samba - Dec 2008 - Vista roaming profiles...

Hi everybody,

after many weeks of searching/trying, I still can't manage to get vista to
use/save roaming profiles with samba as PDC...
It has apparently worked a few times in the beginning since the profiles
directories are populated.
Could it be related to a Vista update or SP1?
Here's what I did so far:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
"RequireSignOrSeal"=dword:00000000

[Profiles]
    path = /home/samba/
    browseable = yes
    writable = yes
    create mode = 0600 
    directory mask = 0700
    csc policy = disable
    nt acl support = no
    read only = no

[Profiles.V2]
  copy = Profiles

Created /home/samba/<user>.V2 directories...

I have three questions:
1. Anything to fix/improve in my confs?
2. Do you know a good howto for Vista and samba?
3. If I fix the issue, is there a possibility of overwriting my users recent
local profiles with the old server profiles?   Should I empty the profiles
directories first?

Thx,
JD

vista works fine for me w/ roaming profiles.  i can send you my smb.conf 
and LDAP entries if you wish to take a look.

John Doe wrote:
> Hi everybody,
>
> after many weeks of searching/trying, I still can't manage to get vista
to use/save roaming profiles with samba as PDC...
> It has apparently worked a few times in the beginning since the profiles
directories are populated.
> Could it be related to a Vista update or SP1?
> Here's what I did so far:
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
> "CompatibleRUPSecurity"=dword:00000001
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
> "RequireSignOrSeal"=dword:00000000
>
> [Profiles]
>     path = /home/samba/
>     browseable = yes
>     writable = yes
>     create mode = 0600 
>     directory mask = 0700
>     csc policy = disable
>     nt acl support = no
>     read only = no
>
> [Profiles.V2]
>   copy = Profiles
>
> Created /home/samba/<user>.V2 directories...
>
> I have three questions:
> 1. Anything to fix/improve in my confs?
> 2. Do you know a good howto for Vista and samba?
> 3. If I fix the issue, is there a possibility of overwriting my users
recent local profiles with the old server profiles?   Should I empty the
profiles directories first?
>
> Thx,
> JD
>
>
>       
>
>

I didn't do anything special, no registry hacks, changes with msconfig 
or gpedit.msc or anything.  just running vista SP1 32-bit and 64-bit.

here's the ldif of a vista user:

[root@roark mail]# ldapsearch -D 
'cn=Manager,dc=mdah,dc=state,dc=ms,dc=us' -b 
"uid=gjones,ou=People,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxx -x
# extended LDIF
#
# LDAPv3
# base <uid=gjones,ou=People,dc=mdah,dc=state,dc=ms,dc=us> with scope 
subtree
# filter: (objectclass=*)
# requesting: ALL
#

# gjones, People, mdah.state.ms.us
dn: uid=gjones,ou=People,dc=mdah,dc=state,dc=ms,dc=us
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: hostObject
objectClass: sambaSamAccount
cn: Gwendolyn Jones
sn: Jones
givenName: Gwendolyn Jones
uid: gjones
uidNumber: 874
gidNumber: 100
homeDirectory: /home/gjones
mail: gjones@mdah.state.ms.us
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gecos: Gwendolyn Jones
host: roark
host: arrowhead
host: preshs
shadowLastChange: 14120
sambaSID: S-1-5-21-4231144054-2518398651-1985341777-2748
displayName: Gwendolyn Jones
sambaPasswordHistory: 
00000000000000000000000000000000000000000000000000000000
 00000000
sambaAcctFlags: [U          ]
sambaProfilePath: \\roark\profiles\gjones
sambaHomePath: \\roark\gjones
sambaLogonScript: scripts\gjones.bat
sambaHomeDrive: R:
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaPwdLastSet: 1220372614
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@roark mail]# ldapsearch -D 
'cn=Manager,dc=mdah,dc=state,dc=ms,dc=us' -b 
"uid=gjones$,ou=Computers,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxxxxx
-x
# extended LDIF
#
# LDAPv3
# base <uid=gjones$,ou=Computers,dc=mdah,dc=state,dc=ms,dc=us> with 
scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# gjones$, Computers, mdah.state.ms.us
dn: uid=gjones$,ou=Computers,dc=mdah,dc=state,dc=ms,dc=us
uid: gjones$
cn: gjones$
sn: gjones$
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
shadowLastChange: 13916
shadowMax: 99999
shadowWarning: 7
loginShell: /dev/null
uidNumber: 10874
gidNumber: 100
homeDirectory: /dev/null
sambaSID: S-1-5-21-4231144054-2518398651-1985341777-1029
displayName: gjones$
sambaAcctFlags: [W          ]
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaPwdLastSet: 1228486918

