Samba PDC roaming profiles problem

Alex de Kruijff alexk at specialisterren.nl
Tue Aug 3 09:04:58 UTC 2010


On 2-8-2010 21:26, David N wrote:
> On 2 August 2010 21:32, Alex de Kruijff<alexk at specialisterren.nl>  wrote:
>    
>> Hi,
>>
>> I've setup a LDAP backend Samba PDC. I can gain access to shares and
>>
>> login with a user that is in LDAP, but have a problem setting up the
>> roaming profile stuff. I've been trying to solve this problem for some
>> time now, and have tried everything I could think of, but without much
>> luck. I keep getting the following error messages:
>>
>> "Windows cannot locate the server copy of your roaming profile and is
>> attempting to log you on with your local profile. Changes to the profile
>> will not be copied to the server when you logoff. Plausible causes of
>> this error include network problem or insufficient security rights. If
>> this problem persists, contact your network administrators. DETAILS -
>> The network path was not found."
>>
>> Followed by:
>>
>> "Windows cannot find the local profile and is logging on with a temporary
>> profile. Changes to this profile will be lost when you logoff."
>>
>> Here is my smb.conf:
>>
>>      
>>> [global]
>>>      security = user
>>>      name resolve order = wins lmhosts hosts bcast
>>>      deadtime = 15
>>>      map to guest = Never
>>>      csc policy = disable
>>>      hosts allow = 127. 192.168.
>>>      server string =
>>>      workgroup = Nieuwegein
>>>      time server = yes
>>>      wins support = yes
>>>      domain master = yes
>>>      domain logons = yes
>>>     encrypt passwords = yes
>>>      local master = yes
>>>      logon drive = Z:
>>>      logon path = \\%L\profiles\%U
>>>      preferred master = yes
>>>      os level = 255
>>>      encrypt passwords = yes
>>>      passdb backend = ldapsam:ldap://localhost/
>>>      enable privileges = Yes
>>>      pam password change = yes
>>>      passwd program = /usr/local/sbin/smbldap-passwd %u
>>>      passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>>      
>>>      unix password sync = Yes
>>>      ldap delete dn = Yes
>>>      ldap ssl = Off
>>>      ldap passwd sync = Yes
>>>      ldap admin dn = cn=admin,dc=specialisterren,dc=nl
>>>      ldap suffix = dc=specialisterren,dc=nl
>>>      ldap group suffix = ou=Groups
>>>      ldap idmap suffix = ou=Users
>>>      ldap machine suffix = ou=Computers
>>>      ldap user suffix = ou=Users
>>>      idmap backend = ldap:ldap://localhost
>>>      idmap uid = 10000-20000
>>>      idmap gid = 10000-20000
>>>      add user script = /usr/local/sbin/smbldap-useradd -a -m "%u"
>>>      delete user script = /usr/local/sbin/smbldap-userdel "%u"
>>>      add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>>      delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>>>      add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>      
>>>      delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>      
>>>      set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>      
>>>      add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>>     template homedir = /home/%U
>>>      template shell = /bin/csh
>>>     getwd cache = yes
>>>     socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=819
>>>     use sendfile = yes
>>>     mangle prefix = 6 # How to mangle Long Filenames in to 8.3 DOS
>>>     log level = 1
>>>     log file = /var/log/samba/log.%m
>>>     max log size = 50
>>>      syslog = 0
>>>
>>>   [template]
>>>   # edited out, has no path
>>>
>>>   [homes]
>>>     comment = Home users
>>>     inherit owner = yes
>>>     dos filemode = yes
>>>     writable = yes
>>>     read list = @wheel @"Domain Admins"
>>>     valid users = "%S"
>>>      create mask = 0740
>>>      directory mask = 0750
>>>      aio read size = 16384
>>>
>>>   [netlogon]
>>>      comment = Network Logon Service
>>>      path = /disk/netlogon
>>>      browseable = no
>>>      read only = yes
>>>      aio read size = 16384
>>>
>>>   [profiles]
>>>      comment = Roaming Profiles Directory
>>>      path = /disk/profiles
>>>      administrative share = true
>>>      browseable = no
>>>     writable = yes
>>>      create mask = 0600
>>>      directory mask = 0700
>>>      aio read size = 16384
>>>      public = yes
>>>      # The root preexec command performs:
>>>     # mkdir -pm 750 /disk/profiles/%U-%a; chown %U /disk/profiles/%U-%a
>>>      # I started off without this.
>>>      root preexec = /root/sbin/profiles.sh %U %a
>>>
>>> # edited out other shares
>>>        
>> ldapsearch gives me:
>>      
>>>   # tester, Users, specialisterren.nl
>>>   dn: uid=tester,ou=Users,dc=specialisterren,dc=nl
>>>   objectClass: top
>>>   objectClass: person
>>>   objectClass: organizationalPerson
>>>   objectClass: inetOrgPerson
>>>   objectClass: posixAccount
>>>   objectClass: shadowAccount
>>>   objectClass: sambaSamAccount
>>>   cn: tester
>>>   sn: tester
>>>   givenName: tester
>>>   uid: tester
>>>   uidNumber: 10005
>>>   gidNumber: 513
>>>   homeDirectory: /home/tester
>>>   loginShell: /bin/sh
>>>   gecos: Tes ter
>>>   sambaLogonTime: 0
>>>        
>> (Edited out the other stuff)
>>
>> I can access \\Server\profiles, \\Server\netlogon using my tester
>> account. /etc/passwd contains no line with the user tester. And I can
>> login under SSH with the tester account.
>>
>> ll -d /disk/{netlogon,profiles} gives me:
>> drwxr-xr-x  2 root  wheel  512 Mar 16 11:09 /disk/netlogon/
>> drwxrwxrwt  2 root  wheel  512 Aug  2 12:41 /disk/profiles/
>>
>> Alex
>>
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>
>>      
> Have you installed /usr/ports/net/smbldap-tools/? Although you don't
> need it, it helps when creating users.
>
> Do you have
> sambaProfilePath in your ldap?
>
> Regards
>    

