Adam Sienkiewicz
2012-Feb-21 23:15 UTC
[Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem
Hi all;
For a few weeks I've been trying to implement a new Samba PDC server for my school.
It is based on Debian squeeze and Samba 3.5.6 with an LDAP backend.
I was able to join a computer to the domain, LDAP is working, and mapping the home
drive for users works too.
It seems that almost everything works well, with one exception. The one thing
which is broken is roaming profile support.
When a user logs into the domain, Windows (I tested Win XP Prof SP2 and Win7
Prof SP1) always says:
"Windows cannot locate the server copy of your roaming profile and is
attempting to log you on with your local profile. Changes to the profile
will not be copied to the server when you logoff. Possible causes of this
error include network problems or insufficient security rights. If this
problem persists, contact your network administrator.
DETAIL - The network name cannot be found."
and
"Windows cannot find the local profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when you
log off."
It looks strange, because when I put a default profile into the netlogon share,
Windows takes it (I see that the background color in Windows is the same as I
previously set in the default profile), and the user is able to browse his profile
directory and create dirs and files inside it. In the Samba logs there are no
errors; I can see that the /profile share is assigned to the user.
On the Windows side, in the c:\windows\debug\userenv log, there is:
USERENV(320.324) 18:58:22:898 DeleteProfileEx: Failed to query profile
guid with error 2
USERENV(320.324) 18:58:34:758 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 18:58:34:758 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 18:58:34:804 CheckRoamingShareOwnership: owner is S-1-1-0!
USERENV(320.324) 18:58:34:804 IsCentralProfileReachable: Ownership check
failed with 8007051B
USERENV(320.324) 18:58:34:804 ReportError: Impersonating user.
USERENV(320.324) 18:58:36:429 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 18:58:36:445 ReportError: Impersonating user.
USERENV(320.324) 18:58:37:023 RecurseDirectory:
=mswin_all32bit;tpc=os_groups;tpc=mswin_2000;tpc=mswin_xp;tpc=modern_oses;tpc=Delphi;tpc=winnt;tpc=win95;tpc=linux;tpc=posix;tpc=development;ord=3934272159358786
is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia
lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1\, dest = C:\Documents
and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\ARGDYVI1\
USERENV(320.324) 18:58:37:039 RecurseDirectory:
=mswin_all32bit;tpc=os_groups;tpc=mswin_2000;tpc=mswin_xp;tpc=modern_oses;tpc=Delphi;tpc=winnt;tpc=win95;tpc=linux;tpc=posix;tpc=development;ord=3934272159358786
is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia
lokalne\Temporary Internet Files\Content.IE5\61Y5M1K7\, dest = C:\Documents
and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\61Y5M1K7\
USERENV(320.324) 18:58:37:039 RecurseDirectory:
=mswin_all32bit;tpc=os_groups;tpc=mswin_2000;tpc=mswin_xp;tpc=modern_oses;tpc=Delphi;tpc=winnt;tpc=win95;tpc=linux;tpc=posix;tpc=development;ord=3934272159358786
is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia
lokalne\Temporary Internet Files\Content.IE5\Q6DTJICU\, dest = C:\Documents
and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\Q6DTJICU\
USERENV(320.324) 18:58:37:054 RecurseDirectory:
=mswin_all32bit;tpc=os_groups;tpc=mswin_2000;tpc=mswin_xp;tpc=modern_oses;tpc=Delphi;tpc=winnt;tpc=win95;tpc=linux;tpc=posix;tpc=development;ord=3934272159358786
is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia
lokalne\Temporary Internet Files\Content.IE5\I56DMBW1\, dest = C:\Documents
and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\I56DMBW1\
USERENV(320.324) 18:58:43:461 GetUserDNSDomainName: MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(358.278) 18:58:43:633 GetUserDNSDomainName: MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(358.278) 18:58:43:633 GetUserDNSDomainName: MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(320.324) 18:58:43:648 GetUserDNSDomainName: MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(320.2a0) 18:58:43:664 GetGPOInfo: Local GPO's gpt.ini is not
accessible, assuming default state.
USERENV(550.6ac) 18:58:50:945 GetUserDNSDomainName: MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(550.758) 18:58:50:992 GetUserDNSDomainName: MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(320.f0) 18:58:58:758 GetUserDNSDomainName: MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(77c.80) 19:04:24:414 GetUserDNSDomainName: MyGetUserNameEx failed
for NameDnsDomain style name with 1332
USERENV(320.324) 19:04:34:383 DeleteProfileEx: Failed to query profile
guid with error 2
USERENV(320.324) 19:04:51:508 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 19:04:51:508 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 19:04:51:554 CheckRoamingShareOwnership: owner is S-1-1-0!
USERENV(320.324) 19:04:51:554 IsCentralProfileReachable: Ownership check
failed with 8007051B
USERENV(320.324) 19:04:51:554 ReportError: Impersonating user.
USERENV(320.324) 19:04:53:273 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 19:04:53:273 ReportError: Impersonating user.
USERENV(320.324) 19:04:53:883 RecurseDirectory:
=mswin_all32bit;tpc=os_groups;tpc=mswin_2000;tpc=mswin_xp;tpc=modern_oses;tpc=Delphi;tpc=winnt;tpc=win95;tpc=linux;tpc=posix;tpc=development;ord=3934272159358786
is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia
lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1\, dest = C:\Documents
and Settings\TEMP.TESTADM\Ustawienia
Here is my smb.conf
[global]
workgroup = TESTADM
netbios name = PDC-SRV
security = user
enable privileges = yes
server string = Samba Server %v
encrypt passwords = true
unix password sync = yes
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
log level = 3
syslog = 0
log file = /var/log/samba/%U_%I.log
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
unix charset = ISO8859-2
dos charset = CP852
logon script = %G.bat
logon drive = H:
logon home logon path =\\172.16.220.131\profiles\%U
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=slackware,dc=local
ldap suffix = dc=slackware,dc=local
ldap group suffix = ou=groups
ldap user suffix = ou=users
ldap machine suffix = ou=Computers
#ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m "%u"
#ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = domainadm
ldap ssl = no
host msdfs = no
# printers configuration
#printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest ok = no
;guest account = nobody
;map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[netlogon]
path = /home/netlogon/
comment = Netwok Logon Service
browseable = No
writable = yes
writelist = @domainadm
[homes]
comment = Home Directories
path = /home/%U
;valid users = /home/%S
read only = No
browseable = No
create mask = 0644
directory mask = 0711
;admin users = piotrbrudny
nt acl support = no
[profiles]
path = /profiles
read only = no
writable = yes
create mask = 0600
directory mask = 0700
browseable = No
guest ok = no
profile acls = no
;nt acl support = no
# it used to be acls=yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
valid users = %U @"Domain Admins" @users
map acl inherit = yes
[printers]
comment = Network Printers
#printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
# print command = /usr/bin/lpr -U%U@%M -P%p -r %s
# lpq command = /usr/bin/lpq -U%U@%M -P%p
# lprm command = /usr/bin/lprm -U%U@%M -P%p %j
# lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
# lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
# queuepause command = /usr/sbin/lpc -U%U@%M stop %p
# queueresume command = /usr/sbin/lpc -U%U@%M start %p
[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775
[public]
path = /tmp
guest ok = yes
browseable = Yes
and also some info about the roaming profiles directory permissions
drwxrwxrwt 13 root root 4096 Feb 17 20:05 profiles
root at debldap4:~# tree -p -g -u /profiles
/profiles
├── [drwx------ czarus Domain U] czarus
├── [drwx------ domainad domainad] domainadm
├── [drwxrwxrwx jas Domain A] jas
├── [drwx------ root root ] root
├── [drwx------ sambaroo Domain U] sambaroot2
├── [drwx------ sambaroo Domain U] sambaroot2.V2
├── [drwx------ sambaroo Domain U] sambaroot3
├── [drwx------ sambaroo Domain U] sambaroot3.V2
├── [drwx------ test2 Domain U] test2
│   └── [drwx------ test2 Domain U] dfd
├── [drwx------ test5 domainad] test5
└── [drwx------ test4 domainad] %u
12 directories, 0 files
The dirs in the /profiles directory were created automatically during the logon process.
I googled for a few days and tried everything I could find, but with no luck. It would be
great if somebody could help me with this, because I have no idea what the
root cause of my issue is.
Adam Sienkiewicz
2012-Feb-23 07:45 UTC
[Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem
Adam Sienkiewicz
2012-Feb-26 08:33 UTC
[Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem
Hi Steve

In my system I have following permissions;

/home 777
/home/netlogon/Default Profile 755

still not working :(

2012/2/24 steve <steve at steve-ss.com>

> [2012/02/24 17:50:50.931935, 2] smbd/open.c:633(open_file) jas opened file
> Default User/NTUSER.DAT read=Yes write=No (numopen=1)
>
> [2012/02/24 17:50:51.884020, 2] smbd/open.c:633(open_file) jas opened file
> Default User/ntuser.dat.LOG read=Yes write=No (numopen=2)
>
> [2012/02/24 17:50:51.905456, 2] smbd/open.c:633(open_file) jas opened file
> Default User/ntuser.ini read=Yes write=No (numopen=3)
>
> On those files I have:
>
> -rw-r--r-- 1 steve suseusers 786432 Feb 24 20:07 NTUSER.DAT
> -rw-r--r-- 1 steve suseusers 160 Feb 24 20:08 ntuser.ini
> and
> drwxr-xr-x
> on the folders.
>
> Any good?
>
> Steve
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi
r u sure you are mapping the correct user? Is nscd turned off?
Cheers

On 02/26/2012 09:33 AM, Adam Sienkiewicz wrote:
> Hi Steve
>
> In my system I have following permissions;
>
> /home 777
> /home/netlogon/Default Profile 755
>
> still not working :(
>
> 2012/2/24 steve <steve at steve-ss.com>
>
>> [2012/02/24 17:50:50.931935, 2] smbd/open.c:633(open_file) jas
>> opened file Default User/NTUSER.DAT read=Yes write=No (numopen=1)
>>
>> [2012/02/24 17:50:51.884020, 2] smbd/open.c:633(open_file) jas
>> opened file Default User/ntuser.dat.LOG read=Yes write=No (numopen=2)
>>
>> [2012/02/24 17:50:51.905456, 2] smbd/open.c:633(open_file) jas
>> opened file Default User/ntuser.ini read=Yes write=No (numopen=3)
>>
>> On those files I have:
>>
>> -rw-r--r-- 1 steve suseusers 786432 Feb 24 20:07 NTUSER.DAT
>> -rw-r--r-- 1 steve suseusers 160 Feb 24 20:08 ntuser.ini
>> and
>> drwxr-xr-x
>> on the folders.
>>
>> Any good?
>>
>> Steve
Adam Sienkiewicz
2012-Feb-27 06:58 UTC
[Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem
Hi;

nscd is not installed in my system.
I think mapping of users is correct. I can login into linux via ldap
using account which caused problems with roaming profiles in samba ...

2012/2/26 steve <steve at steve-ss.com>

> Hi
> r u sure you are mapping the correct user? Is nscd turned off?
> Cheers
>
> On 02/26/2012 09:33 AM, Adam Sienkiewicz wrote:
>
>> Hi Steve
>>
>> In my system I have following permissions;
>>
>> /home 777
>> /home/netlogon/Default Profile 755
>>
>> still not working :(
>>
>> 2012/2/24 steve <steve at steve-ss.com>
>>
>>> [2012/02/24 17:50:50.931935, 2] smbd/open.c:633(open_file) jas
>>> opened file Default User/NTUSER.DAT read=Yes write=No (numopen=1)
>>>
>>> [2012/02/24 17:50:51.884020, 2] smbd/open.c:633(open_file) jas
>>> opened file Default User/ntuser.dat.LOG read=Yes write=No (numopen=2)
>>>
>>> [2012/02/24 17:50:51.905456, 2] smbd/open.c:633(open_file) jas
>>> opened file Default User/ntuser.ini read=Yes write=No (numopen=3)
>>>
>>> On those files I have:
>>>
>>> -rw-r--r-- 1 steve suseusers 786432 Feb 24 20:07 NTUSER.DAT
>>> -rw-r--r-- 1 steve suseusers 160 Feb 24 20:08 ntuser.ini
>>> and
>>> drwxr-xr-x
>>> on the folders.
>>>
>>> Any good?
>>>
>>> Steve
Adam Sienkiewicz
2012-Feb-27 12:50 UTC
[Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem
Hi all;

I discovered that for an unknown reason the %userprofile% variable on both win xp
and win 7 is empty. But why ???
LDAP ??

Has anyone seen this kind of issue ?

Cheers Adam

2012/2/27 Adam Sienkiewicz <adamsienkiewicz78 at gmail.com>

> Hi;
>
> nscd is not installed in my system.
> I think mapping of users is correct. I can login into linux via ldap
> using account which caused problems with roaming profiles in samba ...
>
> 2012/2/26 steve <steve at steve-ss.com>
>
>> Hi
>> r u sure you are mapping the correct user? Is nscd turned off?
>> Cheers
>>
>> On 02/26/2012 09:33 AM, Adam Sienkiewicz wrote:
>>
>>> Hi Steve
>>>
>>> In my system I have following permissions;
>>>
>>> /home 777
>>> /home/netlogon/Default Profile 755
>>>
>>> still not working :(
>>>
>>> 2012/2/24 steve <steve at steve-ss.com>
>>>
>>>> [2012/02/24 17:50:50.931935, 2] smbd/open.c:633(open_file) jas
>>>> opened file Default User/NTUSER.DAT read=Yes write=No (numopen=1)
>>>>
>>>> [2012/02/24 17:50:51.884020, 2] smbd/open.c:633(open_file) jas
>>>> opened file Default User/ntuser.dat.LOG read=Yes write=No (numopen=2)
>>>>
>>>> [2012/02/24 17:50:51.905456, 2] smbd/open.c:633(open_file) jas
>>>> opened file Default User/ntuser.ini read=Yes write=No (numopen=3)
>>>>
>>>> On those files I have:
>>>>
>>>> -rw-r--r-- 1 steve suseusers 786432 Feb 24 20:07 NTUSER.DAT
>>>> -rw-r--r-- 1 steve suseusers 160 Feb 24 20:08 ntuser.ini
>>>> and
>>>> drwxr-xr-x
>>>> on the folders.
>>>>
>>>> Any good?
>>>>
>>>> Steve
Adam Sienkiewicz
2012-Feb-27 14:24 UTC
[Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem
Hi again

Seems to be solved now - I changed "Do not check owner of roaming profile" in
gpedit.msc on win xp and win7 and now it is working, but loading of the roaming
profile in win7 is very slow. I will try to do some tuning of this.
Anyway, thanks to all for the help !!!

2012/2/27 Adam Sienkiewicz <adamsienkiewicz78 at gmail.com>

> Hi all;
>
> I discovered that for an unknown reason the %userprofile% variable on both win xp
> and win 7 is empty. But why ???
> LDAP ??
>
> Has anyone seen this kind of issue ?
>
> Cheers Adam
>
> 2012/2/27 Adam Sienkiewicz <adamsienkiewicz78 at gmail.com>
>
>> Hi;
>>
>> nscd is not installed in my system.
>> I think mapping of users is correct. I can login into linux via ldap
>> using account which caused problems with roaming profiles in samba ...
>>
>> 2012/2/26 steve <steve at steve-ss.com>
>>
>>> Hi
>>> r u sure you are mapping the correct user? Is nscd turned off?
>>> Cheers
>>>
>>> On 02/26/2012 09:33 AM, Adam Sienkiewicz wrote:
>>>
>>>> Hi Steve
>>>>
>>>> In my system I have following permissions;
>>>>
>>>> /home 777
>>>> /home/netlogon/Default Profile 755
>>>>
>>>> still not working :(
>>>>
>>>> 2012/2/24 steve <steve at steve-ss.com>
>>>>
>>>>> [2012/02/24 17:50:50.931935, 2] smbd/open.c:633(open_file) jas
>>>>> opened file Default User/NTUSER.DAT read=Yes write=No (numopen=1)
>>>>>
>>>>> [2012/02/24 17:50:51.884020, 2] smbd/open.c:633(open_file) jas
>>>>> opened file Default User/ntuser.dat.LOG read=Yes write=No (numopen=2)
>>>>>
>>>>> [2012/02/24 17:50:51.905456, 2] smbd/open.c:633(open_file) jas
>>>>> opened file Default User/ntuser.ini read=Yes write=No (numopen=3)
>>>>>
>>>>> On those files I have:
>>>>>
>>>>> -rw-r--r-- 1 steve suseusers 786432 Feb 24 20:07 NTUSER.DAT
>>>>> -rw-r--r-- 1 steve suseusers 160 Feb 24 20:08 ntuser.ini
>>>>> and
>>>>> drwxr-xr-x
>>>>> on the folders.
>>>>>
>>>>> Any good?
>>>>>
>>>>> Steve
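An added example, not part of the thread and not Samba or Microsoft code: a Python parser for the userenv.log excerpt posted in the first message, which rejoins the mail-wrapped records and decodes the error values. It shows that 8007051B is an HRESULT wrapping Win32 error 1307 (ERROR_INVALID_OWNER) and that S-1-1-0 is the well-known Everyone SID; the function names and the embedded excerpt are this example's own.

```python
import re
from collections import Counter

# Excerpt of the userenv.log lines posted in the thread, wrapped as in the mail.
SAMPLE_LOG = """\
USERENV(320.324) 18:58:22:898 DeleteProfileEx: Failed to query profile
guid with error 2
USERENV(320.324) 18:58:34:758 GetUserGuid: Failed to get user guid with
1355.
USERENV(320.324) 18:58:34:804 CheckRoamingShareOwnership: owner is S-1-1-0!
USERENV(320.324) 18:58:34:804 IsCentralProfileReachable: Ownership check
failed with 8007051B
USERENV(320.324) 18:58:34:804 ReportError: Impersonating user.
USERENV(320.324) 18:58:43:461 GetUserDNSDomainName: MyGetUserNameEx failed
for NameDnsDomain style name with 1332
"""

# Win32 error codes seen in the excerpt (names from winerror.h).
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    1307: "ERROR_INVALID_OWNER",
    1332: "ERROR_NONE_MAPPED",
    1355: "ERROR_NO_SUCH_DOMAIN",
}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone"}
FACILITY_WIN32 = 7

RECORD_START = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<time>\d\d:\d\d:\d\d:\d\d\d)\s+(?P<func>\w+):\s*(?P<msg>.*)$"
)
OWNER_RE = re.compile(r"owner is (S-\d+(?:-\d+)+)")
HRESULT_RE = re.compile(r"Ownership check failed with ([0-9A-Fa-f]{8})\b")
DECIMAL_RE = re.compile(r"with (?:error )?(\d+)\.?$")


def parse_records(text):
    """Return one dict per log record, joining wrapped continuation lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = RECORD_START.match(line)
        if match:
            records.append(match.groupdict())
        elif records:  # continuation of the previous record
            records[-1]["msg"] += " " + line
    return records


def decode_hresult(value):
    """Split an HRESULT into (failed, facility, code)."""
    return bool(value & 0x80000000), (value >> 16) & 0x7FF, value & 0xFFFF


def find_ownership_failures(records):
    """Pair each failed ownership check with the owner SID logged before it."""
    findings = []
    last_owner = {}  # (pid, tid) -> SID from CheckRoamingShareOwnership
    for rec in records:
        key = (rec["pid"], rec["tid"])
        owner = OWNER_RE.search(rec["msg"])
        if rec["func"] == "CheckRoamingShareOwnership" and owner:
            last_owner[key] = owner.group(1)
            continue
        failed = HRESULT_RE.search(rec["msg"])
        if rec["func"] == "IsCentralProfileReachable" and failed:
            _, facility, code = decode_hresult(int(failed.group(1), 16))
            sid = last_owner.get(key)
            name = WIN32_ERRORS.get(code, str(code))
            findings.append({
                "time": rec["time"],
                "owner_sid": sid,
                "owner_name": WELL_KNOWN_SIDS.get(sid, "unknown"),
                "error": name if facility == FACILITY_WIN32 else hex(code),
            })
    return findings


def win32_error_counts(records):
    """Count the decimal Win32 error codes that end a record's message."""
    counts = Counter()
    for rec in records:
        match = DECIMAL_RE.search(rec["msg"])
        if match:
            code = int(match.group(1))
            counts[WIN32_ERRORS.get(code, str(code))] += 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for finding in find_ownership_failures(recs):
        print(finding)
    print(dict(win32_error_counts(recs)))
```

The finding it reports is the client-side ownership check on the roaming profile folder: the share returned Everyone as the owner, so the check failed, and the policy setting named in the last message is the one that skips that check.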
L.P.H. van Belle
2012-Mar-05 07:44 UTC
[Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem
Hi,
First, clean up your profile before making it your default profile.
This ( Ustawienia Lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1 )
should not be there; there should not be any "Temp" folder.
Second, your profiles doesn't look right.
This is mine and this is working: ( adjust your path to : path = /profiles )
Set the initial rights on /profiles to 777;
new folders are created with the right rights.
[profiles]
path = /home/samba/profiles
comment = Profiel omgeving
read only = no
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = Yes
csc policy = disable
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"
>-----Original message-----
>From: adamsienkiewicz78 at gmail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Adam Sienkiewicz
>Sent: 2012-02-22 00:15
>To: samba at lists.samba.org
>Subject: [Samba] samba 3.5.6 as PDC & LDAP - roaming profile problem
>
>Hi all;
>
>for few weeks I'm trying to implement a new samba PDC server
>for my school.
>It is based on debian squeeze and samba 3.5.6 with lDAP backend.
>I was able to join a computer into domain, LDAP is working,
>mapping home
>drive for users also.
>It seems that almost all works good but with one exeption. The
>one thing
>which is broken is roaming profile support.
>When user is logging into domain windows (I tested win XP prof
>SP2 and win7
>prof SP1) always said:
>"Windows cannot locate the server copy of your roaming profile and is
>attempting to log you on with your local profile. Changes to
>the profile
>will not be copied to the server when you logoff. Possible
>causes of this
>error include network problems or insufficient security rights. If this
>problem persists, contact your network administrator.
>DETAIL ? The network name cannot be found."
>and
>"Windows cannot find the local profile and is logging you on with a
>temporary profile. Changes you make to this profile will be
>lost when you
>log off."
>It looks strange because when I put into netlogon share default profile
>windows take it ( I see that background color in windows is
>the same like I
>prevoiusly set into default profil), user is able to browse his profile
>directory and create inside this dirs and files.In samba logs
>there are no
>errors, I can see that /profile share is assigned into user.
>On windows side in c:\windows\debug\userenv log there is:
>
>USERENV(320.324) 18:58:22:898 DeleteProfileEx: Failed to query profile guid with error 2
>USERENV(320.324) 18:58:34:758 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 18:58:34:758 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 18:58:34:804 CheckRoamingShareOwnership: owner is S-1-1-0!
>USERENV(320.324) 18:58:34:804 IsCentralProfileReachable: Ownership check failed with 8007051B
>USERENV(320.324) 18:58:34:804 ReportError: Impersonating user.
>USERENV(320.324) 18:58:36:429 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 18:58:36:445 ReportError: Impersonating user.
>USERENV(320.324) 18:58:37:023 RecurseDirectory: =mswin_all32bit;tpc=os_groups;tpc=mswin_2000;tpc=mswin_xp;tpc=modern_oses;tpc=Delphi;tpc=winnt;tpc=win95;tpc=linux;tpc=posix;tpc=development;ord=3934272159358786 is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1\, dest = C:\Documents and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1\
>USERENV(320.324) 18:58:37:039 RecurseDirectory: =mswin_all32bit;tpc=os_groups;tpc=mswin_2000;tpc=mswin_xp;tpc=modern_oses;tpc=Delphi;tpc=winnt;tpc=win95;tpc=linux;tpc=posix;tpc=development;ord=3934272159358786 is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\61Y5M1K7\, dest = C:\Documents and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet Files\Content.IE5\61Y5M1K7\
>USERENV(320.324) 18:58:37:039 RecurseDirectory: =mswin_all32bit;tpc=os_groups;tpc=mswin_2000;tpc=mswin_xp;tpc=modern_oses;tpc=Delphi;tpc=winnt;tpc=win95;tpc=linux;tpc=posix;tpc=development;ord=3934272159358786 is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Q6DTJICU\, dest = C:\Documents and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Q6DTJICU\
>USERENV(320.324) 18:58:37:054 RecurseDirectory: =mswin_all32bit;tpc=os_groups;tpc=mswin_2000;tpc=mswin_xp;tpc=modern_oses;tpc=Delphi;tpc=winnt;tpc=win95;tpc=linux;tpc=posix;tpc=development;ord=3934272159358786 is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\I56DMBW1\, dest = C:\Documents and Settings\TEMP.TESTADM\Ustawienia lokalne\Temporary Internet Files\Content.IE5\I56DMBW1\
>USERENV(320.324) 18:58:43:461 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(358.278) 18:58:43:633 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(358.278) 18:58:43:633 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(320.324) 18:58:43:648 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(320.2a0) 18:58:43:664 GetGPOInfo: Local GPO's gpt.ini is not accessible, assuming default state.
>USERENV(550.6ac) 18:58:50:945 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(550.758) 18:58:50:992 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(320.f0) 18:58:58:758 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(77c.80) 19:04:24:414 GetUserDNSDomainName: MyGetUserNameEx failed for NameDnsDomain style name with 1332
>USERENV(320.324) 19:04:34:383 DeleteProfileEx: Failed to query profile guid with error 2
>USERENV(320.324) 19:04:51:508 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 19:04:51:508 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 19:04:51:554 CheckRoamingShareOwnership: owner is S-1-1-0!
>USERENV(320.324) 19:04:51:554 IsCentralProfileReachable: Ownership check failed with 8007051B
>USERENV(320.324) 19:04:51:554 ReportError: Impersonating user.
>USERENV(320.324) 19:04:53:273 GetUserGuid: Failed to get user guid with 1355.
>USERENV(320.324) 19:04:53:273 ReportError: Impersonating user.
>USERENV(320.324) 19:04:53:883 RecurseDirectory: =mswin_all32bit;tpc=os_groups;tpc=mswin_2000;tpc=mswin_xp;tpc=modern_oses;tpc=Delphi;tpc=winnt;tpc=win95;tpc=linux;tpc=posix;tpc=development;ord=3934272159358786 is too long. src = \\PDC-SRV\netlogon\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ARGDYVI1\, dest = C:\Documents and Settings\TEMP.TESTADM\Ustawienia
>
>Here is my smb.conf
>
>[global]
>workgroup = TESTADM
>netbios name = PDC-SRV
>security = user
>enable privileges = yes
>server string = Samba Server %v
>encrypt passwords = true
>unix password sync = yes
>ldap passwd sync = yes
>passwd program = /usr/sbin/smbldap-passwd -u "%u"
>passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
>
>log level = 3
>syslog = 0
>log file = /var/log/samba/%U_%I.log
>max log size = 100000
>time server = Yes
>socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>mangling method = hash2
>unix charset = ISO8859-2
>dos charset = CP852
>logon script = %G.bat
>logon drive = H:
> logon home
> logon path =\\172.16.220.131\profiles\%U
>domain logons = Yes
>domain master = Yes
>os level = 65
>preferred master = Yes
>wins support = yes
>passdb backend = ldapsam:ldap://127.0.0.1/
>ldap admin dn = cn=admin,dc=slackware,dc=local
>ldap suffix = dc=slackware,dc=local
> ldap group suffix = ou=groups
> ldap user suffix = ou=users
> ldap machine suffix = ou=Computers
>#ldap idmap suffix = ou=Idmap
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> #ldap delete dn = Yes
> delete user script = /usr/sbin/smbldap-userdel "%u"
> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>admin users = domainadm
>ldap ssl = no
>host msdfs = no
>
># printers configuration
>#printer admin = @"Print Operators"
>load printers = Yes
>create mask = 0640
>directory mask = 0750
>#force create mode = 0640
>#force directory mode = 0750
>nt acl support = No
>printing = cups
>printcap name = cups
>deadtime = 10
>guest ok = no
>;guest account = nobody
>;map to guest = Bad User
>dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>show add printer wizard = yes
>; to maintain capital letters in shortcuts in any of the profile folders:
>preserve case = yes
>short preserve case = yes
>case sensitive = no
>
>[netlogon]
>path = /home/netlogon/
>comment = Netwok Logon Service
>browseable = No
>writable = yes
>writelist = @domainadm
>
>[homes]
> comment = Home Directories
> path = /home/%U
> ;valid users = /home/%S
> read only = No
> browseable = No
> create mask = 0644
> directory mask = 0711
> ;admin users = piotrbrudny
> nt acl support = no
>
>
>[profiles]
>path = /profiles
>read only = no
>writable = yes
>create mask = 0600
>directory mask = 0700
>browseable = No
>guest ok = no
>profile acls = no
>;nt acl support = no
>#previously it was acls=yes
>csc policy = disable
># next line is a great way to secure the profiles
>force user = %U
>valid users = %U @"Domain Admins" @users
>map acl inherit = yes
>[printers]
> comment = Network Printers
> #printer admin = @"Print Operators"
> guest ok = yes
> printable = yes
> path = /home/spool/
> browseable = No
> read only = Yes
> printable = Yes
> print command = /usr/bin/lpr -P%p -r %s
> lpq command = /usr/bin/lpq -P%p
> lprm command = /usr/bin/lprm -P%p %j
> # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
> # lpq command = /usr/bin/lpq -U%U@%M -P%p
> # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
> # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
> # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
> # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
> # queueresume command = /usr/sbin/lpc -U%U@%M start %p
>
>[print$]
> path = /home/printers
> guest ok = No
> browseable = Yes
> read only = Yes
> valid users = @"Print Operators"
> write list = @"Print Operators"
> create mask = 0664
> directory mask = 0775
>
>[public]
>path = /tmp
>guest ok = yes
>browseable = Yes
>
>and also some info about roaming profiles directory permissions
>
>drwxrwxrwt 13 root root 4096 Feb 17 20:05 profiles
>
>oot at debldap4:~# tree -p -g -u /profiles
>/profiles
>├── [drwx------ czarus Domain U] czarus
>├── [drwx------ domainad domainad] domainadm
>├── [drwxrwxrwx jas Domain A] jas
>├── [drwx------ root root ] root
>├── [drwx------ sambaroo Domain U] sambaroot2
>├── [drwx------ sambaroo Domain U] sambaroot2.V2
>├── [drwx------ sambaroo Domain U] sambaroot3
>├── [drwx------ sambaroo Domain U] sambaroot3.V2
>├── [drwx------ test2 Domain U] test2
>│   └── [drwx------ test2 Domain U] dfd
>├── [drwx------ test5 domainad] test5
>└── [drwx------ test4 domainad] %u
>
>12 directories, 0 files
>
>The dirs in the /profiles directory were created automatically during
>the logon process.
>
>I googled for a few days and tried all that I could find, but with no
>luck. It would be great if somebody could help me with this because I
>have no idea what the root cause of my issue is.
>