Hi list:

I've been using samba+ldap as a PDC with roaming profiles for some time, but recently I joined some machines to the domain which are used by several users, and then the problems started: the profiles loaded are not the ones owned by the users, I mean user1 loads the profile of user2 and so on. I'm using Debian Etch (stable) with samba 3.0.24.

Any help?

Thanks
Harol Hunter
Harol Hunter wrote:
> Hi list:
>
> I've been using samba+ldap as a PDC with roaming profiles for some
> time, but recently I joined some machines to the domain which are used
> by several users, and then the problems started: the profiles loaded
> are not the ones owned by the users, I mean user1 loads the profile of
> user2 and so on. I'm using Debian Etch (stable) with samba 3.0.24.
> Any help?
>
> Thanks
> Harol Hunter

Harol,
How are you mapping your UIDs? Are they statically mapped?
On Jan 25, 2008 12:45 PM, Harol Hunter <hhuntercu@gmail.com> wrote:
> 2008/1/24, Scott Lovenberg <scott.lovenberg@gmail.com>:
> > [...]
> > Harol,
> > How are you mapping your UIDs? Are they statically mapped?
>
> I'm not sure what you're asking, but if you mean whether I map the
> ldap users to the smbuser file or not, then the answer is no; I thought it
> wasn't necessary if I were using ldap. Now I have some more
> information: I activated the debug level for profiles in Windows after
> reading some old posts, and I found Windows loads the right profile
> from the server, but then tries to reconcile it with the local profile, and
> as I had to activate "Delete Profiles After closing session", it
> uses whatever old profile it might find, and if it can't find any then
> it creates one that won't be deleted later. The result is that all the
> profiles got mixed (and screwed). Now all my users are about to
> lynch me. I'm sending you the options of my profiles share so you can
> examine it.
>
> [profiles]
> comment = Network Users Profiles
> path = /home/samba/profiles
> read only = No
> create mask = 0600
> directory mask = 0700
> profile acls = Yes
> browseable = No
> csc policy = disable
>
> Thanks for the help, still waiting
>
> Harol Hunter

Sorry for the delay. I hope the users haven't killed you just yet; a LART comes in handy in these cases!

What I meant was, how do you have your domain (samba) users mapped to a unix UID/GID?

From the Samba How-To (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#passdbtech):

> Every operation in UNIX/Linux requires a user identifier (UID), just as in MS Windows NT4/200x this requires a security identifier (SID). Samba provides two means for mapping an MS Windows user to a UNIX/Linux UID.
>
> First, all Samba SAM database accounts require a UNIX/Linux UID that the account will map to. As users are added to the account information database, Samba will call the add user script interface to add the account to the Samba host OS. In essence all accounts in the local SAM require a local user account.
>
> The second way to map Windows SID to UNIX UID is via the idmap uid and idmap gid parameters in smb.conf. Please refer to the man page for information about these parameters. These parameters are essential when mapping users from a remote (non-member Windows client or a member of a foreign domain) SAM server.

Can you provide your entire smb.conf file? I've CC'ed the list, as I am an LDAP amateur!

--
Peace and Blessings,
-Scott.

"Of course, that's just my opinion; I could be wrong"
-Dennis Miller
On Jan 28, 2008 1:39 PM, Harol Hunter <hhuntercu@gmail.com> wrote:
> As you can see I'm still alive (I don't know for how long but ... ;-)
> Well, let me tell you all my users have a SID and a UID in their
> account entries in LDAP. I'll attach my full smb.conf hoping you
> can help me, thanks a lot pal
>
> [global]
>
> #########################################################################
> # NETBIOS OPTIONS #
> #########################################################################
> netbios name = intranet
> workgroup = icic
> server string = Servidor Intranet
> #disable netbios = yes
>
> #########################################################################
> # SERVER OPTIONS #
> #########################################################################
> interfaces = eth0 lo
> bind interfaces only = yes
> socket address = 10.0.0.1
> hosts allow = 10.0.0. 127.
> hosts deny = 0.0.0.0/0
>
> #########################################################################
> # DOMAIN OPTIONS #
> #########################################################################
> security = user
> preferred master = yes
> domain master = yes
> local master = yes
> os level = 64
> admin users = @"Domain Admins"
> enable privileges = yes
> allow trusted domains = no
>
> ########################################################################
> # PASSWORDS OPTIONS #
> ########################################################################
> passdb backend = ldapsam:ldap://127.0.0.1/
> encrypt passwords = true
> #passwd chat = Cambiando contrasena de \nNueva Contrasena %n\n Retype new password %n\n
> passwd program = /usr/sbin/smbldap-passwd -u '%u'
> obey pam restrictions = No
>
> ########################################################################
> # USERS & GROUPS SCRIPTS #
> ########################################################################
> #min passwd length = 6
> add user script = /usr/sbin/smbldap-useradd -a -m '%u'
> delete user script = /usr/sbin/smbldap-userdel '%u'
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>
> ########################################################################
> # LOGONS OPTIONS #
> ########################################################################
> domain logons = yes
> logon path = \\intranet\profiles\%u
> logon home = \\%L\%u\.profiles
> logon drive = H
> logon script = logon.cmd
>
> #######################################################################
> # LDAP OPTIONS #
> #######################################################################
> ldap suffix = dc=my,dc=domain,dc=com
> ldap admin dn = cn=admin,dc=my,dc=domain,dc=com
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> #ldap filter = ((uid=%u)&(objectclass=sambaSamAccount))
> #ldap ssl = start_tls
> ldap passwd sync = Yes
> ldap delete dn = yes
> #ldapsam:trusted = no
>
> #######################################################################
> # WINBIND OPTIONS #
> #######################################################################
> idmap backend = ldap://127.0.0.1/
> #idmap uid = 10000-20000
> #idmap gid = 10000-20000
> #winbind separator = '\'
> winbind trusted domains only = yes
> winbind use default domain = yes
>
> #######################################################################
> # LOGS OPTIONS #
> #######################################################################
> log file = /var/log/samba/smb.%m
> #log level = 1
> log level = 10 auth:10 nmbd:10
> #max log size = 5000
> syslog = 0
>
> #######################################################################
> # MISC. OPTIONS #
> #######################################################################
> wins support = yes
> time server = yes
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> max xmit = 8192
> #getwd cache = yes
> name resolve order = hosts bcast
> inherit acls = no
> map acl inherit = yes
> server signing = mandatory
> dns proxy = no
> svcctl list = bind9 apache2 chrony cron slapd winbind dhcpd3
>
> #######################################################################
> # SHARES #
> ########################################################################
> [homes]
> comment = User's Home
> writable = yes
> browseable = no
> create mask = 0700
> directory mask = 0700
>
> [netlogon]
> comment = Network Logon Service
> path = /home/samba/netlogon
> browseable = no
> writable = no
> write list = @"Domain Admins"
>
> [profiles]
> comment = Network Users Profiles
> path = /home/samba/profiles
> csc policy = disable
> writable = yes
> #force user = %U
> #valid users = %U
> profile acls = yes
> browseable = no
> readonly = no
> create mask = 0600
> directory mask = 0700

Hrm, settings seem fine, as far as I can tell. Have you tried the UPHClean Windows Service?

From Chapter 27, Desktop Profile Management (http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html#id425774), of the Samba How-To:

> There are certain situations that cause a cached local copy of roaming
> profile not to be deleted on exit, even if the policy to force such deletion
> is set. To deal with that situation, a special service was created. The
> application UPHClean (User Profile Hive Cleanup) can be installed as a
> service on Windows NT4/2000/XP Professional and Windows 2003.
>
> The UPHClean software package can be downloaded from the User Profile Hive
> Cleanup Service web site.

Chapter 27 of the Samba How-To might be worth a read.

I'm really fuzzy as to exactly what is going on. All you did was add a few extra clients, correct? You were deleting the roaming profile successfully before this without having problems?

--
Peace and Blessings,
-Scott.

"Of course, that's just my opinion; I could be wrong"
-Dennis Miller
Harol Hunter wrote:
> 2008/1/28, Scott Lovenberg <scott.lovenberg@gmail.com>:
>> On Jan 28, 2008 1:39 PM, Harol Hunter <hhuntercu@gmail.com> wrote:
>>> As you can see I'm still alive (I don't know for how long but ... ;-)
>>> Well, let me tell you all my users have a SID and a UID in their
>>> account entries in LDAP. I'll attach my full smb.conf hoping you
>>> can help me, thanks a lot pal
>>>
>>> [full smb.conf quoted; see the previous message]
>>
>> Hrm, settings seem fine, as far as I can tell. Have you tried the UPHClean
>> Windows Service?
>>
>> [...]
>>
>> Chapter 27 of the Samba How-To might be worth a read.
>>
>> I'm really fuzzy as to exactly what is going on. All you did was add a few extra
>> clients, correct? You were deleting the roaming profile successfully before
>> this without having problems?
>>
>> --
>> Peace and Blessings,
>> -Scott.
>>
>> "Of course, that's just my opinion; I could be wrong"
>> -Dennis Miller
>
> I think I finally found the problem, but now I don't know how to fix
> it. Googling a little, I found a few old posts related to my problems
> saying that the problem was the sambaSID entry duplicated, so I made a
> search and guess what: all my users have the very same sambaSID, so you
> were right from the beginning about the users map. I read I don't have to
> map the samba accounts to unix, but all the users must have a
> different sambaSID of course. I've no clue how this happened or how
> to solve it; I only assume that it's because W2K profiles are
> different from WXP and the users that started having problems have logged
> in on both XP and 2K, am I correct? Anyway, I'll install XP on these
> computers so all my network has the same OS, but I still need
> help on how to change the users' sambaSID because I'm not sure how this SID is
> given. Once again thanks for your help
>
> Harol Hunter

Well, Win2K uses a different home path variable. I think they suggest using something like .9xprofile or something like that for the folder. I think there's a section on mixed environments in the samba guide; how this plays with LDAP is beyond my experience, but in theory it should work exactly the same as without LDAP - the backend data interface should not, IMHO, change the behavior of the application. Of course, theory and practice don't mix so well in computer science :).

I think you can back up your profiles and change the name of the server, which should break the SID. This will invalidate EVERY account (machine accounts as well - you'll have to have a script for automatically adding machines, or create the machine accounts again), so when you add them back, you should get a new SID mapping for each user name. I wouldn't just do this in a production environment; test it before doing it, as there is no way to undo it! I'm sure there must be a more elegant way to do this, but I don't know it.
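Editor's added example (not code from the samba list or from the Samba project): the two points the thread turns on are that every Samba account must map to a distinct SID as well as a distinct UNIX UID (the How-To passage quoted above), and that the symptom here turned out to be several accounts sharing one sambaSID. The check below takes an LDIF dump of the kind `ldapsearch -x -LLL -b "ou=Users,dc=my,dc=domain,dc=com" "(objectClass=sambaSamAccount)" uid uidNumber sambaSID` would produce and reports (1) sambaSID values shared by more than one account and (2) accounts whose RID does not match the algorithmic mapping rid = 2*uidNumber + 1000 that smbldap-useradd and Samba's default `algorithmic rid base` of 1000 both use. The domain SID, the user names and the LDIF text are constructed for the example; a real domain SID comes from `net getlocalsid`, and a site that assigns RIDs by hand would legitimately fail check (2).

```python
"""Audit sambaSamAccount entries for duplicate or inconsistent sambaSID values.

Added example; not code from the samba list thread. Parses a small LDIF dump
(constructed below) and flags sambaSID collisions and RIDs that do not match
rid = 2 * uidNumber + 1000 (Samba's default algorithmic mapping, also what
smbldap-tools assigns).
"""
from collections import defaultdict

# Assumed domain SID for the example; a real one comes from `net getlocalsid`.
DOMAIN_SID = "S-1-5-21-1234567890-1234567890-1234567890"

# Constructed sample: three of four users share one sambaSID, which is the
# symptom reported in the thread. The last entry uses an LDIF folded line
# (continuation lines begin with a single space) to exercise the parser.
SAMPLE_LDIF = """\
dn: uid=user1,ou=Users,dc=my,dc=domain,dc=com
uid: user1
uidNumber: 1001
sambaSID: S-1-5-21-1234567890-1234567890-1234567890-3002

dn: uid=user2,ou=Users,dc=my,dc=domain,dc=com
uid: user2
uidNumber: 1002
sambaSID: S-1-5-21-1234567890-1234567890-1234567890-3002

dn: uid=user3,ou=Users,dc=my,dc=domain,dc=com
uid: user3
uidNumber: 1003
sambaSID: S-1-5-21-1234567890-1234567890-1234567890-3002

dn: uid=user4,ou=Users,dc=my,dc=domain,dc=com
uid: user4
uidNumber: 1004
sambaSID: S-1-5-21-1234567890-123456789
 0-1234567890-3008
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, a line that
    starts with one space continues the previous value. Base64 (`::`) values
    are not handled; ldapsearch only emits them for non-printable data, which
    uid/uidNumber/sambaSID never are."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]      # folded continuation
            continue
        if not raw.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip()
        current[last_attr].append(value.strip())
    if current:
        entries.append(current)
    return entries


def expected_rid(uid_number, base=1000, multiplier=2):
    """Samba's algorithmic user RID: uid * 2 + 'algorithmic rid base'."""
    return uid_number * multiplier + base


def audit(entries, domain_sid=DOMAIN_SID):
    """Return (duplicates, mismatched):
    duplicates: sambaSID -> sorted list of uids that share it
    mismatched: uid -> the sambaSID the algorithmic mapping would give it"""
    by_sid = defaultdict(list)
    mismatched = {}
    for e in entries:
        uid, sid = e["uid"][0], e["sambaSID"][0]
        by_sid[sid].append(uid)
        want = "%s-%d" % (domain_sid, expected_rid(int(e["uidNumber"][0])))
        if sid != want:
            mismatched[uid] = want
    duplicates = {s: sorted(u) for s, u in by_sid.items() if len(u) > 1}
    return duplicates, mismatched


if __name__ == "__main__":
    dups, mism = audit(parse_ldif(SAMPLE_LDIF))
    for sid, users in dups.items():
        print("DUPLICATE %s shared by %s" % (sid, ", ".join(users)))
    for uid, want in sorted(mism.items()):
        print("MISMATCH  %s should have %s" % (uid, want))
```

Run against a live directory by replacing SAMPLE_LDIF with the ldapsearch output; a clean tree prints nothing. The duplicate check is the one that explains the swapped profiles, since Samba resolves the logged-on user's SID back to one account and every user sharing that SID gets the same profile path and ACL identity. The RID check only tells you what the smbldap-tools default would have assigned; fixing an entry is still a deliberate `ldapmodify` of sambaSID (and sambaPrimaryGroupSID) per account, done with the profile tree backed up, rather than the server rename suggested above.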