
Problems w/ roaming profiles & group policies: Samba 3.0.2 <-> WinXP Pro


Charles Lavin

Mar 17, 2004, 9:58:50 AM
Hi --

I'm trying to get Samba 3.0.2 running on AIX 5.1 to act as a PDC for eight
Windows XP Pro machines, but things aren't working as expected. I've never
set up Samba as a PDC before, and no matter where I look for documentation
on this, I can't seem to find anything that helps.

1) I managed to get the PCs to join the Samba domain -- but only after
adding the machine accounts to Samba through smbpasswd. (I had wanted to use
pdbedit for all accounts, but as soon as I migrated the smbpasswd entries to
the tdbsam, I lost the ability to authenticate to the domain.) Do I need to
maintain both databases?

2) The PCs save their profiles back to the server on logoff (a painfully
slow process, BTW), but won't load someone else's profile. That is, I can
work on my machine, put stuff on the desktop, and log off. When I check the
Samba server, I can see the files I placed on my desktop in the profile
stored there. But when I log on at someone else's PC, I get a default
desktop.

3) I'm trying to set up a group policy, but so far I've been stuck making
profile changes locally at each machine using gpedit.msc. The Server Manager
and User Manager programs referred to in multiple places throughout the
Samba docs I've read (the ones downloaded from the Microsoft site) won't run
on Windows XP. First, I got an error about MSNET32.DLL missing. So I located
the DLL on a Windows 9x machine and copied it to the XP PC. Then, I started
getting errors about missing entry points in KERNEL32.DLL. How do I set up
and implement a group policy using Windows XP machines?

4) I'd like to get this working with a common and/or synchronized
login/password between the PCs and the Unix accounts, but I first want to
solve these other problems.

These are the permissions of the Samba server's profiles directory:

drwxr-srwt 9 root sys 512 Mar 16 11:47 /smb/profiles

The users in that profiles directory:

drwx------ 13 clara sys 512 Mar 16 15:21 clara
drwx------ 14 edsr sys 512 Mar 16 14:05 edsr
drwx------ 13 fred sys 512 Mar 16 16:15 fred
drwx------ 13 judy sys 512 Mar 16 14:06 judy
drwx------ 13 lissy sys 512 Mar 16 09:01 lissy
drwx------ 14 niki sys 512 Mar 16 16:16 niki
drwx------ 13 root sys 512 Mar 15 03:57 root

And the folders Windows places in each of these user profile directories
(using "fred" as an example):

drwx------ 4 fred system 512 Mar 16 11:54 Application Data
drwx------ 2 fred system 512 Mar 16 16:15 Cookies
drwx------ 2 fred system 512 Mar 16 16:15 Desktop
drwx------ 3 fred system 512 Mar 16 16:15 Favorites
drwx------ 6 fred system 1024 Mar 16 16:15 My Documents
-rw------- 1 fred system 786432 Mar 16 16:14 NTUSER.DAT
drwx------ 2 fred system 512 Mar 16 11:51 NetHood
drwx------ 2 fred system 512 Mar 16 11:51 PrintHood
drwx------ 2 fred system 512 Mar 16 16:15 Recent
drwx------ 2 fred system 512 Mar 16 16:15 SendTo
drwx------ 3 fred system 512 Mar 16 16:15 Start Menu
drwx------ 2 fred system 512 Mar 16 11:51 Templates
-rw------- 1 fred system 1024 Mar 16 16:13 ntuser.dat.LOG
-rw------- 1 fred system 270 Mar 16 16:16 ntuser.ini

And, finally, my smb.conf:

[global]
netbios name = spiegel1
server string = IBM server
workgroup = SPIEGEL

# domain / DC settings
preferred master = yes
domain master = yes
local master = yes
os level = 255
add machine script = mkuser -a pgrp='winpc' su='false' gecos='SMB Machine Account %u' login='false' rlogin='false' %u

wins support = yes

# All our computers are Windows XP/2K
lanman auth = no
min protocol = NT1
lm announce = no

# logging options
log file = /var/log/samba.log
log level = 5

# logon / password settings
security = user
encrypt passwords = yes
domain logons = yes
passdb backend = tdbsam, smbpasswd
logon path = \\%N\profiles\%U
logon drive = H:
# logon home = \\homeserver\%u\winprofile
# logon script = logon.cmd


interfaces = 192.168.1.11/255.255.255.0 127.0.0.1
bind interfaces only = no

# We're (mostly) on a Local Area Network, so these settings are appropriate
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Reduce the overhead that Samba uses to scan for timeouts
change notify timeout = 300
# Open files with no connections are closed after 15 minutes
deadtime = 15

# Files that have UNIX permissions that prohibit access are hidden from users
hide unreadable = yes


[netlogon]
path = /smb/netlogon
read only = yes
browsable = no
write list = ntadmin

[profiles]
path = /smb/profiles
browsable = no
read only = no
create mask = 0600
directory mask = 0700
csc policy = disable
profile acls = yes

[homes]
read only = no
browsable = no
guest ok = no
map archive = yes

[shared]
read only = no
browsable = yes
path = /smb/shared
comment = Shared directory


Any help, suggestions, or directions to suitable documentation to help me
solve these problems would be greatly appreciated.

Thanks,
CL

m.marien

Mar 17, 2004, 5:21:29 PM

"Charles Lavin" <x@x.x> wrote in message
news:lFZ5c.61103$p77....@bignews3.bellsouth.net...

> Hi --
>
> I'm trying to get Samba 3.0.2 running on AIX 5.1 to act as a PDC for eight
> Windows XP Pro machines, but things aren't working as expected. I've never
> set up Samba as a PDC before, and no matter where I look for documentation
> on this, I can't seem to find anything that helps.
>
> 1) I managed to get the PCs to join the Samba domain -- but only after
> adding the machine accounts to Samba through smbpasswd. (I had wanted to use
> pdbedit for all accounts, but as soon as I migrated the smbpasswd entries to
> the tdbsam, I lost the ability to authenticate to the domain.) Do I need to
> maintain both databases?
>

Have you fixed the requiresignorseal on the XP systems?
http://support.microsoft.com/default.aspx?scid=kb;en-us;318266

> 2) The PCs save their profiles back to the server on logoff (a painfully
> slow process, BTW), but won't load someone else's profile. That is, I can
> work on my machine, put stuff on the desktop, and log off. When I check the
> Samba server, I can see the files I placed on my desktop in the profile
> stored there. But when I log on at someone else's PC, I get a default
> desktop.
>
> 3) I'm trying to set up a group policy, but so far I've been stuck making
> profile changes locally at each machine using gpedit.msc. The Server Manager
> and User Manager programs referred to in multiple places throughout the
> Samba docs I've read (the ones downloaded from the Microsoft site) won't run
> on Windows XP. First, I got an error about MSNET32.DLL missing. So I located
> the DLL on a Windows 9x machine and copied it to the XP PC. Then, I started
> getting errors about missing entry points in KERNEL32.DLL. How do I set up
> and implement a group policy using Windows XP machines?
>

You have to use the NT programs (User Manager for Domains). The ones you
have are for Win9X. They don't work on NT. If you can't find them on MS (I
couldn't just now) contact me: murray AT ...

Walter Mautner

Mar 18, 2004, 2:41:37 PM
Charles Lavin wrote:

> Hi --
>
> I'm trying to get Samba 3.0.2 running on AIX 5.1 to act as a PDC for eight
> Windows XP Pro machines, but things aren't working as expected. I've never
> set up Samba as a PDC before, and no matter where I look for documentation
> on this, I can't seem to find anything that helps.
>
> 1) I managed to get the PCs to join the Samba domain -- but only after
> adding the machine accounts to Samba through smbpasswd. (I had wanted to
> use pdbedit for all accounts, but as soon as I migrated the smbpasswd
> entries to the tdbsam, I lost the ability to authenticate to the domain.)
> Do I need to maintain both databases?
>

Actually if you specify tdbsam as "passdb backend" the "smbpasswd -a -m
machine" as well as the normal user commands will use the passdb.tdb
instead of the private/smbpasswd file. You can fine-tune with pdbedit, but
pdbedit is not made to create initial machine accounts.

> 2) The PCs save their profiles back to the server on logoff (a painfully
> slow process, BTW), but won't load someone else's profile. That is, I can
> work on my machine, put stuff on the desktop, and log off. When I check
> the Samba server, I can see the files I placed on my desktop in the
> profile stored there. But when I log on at someone else's PC, I get a
> default desktop.
>

That's normal for a first logon on a new box. Should work the 2nd or 3rd
time though, as registry and policy files get distributed.

...


> points in KERNEL32.DLL. How do I set up and implement a group policy using
> Windows XP machines?
>

Still poledit (version for NT/2K, on server/resourcekit cds or extractable
from NT-SP6) together with *.adm templates might work to create
ntconfig.pol files to place into the netlogon share.



> 4) I'd like to get this working with a common and/or synchronized
> login/password between the PCs and the Unix accounts, but I first want to
> solve these other problems.
>

Don't know if AIX 5.1 supports PAM, otherwise you have to do the sometimes
painful process of debugging the password chat (log level > 100).
...


> [global]
> netbios name = spiegel1
> server string = IBM server
> workgroup = SPIEGEL
>
> # domain / DC settings
> preferred master = yes
> domain master = yes
> local master = yes
> os level = 255
> add machine script = mkuser -a pgrp='winpc' su='false' gecos='SMB Machine Account %u' login='false' rlogin='false' %u
>

If you are uncertain if the script gets executed, use the full path to
"mkuser".



> wins support = yes
>
> # All our computers are Windows XP/2K
> lanman auth = no

Uncertain if that works for machine authentication when adding a new machine
to the domain.

> min protocol = NT1
> lm announce = no
>
> # logging options
> log file = /var/log/samba.log
> log level = 5
>
> # logon / password settings
> security = user
> encrypt passwords = yes
> domain logons = yes
> passdb backend = tdbsam, smbpasswd

passdb backend (G)

This option allows the administrator to choose which backends to retrieve and
store passwords with. This allows (for example) both smbpasswd and tdbsam
to be used without a recompile. Multiple backends can be specified,
separated by spaces. The backends will be searched in the order they are
specified. New users are always added to the first backend specified.

> logon path = \\%N\profiles\%U
> logon drive = H:
> # logon home = \\homeserver\%u\winprofile
> # logon script = logon.cmd
>
>
> interfaces = 192.168.1.11/255.255.255.0 127.0.0.1
> bind interfaces only = no
>
> # We're (mostly) on a Local Area Network, so these settings are appropriate
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> # Reduce the overhead that Samba uses to scan for timeouts
> change notify timeout = 300
> # Open files with no connections are closed after 15 minutes
> deadtime = 15
>
> # Files that have UNIX permissions that prohibit access are hidden from users
> hide unreadable = yes
>
>
> [netlogon]
> path = /smb/netlogon
> read only = yes
> browsable = no
> write list = ntadmin
>
> [profiles]
> path = /smb/profiles

Why not smb/profiles/%U ?

> browsable = no
> read only = no
> create mask = 0600
> directory mask = 0700
> csc policy = disable
> profile acls = yes
>
> [homes]
> read only = no
> browsable = no
> guest ok = no
> map archive = yes
>
> [shared]
> read only = no
> browsable = yes
> path = /smb/shared
> comment = Shared directory
>
>
> Any help, suggestions, or directions to suitable documentation to help me
> solve these problems would be greatly appreciated.
>
> Thanks,
> CL

--
Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
 to remove offending incompatible products.  Reactivate your MS software.
Linux woodpecker.homnet.at 2.6.3-3mdkpkt [LinuxCounter#295241]
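
An added example, not part of the original thread and not Samba's own code: Python that reads an smb.conf like the one posted above, reports the passdb backend search order and which backend receives new accounts (following the manual text quoted in the reply), and checks that the [profiles] masks leave no group/other bits. The function names are hypothetical, the sample is constructed from the posted config, and treating commas as list separators is an assumption.

```python
import re

# Constructed sample: the relevant lines of the smb.conf posted in this thread.
SAMPLE_CONF = r"""
[global]
security = user
passdb backend = tdbsam, smbpasswd
logon path = \\%N\profiles\%U

[profiles]
path = /smb/profiles
create mask = 0600
directory mask = 0700
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; parameter names are lower-cased
    and stripped of whitespace, which smb.conf treats as irrelevant in them."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", name).lower()] = value.strip()
    return conf

def passdb_backends(conf):
    """Backends in search order. Assumption: commas and semicolons are
    treated as separators as well as the spaces the manual page names."""
    value = conf.get("global", {}).get("passdbbackend", "")
    return [b for b in re.split(r"[\s,;]+", value) if b]

def new_account_backend(conf):
    """Per the quoted manual text, new accounts go to the first backend."""
    backends = passdb_backends(conf)
    return backends[0] if backends else None

def masks_owner_only(conf, share):
    """True if the share's create/directory masks strip all group/other bits."""
    params = conf.get(share, {})
    masks = [params.get("createmask"), params.get("directorymask")]
    return all(m is not None and int(m, 8) & 0o077 == 0 for m in masks)
```
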

Charles Lavin

Mar 23, 2004, 1:38:19 PM
Thanks for the info. I'll see if I can solve some of these problems today.

CL

"m.marien" <mm AT RiverCityCanada DOT com> wrote in message
news:105hjra...@corp.supernews.com...
