[Samba] Roaming profiles

Hi people. I'm in need of help as far as roaming profiles are concerned.
Allow me as I know this issue has been discussed timelessly but let me just
ask it because I have been unable to get it to work.

My Samba + Ldap setup is fine and XP users can authenticate alright. I'm
using samba 3.0.28. However when logging in for the first time, they get the
message;

Windows cannot locate a server copy.... -Access is denied

When logging off,

Windows cannot update your roaming profile... -Access is denied

I copied the profiles across from another server, so the first error does
not come up except for new users and the old profiles are mapped onto the
users machines just fine.

I think I've done everything for roaming profiles to work including

    mkdir -p /var/lib/samba/profiles
    chown root:users /var/lib/samba/profiles
    chmod 2775 /var/lib/samba/profiles

    chown -R user /var/lib/samba/profiles/user/

The samba logs don't show any errors.

Below is my smb.conf file

[global]
        workgroup = EXAMPLE
        netbios name = EXAMPLE_SERVER
        server string = Samba Server Version %v
        passdb backend = ldapsam:ldap://example.org/
        log file = /var/log/samba/%m.log
        max log size = 50
        add user script = /usr/sbin/adduser -m "%u"
        add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
        logon script = %u.bat
        logon path = \\EXAMPLE_SERVER\profiles\%U
        logon home = \\EXAMPLE_SERVER\%U
        domain logons = Yes
        domain master = Yes
        ldap admin dn = "cn=config"
        ldap group suffix = ou=groups
        ldap machine suffix = ou=machines
        ldap passwd sync = Yes
        ldap suffix = dc=example,dc=org
        ldap user suffix = ou=people
        cups options = raw
[homes]
        comment = Home Directories
        validusers = %S
        read only = No
        browseable = No
        writable = Yes
        create mask= 0700
        directory mask = 0700
[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        share modes = No
        guest ok = Yes
[profiles]
        path = /var/lib/samba/profiles
        read only = No
        writable = Yes
        profile acls = Yes
        comment = User profiles
        create mask = 0600
        browsable = no
        directory mask = 0700

My searches on the web have not helped much. I am running on a Red Hat like
system (CentOS 5).

Someone please help. I will be eternally grateful.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Hi

Remove the profile acls = yes and add:

        browseable = Yes
        csc policy = disable
        force user = %U
        valid users = %U @"Domain Admins"

Louis

On 8/19/2008, L.P.H. van Belle (belle@bazuin.nl) wrote:
> Remove the profile acls =yes

???

Isn't this REQUIRED for the profiles share?

--
Best regards,
Charles

On Tuesday 19 August 2008 07:18:56 Mugo Martin wrote:
> Hi people. Im in need of help as far as roaming profiles are concerned.
> Allow me as I know this issue has been discussed timelessly but let me just
> ask it because I have been unable to get it to work.
>
> My Samba + Ldap setup is fine and XP users can authenticate alright. Im
> using samba 3.0.28. However when logging in for the first time, they get
> the message;
>
> Windows cannot locate a server copy.... -Access is denied
>
> When logging off,
>
> Windows cannot update your roaming profile... -Access is denied
>
> I copied the profiles across from another server, so the first error does
> not come up except for new users and the old profiles are mapped onto the
> users machines just fine.

Did you copy the domain SID from the old server to the new one?

- John T.

--
John H Terpstra
"Don't do as I do; Show me better!" - Anonymous.

nope

>-----Original message-----
>From: Charles Marcus [mailto:CMarcus@media-brokers.com]
>Sent: Tuesday 19 August 2008 15:39
>To: L.P.H. van Belle
>CC: samba@lists.samba.org
>Subject: Re: [Samba] Roaming profiles
>
>On 8/19/2008, L.P.H. van Belle (belle@bazuin.nl) wrote:
>> Remove the profile acls =yes
>
>???
>
>Isn't this REQUIRED for the profiles share?
>
>--
>
>Best regards,
>
>Charles

Maybe you could provide a level 10 log of when the first error happens
(for a new user).

Are all your users members of the group "users"?
Are all the underlying directories (/var /var/lib /var/lib/samba ...) set
with at least the o+x permission on the file system?

François
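The file-system questions raised so far in the thread (does every parent directory of the share carry o+x, and does each per-user directory belong to its user with nothing open to group or other), as an added shell example that is not part of any poster's message. It assumes GNU stat and that each directory under the profile root is named after its owner, as `logon path = \\EXAMPLE_SERVER\profiles\%U` implies; the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: file-system checks for a Samba
# roaming-profile tree. Assumes GNU stat (coreutils), as on CentOS.

# Print every directory from $1 up to $2 (default /) that lacks the
# "other" execute bit. A user who is neither the owner nor in the owning
# group cannot traverse such a directory, so the share path is unreachable.
untraversable_ancestors() {
    dir=$1
    stop=${2:-/}
    while :; do
        mode=$(stat -c '%a' "$dir") || return 1
        # %a is octal without a leading 0; prefix one so the shell reads octal
        [ $((0$mode & 01)) -ne 0 ] || printf '%s\n' "$dir"
        case $dir in "$stop"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
}

# For each directory directly under profile root $1 print
#   OWNER <dir> <owner>  if the owner differs from the directory name
#   MODE <dir> <mode>    if group or other hold any permission bit
audit_profile_dirs() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        owner=$(stat -c '%U' "$d") || return 1
        mode=$(stat -c '%a' "$d") || return 1
        [ "$owner" = "$(basename "$d")" ] || printf 'OWNER %s %s\n' "$d" "$owner"
        [ $((0$mode & 077)) -eq 0 ] || printf 'MODE %s %s\n' "$d" "$mode"
    done
}

# Usage (hypothetical script name): sh audit.sh /var/lib/samba/profiles
if [ "$#" -gt 0 ]; then
    untraversable_ancestors "$1" | sed 's/^/NO-TRAVERSE /'
    audit_profile_dirs "$1"
fi
```

Any line of output marks a directory to inspect before raising the Samba log level; an empty result means the "Access is denied" error is more likely to come from the share definition or the SID mapping than from Unix permissions.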

Hi all, thanks for your replies

I got the profiles to work, did not remove the

        profile acls = Yes

line. This is my profiles section;

[profiles]
        comment = User profiles
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes
        valid users = %U
        force user = %U

That together with the other mentioned configs and commands. Added a line
not in the Samba 3.0.28 master configuration files however. Don't know
whether this is right.

John, the SIDs are different and I had to use this guide to migrate them
because the UIDs and passwords are different on either server.

http://lists.samba.org/archive/samba...er/115326.html

ps: My setup (CentOS 5.1, Samba 3.0.28, Openldap 2.x.x)

Best regards,
Martin.

On Wed, 20 Aug 2008, Mugo Martin might have said:

> Hi all, thanks for your replies
>
> I got the profiles to work, did not remove the
>
> profile acls = Yes
>
> line. This is my profiles section;
>
> [profiles]
>         comment = User profiles
>         path = /var/lib/samba/profiles
>         read only = No
>         profile acls = Yes
>         valid users = %U
>         force user = %U

I added the 'profile acls = Yes' to my /etc/samba/smb.conf, ran
'testparm', then 'service smb condrestart'. All seemed ok, so I
logged out of my xp work station, booted the work station, and logged
back in. When logging in I get the error that my roaming profile is not
valid/available. The detail says 'the specified network name is no longer
available.' So I reversed the change, bounced samba again (the service,
not the box), logged out of xp, booted, and logged back in and got the
same error.

Any ideas what's going on?

Mike

On Fri, 22 Aug 2008, Mike Eggleston might have said:

> Any ideas what's going on?
>
> Mike

Forgot:

Fedora Core 5, latest patches

Samba:
[mikee@elo ~]$ rpm -qa | grep samba
samba-client-3.0.24-7.fc5
system-config-samba-1.2.34-1
samba-swat-3.0.24-7.fc5
samba-common-3.0.24-7.fc5
samba-3.0.24-7.fc5

LDAP:
[mikee@elo ~]$ rpm -qa | grep ldap
openldap-clients-2.3.30-2.fc5
openldap-2.3.30-2.fc5
ldapjdk-4.17-1jpp_3fc.1.1
openldap-servers-2.3.30-2.fc5
nss_ldap-249-1
python-ldap-2.0.6-5.2.1
cyrus-sasl-ldap-2.1.21-10
openldap-devel-2.3.30-2.fc5
smbldap-tools-0.9.2-3.fc5
mod_authz_ldap-0.26-6.2.1

Mike

yes, turn off Profile acls,

and if that does not work try, enable the group policies for "Do not check
for user ownership of Roaming Profile Folders" and "Add the Administrator
security group to the roaming user profile share" policy using "Start" menu
-> "Run", enter "gpedit.msc" -> under "Computer Configuration" ->
"Administrative Templates" -> "System" -> "User Profiles" and enabling these
two properties.

/snap from man smb.conf

profile acls (S)

    This boolean parameter was added to fix the problems that people have
    been having with storing user profiles on Samba shares from Windows 2000
    or Windows XP clients. New versions of Windows 2000 or Windows XP
    service packs do security ACL checking on the owner and ability to write
    of the profile directory stored on a local workstation when copied from
    a Samba share.

    When not in domain mode with winbindd then the security info copied onto
    the local workstation has no meaning to the logged in user (SID) on that
    workstation so the profile storing fails. Adding this parameter onto a
    share used for profile storage changes two things about the returned
    Windows ACL. Firstly it changes the owner and group owner of all
    reported files and directories to be BUILTIN\Administrators,
    BUILTIN\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
    it adds an ACE entry of "Full Control" to the SID BUILTIN\Users to every
    returned ACL. This will allow any Windows 2000 or XP workstation user to
    access the profile.

    Note that if you have multiple users logging on to a workstation then in
    order to prevent them from being able to access each others profiles you
    must remove the "Bypass traverse checking" advanced user right. This
    will prevent access to other users profile directories as the top level
    profile directory (named after the user) is created by the workstation
    profile code and has an ACL restricting entry to the directory tree to
    the owning user.

    ===>>> Default: profile acls = no

Louis