charles
2009-Oct-19 19:25 UTC
[Samba] local copy microsoft/credentials directory profile redirection
hello,
i've set up a domain controller to replace a production server.
both servers use profile redirection for all user environment directories.
my problem is that when logging onto the new domain and server, windows will
create in the %userprofile% local directory an Application Directory
containing Microsoft/Credentials/*SID*, although a copy exists on the
server.
this directory is used to store the user's network passwords.
because a blank credential directory is created stored network passwords
(explorer only) are not used. all other applications use the network copy of
the directory (as they should).
redirection is done through adm here are the pertinent settings:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User
Shell Folders]
"AppData"="%logonserver%\profiles\%username%\Application
Data"
"Cookies"="%logonserver%\profiles\%username%\Cookies"
"Desktop"="%logonserver%\%username%\Desktop"
"Personal"="%logonserver%\%username%\My Documents"
"Local AppData"="%logonserver%\profiles\%username%\Local
Settings\Application Data"
"Cache"="c:\temp\users\%username%\Local Settings\Temporary
Internet Files"
"History"="c:\temp\users\%username%\Local Settings\History"
"Local Settings"="c:\temp\users\%username%\Local Settings"
the same client joined to current domain (with the same adm settings) will
not reproduce un-desired behavior.
does anyone have any suggestions, guesses, etc?
clients: windows xp sp3 (offline files disabled; set to delete local copies
of profiles at log off)
os: ubuntu 9.04 server
samba: 3.3.2-1ubuntu3.2
config:
Server role:
ROLE_DOMAIN_PDC
[global]
workgroup = domain-name
server string = server-name
passdb backend = ldapsam:ldap://127.0.0.1
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
log level = 5 vfs:0 smb:0
syslog = 0
log file = /var/log/samba/log.%h
max log size = 10000000
max xmit = 65535
socket options = TCP_NODELAY SO_SNDBUF=1638400 SO_RCVBUF=1638400
SO_KEEPALIVE
printcap name = cups
show add printer wizard = No
max stat cache size = 1024
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u"
"%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x
"%u"
"%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g"
"%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
logon script = logon.bat
logon path = \\%N\hives\%U
logon drive = " "
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
kernel oplocks = No
ldap admin dn = cn=admin,dc=domain-name,dc=bz
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=domain-name,dc=bz
ldap ssl = no
ldap user suffix = ou=Users
utmp = Yes
panic action = /usr/share/samba/panic-action %d
cups options = raw
case sensitive = No
hide files = /desktop.ini/
[netlogon]
path = /usershare/netlogon
write list = jorge
guest ok = Yes
[hives]
comment = Profile Hive Directory
path = /userdata/hives/%a
read only = No
create mask = 0600
directory mask = 0700
browseable = No
csc policy = disable
oplocks = No
level2 oplocks = No
vfs objects = full_audit, recycle
full_audit:priority = notice
full_audit:facility = local5
full_audit:failure = connect mkdir rename unlink rmdir pwrite
full_audit:success = connect disconnect mkdir rename unlink rmdir
pwrite
full_audit:prefix = %u|%S - %m|%I
recycle:maxsize = 0
recycle:versions = yes
recycle:touch = yes
recycle:keeptree = yes
recycle:repository = /userdata/user_trash/%U
[profiles]
comment = Profile Data Directory
path = /userdata/profiles/%a
read only = No
create mask = 0600
directory mask = 0700
browseable = No
csc policy = disable
oplocks = No
level2 oplocks = No
[printers]
comment = Printers
path = /var/spool/samba
admin users = @lpadmin
write list = @lpadmin, root
guest ok = Yes
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /etc/samba/drivers
admin users = @lpadmin
write list = @lpadmin, root
--
Charles
Belmopan, Belize
"... we just love cars and we love driving them!"
