Hi all,

I have a BDC which uses the LDAP backend of my PDC. Unfortunately all the users who log in in the morning and who are processed by this BDC do not get their logon script executed. The BDC logs this error message:

[2013/05/24 07:28:11.946577, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [foobar] -> [foobar] -> [foobar] succeeded
[2013/05/24 07:28:11.948108, 0] param/loadparm.c:8686(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. File or directory not found
[2013/05/24 07:28:12.976867, 0] param/loadparm.c:8686(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. Access denied
[2013/05/24 07:28:12.979372, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: foobar

I did not understand why the BDC looks for the netlogon at /var/lib/samba/usershares/netlogon, so I double-checked my smb.conf on both PDC and BDC. Here are the relevant options in smb.conf:

***PDC*** smb.conf:
[global]
...
security = user
passdb backend = ldapsam:ldap://172.16.0.1
logon script = %U.bat
logon path = \\pdc\profiles\%U
logon drive = U:
domain logons = Yes
preferred master = Yes
local master = Yes
domain master = Yes
os level = 254
wins support = Yes
...

[netlogon]
comment = Logon batch
path = /file01/netlogon
write list = "@Domain Admins"

[profiles]
comment = Centralized Roaming Profiles
path = /file01/profile
read only = No
browseable = No

***BDC*** smb.conf:
[global]
...
security = user
passdb backend = ldapsam:ldap://172.16.0.1/
logon script = \\pdc\netlogon\%U.bat
logon path = \\pdc\profiles\%U
logon drive = U:
domain logons = Yes
preferred master = No
local master = No
domain master = No
os level = 20
password server = *
; wins server = 172.16.0.1

I realized that no [netlogon] and [profiles] share exist on the BDC. But there are no problems with profiles known for users who were handled by the BDC. Only logon scripts don't work? Is it possible that the option "logon script = " DOES NOT ALLOW the use of a UNC path like I am using it? So this is the problem and Samba falls back to the default path /var/lib/samba/usershares/netlogon and tries to look for the logon script there???

If so, how should my [netlogon] share on the BDC look? Do I have to rsync/copy the content of pdc:/file01/netlogon to bdc:/somedir/netlogon and use the following lines in the BDC's smb.conf?

logon script = %U.bat

[netlogon]
comment = BDC Logon batch
path = /somedir/netlogon
write list = "@Domain Admins"

Will that be enough or am I wrong? I would also like to know if I could use "os level = 0" on the BDC, because I don't need/want the BDC to handle domain logon procedures; that would be the easiest way in my case.

Now you ask why the heck I need it to run as a BDC :-) It's because I can't use winbind on the BDC and I need the correct mappings for users/groups. And that's only possible either by using winbind on the BDC with idmapping, or by running as a BDC so that it uses the locally managed database of the PDC. In my case it was really much easier to use the BDC method, because if I used winbind it would result in different IDs (those of the winbind idmapping ranges) and access would be denied to lots of my existing shares. So in the end I would have to chmod all of my used dirs/paths, which is a lot of work. That's why I chose the much easier way as a BDC. But that's not very important, I'd just like to know if "os level = 0" would be OK or cause some other troubles?

Any help and feedback really appreciated. Thanks to all
Lucas
Gaiseric Vandal
2013-May-24 12:49 UTC
[Samba] BDC needs a [profile] and [netlogon] share ?
I looked through the smb.conf man page. It looks like "login script" should be relative to the netlogon directory. I would set up identical netlogon directories on both PDC and BDC. Both machines have the same login script parameter, e.g.

logon script = %U.bat

This means that you need to keep the login scripts in sync. If you update on the PDC, you should copy to the BDC netlogon directory.

I don't use the login script param on my system. Instead, I use pdbedit to specify the login script used by each user. Each user uses the same login script anyway, so when I update it on the PDC I only have to replicate that one script to the other machines. It also makes it easy to have a test login script for one or two users only.

Alternately, rather than having a separate login script for all users you could just have

logon script = common.bat

From a Windows machine make sure you can see the netlogon share on each DC.

On 05/24/13 06:55, ?icro MEGAS wrote:
> Hi all,
>
> I have a BDC which uses the LDAP backend of my PDC. Unfortunately all the users who log in in the morning and who are processed by this BDC do not get their logon script executed. The BDC logs this error message:
>
> [2013/05/24 07:28:11.946577, 2] auth/auth.c:304(check_ntlm_password)
>   check_ntlm_password: authentication for user [foobar] -> [foobar] -> [foobar] succeeded
> [2013/05/24 07:28:11.948108, 0] param/loadparm.c:8686(process_usershare_file)
>   process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. File or directory not found
> [2013/05/24 07:28:12.976867, 0] param/loadparm.c:8686(process_usershare_file)
>   process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. Access denied
> [2013/05/24 07:28:12.979372, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>   init_sam_from_ldap: Entry found for user: foobar
>
> I did not understand why the BDC looks for the netlogon at /var/lib/samba/usershares/netlogon, so I double-checked my smb.conf on both PDC and BDC.
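As an added example (editor-supplied code, not from either poster and not part of the Samba project), the following POSIX shell script puts together what the two posts describe: the BDC gets its own [netlogon] share with "logon script = %U.bat", the share directory is mirrored from the PDC's, and two checks are run that an admin would want before the morning logons: that every domain user actually has a %U.bat on the BDC, and that no script in the share is writable by anyone but the administrators (a user who can edit a file in netlogon gets code run on every client that executes it, so "read only" plus a "write list" of Domain Admins is the safe shape for the share). The share path /somedir/netlogon, the host name pdc, the user list and the sample .bat files are assumptions; the functions work on local directories so the script runs offline, and the real rsync and pdbedit invocations are only shown in comments.

```shell
#!/bin/sh
# Added example for the thread above: keep a BDC's [netlogon] share in step
# with the PDC and verify it. All paths, hosts and users are assumptions.
set -eu

# smb.conf fragment for the BDC. "logon script" is relative to the [netlogon]
# share, so the BDC needs its own share; keep it read-only for everyone except
# the admins who maintain the scripts.
bdc_netlogon_conf() {
    cat <<'EOF'
[global]
logon script = %U.bat

[netlogon]
comment = BDC Logon batch
path = /somedir/netlogon
read only = Yes
write list = "@Domain Admins"
EOF
}

# Mirror a netlogon tree. On the BDC this would be run as
#   rsync -a --delete pdc:/file01/netlogon/ /somedir/netlogon/
# (assumed hosts/paths). The function takes two local directories so it can be
# exercised offline and falls back to cp -a when rsync is not installed.
sync_netlogon() {
    src=$1; dst=$2
    if command -v rsync >/dev/null 2>&1; then
        mkdir -p "$dst"
        rsync -a --delete "$src/" "$dst/"
    else
        rm -rf "$dst"
        cp -a "$src" "$dst"
    fi
}

# Print, one per line, the users whose %U.bat is missing from a netlogon dir.
# On a real DC the user list would come from:  pdbedit -L | cut -d: -f1
# Users who should get one shared script instead can be pointed at it with
#   pdbedit -u <user> --script=common.bat     (as in the second post; not run here)
missing_logon_scripts() {
    netlogon=$1; users=$2
    for u in $users; do
        [ -f "$netlogon/$u.bat" ] || echo "$u"
    done
}

# Print every file in the share that is group- or world-writable on disk.
# Such a file can be replaced by a non-admin and then runs on every client.
writable_logon_scripts() {
    find "$1" -type f \( -perm -g+w -o -perm -o+w \)
}

# Constructed demonstration data: a fake PDC netlogon tree with two scripts,
# one of them left group-writable, synced into a fake BDC tree and checked.
demo() {
    tmp=$(mktemp -d)
    pdc="$tmp/pdc_netlogon"; bdc="$tmp/bdc_netlogon"
    mkdir -p "$pdc"
    printf 'net use U: \\\\pdc\\profiles\\foobar\r\n' > "$pdc/foobar.bat"
    printf 'net use U: \\\\pdc\\profiles\\alice\r\n'  > "$pdc/alice.bat"
    chmod 644 "$pdc/foobar.bat"
    chmod 664 "$pdc/alice.bat"

    sync_netlogon "$pdc" "$bdc"
    echo "users without a logon script on the BDC:"
    missing_logon_scripts "$bdc" "foobar alice bob"
    echo "scripts writable by non-admins on the BDC:"
    writable_logon_scripts "$bdc"
    rm -rf "$tmp"
}

demo
```

The check for missing scripts is the one that matches the symptom in the thread: a user who authenticates fine but has no %U.bat in the share the BDC serves gets no script, and nothing on the client side will tell you why. The writability check is the caveat that goes with any copied netlogon tree: rsync -a and cp -a preserve whatever modes the PDC had, so a loose mode on the PDC is silently replicated.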