Re: [Samba] Roaming profiles in domain level

2005-04-30 Thread Jeremy Allison
On Fri, Apr 29, 2005 at 07:20:49PM -0700, Li, Ying (ESG) wrote:
> I've finally found out how to use roaming profiles in domain level.
> 
> Samba2.2 and 3.0 always checks owner's ACL for profile directories. But
> Samba returns correct owner ACL in a little bit different format with
> Windows. For example:
> Samba as profiles resource responses owner ACL for profile directory:
>   Owner: S-1-5-21-2951980089-3660375505-290094901-1224
>  Revision: 1
>  Num Auth: 5
>  Authority: 5
>  Sub-authorities: 21-2951980089-3660375505-290094901
>  RID: 1224
> Windows as profiles resource responses owner ACL for profile directory:
>   Owner: S-1-5-21-2951980089
>  Revision: 1
>  Num Auth: 5
>  Authority: 5
>  Sub-authorities: 21-2951980089
> 
> Even profile's owner is a valid domain user with accessible permissions
> on all files/directories in profile directory, Windows clients would
> disallow to access to profiles, and terminate to send incoming requests
> for loading profiles. 

Can you send me an ethereal capture trace showing
this (from Windows). It looks very unusual to me.

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Roaming profiles in domain level

2005-04-29 Thread Li, Ying (ESG)
I've finally found out how to use roaming profiles in domain level.

Samba2.2 and 3.0 always check the owner's ACL for profile directories. But
Samba returns the correct owner ACL in a slightly different format from
Windows. For example:
Samba as profiles resource responds with owner ACL for profile directory:
  Owner: S-1-5-21-2951980089-3660375505-290094901-1224
 Revision: 1
 Num Auth: 5
 Authority: 5
 Sub-authorities: 21-2951980089-3660375505-290094901
 RID: 1224
Windows as profiles resource responds with owner ACL for profile directory:
  Owner: S-1-5-21-2951980089
 Revision: 1
 Num Auth: 5
 Authority: 5
 Sub-authorities: 21-2951980089

Even if the profile's owner is a valid domain user with accessible permissions
on all files/directories in the profile directory, Windows clients would
disallow access to profiles, and stop sending incoming requests
for loading profiles.

Windows 2K/XP clients have a registry value that controls whether to check
the owner ACL for profile directories, so I used it to not check ownership. Go
to Group policy/Local Computer Configuration/Administrative
templates/System/Logon for Windows 2K/XP, and enable "Do not Check for
User Ownership of Roaming Profiles Folders". The default value is "Not
configured". This works for me.

Thanks.
-Ying 
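
Added example, not part of the original post: when comparing the owner SID in two captures, as in the dumps above, a small decoder for the binary SID layout (revision, sub-authority count, 48-bit authority, 32-bit little-endian sub-authorities) reproduces the Revision / Num Auth / Authority / Sub-authorities / RID fields and rejects a SID that is shorter than its own count field says. The function names are hypothetical; the SID value is the one from the Samba dump, and its byte encoding and the second SID are constructed.

```python
import struct

def encode_sid(text):
    """Pack a textual SID (S-rev-auth-sub1-...-subN) into its binary form."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    subs = [int(p) for p in parts[3:]]
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def decode_sid(blob):
    """Decode a binary SID, rejecting one shorter than its own count field."""
    if len(blob) < 8:
        raise ValueError("SID header is 8 bytes, got %d" % len(blob))
    revision, count = blob[0], blob[1]
    need = 8 + 4 * count
    if len(blob) < need:
        raise ValueError("Num Auth %d needs %d bytes, got %d"
                         % (count, need, len(blob)))
    subs = list(struct.unpack_from("<%dI" % count, blob, 8))
    authority = int.from_bytes(blob[2:8], "big")
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    # Same split as the dump in the message: the last sub-authority is the RID.
    return {"owner": text, "revision": revision, "num_auth": count,
            "authority": authority, "sub_authorities": subs[:-1],
            "rid": subs[-1] if subs else None}

def differing_fields(a, b):
    """Names of decoded fields that differ between two owner SIDs."""
    return sorted(k for k in a if a[k] != b[k])

# Owner SID value taken from the Samba dump in the message; the byte
# encoding and the second SID (RID 500) are constructed for this example.
SAMBA_OWNER = encode_sid("S-1-5-21-2951980089-3660375505-290094901-1224")
OTHER_OWNER = encode_sid("S-1-5-21-2951980089-3660375505-290094901-500")

if __name__ == "__main__":
    for name, value in decode_sid(SAMBA_OWNER).items():
        print("%-16s %s" % (name + ":", value))
    print(differing_fields(decode_sid(SAMBA_OWNER), decode_sid(OTHER_OWNER)))
```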


RE: [Samba] Roaming profiles in domain level

2005-04-29 Thread Li, Ying (ESG)
Hi,

In my case, the profile directory was already owned
by a domain user who has a local account for
Samba. I can see from the log file that the profile
directory can be successfully opened and accessed.
The problem seems to be that Samba handled the security
descriptor request in a different way from Windows.
For example:
1) The security_desc response is different from Windows.
Flags: Canonicalized pathnames bit is not set. But
Windows did.
Flags2: unicode string bit, Error code type bit,
Security Signatures, Extended Attributes are not
set in Samba. But Windows did.
In the Security Descriptor, Samba responded with owner ACL
and group ACL as well as NT User ACL. But Windows
only simply responded with an ACL only for owner.

2) Incoming requests after the NT_QUERY_SECURITY_DESC
request are different from Windows.
If profiles are stored in a Windows domain member,
incoming requests are close/NT_Create_AndXs/ReadAndXs
for loading a profile. If profiles are stored to
Samba, I can only see Close/Logoff/TreeDisconnect
requests. No profile loading requests occurred
from the Windows client.

So my case doesn't look like a profile owner issue.
Could I ask you if you successfully use roaming
profiles in Samba domain level? Is it 2.2 or 3.0?

Thanks for your response.
-Ying




> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 28, 2005 10:50 PM
> To: Li, Ying (ESG); samba@lists.samba.org
> Subject: RE: [Samba] Roaming profiles in domain level
> 
> Hi,
> 
> Windows checks the security acl of a profile.
> The user must be owner!
> 
> With kind regards,
> 
> 
> 
> Dirk Laurenz
> Systems Engineer  
> 
> Fujitsu Siemens Computers
> S CE DE SE PS N/O
> Sales Central Europe Deutschland
> Professional Service Nord / Ost
> 
> Hildesheimer Strasse 25
> 30880 Laatzen
> Germany
> 
> Telephone:+49 (511) 84 89 - 18 08
> Telefax:  +49 (511) 84 89 - 25 18 08
> Mobile:   +49 (170) 22 10 781
> Email:mailto:[EMAIL PROTECTED]
> Internet: http://www.fujitsu-siemens.com
> http://www.fujitsu-siemens.de/services/index.html
>   
> 
> -|  -Original Message-
> -|  From: 
> -|  [EMAIL PROTECTED]
> -|  rg
> -|  [mailto:[EMAIL PROTECTED]
> -|  .samba.org] On Behalf Of Li, Ying (ESG)
> -|  Sent: Friday, April 29, 2005 12:27 AM
> -|  To: samba@lists.samba.org
> -|  Subject: [Samba] Roaming profiles in domain level
> -|  
> -|  Hi Everyone,
> -|  
> -|  Does anybody use roaming profiles in domain level?
> -|  
> -|  I'm looking for helps for setting up Samba as a NT4 
> domain member to  
> -| support roaming profiles for sharing during domain logon 
> of Windows  
> -| clients. I ran into the problems. log files couldn't show 
> specified  
> -| messages, except for BUFFER_TOO_SMALL.
> -|  
> -|  If a profile share directory is mounted on a Windows NT DC  or a 
> -| Windows  domain member, all Windows clients can successfully use  
> -| roaming profiles  in that share during domain logon. If 
> the profile 
> -| share is  mounted on a  Samba server that is a NT4 domain 
> member, and 
> -| successfully  joined to the  domain, then all Windows 
> client can save 
> -| profiles to the  share. But only  Windows NT clients can 
> load roaming 
> -| profiles from Samba.
> -|  WinXP(SP1/SP2)
> -|  and Win2K(SP4) couldn't download roaming profiles from  Samba 
> -| profiles  share.
> -|  
> -|  I captured network traffics of domain logon for profiles  
> stored on 
> -| both  Windows and Samba domain members. By comparing 
> behaviors,  it 
> -| looks Samba  couldn't handle the case well. I've tried both 
> -| Samba2.2.12 and  samba3.0.7. All have the same problem. So  I'm 
> -| looking for others' experiences, and see if Samba has  
> capability to  
> -| provide roaming profiles in domain level.
> -|  
> -|  I have all log files or ethereal log files. If needed, I  
> can send 
> -| to you  as reference. Any hints or helps, it would be greatly 
> -| appreciated.
> -|  
> -|  Thanks in advance.
> -|  -Ying Li
> -|  
> -|  smb.conf
> -|  [global]
> -|  server string = Samba Serves as Roaming profiles
> -|  security = DOMAIN
> -|  workgroup = NT4_DOMAIN_NAME
> -|  password server = *
> -|  encrypt passwords = yes
> -|  log level = 10
> -|  log file = /var/opt/samba/log.%m  # followings for 
> Samba3.0 only
> -|  idmap uid = 1-2
> -|  idmap gid = 1-2
> -|  winbind use default domain = yes
> -|  winbind enum users = yes
> -|  winbind enum g

RE: [Samba] Roaming profiles in domain level

2005-04-28 Thread Dirk.Laurenz
Hi,

Windows checks the security acl of a profile.
The user must be owner!

With kind regards,



Dirk Laurenz
Systems Engineer

Fujitsu Siemens Computers
S CE DE SE PS N/O
Sales Central Europe Deutschland 
Professional Service Nord / Ost

Hildesheimer Strasse 25
30880 Laatzen
Germany

Telephone:  +49 (511) 84 89 - 18 08
Telefax:+49 (511) 84 89 - 25 18 08
Mobile: +49 (170) 22 10 781
Email:  mailto:[EMAIL PROTECTED]
Internet:   http://www.fujitsu-siemens.com
http://www.fujitsu-siemens.de/services/index.html
  

-|  -Original Message-
-|  From: 
-|  [EMAIL PROTECTED]
-|  rg 
-|  [mailto:[EMAIL PROTECTED]
-|  .samba.org] On Behalf Of Li, Ying (ESG)
-|  Sent: Friday, April 29, 2005 12:27 AM
-|  To: samba@lists.samba.org
-|  Subject: [Samba] Roaming profiles in domain level
-|  
-|  Hi Everyone,
-|  
-|  Does anybody use roaming profiles in domain level?
-|  
-|  I'm looking for helps for setting up Samba as a NT4 domain member to
-|  support roaming profiles for sharing during domain logon of Windows
-|  clients. I ran into the problems. log files couldn't show specified
-|  messages, except for BUFFER_TOO_SMALL. 
-|  
-|  If a profile share directory is mounted on a Windows NT DC 
-|  or a Windows
-|  domain member, all Windows clients can successfully use 
-|  roaming profiles
-|  in that share during domain logon. If the profile share is 
-|  mounted on a
-|  Samba server that is a NT4 domain member, and successfully 
-|  joined to the
-|  domain, then all Windows client can save profiles to the 
-|  share. But only
-|  Windows NT clients can load roaming profiles from Samba. 
-|  WinXP(SP1/SP2)
-|  and Win2K(SP4) couldn't download roaming profiles from 
-|  Samba profiles
-|  share.
-|  
-|  I captured network traffics of domain logon for profiles 
-|  stored on both
-|  Windows and Samba domain members. By comparing behaviors, 
-|  it looks Samba
-|  couldn't handle the case well. I've tried both Samba2.2.12 and
-|  samba3.0.7. All have the same problem. So 
-|  I'm looking for others' experiences, and see if Samba has 
-|  capability to
-|  provide roaming profiles in domain level.
-|  
-|  I have all log files or ethereal log files. If needed, I 
-|  can send to you
-|  as reference. Any hints or helps, it would be greatly appreciated. 
-|  
-|  Thanks in advance.
-|  -Ying Li
-|  
-|  smb.conf
-|  [global]
-|  server string = Samba Serves as Roaming profiles
-|  security = DOMAIN
-|  workgroup = NT4_DOMAIN_NAME
-|  password server = *
-|  encrypt passwords = yes
-|  log level = 10
-|  log file = /var/opt/samba/log.%m
-|  # followings for Samba3.0 only
-|  idmap uid = 1-2
-|  idmap gid = 1-2
-|  winbind use default domain = yes
-|  winbind enum users = yes
-|  winbind enum groups = yes
-|  winbind separator = ;
-|  [profiles]
-|  path = /profiles
-|  browseable = no
-|  guest ok = yes
-|  
-|  The directory /profiles is owned by root with 777 permission, and
-|  includes all directories for a profile saved by Windows. On 
-|  Windows DC,
-|  setup profile path to \\sambaserver\profiles\username for all domain
-|  users. 
-|  


[Samba] Roaming profiles in domain level

2005-04-28 Thread Li, Ying (ESG)
Hi Everyone,

Does anybody use roaming profiles in domain level?

I'm looking for help setting up Samba as an NT4 domain member to
support roaming profiles for sharing during domain logon of Windows
clients. I ran into problems. Log files couldn't show specified
messages, except for BUFFER_TOO_SMALL.

If a profile share directory is mounted on a Windows NT DC or a Windows
domain member, all Windows clients can successfully use roaming profiles
in that share during domain logon. If the profile share is mounted on a
Samba server that is an NT4 domain member, and successfully joined to the
domain, then all Windows clients can save profiles to the share. But only
Windows NT clients can load roaming profiles from Samba. WinXP(SP1/SP2)
and Win2K(SP4) couldn't download roaming profiles from the Samba profiles
share.

I captured network traffic of domain logon for profiles stored on both
Windows and Samba domain members. By comparing behaviors, it looks like Samba
couldn't handle the case well. I've tried both Samba2.2.12 and
samba3.0.7. All have the same problem. So
I'm looking for others' experiences, to see if Samba has the capability to
provide roaming profiles in domain level.

I have all log files or ethereal log files. If needed, I can send them to you
as reference. Any hints or help would be greatly appreciated.

Thanks in advance.
-Ying Li

smb.conf
[global]
server string = Samba Serves as Roaming profiles
security = DOMAIN
workgroup = NT4_DOMAIN_NAME
password server = *
encrypt passwords = yes
log level = 10
log file = /var/opt/samba/log.%m
# followings for Samba3.0 only
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind separator = ;
[profiles]
path = /profiles
browseable = no
guest ok = yes

The directory /profiles is owned by root with 777 permission, and
includes all directories for a profile saved by Windows. On Windows DC,
setup profile path to \\sambaserver\profiles\username for all domain
users. 