Richard Herrmann
2010-Apr-21 13:38 UTC
[Samba] Server-Profile only applied when domain user gets Admin privileges on WinXP
After upgrade from 3.0.x to 3.4.3 (on new hardware) profiles only apply when
the domain users are Members of the local WinXP admin group!? The Account
behaves like a guest account - Modifications can not be saved (e.g. the left
side of the XP/SP3 task menu remains empty, Control Panel can not be changed
to classic view, .).
No problems at all with profiles created under Samba version 3.4.3.
I extended smb.conf by "profile acl = yes" and "passdb backend = smbpasswd"
(tdbsam didn't change the behaviour):
[global]
server string = BDC
log level = 1 passdb:5 auth:5 winbind:2
workgroup = xyz
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
printer admin = @ntadmin, root, administrator
username map = /etc/samba/smbusers
map to guest = Bad User
# include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon drive = Z:
security = user
encrypt passwords = yes
netbios name = svtest
smb passwd file = /etc/samba/smbpasswd
smb ports = 139
passdb backend = smbpasswd
passwd program = /usr/bin/passwd %u
passwd chat = "New password:" %n "Re-enter new password:" %n "*Password changed*"
passwd chat debug = Yes
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
logon script = %u.bat
domain master = yes
domain logons = yes
local master = yes
wins support = yes
preferred master = yes
os level = 65
hide dot files = yes
time server = yes
max log size = 1000
oplocks = yes
fake oplocks = no
read raw = yes
write raw = yes
socket options = TCP_NODELAY
getwd cache = yes
usershare allow guests = No
[homes]
comment = Home Directories
valid users = %S
browseable = no
read only = No
inherit acls = Yes
guest ok = no
printable = no
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0660
directory mask = 0770
browseable = no
guest ok = no
printable = no
profile acls = Yes
[users]
comment = All users
path = /data/home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
browseable = no
guest ok = no
printable = no
[netlogon]
comment = Network Logon Service
path = /data/netlogon
read only = Yes
browseable = no
write list = @admin
csc policy = disable
Did I miss something to make the server configuration compatible with
version 3.4 or do I have to modify the content / ACLs of all existing
profiles?
---
Any help would be appreciated.
Richard Herrmann