Samba PDC: XP Roaming Profiles not working

Posted on 2004-09-23
Last Modified: 2008-02-01
I have Samba "correctly" set up as a PDC... smb.conf to follow.

My Win98 and WinXP comps are using it correctly as a workgroup share server just fine.

But I need the security from domain logons, and scripting with roaming profiles...

so I have switched an XP comp to domain logon... and it works fine, I switched to roaming profiles and my user works fine... but any other user or any new users are having problems:
1. Settings in MS products (IE for example) are not being saved (Proxy settings for example)
2. Start Bar settings are not being saved.
3. MS Office products ask for user name twice no matter how many times you have previously opened it.
4. MS Word cannot save files
5. Visual desktop settings are not being saved.

On the other hand things are working such as renaming and deleting files on the desktop, mapped drives, etc.

Note: The settings mentioned above do not save for a second, the moment you click ok to a settings change and then you re-open the settings dialog... the settings are "lost"/gone. This is not an issue of local profiles not being saved to the server.

I am GMT +6 so my response will take up to 12 hours.

Thank You
Question by:Namtrok

Author Comment

ID: 12131188
[global]
      load printers = No
      ldap ssl = no
      passwd chat = *New\spassword:* %n\n *Re-enter\snew\spassword:* %n\n *Password\schanged.* .
      logon drive = H:
      create mask = 0600
      domain master = Yes
      username map = /etc/samba/users.map
      encrypt passwords = yes
      time server = Yes
      logon home = \\job\homes
      passwd program = /usr/bin/passwd %u
      wins support = Yes
      dns proxy = No
      inherit permissions = Yes
      server string = %h
      logon script = allusers.bat
      dos charset = CP866
      unix password sync = yes
      workgroup = OFFICE
      logon path = \\job\profiles\%u
      os level = 45
      directory mask = 0700
      preferred master = Yes
      add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false -M %u
      log level = 5
      domain logons = Yes

[homes]
      comment = Home Directories
      read only = No
      browseable = No

[netlogon]
      path = /var/lib/samba/netlogon
      write list = root
      guest ok = Yes
      browseable = No
      locking = No

[profiles]
      path = /var/lib/samba/profiles
      read only = No
      guest ok = Yes
      profile acls = Yes

Expert Comment

ID: 12137663
I have a setup very similar to what you are attempting to do.  So I know that it can be done.

The roaming profiles that you have set up work basically like this:

* User logs on to domain
* User's profile, settings, etc are copied to the local workstation
* User does his thing on the Windows workstation and as far as the settings go, the Samba PDC is now out of the picture.  Sure, there can be problems if you are trying to save data to it, but those settings are part of the profile that gets dragged down.
* User signs off
* User's settings are sent back to the server.

Assuming that you haven't done anything other than set up a basic Samba PDC then the first time a user logs onto the domain his desktop is built from the Windows workstation default, then saved back when he logs off.  So perhaps you can pursue things from that angle.

In the meantime, you may want to crank up your logging from within smb.conf and see if you can get any clues from it.

Expert Comment

ID: 12137704
One other thing -- here is my smb.conf.  This may help you, too.

[global]
   netbios name = VRECPDC
   workgroup = VREC
   passdb backend = tdbsam
   os level = 33
   preferred master = yes
   domain master = yes
   local master = yes
   security = user
   domain logons = yes
   logon path = \\%L\profiles\%U
   logon drive = Z:
   logon home = \\QVALLEY\%U
   logon script = %U.cmd
   remote announce =
#  wins server =
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   wins support = yes
   remote announce =
   username map = /var/samba/username.map
   add machine script = /usr/sbin/useradd -d /dev/null -s /sbin/nologin -g 100 -M %u
   time server = yes
#  log level = 1

[netlogon]
   comment = Network Logon Service
   path = /var/samba/netlogon
   read only = yes
   write list = smbadm
   root preexec = /var/samba/netlogon/bld_netlogon %U %m
   root postexec =  /bin/rm -f /var/samba/netlogon/%U.cmd
   preexec = bash -c 'echo "%m" >> /tmp/netlogon.log;[ "%m" = "TSS40020" ] || /bin/sleep 60;cat /etc/motd | /usr/bin/smbclient -M %m -I %I -U Admin &'

[profiles]
   path = /var/samba/profiles/%a
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = no
   csc policy = disable

Author Comment

ID: 12140118
Thanks blk,

everything except one aspect seems to be working... let's take your list:
* User logs on to domain
* User's profile, settings, etc are copied to the local workstation
* User does his thing on the Windows workstation and as far as the settings go, the Samba PDC is now out of the picture.  Sure, there can be problems if you are trying to save data to it, but those settings are part of the profile that gets dragged down.
* User signs off
* User's settings are sent back to the server.

*the logon is going well
*the profile is copied to the workstation well
*user can NOT do his thing (change settings)
*the user signs off
*the user profile MIGHT be saving to the server... I assume they will be if the user can change them!

so are you saying... that this is simply not a samba setting problem at all? I looked at your .conf file and thought I didn't have any problems with my settings...  I added two lines to my profiles share even though they are in the globals section I thought ... well stranger things have happened..
lines added:
   create mask = 0600
   directory mask = 0700

Now reads:
     path = /var/lib/samba/profiles
     read only = No
     create mask = 0600
     directory mask = 0700
     guest ok = Yes
     profile acls = Yes

So to summarize, the problem is (you're suggesting) specific to the workstation settings..?

Also another problem since you mentioned it in your answer... (I'm adding points to the question)

I log on as a new user (in the domain but has no profile) and I get this error message (to follow) so when I browse to the profile share and try to create a folder it says I do not have permissions to do that... here's the error message received @ logon...

Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.  

DETAIL - Access is denied.

so now two problems:
#1 Profile settings are not being saved (and all the impact that has... which is described above)
#2 Users without folders in the profiles share do not have access to create a folder there...

Perhaps if the second one is solved it will solve the first problem?

Accepted Solution

blkline earned 2000 total points
ID: 12144694
Here are the permissions I use:

[root@vrecpdc /]# ll /var/samba
total 32
drwxr-xr-x    4 root     root         4096 Jun 22 18:57 backups
drwxr-xr-x    4 root     root         4096 May  6 17:16 downloads
drwxr-xr-x    2 root     root         4096 Mar 22  2004 home
lrwxrwxrwx    1 root     root           15 Mar 22  2004 log -> /var/log/samba/
drwxr-xr-x    4 root     root         4096 Aug 23 15:22 misc
drwxr-xr-x    2 root     root         4096 Sep 24 10:45 netlogon
drwxrwxrwx    5 root     root         4096 Aug 10 16:46 profiles
drwxrwxrwx   10 root     root         4096 Sep 21 14:33 share
-rw-r--r--    1 root     root           14 Mar 22  2004 username.map

Next level down in profiles:

[root@vrecpdc profiles]# ll
total 12
drwxrwxrwx   26 root     root         4096 Sep 21 11:16 Win2K
drwxrwxrwx    6 root     root         4096 Aug 24 14:05 WinNT
drwxrwxrwx   51 root     root         4096 Sep 23 14:45 WinXP

Then, my profile directory under WinXP:
drwx------   15 klinebl  users        4096 Sep 23 18:16 klinebl

Since it is the user profile on the Samba PDC that is used the permissions on the directories in which you store their profiles must be read/write for them.



Author Comment

ID: 12450675
It was all about Permissions in the profile folder, I made the profile folder itself drwxrwxrwx and it fixed it all!

Thanks Barry, sorry it took so long for me to get back to you!
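
The fix in this thread leaves the profiles root as drwxrwxrwx while each user's own directory stays drwx------. The following is an added example, not part of the thread: a POSIX shell function that audits such a tree and flags a world-writable root without the sticky bit (any user can then rename other users' profile directories) and any per-user directory that is not owned by its user or is open to group or others. It assumes GNU stat and that the directory passed in directly contains one directory per user, named after the Unix account.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: GNU stat (-c), and ROOT
# directly contains one directory per user, named after the Unix account.

# audit_profiles ROOT
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_profiles() {
    root=$1
    findings=0
    mode=$(stat -c '%a' "$root") || return 2

    # World-writable (o+w) without the sticky bit: users can rename or
    # replace each other's entries in the profiles root.
    if [ $((0$mode & 0002)) -ne 0 ] && [ $((0$mode & 01000)) -eq 0 ]; then
        echo "ROOT $root mode $mode: world-writable without sticky bit"
        findings=$((findings + 1))
    fi

    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        name=${dir##*/}
        owner=$(stat -c '%U' "$dir")
        dmode=$(stat -c '%a' "$dir")

        # The profile directory must belong to the user it is named after.
        if [ "$owner" != "$name" ]; then
            echo "PROFILE $dir: owned by $owner, expected $name"
            findings=$((findings + 1))
        fi
        # Anything beyond rwx for the owner exposes the profile contents.
        if [ $((0$dmode & 0077)) -ne 0 ]; then
            echo "PROFILE $dir mode $dmode: accessible to group or others"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Run against a directory given on the command line, if any.
if [ $# -gt 0 ]; then
    audit_profiles "$1"
fi
```

With a layout like the one in the accepted answer, where profiles are stored under `%a`, the function would be run once per subdirectory (`Win2K`, `WinNT`, `WinXP`).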