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[global]
        unix charset = LOCALE
        workgroup = ADMIN
        server string = Roark
        update encrypted = Yes
        map to guest = Bad Password
        password server = roark
        passdb backend = ldapsam:ldap://roark.mdah.state.ms.us
        username map = /etc/samba/smbusers
        log level = 4
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = wins bcast hosts
        time server = Yes
        printcap name = CUPS
        show add printer wizard = No
        add user script = /usr/sbin/smbldap-useradd -a -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u"
"%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x 
"%u" "%g"
        set primary group script = /usr/sbin/smbldap-groupmod -g "%g"
"%u"

        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        domain logons = Yes
        os level = 66
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins proxy = Yes
        wins support = Yes
        ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = Computers
        ldap passwd sync = Yes
        ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
        ldap user suffix = ou=People
        idmap backend = ldap:ldap://mdah.state.ms.us
        idmap uid = 20000-30000
        idmap gid = 20000-30000
        template homedir = /home/winnt/%D/%U
        template shell = /bin/bash
        printer admin = root, awilliam, smccoy, jomiles, sokolsky
        guest ok = Yes
        hosts allow = 10.8.
        profile acls = Yes
        map acl inherit = Yes
        posix locking = No
        msdfs root = Yes

[homes]
        comment = Home Directories
        valid users = %S
        force group = users
        read only = No
        create mask = 0750
        force create mode = 0750
        directory mask = 0750
        force directory mode = 0750
        guest ok = No
        nt acl support = No
        browseable = No
        csc policy = disable

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        use client driver = Yes
        browseable = No

[share]
        path = /samba/admin
        force group = admin
        read only = No
        create mask = 0777
        force create mode = 0777
        force security mode = 0777
        directory mask = 0777
        force directory mode = 0777
        guest only = Yes
        nt acl support = No
        csc policy = disable

[pers]
        path = /samba/pers
        valid users = chall, mckinnon, awilliam
        force group = pers
        read only = No
        create mask = 0760
        force create mode = 0760
        force security mode = 0777
        directory mask = 0770
        force directory mode = 0770
        nt acl support = No
        csc policy = disable
        wide links = No

[pubinfo]
        path = /samba/pubinfo
        valid users = @pubinfo
        force group = pubinfo
        read only = No
        create mask = 0777
        force create mode = 0777
        force security mode = 0777
        directory mask = 0777
        force directory mode = 0777
        nt acl support = No
        csc policy = disable

[exec]
        path = /samba/executive
        valid users = @executive
        force group = executive
        read only = No
        create mask = 0770
        force create mode = 0770
        force security mode = 0777
        directory mask = 0770
        force directory mode = 0770
        nt acl support = No
        browseable = No
        csc policy = disable

[exec-hr]
        path = /samba/executive/hr
        valid users = @exec-hr
        force group = exec-hr
        read only = No
        create mask = 0770
        force create mode = 0770
        force security mode = 0777
        directory mask = 0770
        force directory mode = 0770
        nt acl support = No
        browseable = No
        csc policy = disable

[netlogon]
        path = /var/lib/samba/netlogon
        guest ok = No
        nt acl support = No
        csc policy = disable

[profiles]
        path = /var/lib/samba/profiles
        read only = No
        create mask = 0777
        directory mask = 0777
        delete veto files = Yes
        veto files = /*.mp3/*.wma/
        browseable = No

