charles
2009-Oct-19 19:25 UTC
[Samba] local copy microsoft/credentials directory profile redirection
hello,

i've set up a domain controller to replace a production server. both servers use profile redirection for all user environment directories.

my problem is that when logging onto the new domain and server, windows will create in the %userprofile% local directory an Application Directory containing Microsoft/Credentials/*SID*, although a copy exists on the server.

this directory is used to store the user's network passwords.

because a blank credential directory is created, stored network passwords (explorer only) are not used. all other applications use the network copy of the directory (as they should).

redirection is done through adm. here are the pertinent settings:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"="%logonserver%\profiles\%username%\Application Data"
"Cookies"="%logonserver%\profiles\%username%\Cookies"
"Desktop"="%logonserver%\%username%\Desktop"
"Personal"="%logonserver%\%username%\My Documents"
"Local AppData"="%logonserver%\profiles\%username%\Local Settings\Application Data"
"Cache"="c:\temp\users\%username%\Local Settings\Temporary Internet Files"
"History"="c:\temp\users\%username%\Local Settings\History"
"Local Settings"="c:\temp\users\%username%\Local Settings"

the same client joined to the current domain (with the same adm settings) will not reproduce the undesired behavior.

does anyone have any suggestions, guesses, etc?
clients: windows xp sp3 (offline files disabled; set to delete local copies of profiles at log off)

os: ubuntu 9.04 server

samba: 3.3.2-1ubuntu3.2

config:

Server role: ROLE_DOMAIN_PDC
[global]
    workgroup = domain-name
    server string = server-name
    passdb backend = ldapsam:ldap://127.0.0.1
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    log level = 5 vfs:0 smb:0
    syslog = 0
    log file = /var/log/samba/log.%h
    max log size = 10000000
    max xmit = 65535
    socket options = TCP_NODELAY SO_SNDBUF=1638400 SO_RCVBUF=1638400 SO_KEEPALIVE
    printcap name = cups
    show add printer wizard = No
    max stat cache size = 1024
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    logon script = logon.bat
    logon path = \\%N\hives\%U
    logon drive = " "
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    kernel oplocks = No
    ldap admin dn = cn=admin,dc=domain-name,dc=bz
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap suffix = dc=domain-name,dc=bz
    ldap ssl = no
    ldap user suffix = ou=Users
    utmp = Yes
    panic action = /usr/share/samba/panic-action %d
    cups options = raw
    case sensitive = No
    hide files = /desktop.ini/

[netlogon]
    path = /usershare/netlogon
    write list = jorge
    guest ok = Yes

[hives]
    comment = Profile Hive Directory
    path = /userdata/hives/%a
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No
    csc policy = disable
    oplocks = No
    level2 oplocks = No
    vfs objects = full_audit, recycle
    full_audit:priority = notice
    full_audit:facility = local5
    full_audit:failure = connect mkdir rename unlink rmdir pwrite
    full_audit:success = connect disconnect mkdir rename unlink rmdir pwrite
    full_audit:prefix = %u|%S - %m|%I
    recycle:maxsize = 0
    recycle:versions = yes
    recycle:touch = yes
    recycle:keeptree = yes
    recycle:repository = /userdata/user_trash/%U

[profiles]
    comment = Profile Data Directory
    path = /userdata/profiles/%a
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No
    csc policy = disable
    oplocks = No
    level2 oplocks = No

[printers]
    comment = Printers
    path = /var/spool/samba
    admin users = @lpadmin
    write list = @lpadmin, root
    guest ok = Yes
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /etc/samba/drivers
    admin users = @lpadmin
    write list = @lpadmin, root

-- 
Charles

Belmopan, Belize

"... we just love cars and we love driving them!"

http://www.cardomain.com/ride/2400106
charles
2009-Oct-21 19:16 UTC
[Samba] local copy microsoft/credentials directory profile redirection
> Date: Mon, 19 Oct 2009 13:25:48 -0600
> Subject: [Samba] local copy microsoft/credentials directory profile redirection
>
> hello,
>
> i've set up a domain controller to replace a production server. both servers use profile redirection for all user environment directories.
>
> my problem is that when logging onto the new domain and server, windows will create in the %userprofile% local directory an Application Directory containing Microsoft/Credentials/*SID*, although a copy exists on the server.
>
> this directory is used to store the user's network passwords.
>
> because a blank credential directory is created, stored network passwords (explorer only) are not used. all other applications use the network copy of the directory (as they should).
>
> redirection is done through adm. here are the pertinent settings:
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
> "AppData"="%logonserver%\profiles\%username%\Application Data"
> "Cookies"="%logonserver%\profiles\%username%\Cookies"
> "Desktop"="%logonserver%\%username%\Desktop"
> "Personal"="%logonserver%\%username%\My Documents"
> "Local AppData"="%logonserver%\profiles\%username%\Local Settings\Application Data"
> "Cache"="c:\temp\users\%username%\Local Settings\Temporary Internet Files"
> "History"="c:\temp\users\%username%\Local Settings\History"
> "Local Settings"="c:\temp\users\%username%\Local Settings"
>
> the same client joined to the current domain (with the same adm settings) will not reproduce the undesired behavior.
>
> does anyone have any suggestions, guesses, etc?
>
> clients: windows xp sp3 (offline files disabled; set to delete local copies of profiles at log off)
>
> os: ubuntu 9.04 server
>
> samba: 3.3.2-1ubuntu3.2
>
> config:
>
> Server role: ROLE_DOMAIN_PDC
> [global]
>     workgroup = domain-name
>     server string = server-name
>     passdb backend = ldapsam:ldap://127.0.0.1
>     passwd program = /usr/sbin/smbldap-passwd -u "%u"
>     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>     log level = 5 vfs:0 smb:0
>     syslog = 0
>     log file = /var/log/samba/log.%h
>     max log size = 10000000
>     max xmit = 65535
>     socket options = TCP_NODELAY SO_SNDBUF=1638400 SO_RCVBUF=1638400 SO_KEEPALIVE
>     printcap name = cups
>     show add printer wizard = No
>     max stat cache size = 1024
>     add user script = /usr/sbin/smbldap-useradd -m "%u"
>     delete user script = /usr/sbin/smbldap-userdel "%u"
>     add group script = /usr/sbin/smbldap-groupadd -p "%g"
>     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>     delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>     logon script = logon.bat
>     logon path = \\%N\hives\%U
>     logon drive = " "
>     domain logons = Yes
>     os level = 65
>     preferred master = Yes
>     domain master = Yes
>     kernel oplocks = No
>     ldap admin dn = cn=admin,dc=domain-name,dc=bz
>     ldap group suffix = ou=Groups
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=Computers
>     ldap suffix = dc=domain-name,dc=bz
>     ldap ssl = no
>     ldap user suffix = ou=Users
>     utmp = Yes
>     panic action = /usr/share/samba/panic-action %d
>     cups options = raw
>     case sensitive = No
>     hide files = /desktop.ini/
>
> [netlogon]
>     path = /usershare/netlogon
>     write list = jorge
>     guest ok = Yes
>
> [hives]
>     comment = Profile Hive Directory
>     path = /userdata/hives/%a
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     browseable = No
>     csc policy = disable
>     oplocks = No
>     level2 oplocks = No
>     vfs objects = full_audit, recycle
>     full_audit:priority = notice
>     full_audit:facility = local5
>     full_audit:failure = connect mkdir rename unlink rmdir pwrite
>     full_audit:success = connect disconnect mkdir rename unlink rmdir pwrite
>     full_audit:prefix = %u|%S - %m|%I
>     recycle:maxsize = 0
>     recycle:versions = yes
>     recycle:touch = yes
>     recycle:keeptree = yes
>     recycle:repository = /userdata/user_trash/%U
>
> [profiles]
>     comment = Profile Data Directory
>     path = /userdata/profiles/%a
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     browseable = No
>     csc policy = disable
>     oplocks = No
>     level2 oplocks = No
>
> [printers]
>     comment = Printers
>     path = /var/spool/samba
>     admin users = @lpadmin
>     write list = @lpadmin, root
>     guest ok = Yes
>     printable = Yes
>     browseable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /etc/samba/drivers
>     admin users = @lpadmin
>     write list = @lpadmin, root
>
> -- 
> Charles
>
> Belmopan, Belize
>
> "... we just love cars and we love driving them!"
>
> http://www.cardomain.com/ride/2400106

solved. the problem was the use of the %logonserver% variable in my policy file. it appears that the variable is not yet resolvable at the time the logon process checks for the existence of a credential file. using the actual server-name for the AppData environment remedied the problem. good luck.
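The root cause charles found above (a User Shell Folders value that still contains %logonserver% when Windows first looks for the credential directory) can be checked offline before a policy is rolled out. The script below is an added example, not from the thread or from Samba: it expands Windows-style %VAR% references against a given environment, reports which redirected folders do not fully resolve, and applies the remedy from the reply by pinning the literal server name. The User Shell Folders values are the ones quoted in the post; the environment maps, the user name "jorge" and the server name "\\server-name" are constructed sample values.

```python
import re

# Matches one %VAR% reference; the expansion below is case-insensitive like Windows.
VAR_RE = re.compile(r"%([^%]+)%")

# The User Shell Folders values quoted in the post (raw strings keep the backslashes).
USER_SHELL_FOLDERS = {
    "AppData": r"%logonserver%\profiles\%username%\Application Data",
    "Cookies": r"%logonserver%\profiles\%username%\Cookies",
    "Desktop": r"%logonserver%\%username%\Desktop",
    "Personal": r"%logonserver%\%username%\My Documents",
    "Local AppData": r"%logonserver%\profiles\%username%\Local Settings\Application Data",
    "Cache": r"c:\temp\users\%username%\Local Settings\Temporary Internet Files",
    "History": r"c:\temp\users\%username%\Local Settings\History",
    "Local Settings": r"c:\temp\users\%username%\Local Settings",
}

# Constructed environments: early in logon only the user name is known
# (mirroring the finding that %logonserver% is not yet resolvable); later both are.
EARLY_LOGON_ENV = {"USERNAME": "jorge"}
LATE_LOGON_ENV = {"USERNAME": "jorge", "LOGONSERVER": r"\\server-name"}


def expand(value, env):
    """Expand %VAR% references; return (expanded, [unresolved names]).
    Unresolved references are left in place, which is what Windows does."""
    lower_env = {k.lower(): v for k, v in env.items()}
    unresolved = []

    def repl(m):
        name = m.group(1)
        if name.lower() in lower_env:
            return lower_env[name.lower()]
        unresolved.append(name)
        return m.group(0)

    return VAR_RE.sub(repl, value), unresolved


def audit(folders, env):
    """Map each folder whose value does not fully expand to its unresolved variables."""
    return {name: unresolved
            for name, value in folders.items()
            for unresolved in [expand(value, env)[1]] if unresolved}


def pin_logonserver(folders, server):
    """The remedy from the thread: replace %logonserver% with the literal server name."""
    pattern = re.compile(r"%logonserver%", re.IGNORECASE)
    return {name: pattern.sub(lambda m: server, value) for name, value in folders.items()}
```

Running audit() with EARLY_LOGON_ENV flags every value that depends on %logonserver%, and auditing the output of pin_logonserver() under the same environment flags nothing.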