Re: [solved] Re: Samba PDC roaming profiles problem

2010-08-03 Thread Ruben de Groot
On Tue, Aug 03, 2010 at 02:43:24PM +0200, Alex de Kruijff typed:
> 
> I solved it. Without LDAP one is able to use %L, %U and %a in the logon
> path, but if one uses LDAP then this path is no longer processed by
> Samba, but instead passed literally to Windows. So far my solution is to
> change all LDAP entries. This also means I should name multiple servers
> (on different networks) with the same hostname. It's a bit more limiting
> in the smb.conf, but it works.

Ah, I see. Been there. Do you have the "logon path" etc. options still in
smb.conf or are you using LDAP attributes (like sambaProfilePath,
sambaHomeDrive) for each individual account? I found the latter to be
more flexible in the long run (though a little harder to set up and
administrate initially).
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
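An added example, not code from this thread: a small Python check that models the behaviour Alex describes above (a `logon path` taken from smb.conf has %L, %U and %a expanded by Samba, while a sambaProfilePath stored in LDAP reaches the Windows client as written) and, for every account whose LDAP value still carries a macro, emits the per-account LDIF change Ruben's approach needs. The smb.conf fragment, the three LDIF entries, the server name pdc1 and the architecture string WinXP are constructed sample data.

```python
"""Audit Samba roaming-profile paths for macros the client would receive literally."""
import re

MACRO_RE = re.compile(r"%[A-Za-z]")

# Constructed smb.conf fragment, modelled on the one posted in the thread.
SMB_CONF = r"""
[global]
    workgroup = Nieuwegein
    logon drive = Z:
    logon path = \\%L\profiles\%U
[profiles]
    path = /disk/profiles
"""

# Constructed LDIF: one account carrying a literal macro path (the failure
# mode from the thread), one with an explicit path, one without the attribute.
LDIF = r"""
dn: uid=tester,ou=Users,dc=example,dc=nl
uid: tester
objectClass: sambaSamAccount
sambaProfilePath: \\%L\profiles\%U

dn: uid=alice,ou=Users,dc=example,dc=nl
uid: alice
objectClass: sambaSamAccount
sambaProfilePath: \\pdc1\profiles\alice

dn: uid=bob,ou=Users,dc=example,dc=nl
uid: bob
objectClass: sambaSamAccount
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}.  configparser is
    unsuitable here: it treats the indented keys as continuation lines."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def parse_ldif(text):
    """Minimal LDIF reader -> list of {attr: [values]} dicts."""
    entries, entry = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def expand(path, user, server, arch):
    """Samba-style substitution for the three macros discussed in the thread."""
    return path.replace("%U", user).replace("%L", server).replace("%a", arch)


def effective_profile_path(entry, conf, server, arch):
    """Return (path, source).  An LDAP sambaProfilePath is used literally;
    the smb.conf logon path is macro-expanded, as Alex observed."""
    user = entry["uid"][0]
    if "sambaProfilePath" in entry:
        return entry["sambaProfilePath"][0], "ldap"
    return expand(conf["global"].get("logon path", ""), user, server, arch), "smb.conf"


def audit(conf, entries, server, arch):
    """Flag accounts whose effective path still contains a % macro and build
    LDIF modify records that replace it with the expanded, per-account path."""
    problems, ldif = [], []
    for e in entries:
        path, _source = effective_profile_path(e, conf, server, arch)
        if MACRO_RE.search(path):
            fixed = expand(path, e["uid"][0], server, arch)
            problems.append((e["dn"][0], path, fixed))
            ldif.append(
                f"dn: {e['dn'][0]}\nchangetype: modify\n"
                f"replace: sambaProfilePath\nsambaProfilePath: {fixed}\n"
            )
    return problems, "\n".join(ldif)


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    probs, fix = audit(conf, parse_ldif(LDIF), server="pdc1", arch="WinXP")
    for dn, bad, good in probs:
        print(f"{dn}: client would receive {bad!r}; expanded form {good!r}")
    print(fix)
```

The LDIF the script prints is meant for `ldapmodify`; because the expanded value bakes in the server name, a separate PDC on another network needs either the same NetBIOS name (Alex's workaround) or its own set of entries.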


[solved] Re: Samba PDC roaming profiles problem

2010-08-03 Thread Alex de Kruijff

On 3-8-2010 14:35, Ruben de Groot wrote:
> On Tue, Aug 03, 2010 at 12:22:33PM +0200, Alex de Kruijff typed:
>> I've enabled debugging in Windows Domain using:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;221833
>>
>> I find it strange that it first tries \\%L\profiles\testers. This is the
>> log.
>>
>> USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile: Entering, hToken = <0x960>, lpProfileInfo = 0x6e3e0
>> USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile:
>
> [lots of MS logs snipped]
>
> I really think these kinds of logs could be much better analyzed at a
> samba or MS mailing list.
>
> cheers,
> Ruben

Hi,

I solved it. Without LDAP one is able to use %L, %U and %a in the logon
path, but if one uses LDAP then this path is no longer processed by
Samba, but instead passed literally to Windows. So far my solution is to
change all LDAP entries. This also means I should name multiple servers
(on different networks) with the same hostname. It's a bit more limiting
in the smb.conf, but it works.


Yours,
Alex



Re: Samba PDC roaming profiles problem

2010-08-03 Thread Ruben de Groot
On Tue, Aug 03, 2010 at 12:22:33PM +0200, Alex de Kruijff typed:

> I've enabled debugging in Windows Domain using:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;221833
> 
> I find it strange that it first tries \\%L\profiles\testers. This is the 
> log.
> 
> 
> USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile: Entering, hToken = <0x960>, lpProfileInfo = 0x6e3e0
> USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile:

[lots of MS logs snipped]

I really think these kinds of logs could be much better analyzed at a
samba or MS mailing list.

cheers,
Ruben



Re: Samba PDC roaming profiles problem

2010-08-03 Thread Alex de Kruijff

On 2-8-2010 21:26, David N wrote:

On 2 August 2010 21:32, Alex de Kruijff wrote:

Hi,

I've setup a LDAP backend Samba PDC. I can gain access to shares and
login with a user that is in LDAP, but have a problem setting up the
roaming profile stuff. I've been trying to solve this problem for some
time now, and have tried everything I could think of, but without much
luck. I keep getting the following error messages:

"Windows cannot locate the server copy of your roaming profile and is
attempting to log you on with your local profile. Changes to the profile
will not be copied to the server when you logoff. Plausible causes of
this error include network problem or insufficient security rights. If
this problem persists, contact your network administrators. DETAILS -
The network path was not found."

Followed by:

"Windows cannot find the local profile and is logging on with a temporary
profiles. Changes to this profile will be lost when you logoff."

Here is my smb.conf:

[global]
    security = user
    name resolve order = wins lmhosts hosts bcast
    deadtime = 15
    map to guest = Never
    csc policy = disable
    hosts allow = 127. 192.168.
    server string =
    workgroup = Nieuwegein
    time server = yes
    wins support = yes
    domain master = yes
    domain logons = yes
    encrypt passwords = yes
    local master = yes
    logon drive = Z:
    logon path = \\%L\profiles\%U
    preferred master = yes
    os level = 255
    encrypt passwords = yes
    passdb backend = ldapsam:ldap://localhost/
    enable privileges = Yes
    pam password change = yes
    passwd program = /usr/local/sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    unix password sync = Yes
    ldap delete dn = Yes
    ldap ssl = Off
    ldap passwd sync = Yes
    ldap admin dn = cn=admin,dc=specialisterren,dc=nl
    ldap suffix = dc=specialisterren,dc=nl
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    idmap backend = ldap:ldap://localhost
    idmap uid = 1-2
    idmap gid = 1-2
    add user script = /usr/local/sbin/smbldap-useradd -a -m "%u"
    delete user script = /usr/local/sbin/smbldap-userdel "%u"
    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/local/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    template homedir = /home/%U
    template shell = /bin/csh
    getwd cache = yes
    socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=819
    use sendfile = yes
    # How to mangle Long Filenames in to 8.3 DOS
    mangle prefix = 6
    log level = 1
    log file = /var/log/samba/log.%m
    max log size = 50
    syslog = 0

[template]
    # edited out, has no path

[homes]
    comment = Home users
    inherit owner = yes
    dos filemode = yes
    writable = yes
    read list = @wheel @"Domain Admins"
    valid users = "%S"
    create mask = 0740
    directory mask = 0750
    aio read size = 16384

[netlogon]
    comment = Network Logon Service
    path = /disk/netlogon
    browseable = no
    read only = yes
    aio read size = 16384

[profiles]
    comment = Roaming Profiles Directory
    path = /disk/profiles
    administrative share = true
    browseable = no
    writable = yes
    create mask = 0600
    directory mask = 0700
    aio read size = 16384
    public = yes
    # The root preexec command performs:
    # mkdir -pm 750 /disk/profiles/%U-%a; chown %U /disk/profiles/%U-%a
    # I started off without this.
    root preexec = /root/sbin/profiles.sh %U %a

# edited out other shares

ldapsearch gives me:

# tester, Users, specialisterren.nl
dn: uid=tester,ou=Users,dc=specialisterren,dc=nl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: tester
sn: tester
givenName: tester
uid: tester
uidNumber: 10005
gidNumber: 513
homeDirectory: /home/tester
loginShell: /bin/sh
gecos: Tes ter
sambaLogonTime: 0

(Edited out the other stuff)
I can access \\Server\profiles, \\Server\netlogon using my tester
account. /etc/passwd contains no line with the user tester. And I can
login under SSH with the tester account.

ll -d /disk/{netlogon,profiles} gives me:
drwxr-xr-x  2 root  wheel  512 Mar 16 11:09 /disk/netlogon/
drwxrwxrwt  2 root  wheel  512 Aug  2 12:41 /disk/profiles/

Alex
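As an added example, not the profiles.sh from the thread: a Python version of the root preexec hook whose effect the smb.conf comment above describes (mkdir -pm 750 /disk/profiles/%U-%a; chown %U). Samba runs `root preexec` as root with values taken from the client session, so the script checks both arguments against the plain tokens it expects before creating anything, and it is safe to run on every connection because it only adjusts mode and owner when the directory already exists. The file name /root/sbin/profiles.py and the invocation line in the docstring are assumptions.

```python
#!/usr/bin/env python3
"""Per-user, per-architecture profile directory creation for Samba.

Assumed smb.conf line (hypothetical):
    root preexec = /root/sbin/profiles.py %U %a
"""
import os
import pwd
import re
import sys

PROFILE_BASE = "/disk/profiles"  # share path from the thread's [profiles] section
USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")  # POSIX-style account names
ARCH_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")  # Samba %a values such as WinXP, Win7


def profile_dir(user, arch, base=PROFILE_BASE):
    """Validate both session-supplied tokens and return the target directory.

    Raises ValueError on anything but a plain user name and a plain
    architecture token, so the result always sits directly under base.
    """
    if not USER_RE.match(user):
        raise ValueError(f"refusing user name {user!r}")
    if not ARCH_RE.match(arch):
        raise ValueError(f"refusing architecture {arch!r}")
    base = os.path.normpath(base)
    path = os.path.join(base, f"{user}-{arch}")
    if os.path.dirname(path) != base:  # belt and braces; the regexes already ensure this
        raise ValueError(f"refusing path {path!r}")
    return path


def ensure_profile_dir(user, arch, base=PROFILE_BASE):
    """Create the directory with mode 0750 owned by the user (idempotent).

    The uid comes from the NSS lookup, so the LDAP account has to resolve
    through nss_ldap on the server, as it does in the thread (SSH login works).
    """
    path = profile_dir(user, arch, base)
    uid = pwd.getpwnam(user).pw_uid  # KeyError if the account is unknown to NSS
    if not os.path.isdir(path):
        os.mkdir(path, 0o750)
    os.chmod(path, 0o750)  # the mkdir mode is subject to umask; enforce it explicitly
    os.lchown(path, uid, -1)  # keep the group as-is, like a plain 'chown %U'
    return path


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: profiles.py USER ARCH")
    try:
        print(ensure_profile_dir(sys.argv[1], sys.argv[2]))
    except (ValueError, KeyError, OSError) as err:
        sys.exit(f"profiles: {err}")
```

Because the thread ends up with a literal, per-account sambaProfilePath rather than a %a-expanded one, the %a suffix only matters if the LDAP value also encodes the architecture; the validation is still worth keeping for any script Samba runs as root.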



Re: Samba PDC roaming profiles problem

2010-08-02 Thread David N
On 2 August 2010 21:32, Alex de Kruijff  wrote:
> Hi,
>
> I've setup a LDAP backend Samba PDC. I can gain access to shares and
> login with a user that is in LDAP, but have a problem setting up the
> roaming profile stuff. I've been trying to solve this problem for some
> time now, and have tried everything I could think of, but without much
> luck. I keep getting the following error messages:
>
> "Windows cannot locate the server copy of your roaming profile and is
> attempting to log you on with your local profile. Changes to the profile
> will not be copied to the server when you logoff. Plausible causes of
> this error include network problem or insufficient security rights. If
> this problem persists, contact your network administrators. DETAILS -
> The network path was not found."
>
> Followed by:
>
> "Windows cannot find the local profile and is logging on with a temporary
> profiles. Changes to this profile will be lost when you logoff."
>
> Here is my smb.conf:
>
>> [global]
>>     security = user
>>     name resolve order = wins lmhosts hosts bcast
>>     deadtime = 15
>>     map to guest = Never
>>     csc policy = disable
>>     hosts allow = 127. 192.168.
>>     server string =
>>     workgroup = Nieuwegein
>>     time server = yes
>>     wins support = yes
>>     domain master = yes
>>     domain logons = yes
>>    encrypt passwords = yes
>>     local master = yes
>>     logon drive = Z:
>>     logon path = \\%L\profiles\%U
>>     preferred master = yes
>>     os level = 255
>>     encrypt passwords = yes
>>     passdb backend = ldapsam:ldap://localhost/
>>     enable privileges = Yes
>>     pam password change = yes
>>     passwd program = /usr/local/sbin/smbldap-passwd %u
>>     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>>
>>     unix password sync = Yes
>>     ldap delete dn = Yes
>>     ldap ssl = Off
>>     ldap passwd sync = Yes
>>     ldap admin dn = cn=admin,dc=specialisterren,dc=nl
>>     ldap suffix = dc=specialisterren,dc=nl
>>     ldap group suffix = ou=Groups
>>     ldap idmap suffix = ou=Users
>>     ldap machine suffix = ou=Computers
>>     ldap user suffix = ou=Users
>>     idmap backend = ldap:ldap://localhost
>>     idmap uid = 1-2
>>     idmap gid = 1-2
>>     add user script = /usr/local/sbin/smbldap-useradd -a -m "%u"
>>     delete user script = /usr/local/sbin/smbldap-userdel "%u"
>>     add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>     delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>>     add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>     delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>     set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>     add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>    template homedir = /home/%U
>>     template shell = /bin/csh
>>    getwd cache = yes
>>    socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=819
>>    use sendfile = yes
>>    mangle prefix = 6 # How to mangle Long Filenames in to 8.3 DOS
>>    log level = 1
>>    log file = /var/log/samba/log.%m
>>    max log size = 50
>>     syslog = 0
>>
>>  [template]
>>  # edited out, has no path
>>
>>  [homes]
>>    comment = Home users
>>    inherit owner = yes
>>    dos filemode = yes
>>    writable = yes
>>    read list = @wheel @"Domain Admins"
>>    valid users = "%S"
>>     create mask = 0740
>>     directory mask = 0750
>>     aio read size = 16384
>>
>>  [netlogon]
>>     comment = Network Logon Service
>>     path = /disk/netlogon
>>     browseable = no
>>     read only = yes
>>     aio read size = 16384
>>
>>  [profiles]
>>     comment = Roaming Profiles Directory
>>     path = /disk/profiles
>>     administrative share = true
>>     browseable = no
>>    writable = yes
>>     create mask = 0600
>>     directory mask = 0700
>>     aio read size = 16384
>>     public = yes
>>     # The root preexec command performs:
>>    # mkdir -pm 750 /disk/profiles/%U-%a; chown %U /disk/profiles/%U-%a
>>     # I started off without this.
>>     root preexec = /root/sbin/profiles.sh %U %a
>>
>> # edited out other shares
>
> ldapsearch gives me:
>>
>>  # tester, Users, specialisterren.nl
>>  dn: uid=tester,ou=Users,dc=specialisterren,dc=nl
>>  objectClass: top
>>  objectClass: person
>>  objectClass: organizationalPerson
>>  objectClass: inetOrgPerson
>>  objectClass: posixAccount
>>  objectClass: shadowAccount
>>  objectClass: sambaSamAccount
>>  cn: tester
>>  sn: tester
>>  givenName: tester
>>  uid: tester
>>  uidNumber: 10005
>>  gidNumber: 513
>>  homeDirectory: /home/tester
>>  loginShell: /bin/sh
>>  gecos: Tes ter
>>  sambaLogonTime: 0
>
> (Edited out the other stuff)
>
> I can access \\Server\profiles, \\Server\netlogon using my tester
> account. /etc/passwd contains no line with the user tester. And I can
> login under SSH with the tester account.
>

Re: Samba PDC roaming profiles problem

2010-08-02 Thread Michael Powell
Alex de Kruijff wrote:

> Hi,
> 
> I've setup a LDAP backend Samba PDC. I can gain access to shares and
> login with a user that is in LDAP, but have a problem setting up the
> roaming profile stuff. I've been trying to solve this problem for some
> time now, and have tried everything I could think of, but without much
> luck. I keep getting the following error messages:
> 
> "Windows cannot locate the server copy of your roaming profile and is
> attempting to log you on with your local profile. Changes to the profile
> will not be copied to the server when you logoff. Plausible causes of
> this error include network problem or insufficient security rights. If
> this problem persists, contact your network administrators. DETAILS -
> The network path was not found."
> 
> Followed by:
> 
> "Windows cannot find the local profile and is logging on with a temporary
> profiles. Changes to this profile will be lost when you logoff."
> 
Sorry - but I can't speak to anything about the LDAP setup as I probably 
don't know enough about it. One thing that strikes me though, is Windows 
uses DNS SRV records to locate services and populate variables. The naming 
scheme is fairly convoluted and Windows centric.

On a Windows box use network monitor to capture what the box is trying to 
do. If you see it doing a lot of look ups for SRV records and failing it 
might be something to investigate. The network monitor version that ships 
with the desktop will only grab traffic for that particular machine, but is 
enough for the purpose. The version that comes with the server is able to 
promiscuously examine all traffic.

-Mike