[grants]
        path = /samba/grants
        valid users = @grants
        force group = grants
        read only = No
        create mask = 0770
        force create mode = 0770
        force security mode = 0777
        directory mask = 0770
        force directory mode = 0770
        nt acl support = No
        browseable = No
        csc policy = disable

[hankandcheri]
        path = /samba/hankandcheri
        valid users = @hankandcheri
        force group = hankandcheri
        read only = No
        create mask = 0777
        force create mode = 0777
        force security mode = 0777
        directory mask = 0777
        force directory mode = 0777
        nt acl support = No
        csc policy = disable

[newmuse]
        path = /samba/newmuse
        valid users = @newmuse
        force group = newmuse
        read only = No
        create mask = 0660
        force create mode = 0660
        force security mode = 0777
        directory mask = 0770
        force directory mode = 0770
        nt acl support = No
        csc policy = disable

[wpkg]
        comment = Windows Packager
        path = /samba/wpkg
        admin users = awilliam
        write list = awilliam
        force user = root
        read only = No
        browseable = No

[hholmes-recman]
        comment = hholmes on recman
        path = /samba/hholmes-recman
        valid users = root, hholmes
        force user = root
        read only = No
        create mask = 0770
        force create mode = 0770
        force security mode = 0777
        directory mask = 0770
        force directory mode = 0770
        nt acl support = No
        csc policy = disable

[is]
        path = /samba/is
        valid users = @is
        write list = @is
        force group = is
        read only = No
        create mask = 0777
        force create mode = 0777
        directory mask = 0777
        force directory mode = 0777
        guest ok = No
        nt acl support = No
        csc policy = disable

[hankandtrey]
        path = /samba/hankandtrey
        valid users = @hankandtrey
        force group = hankandtrey
        read only = No
        create mask = 0777
        force create mode = 0777
        force security mode = 0777
        directory mask = 0777
        force directory mode = 0777
        nt acl support = No
        csc policy = disable

[dfs]
        path = /samba/dfs
        valid users = @dfs
        force group = users
        read only = No
        nt acl support = No
        csc policy = disable

[home]
        path = /home
        valid users = @dfs
        force group = users
        read only = No
        create mask = 0777
        force create mode = 0777
        force security mode = 0777
        directory mask = 0777
        force directory mode = 0777
        nt acl support = No
        csc policy = disable

[root@roark mail]# ls -l /var/lib/samba/profiles/|grep gjones
drwxrwxrwx 11 gjones      users    4096 2008-12-10 19:01 gjones.V2

[root@roark mail]# ls -al /var/lib/samba/profiles/|grep .
total 280
drwxrwxrwx 44 root        users    4096 2008-11-25 18:04 .

[root@roark mail]# smbd -V
Version 3.0.33

[root@roark mail]# du -shc /var/lib/samba/profiles/gjones.V2/
90M     /var/lib/samba/profiles/gjones.V2/

> after many weeks of searching/trying, I still can't manage to get vista
to
> use/save roaming profiles with samba as PDC...
> It has apparently worked a few times in the beginning since the profiles 
> directories are populated.
> Could it be related to a Vista update or SP1?
Hi,

I tried to add those but it did not help...
       profile acls = Yes
       map acl inherit = Yes
       posix locking = No
       msdfs root = Yes

On Vista, I found
      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-...
which contains:
      CentralProfile = \\server\Profiles\user
      ProfilesImagePath = C:\Users\user

If I set this:
      ProfilesImagePath = \\server\Profiles\user
The profile is apparently saved on the server (I guess that means the problem is
on Vista's side).
The problem is that of course there is no local profile in case of a network
failure...
Any idea what could be wrong?
The system variable %USERPROFILE% is always C:\Users\user and not
\\server\Profiles\user
And the whole time, Vista never complains about being denied acces to the
network profile...
BTW, the latest samba version for my CentOS is 3.0.28-1

Thx,
JD