Re: [solved] Re: Samba PDC roaming profiles problem
On Tue, Aug 03, 2010 at 02:43:24PM +0200, Alex de Kruijff typed:
>
> I solved it. Without LDAP one is able to use %L, %U and %a in the logon
> path, but if one uses LDAP then this path is no longer processed by
> Samba, but instead passed literally to Windows. So far my solution is to
> change all LDAP entries. This also means I should name multiple servers
> (on different networks) with the same hostname. It's a bit more limiting
> than the smb.conf, but it works.

Ah, I see. Been there. Do you have the "logon path" etc. options still in
smb.conf or are you using LDAP attributes (like sambaProfilePath,
sambaHomeDrive) for each individual account? I found the latter to be more
flexible in the long run (though a little harder to set up and administrate
initially).

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
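An added example, not part of the thread and not Samba's own code: a check over an LDIF export for the condition Alex describes, where per-account path attributes still carry smb.conf-style % macros that would reach Windows unexpanded. The attribute set (sambaProfilePath plus sambaHomePath and sambaLogonScript) is an assumption about what to audit, and the sample entries under dc=example,dc=test are constructed.

```python
import base64
import re

# Per-account path attributes of the sambaSamAccount object class (assumed set).
PATH_ATTRS = {"sambaprofilepath", "sambahomepath", "sambalogonscript"}
MACRO = re.compile(r"%[A-Za-z]")  # smb.conf-style substitution such as %L or %U

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_literal_macros(ldif_text):
    """Return (dn, attribute, value, macros) for every path value holding a macro."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank separator, comment, or not an attribute line
        if rest.startswith(":"):  # "attr:: value" means the value is base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() in PATH_ATTRS and MACRO.search(value):
            findings.append((dn, name, value, MACRO.findall(value)))
    return findings

# Constructed sample: a macro left in place, a folded clean path, a base64 value.
SAMPLE = r"""dn: uid=tester,ou=Users,dc=example,dc=test
sambaProfilePath: \\%L\profiles\%U

dn: uid=alice,ou=Users,dc=example,dc=test
sambaProfilePath: \\fileserver\pro
 files\alice

dn: uid=bob,ou=Users,dc=example,dc=test
sambaProfilePath:: """ + base64.b64encode(rb"\\%L\profiles\bob").decode() + "\n"

if __name__ == "__main__":
    for dn, attr, value, macros in find_literal_macros(SAMPLE):
        print(f"{dn}: {attr} = {value} (unexpanded: {', '.join(macros)})")
```

The same function can be run over the text that ldapsearch prints for the ou=Users subtree, since that output is LDIF.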
[solved] Re: Samba PDC roaming profiles problem
On 3-8-2010 14:35, Ruben de Groot wrote:
> On Tue, Aug 03, 2010 at 12:22:33PM +0200, Alex de Kruijff typed:
>> I've enabled debugging in Windows Domain using:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;221833
>>
>> I find it strange that it first tries \\%L\profiles\testers. This is the
>> log.
>>
>> USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile: Entering, hToken = <0x960>, lpProfileInfo = 0x6e3e0
>> USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile:
>
> [lots of MS logs snipped]
>
> I really think these kinds of logs could be much better analyzed at a
> Samba or MS mailing list.
>
> cheers,
> Ruben

Hi,

I solved it. Without LDAP one is able to use %L, %U and %a in the logon
path, but if one uses LDAP then this path is no longer processed by
Samba, but instead passed literally to Windows. So far my solution is to
change all LDAP entries. This also means I should name multiple servers
(on different networks) with the same hostname. It's a bit more limiting
than the smb.conf, but it works.

Yours,
Alex
Re: Samba PDC roaming profiles problem
On Tue, Aug 03, 2010 at 12:22:33PM +0200, Alex de Kruijff typed:
> I've enabled debugging in Windows Domain using:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;221833
>
> I find it strange that it first tries \\%L\profiles\testers. This is the
> log.
>
> USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile: Entering, hToken = <0x960>, lpProfileInfo = 0x6e3e0
> USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile:

[lots of MS logs snipped]

I really think these kinds of logs could be much better analyzed at a
Samba or MS mailing list.

cheers,
Ruben
Re: Samba PDC roaming profiles problem
On 2-8-2010 21:26, David N wrote:
> On 2 August 2010 21:32, Alex de Kruijff wrote:
>> Hi,
>>
>> I've set up an LDAP backend Samba PDC. I can gain access to shares and
>> login with a user that is in LDAP, but have a problem setting up the
>> roaming profile stuff. I've been trying to solve this problem for some
>> time now, and have tried everything I could think of, but without much
>> luck. I keep getting the following error messages:
>>
>> "Windows cannot locate the server copy of your roaming profile and is
>> attempting to log you on with your local profile. Changes to the profile
>> will not be copied to the server when you logoff. Plausible causes of
>> this error include network problem or insufficient security rights. If
>> this problem persists, contact your network administrators. DETAILS -
>> The network path was not found."
>>
>> Followed by:
>>
>> "Windows cannot find the local profile and is logging on with a tempory
>> profiles. Changes to this profile will be lost when you logoff."
>>
>> Here is my smb.conf:
>>
>> [global]
>> security = user
>> name resolve order = wins lmhosts hosts bcast
>> deadtime = 15
>> map to guest = Never
>> csc policy = disable
>> hosts allow = 127. 192.168.
>> server string =
>> workgroup = Nieuwegein
>> time server = yes
>> wins support = yes
>> domain master = yes
>> domain logons = yes
>> encrypt passwords = yes
>> local master = yes
>> logon drive = Z:
>> logon path = \\%L\profiles\%U
>> preferred master = yes
>> os level = 255
>> encrypt passwords = yes
>> passdb backend = ldapsam:ldap://localhost/
>> enable privileges = Yes
>> pam password change = yes
>> passwd program = /usr/local/sbin/smbldap-passwd %u
>> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>> unix password sync = Yes
>> ldap delete dn = Yes
>> ldap ssl = Off
>> ldap passwd sync = Yes
>> ldap admin dn = cn=admin,dc=specialisterren,dc=nl
>> ldap suffix = dc=specialisterren,dc=nl
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = ou=Users
>> ldap machine suffix = ou=Computers
>> ldap user suffix = ou=Users
>> idmap backend = ldap:ldap://localhost
>> idmap uid = 1-2
>> idmap gid = 1-2
>> add user script = /usr/local/sbin/smbldap-useradd -a -m "%u"
>> delete user script = /usr/local/sbin/smbldap-userdel "%u"
>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>> delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>> template homedir = /home/%U
>> template shell = /bin/csh
>> getwd cache = yes
>> socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=819
>> use sendfile = yes
>> mangle prefix = 6 # How to mangle Long Filenames in to 8.3 DOS
>> log level = 1
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> syslog = 0
>>
>> [template]
>> # edited out, has no path
>>
>> [homes]
>> comment = Home users
>> inherit owner = yes
>> dos filemode = yes
>> writable = yes
>> read list = @wheel @"Domain Admins"
>> valid users = "%S"
>> create mask = 0740
>> directory mask = 0750
>> aio read size = 16384
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /disk/netlogon
>> browseable = no
>> read only = yes
>> aio read size = 16384
>>
>> [profiles]
>> comment = Roaming Profiles Directory
>> path = /disk/profiles
>> administrative share = true
>> browseable = no
>> writable = yes
>> create mask = 0600
>> directory mask = 0700
>> aio read size = 16384
>> public = yes
>> # The root preexec command performs:
>> # mkdir -pm 750 /disk/profiles/%U-%a; chown %U /disk/profiles/%U-%a
>> # I started off without this.
>> root preexec = /root/sbin/profiles.sh %U %a
>>
>> # edited out other shares
>>
>> ldapsearch gives me:
>>
>> # tester, Users, specialisterren.nl
>> dn: uid=tester,ou=Users,dc=specialisterren,dc=nl
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: sambaSamAccount
>> cn: tester
>> sn: tester
>> givenName: tester
>> uid: tester
>> uidNumber: 10005
>> gidNumber: 513
>> homeDirectory: /home/tester
>> loginShell: /bin/sh
>> gecos: Tes ter
>> sambaLogonTime: 0
>>
>> (Edited out the other stuff)
>>
>> I can access \\Server\profiles, \\Server\netlogon using my tester
>> account. /etc/passwd contains no line with the user tester. And I can
>> login under SSH with the tester account.

ll -d /disk/{netlogon,profiles} gives me:

drwxr-xr-x 2 root wheel 512 Mar 16 11:09 /disk/netlogon/
drwxrwxrwt 2 root wheel 512 Aug 2 12:41 /disk/profiles/

Alex
Re: Samba PDC roaming profiles problem
Alex de Kruijff wrote:
> Hi,
>
> I've set up an LDAP backend Samba PDC. I can gain access to shares and
> login with a user that is in LDAP, but have a problem setting up the
> roaming profile stuff. I've been trying to solve this problem for some
> time now, and have tried everything I could think of, but without much
> luck. I keep getting the following error messages:
>
> "Windows cannot locate the server copy of your roaming profile and is
> attempting to log you on with your local profile. Changes to the profile
> will not be copied to the server when you logoff. Plausible causes of
> this error include network problem or insufficient security rights. If
> this problem persists, contact your network administrators. DETAILS -
> The network path was not found."
>
> Followed by:
>
> "Windows cannot find the local profile and is logging on with a tempory
> profiles. Changes to this profile will be lost when you logoff."
>

Sorry - but I can't speak to anything about the LDAP setup as I probably
don't know enough about it.

One thing that strikes me though, is Windows uses DNS SRV records to locate
services and populate variables. The naming scheme is fairly convoluted and
Windows-centric.

On a Windows box use network monitor to capture what the box is trying to
do. If you see it doing a lot of lookups for SRV records and failing it
might be something to investigate. The network monitor version that ships
with the desktop will only grab traffic for that particular machine, but is
enough for the purpose. The version that comes with the server is able to
promiscuously examine all traffic.

-Mike