again in debug level 10 mode.
i.e.
smbd -i -d 10
From what you're describing, there may be a problem with the machine
account for the affected machines. Look for something like
NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE or some other NT STATUS code
(these are defined in source/include/nterr.h if you happen to have the
Samba source on your domain controller).
Regards,
Patrick
Rubin Bennett
2007-Nov-27 23:15 UTC
[Samba] Re: Windows clients losing connection to Samba 3.0.27 PDC on FC7 i386
On Wed, 2007-11-28 at 09:36 +1200, Patrick Rynhart wrote:
> Hi Rubin,
>
> Do you have any trusted domains and (if so) are users logging into a
> trusted domain ? If this is the case, I would start smbd, nmbd normally
> (i.e. as daemons) but then run a single winbindd process in interactive
> mode, debug level 10.
>
> i.e.
>
> winbindd -i -d 10
>
No domain trusts - this is the only DC in a 3 site WAN connected (routed) domain.
> Check beforehand that no other winbindd processes are running (i.e. ps
> aux |grep winbindd). Then I would attempt to logon from a member
> workstation. View the debug output to see if you can track any problems.
> Ctrl-Z (i.e. background) may help here ("fg" to resume) as there could
> be a lot of output.
>
> If you don't have any trusted domains (and therefore aren't running
> winbindd) then the approach I take is very similar. Start nmbd normally
> (i.e. as a background daemon) but then run smbd as an interactive
> process, again in debug level 10 mode.
>
> i.e.
>
> smbd -i -d 10
>
> From what you're describing, there may be a problem with the machine
> account for the affected machines. Look for something like
> NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE or some other NT STATUS code
> (these are defined in source/include/nterr.h if you happen to have the
> Samba source on your domain controller).
>
The problem is that exactly this is happening, but to different machines, and totally sporadically. When it happens, I get lines like the following in my /var/log/messages:
Nov 24 19:39:01 server smbd[10339]: _net_auth2: failed to get machine password for account SYSTEM$: NT_STATUS_ACCESS_DENIED
> Regards,
>
> Patrick
This, at least, is completely consistent - when a system gets 'locked out' of the domain, it *always* shows lines like above in the logs. I've Googled fairly extensively for errors as above, but turned up nothing that seemed particularly applicable to my setup/ issue.
FWIW, I'm not running Winbind at all on the PDC or anywhere else on the network (AFAIK, anyway).
Thanks again,
Rubin
simo
2007-Nov-29 23:17 UTC
[Samba] Windows clients losing connection to Samba 3.0.27 PDC on FC7 i386
First of all update to 3.0.27a, 3.0.27 had a regression in the security fix that prompted that release.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@redhat.com>
Rubin Bennett
2007-Nov-30 01:58 UTC
[Samba] Windows clients losing connection to Samba 3.0.27 PDC on FC7 i386
I've done that, and we'll wait and see I suppose... I *really* hate waiting for the other shoe to drop though.
FWIW, I did some more digging and came up with a couple systems that show the following when I run pdbedit -Lv:
Password must change: 0
Any idea as to why those show a 0 value and the rest either say "never" or have some huge value for seconds since the epoch that the password in theory will need to be changed?
Thanks again,
Rubin
On Thu, 2007-11-29 at 18:22 -0500, simo wrote:
> First of all update to 3.0.27a, 3.0.27 had a regression in the security
> fix that prompted that release.
>
> Simo.
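Added example, not part of the original thread: a triage helper that counts the _net_auth2 machine-password failures quoted above per machine account and lists them next to each trust account's "Password must change" value from pdbedit -Lv. The sample log and pdbedit text are constructed (only the SYSTEM$ line comes from the thread); the names WS01$, ws02$ and alice are hypothetical, and the pdbedit records are trimmed to three fields.

```python
import re

# Shape of the smbd syslog line quoted in the thread.
AUTH2_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssmbd\[\d+\]:\s+_net_auth2: "
    r"failed to get machine password for account (?P<acct>\S+?): "
    r"(?P<status>NT_STATUS_\w+)"
)

def auth2_failures(log_text):
    """Map ACCOUNT$ -> count, first/last timestamp and NT status codes seen."""
    out = {}
    for line in log_text.splitlines():
        m = AUTH2_RE.match(line)
        if not m:
            continue
        rec = out.setdefault(m["acct"].upper(), {
            "count": 0, "first": m["ts"], "last": m["ts"], "statuses": set()})
        rec["count"] += 1
        rec["last"] = m["ts"]
        rec["statuses"].add(m["status"])
    return out

def pdbedit_records(text):
    """Split `pdbedit -Lv` style output into one field dict per account."""
    records, cur = [], {}
    for line in text.splitlines():
        if line.startswith("-----"):      # record separator
            if cur:
                records.append(cur)
            cur = {}
        elif ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    if cur:
        records.append(cur)
    return records

def triage(log_text, pdbedit_text):
    """Rows of (account, 'Password must change' value, failure count)."""
    fails = auth2_failures(log_text)
    rows = []
    for rec in pdbedit_records(pdbedit_text):
        if "W" not in rec.get("Account Flags", ""):
            continue                      # keep machine trust accounts only
        name = rec.get("Unix username", "")
        hit = fails.pop(name.upper(), None)
        rows.append((name, rec.get("Password must change", "?"),
                     hit["count"] if hit else 0))
    # Accounts that fail in the log but have no entry in the passdb listing.
    rows.extend((acct, "no passdb entry", f["count"]) for acct, f in fails.items())
    return rows

# Constructed sample input (first log line is the one quoted in the thread).
SAMPLE_LOG = """\
Nov 24 19:39:01 server smbd[10339]: _net_auth2: failed to get machine password for account SYSTEM$: NT_STATUS_ACCESS_DENIED
Nov 27 08:01:12 server smbd[11402]: _net_auth2: failed to get machine password for account WS01$: NT_STATUS_ACCESS_DENIED
Nov 27 08:01:40 server smbd[11402]: _net_auth2: failed to get machine password for account WS01$: NT_STATUS_ACCESS_DENIED
Nov 27 08:03:00 server nmbd[900]: unrelated line
"""
SAMPLE_PDBEDIT = """\
---------------
Unix username:        ws01$
Account Flags:        [W          ]
Password must change: 0
---------------
Unix username:        ws02$
Account Flags:        [W          ]
Password must change: never
---------------
Unix username:        alice
Account Flags:        [U          ]
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
"""

if __name__ == "__main__":
    for account, must_change, count in triage(SAMPLE_LOG, SAMPLE_PDBEDIT):
        print(f"{account:10} must_change={must_change:16} auth2_failures={count}")
```

On a live server, feed it the contents of /var/log/messages and the output of pdbedit -Lv in place of the two sample strings.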