Samba and WinXP permissions

Posted on 2002-05-30
Last Modified: 2012-06-22
I am having a few problems that are driving me nuts.

I have a small LAN here at work consisting of a mix of win9x and XP work stations and a server with samba setup as a PDC.

The main programs that are being run are: ACT!, MS Office with Outlook as the mail client and Acrobat.

I have setup a few shares on the linux box so that if we need to update a file, it will only have to be done once and not go around every WS and change the file.  There are a few other shares setup for backup purposes and one so that we can keep the ACT! email attachments centralized.

I have tried to setup XP with roaming profiles, but have been unsuccessful.  I have run the registry patch that comes with the latest version of samba and created the machine accounts, but to no avail.  I have given up on that project for now due to time constraints.  What I want to do is very'd think.

Problem arises with ACT! and Outlook.  Outlook on its own works fine, but ACT! relies on Outlook to send/receive email.  Due to some permissions it won't work properly according to this document:

I have gone through step by step to no avail.  It won't even let me re-install the patch.  I keep getting the lovely "Contact your administrator" which is me btw.

I have setup the users in the adm group on the linux box, but that doesn't seem to work either.  

How do I allow the users to destroy their XP boxes with full access?  I am running TIGHT on time, so I gotta think of something, and this would probably work since XP complains about not having enough rights for this or that.  BTW in workgroup mode and on the Win9x stations this problem does not arise.  

Any ideas?
Question by: kannabis
LVL 16

Expert Comment

ID: 7047962
>Any ideas?

Dump XP, and install linux or 2000 on the old XP boxes (unless you can somehow justify to me why you need it - does it do something for you that 2000 or linux does not?).

I'm sure this is not what you wanted to hear - too bad you didn't tell your managers to just say no to XP before you installed it, or allowed them to order machines with it already installed.


Author Comment

ID: 7048164
I can't use linux for a few reasons, main one being that my boss is the type of person that doesn't like "networking" and thinks it's a scary concept.  The people I work with are not interested in doing anything other than a couple of tasks like Email, ACT!, MS Office, Outlook and Acrobat.

Linux would be too much of a project to pull on my boss to begin with, and second of all the users.  Besides I moved down to Playa Del Carmen for a number of reasons, and working long hours is very low on that list.

I will try 2000 again...I didn't get as far as ACT! + Outlook in a domain environment with it.

LVL 16

Expert Comment

ID: 7048456
I wish you good luck w/ 2000 - I didn't mean to suggest linux as a replacement for XP (unless you feel like reeeallly getting into some funky Terminal Services configs).  I *do* mean what I said about the dubious benefits of XP.  What functionality does it contain beyond Win2000, besides fattening the pocketbooks of M$ execs?

Do yourself a favor, and stick w/ Win 2000 for another year or two (or at least until someone comes up with a good reason for running XP).  You will save cash on licenses, and on time spent by admin staff (yourself).

Just so you know, when a client of mine demands mickeysoft compliance, I recommend 2000 servers, w/ 98se or win2000 clients (98se saves significant $$ on client licenses), with a linux firewall, of course.


Author Comment

ID: 7057883
I have dumped XP for 2000 and it's not exactly working out peachy keen.  I have problems with different users' ACT files overwriting each other.  WinXP seemed to handle the multiple login much better than 2000.  It seems that roaming profiles would solve all my problems, but here is the error that I get:

Windows cannot create profile directory \\server\Profiles\seb.pds.  You will be logged on with a local profile only. Changes to the profile will not be propagated to the server. Contact your network administrator.

If we can get this running, whoever helps me out will get all the points.

If need be I can post my smb.conf file


Author Comment

ID: 7057887
One more thing, I have also setup a win2000 server to see which one of these solutions would work first, so far no luck on the 2000 server either, if it's not one thing it's the other.

LVL 16

Expert Comment

ID: 7058563
>If need be I can post my smb.conf file

Please do.  Also, what is the directory it is trying to create here: "\\server\Profiles\seb.pds"

I presume it is "Profiles", since "seb.pds" sounds like a filename to me (since microsoft generally likes spaces rather than .'s in directory names)

Does a "Profiles" share exist in smb.conf?  If so, what are the permissions on the actual directory referenced by the "Profiles" share?


Author Comment

ID: 7060378
Here is the smb.conf file

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#======================= Global Settings =====================================

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = TCT

# server string is the equivalent of the NT Description field
   server string = HP Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 192.168.1. 192.168.2. 127.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;   printing = bsd

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
# Use password server option only with security = server
;   password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8
;  username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux sytsem password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
  username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /etc/samba/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces =

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
#      a specific host or from / to a whole subnet (see below)
;   remote browse sync =
# Cause this host to announce itself to local subnets here
;   remote announce =

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
   os level = 65

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
   preferred master = yes

# Use only if you have an NT server on your network that has been
# configured at install time to be a primary domain controller.
;   domain controller = <NT-Domain-Controller-SMBName>

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
#   logon script = %m.bat
# run a specific logon batch file per username
#   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
   logon path = \\%L\Profiles\%a\%U
   logon home = \\%L\%U\Profiles
   logon drive = h:
   logon script = %U.bat

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
; name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#      Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one      WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

# This is the group definition for administrators

Domain Admin group = @adm

#============================ Share Definitions ==============================
   comment = Home Directories
   browseable = no
   writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
   comment = Network Logon Service
   path = /home/netlogon
   guest ok = yes
   writable = no
   share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
    comment = Roaming profiles directory
    path = /home/profiles
    read-only = no
    create mask = 0600
    directory mask = 0700

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   read only = yes
;   write list = @staff

# Other examples.
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes

# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no

# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765

      comment = Trans Caribbean Trust Files
      path = /data/tct
      public = yes
      browseable = yes

      comment = Default Directory For Useful Programs and Utilities
      path = /data/programs
      public = yes
      browseable = yes
      writeable = yes
      comment = Directory For ALL Data backups
      path = /data/backup
      writeable = yes
      comment = Any Drivers You Need Are Here
      path = /data/drivers
      public = yes
      comment = Store your music files here
      path = /data/music
      public = yes
      browseable = yes
      writeable = yes

      comment = Default email shares for Act
      path = /data/actemail
      public = no
      writeable = yes

directory permissions for the shares are as follows:
drwxr-xr-x   17 root     root         4096 May 17 18:25 .
drwxr-xr-x   21 root     root         4096 Jun  5 18:01 ..
drwx------    3 chris    chris        4096 May 17 18:25 chris
drwx------    3 dale     dale         4096 May 17 06:53 dale
drwx------    3 dan      dan          4096 May 17 06:53 dan
drwx------    7 guy      guy          4096 May 31 12:35 guy
drwx------    3 jack     jack         4096 May 17 06:53 jack
drwx------    3 kerry    kerry        4096 May 17 06:53 kerry
drwx------    2 root     root        16384 May 17 06:28 lost+found
drwxr-xr-x    2 root     root         4096 May 17 14:07 netlogon
drwx------   13 seb      seb          4096 Jun  6 16:31 seb
drwx------    4 stacey   stacey       4096 May 29 19:31 stacey
drwx------    3 steve    steve        4096 May 17 06:53 steve
drwx------    3 sue      sue          4096 May 17 06:53 sue
drwx------    7 ted      ted          4096 May 29 18:44 ted
drwx------    6 todd     todd         4096 May 22 11:30 todd
drwx------    3 yury     yury         4096 May 17 06:53 yury

I'm not sure what's going on here because there are some profile related files in the dirs for the users, but nothing seems to work.  I keep getting the "share not found" error

LVL 16

Expert Comment

ID: 7060514
   comment = Roaming profiles directory
   path = /home/profiles
   read-only = no
   create mask = 0600
   directory mask = 0700

You appear to be referencing a directory that does not exist - what happens when you create dir called /home/profiles?  You may have to set 770 permissions on it, and give it a group ownership of a group containing all your fileserver users.

Let me know how it goes - won't be back 'till tomorrow - it's my wedding anniversary.
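
A check for the conditions raised in the comment above, as an added example that is not part of the original thread: it reads an smb.conf, finds the share that `logon path` points at, and reports whether that share's section exists, whether it is writable, and whether its directory exists with group write access. The function names and the sample text are constructed for illustration; the writability check goes beyond what the comment asks, because a Samba share is read-only unless `read only = no` or `writable`/`writeable`/`write ok = yes` is set, and the hyphenated `read-only` is not one of those names.

```python
import os
import re
import stat

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            current["".join(name.lower().split())] = value.strip()
    return sections

def share_is_writable(share):
    """Shares are read-only unless a recognised parameter says otherwise."""
    if share.get("readonly", "yes").lower() in ("no", "false", "0"):
        return True
    return any(share.get(k, "no").lower() in ("yes", "true", "1")
               for k in ("writable", "writeable", "writeok"))

def check_profile_share(conf_text):
    """Return a list of problems with the share that 'logon path' points at."""
    conf = parse_smb_conf(conf_text)
    logon_path = conf.get("global", {}).get("logonpath", "")
    unc = re.match(r"\\\\[^\\]+\\([^\\]+)", logon_path)
    if not unc:
        return ["logon path %r is not a \\\\server\\share path" % logon_path]
    name = unc.group(1)
    share = conf.get(name.lower())               # share names are case-insensitive
    if share is None:
        return ["no [%s] section, so the share name cannot be found" % name]
    problems = []
    if not share_is_writable(share):
        problems.append("[%s] is read-only; clients cannot create profiles" % name)
    path = share.get("path", "")
    if not os.path.isdir(path):
        problems.append("path %r does not exist on the server" % path)
    else:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o070 != 0o070:                # group needs rwx, as in mode 770
            problems.append("%s is mode %o; group members cannot write" % (path, mode))
    return problems

# Constructed sample, modelled on the posted file with section headers added.
SAMPLE = r"""
[global]
   logon path = \\%L\Profiles\%a\%U
[Profiles]
    path = /home/profiles
    read-only = no
"""

if __name__ == "__main__":
    for problem in check_profile_share(SAMPLE):
        print("PROBLEM:", problem)
```

Run it on the server itself so the directory checks see the real filesystem; `testparm` remains the authoritative check for parameter names.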


Author Comment

ID: 7060874
happy anniversary!

Author Comment

ID: 7136359
Believe it or not I'm still screwing around with this setup.  I have no luck with the profiles on any system setup.  We're talking from WinME, 2000 to XP.  

I noticed the following error message when I login from the XP or 2000 clients "Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.  

DETAIL - The network name cannot be found. "

I have since enabled WINS support in Samba, added the name and IP of the server to the LMHOSTS file on XP and did the same for Samba, still no dice.  The name of the server is cleverly enough - server.  There is not a proper name since I was getting error messages from linux because it's not a "real" name.


LVL 14

Expert Comment

ID: 7153134
the wins server ip address should be set up in your WINS tab of your TCP/IP properties. You should do this on all your clients or set up a DHCP server.
LMHOSTS files are useless, and should be erased.

Author Comment

ID: 7155220
I placed the WINS info in the TCP/IP Tab of my clients, same error message.
LVL 14

Expert Comment

ID: 7155471
- could you verify if your smb.conf contains something like this :

     wins support = yes
     name resolve order = wins lmhosts hosts bcast

- on your samba server, smbd and nmbd processes are running (ps aux|grep smbd) ?

- do you have dns enabled on your clients ? if so try to disable it.

- from one of your clients if you do ping server, it works ?

- if it works, try to ping another station of your network.

that's all. hope this helps !

Author Comment

ID: 7168324

I have all of the above functioning fine.

I have enabled the WINS support and name resolve in the smb.conf file.

I have dns enabled because without it I could not get internet traffic routed properly to my clients via the linksys box we're using.

pinging anyone from anywhere works fine.  I can ping server to WS, from WS to server, WS to WS etc.

Expert Comment

ID: 9078475
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.
LVL 12

Expert Comment

ID: 10004282
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

PAQ - no points refunded

Please leave any comments here within the next seven days.

EE Cleanup Volunteer

Accepted Solution

Computer101 earned 0 total points
ID: 10034028
PAQed - no points refunded (of 200)

E-E Admin
