Solved

windows user profiles and logon scripts for linux domain controller

Posted on 2007-12-04
Last Modified: 2013-12-16
Dear Sir/Madam:

Linux is working as a Samba domain controller, but:

1. When logged in on Windows, the local Windows profile is getting loaded. How do I point this to the Linux server?

2. How do I place logon scripts in /var/lib/samba/netlogon/scripts?

Please help me with this.
Question by:D_wathi
 
LVL 14

Expert Comment

by:ygoutham
ID: 20402401
make sure that the following lines are there in your smb.conf file

      logon path = \\%L\Profiles\%U
      # you can choose any drive of your choice here
      # (smb.conf has no trailing comments; text after the value becomes part of it)
      logon drive = P:
      logon home = \\%L\%U
      domain logons = Yes

once done , restart samba services and you should be done.

there should be a separate share name created with "Profiles"  in your shares section

mine is as follows:

[Profiles]
      path = /samba1/profiles
      read only = No
      browseable = No

0
 

Author Comment

by:D_wathi
ID: 20402577
Thanks for the reply. Yes sir, I have those lines in my smb.conf, but when users log in from the Windows systems the following error messages appear:

1. Your roaming profile is not available. You are logged on with the locally stored profile. Changes to the profile will not be copied to the server. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

DETAIL - Access is denied.

2. Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

For your reference, the following is my config:

   [netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon/scripts
        admin users = ed, john, root
;       guest ok = yes
        guest ok = no
        browseable = no
;       writable = no
;       share modes = no

  [Profiles]
        comment = Roaming Profile Share
        path = /var/lib/samba/profiles
        read only = no
        guest ok = yes
        profile acls = yes
;       browseable = no
;       guest ok = yes


Error no. 1:

I think it is the access to the path /var/lib/samba/netlogon/scripts. What access should be set? Please suggest.

Error no. 2: I have no idea.



0
 
LVL 14

Expert Comment

by:ygoutham
ID: 20402601
the profiles share has to be set up as a complete 777 permission.  as in

chmod  777 /path/to/profiles

as the windows machine creates a new directory for every user who logs on to the domain in this particular shared folder, it has to be writeable to the entire world.  however, the individual username directories created there would be created as 700 in the user name.  therefore the access to the contents would not be visible to anyone other than the domain admin and the user himself.

have you checked whether /var/lib/samba/profiles has a 777 permission set to it
0
 

Author Comment

by:D_wathi
ID: 20402973
Thank you so much. Then error no. 2: if the permission is set to 777, will error 2 also be solved? For your reference, error 2 is posted below:

 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.


0
 

Author Comment

by:D_wathi
ID: 20403931
Sir, I set the permissions as follows:
# chmod 777 /var/lib/samba/profiles

Still the same two error messages:

1. Your roaming profile is not available. You are logged on with the locally stored profile. Changes to the profile will not be copied to the server. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.
DETAIL - Access is denied.
2. Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Please help to fix this.


0
 
LVL 14

Expert Comment

by:ygoutham
ID: 20409279
for what it is worth i am giving my smb.conf file which works in exactly the same way that you want it to work as

[global]
      workgroup = XXXXXX.COM
      netbios name = ZZZZZZZZ
      server string = samba server
      passdb backend = tdbsam
      username map = /etc/samba/smbusers
      log file = /var/log/samba/smbd.log
      max log size = 50
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      add user script = /usr/sbin/useradd -m %u
      delete user script = /usr/sbin/userdel -r %u
      add group script = /usr/sbin/groupadd %g
      add user to group script = /usr/sbin/usermod -G %g %u
      add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
      logon path = \\%L\Profiles\%U
      logon drive = P:
      logon home = \\%L\%U
      domain logons = Yes
      os level = 255
      interfaces = eth0 lo
      local master = Yes
      preferred master = Yes
      domain master = Yes
      wins support = Yes
      ldap ssl = no
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      admin users = XXXXXX.com\root
      create mask = 0774
      hosts allow = 192.168.245.0/255.255.255.0

[homes]
      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No

[printers]
      comment = All Printers
      path = /var/spool/samba
      printable = Yes
      browseable = No

[netlogon]
      comment = Network Logon Service
      path = /var/lib/samba/netlogon
      admin users = root, ygoutham
      guest ok = Yes
      browseable = No

[public]
      comment = Directory for general storage
      path = /samba1/public
      guest ok = Yes

[profiles]
      path = /samba1/profiles
      read only = No
      browseable = No
0
 

Author Comment

by:D_wathi
ID: 20409638
Thanks for the reply. Sir, the root user with a Samba password is able to log in without the following message at login time:

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

But with all other Samba users, the above message appears at login.

please help me.
0
 
LVL 14

Expert Comment

by:ygoutham
ID: 20409754
try changing the profiles path from /var directory to some other directory and see.  if not remove the machine from the domain and add it back to the domain with the root password.

now try logging with the username and password again to see if the profiles are getting created
0
 

Author Comment

by:D_wathi
ID: 20410154
Sir, there is no problem with the root login on the Windows client machines; after login I can see the root directory, which is created under /Documents and Settings/root.

But when the other Samba users log in, no such username directory is created.

0
 
LVL 14

Expert Comment

by:ygoutham
ID: 20410163
have you set the other users username and password

smbpasswd -a username

the above command adds a password for the USERNAME to the samba password db file

if you do a

pdbedit -L

then it should show a list of all the users and groups in the samba server
0
 

Author Comment

by:D_wathi
ID: 20410248
yes sir

have created a samba users by using :
#pdbedit -a < username>
and issued the password

With the same user I am able to log in and access the home directory on the Samba domain controller, but with the following message at login:

" Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off."


also no username directory is created under /Documents and Settings/

please note :
for the root no problem at all logon happens without any message i mean the roaming profile is getting loaded from the samba domain and also root directory is created under the /Documents and Settings.

please help me .



0
 
LVL 14

Expert Comment

by:ygoutham
ID: 20410256
is the firewall and SELINUX running on the samba server??? what is the log file /var/log/smbd.log saying??? any help there?
0
 

Author Comment

by:D_wathi
ID: 20410394
Sir, the iptables rules are opened for Samba, and all the SELinux policies are on for Samba:
[root@parrot ~]# getsebool -a | grep samba
samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_ro --> on
samba_export_all_rw --> on
samba_share_nfs --> off
use_samba_home_dirs --> on

var/log/samba/smb.log :

smbd version 3.0.25b-1.el5_1.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2007/12/05 15:27:24, 0] param/loadparm.c:map_parameter(2765)
  Unknown parameter encountered: ", csc policy"
[2007/12/05 15:27:24, 0] param/loadparm.c:lp_do_parameter(3505)
  Ignoring unknown parameter ", csc policy"
[2007/12/05 15:27:32, 0] lib/util_sock.c:get_peer_addr(1232)
  getpeername failed. Error was Transport endpoint is not connected
[2007/12/05 15:28:08, 0] lib/util_sock.c:get_peer_addr(1232)
  getpeername failed. Error was Transport endpoint is not connected
[2007/12/05 15:41:22, 0] lib/util_sock.c:get_peer_addr(1232)
  getpeername failed. Error was Transport endpoint is not connected
[2007/12/05 16:09:09, 0] smbd/server.c:main(944)
  smbd version 3.0.25b-1.el5_1.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2007/12/05 16:09:09, 0] param/loadparm.c:map_parameter(2765)
  Unknown parameter encountered: ", csc policy"
[2007/12/05 16:09:09, 0] param/loadparm.c:lp_do_parameter(3505)
  Ignoring unknown parameter ", csc policy"
[2007/12/05 16:13:23, 0] smbd/server.c:main(944)
  smbd version 3.0.25b-1.el5_1.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2007/12/05 16:13:23, 0] param/loadparm.c:map_parameter(2765)
  Unknown parameter encountered: ", csc policy"
[2007/12/05 16:13:23, 0] param/loadparm.c:lp_do_parameter(3505)
  Ignoring unknown parameter ", csc policy"
[2007/12/05 16:15:35, 0] lib/util_sock.c:get_peer_addr(1232)
  getpeername failed. Error was Transport endpoint is not connected
[2007/12/05 16:15:35, 0] lib/util_sock.c:get_peer_addr(1232)
  getpeername failed. Error was Transport endpoint is not connected
[2007/12/05 16:23:04, 0] lib/util_sock.c:get_peer_addr(1232)
  getpeername failed. Error was Transport endpoint is not connected
[2007/12/05 16:23:04, 0] lib/util_sock.c:get_peer_addr(1232)
  getpeername failed. Error was Transport endpoint is not connected
[2007/12/05 16:23:53, 0] lib/util_sock.c:get_peer_addr(1232)
  getpeername failed. Error was Transport endpoint is not connected
[2007/12/05 16:23:53, 0] lib/util_sock.c:get_peer_addr(1232)
  getpeername failed. Error was Transport endpoint is not connected

0
 

Author Comment

by:D_wathi
ID: 20410416
Sir, for the ordinary users the following message appears in the windows client at the login :

Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.





0
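The error quoted in the comment above says the server copy of the profile folder must be owned by the current user or the Administrators group. As an added example (not part of the original thread), this shell function audits a profiles directory for that ownership condition and for a world-writable root without the sticky bit; it assumes GNU stat and one sub-directory per user, and the names audit_profiles, demo and constructed_user are illustrative.

```shell
#!/bin/sh
# Added example: audit a Samba roaming-profile root. Assumes GNU stat and the
# layout used in the thread (one sub-directory per user under the share path).
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_profiles() {
    root=$1
    findings=0
    root_mode=$(stat -c '%a' "$root") || return 2
    # Users must be able to create their own directory here, but a
    # world-writable root without the sticky bit also lets any user rename
    # or delete somebody else's profile directory.
    case $root_mode in
        [1357]???) ;;                       # sticky bit set
        *[2367]) echo "ROOT $root mode $root_mode: world-writable, no sticky bit"
                 findings=1 ;;
    esac
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        name=${dir##*/}
        user=${name%.V[0-9]*}               # Vista and later append .V2, .V3, ...
        owner=$(stat -c '%U' "$dir")
        mode=$(stat -c '%a' "$dir")
        # Windows rejects a server copy that the logging-on user does not own.
        if [ "$owner" != "$user" ]; then
            echo "OWNER $dir owned by $owner, expected $user"
            findings=1
        fi
        case $mode in
            *00) ;;                         # owner-only, e.g. 700
            *) echo "MODE $dir mode $mode: accessible beyond the owner"
               findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed sample: a 777 root holding one directory named after its owner
# and one ("constructed_user") owned by a different account.
demo() {
    t=$(mktemp -d) && chmod 777 "$t"
    me=$(stat -c '%U' "$t")
    mkdir -m 700 "$t/$me" && mkdir -m 755 "$t/constructed_user"
    audit_profiles "$t" && rc=0 || rc=$?
    rm -rf "$t"
    return "$rc"
}

# Usage: sh audit.sh /var/lib/samba/profiles   or   sh audit.sh --demo
case ${1:-} in '') ;; --demo) demo ;; *) audit_profiles "$1" ;; esac
```

Run it as root on the server so that every user's directory can be inspected.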
 
LVL 14

Expert Comment

by:ygoutham
ID: 20410417
samba users password is set with the

smbpasswd -a username

can you try that one and let me know pls?
0
 
LVL 14

Expert Comment

by:ygoutham
ID: 20410426
if you access the server with the ip address from the windows clients

\\server.ip.address.here\profiles

are you able to see the folders inside that???? i think it is still the permissions which need to be set properly
0
 
LVL 14

Expert Comment

by:ygoutham
ID: 20410467
it seems like an error in the smb.conf file itself

run the command

testparm

it will tell you which line in the smb.conf is not done properly so that you can trouble shoot better.
0
 

Author Comment

by:D_wathi
ID: 20410487
Sir, I have used passdb backend = tdbsam
and hence created the Samba users with:
#pdbedit -a < username>
and issued the password.

Is it still required to create the smbpasswd entry
with smbpasswd -a username?

Please tell me. Meanwhile I will check the permissions again.
0
 
LVL 14

Accepted Solution

by:
ygoutham earned 500 total points
ID: 20410495
i think both the options are right.  i always used to do a smbpasswd -a username when adding users into the domain.
0
 

Author Comment

by:D_wathi
ID: 20410511
Sir, also the following is the permission for
/var/lib/samba/profiles:
[root@parrot samba]# ls -ld profiles/
drwxrwxrwx 5 root root 4096 Dec  4 17:59 profiles/
0
 

Expert Comment

by:tjd2
ID: 22359403
synch unix users and samba users might be good.
0