http://www.cardomain.com/ride/2400106
charles
2009-Oct-21 19:16 UTC
[Samba] local copy microsoft/credentials directory profile redirection
> Date: Mon, 19 Oct 2009 13:25:48 -0600 > Subject: [Samba] local copy microsoft/credentials directory profile > redirection > hello, > > i've set up a domain controller to replace a production server. > both servers use profile redirection for all user environment directories. > > my problem is that when logging onto the new domain and server, windows > will > create in the %userprofile% local directory an Application Directory > containing Microsoft/Credentials/*SID*, although a copy exists on the > server. > > this directory is used to store the user's network passwords. > > because a blank credential directory is created stored network passwords > (explorer only) are not used. all other applications use the network copy > of > the directory (as they should). > > redirection is done through adm here are the pertinent settings: > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User > Shell Folders] > "AppData"="%logonserver%\profiles\%username%\Application Data" > "Cookies"="%logonserver%\profiles\%username%\Cookies" > "Desktop"="%logonserver%\%username%\Desktop" > "Personal"="%logonserver%\%username%\My Documents" > "Local AppData"="%logonserver%\profiles\%username%\Local > Settings\Application Data" > "Cache"="c:\temp\users\%username%\Local Settings\Temporary Internet Files" > "History"="c:\temp\users\%username%\Local Settings\History" > "Local Settings"="c:\temp\users\%username%\Local Settings" > > the same client joined to current domain (with the same adm settings) will > not reproduce un-desired behavior. > > does anyone have any suggestions, guesses, etc? > > > clients: windows xp sp3 (offline files disabled; set to delete local copies > of profiles at log off) > > os: ubuntu 9.04 server > > samba: 3.3.2-1ubuntu3.2 > > config: > > Server role: > ROLE_DOMAIN_PDC > [global] > workgroup = domain-name > server string = server-name > passdb backend = ldapsam:ldap://127.0.0.1 > passwd program = /usr/sbin/smbldap-passwd -u "%u" > passwd chat = *New*password* %n\n *Retype*new*password* %n\n > *all*authentication*tokens*updated* > log level = 5 vfs:0 smb:0 > syslog = 0 > log file = /var/log/samba/log.%h > max log size = 10000000 > max xmit = 65535 > socket options = TCP_NODELAY SO_SNDBUF=1638400 SO_RCVBUF=1638400 > SO_KEEPALIVE > printcap name = cups > show add printer wizard = No > max stat cache size = 1024 > add user script = /usr/sbin/smbldap-useradd -m "%u" > delete user script = /usr/sbin/smbldap-userdel "%u" > add group script = /usr/sbin/smbldap-groupadd -p "%g" > add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" > delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" > "%g" > set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" > add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u" > logon script = logon.bat > logon path = \\%N\hives\%U > logon drive = " " > domain logons = Yes > os level = 65 > preferred master = Yes > domain master = Yes > kernel oplocks = No > ldap admin dn = cn=admin,dc=domain-name,dc=bz > ldap group suffix = ou=Groups > ldap idmap suffix = ou=Idmap > ldap machine suffix = ou=Computers > ldap suffix = dc=domain-name,dc=bz > ldap ssl = no > ldap user suffix = ou=Users > utmp = Yes > panic action = /usr/share/samba/panic-action %d > cups options = raw > case sensitive = No > hide files = /desktop.ini/ > > [netlogon] > path = /usershare/netlogon > write list = jorge > guest ok = Yes > > [hives] > comment = Profile Hive Directory > path = /userdata/hives/%a > read only = No > create mask = 0600 > directory mask = 0700 > browseable = No > csc policy = disable > oplocks = No > level2 oplocks = No > vfs objects = full_audit, recycle > full_audit:priority = notice > full_audit:facility = local5 > full_audit:failure = connect mkdir rename unlink rmdir pwrite > full_audit:success = connect disconnect mkdir rename unlink rmdir > pwrite > full_audit:prefix = %u|%S - %m|%I > recycle:maxsize = 0 > recycle:versions = yes > recycle:touch = yes > recycle:keeptree = yes > recycle:repository = /userdata/user_trash/%U > > [profiles] > comment = Profile Data Directory > path = /userdata/profiles/%a > read only = No > create mask = 0600 > directory mask = 0700 > browseable = No > csc policy = disable > oplocks = No > level2 oplocks = No > > [printers] > comment = Printers > path = /var/spool/samba > admin users = @lpadmin > write list = @lpadmin, root > guest ok = Yes > printable = Yes > browseable = No > > [print$] > comment = Printer Drivers > path = /etc/samba/drivers > admin users = @lpadmin > write list = @lpadmin, root > -- > Charles > > Belmopan, Belize > > "... we just love cars and we love driving them!" > > http://www.cardomain.com/ride/2400106 > > > >solved. the problem was the use of the %logonserver% variable in my policy file. it appears that the variable is not yet resolvable at the time the logon process checks for the existence of a credential file. using the actual server-name for the AppData environment remedied the problem. good luck.
Reasonably Related Threads
- ocfs2 with cman luster stack
- Machine choosing unexpected logonserver in multi-dc domain 4.2.1
- Problem with netlogon\logon.bat not mapping all drives
- Domain Logout, then domain login again, profile corrupt -> replaced by TEMP profile
- permission problem with vfs object recycle:directory_mode