Hi David.

Yes, I've populated the LDAP with smbldap-populate -u 10000 -g 10000 -r 0000.
I did notice various entries with out of range uid and gid number.
nobody (uid 999 gid 514), domain admins (gid 512), domain users (gid 
513), domain computers (gid 515), Administrator (gid 544), Account 
Operators (gid 548), Print Operators (gid 550), Backup Operators (gid 
551), Replicators (gid 552).

 > # pkg_info | grep ldap
 > nss_ldap-1.264_3    RFC 2307 NSS module
 > openldap-client-2.4.18 Open source LDAP client implementation
 > openldap-server-2.4.18_1 Open source LDAP server implementation
 > p5-perl-ldap-0.39   A Client interface to LDAP (includes Net::LDAP)
 > pam_ldap-1.8.4_1    A pam module for authenticating with LDAP
 > php5-ldap-5.2.11    The ldap shared extension for php
 > phpldapadmin-1.2.0.3,1 A set of PHP-scripts to administer LDAP over the web
 > smbldap-tools-0.9.5 Samba-LDAP management and support tools

 > # pkg_info | grep samba
 > samba-3.3.8         A free SMB and CIFS client and server for UNIX
 > samba-libsmbclient-3.0.37 Shared libs from the samba package

I see I left half of the tester LDAP entry out:

 > sambaLogoffTime: 2147483647
 > sambaKickoffTime: 2147483647
 > sambaPwdCanChange: 0
 > displayName: tester
 > sambaSID: S-1-5-21-914212253-3526360373-1445599473-21010
 > sambaPrimaryGroupSID: S-1-5-21-914212253-3526360373-1445599473-513
 > sambaProfilePath: \\%L\profiles\tester
 > sambaHomePath: \\%L\homes\%u
 > sambaHomeDrive: Z:
 > sambaNTPassword: 588FEB889288FB953B5F094D47D1565C
 > sambaPwdMustChange: 1284288886
 > shadowLastChange: 14819
 > shadowMax: 45
 > sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
 > sambaPwdLastSet: 1280752203
 > sambaAcctFlags: [U          ]
 > userPassword:: e1NTSEF9dUMzUFFUcFEzNE5CT0ZCb1hZVytXTHROUEpEU2FpeHc=

Also I'm getting these error messages:
 > # cat /var/log/samba/log.wb-NIEUWEGEIN
 > [2010/08/03 10:46:11,  1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(755)
 >   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SERVER, pipe \lsarpc, fnum 0x7779!

 > # cat /var/log/samba/log.winbindd
 > [2010/08/03 10:45:39,  0] winbindd/winbindd.c:main(1126)
 >   winbindd version 3.3.8 started.
 >   Copyright Andrew Tridgell and the Samba Team 1992-2009
 > [2010/08/03 10:45:39,  0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
 >   initialize_winbindd_cache: clearing cache and re-creating with version number 1
 > [2010/08/03 10:46:11,  1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(755)
 >   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SERVER, pipe \lsarpc, fnum 0x777a!

 > # cat /var/log/samba/log.winbindd-idmap
 > [2010/08/03 10:45:39,  1] winbindd/idmap.c:idmap_init_passdb_domain(438)
 >   Could not init passdb idmap domain
 > [2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap_alloc(201)
 >   idmap_alloc module ldap already registered!
 > [2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap_alloc(201)
 >   idmap_alloc module tdb already registered!
 > [2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap(149)
 >   Idmap module passdb already registered!
 > [2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap(149)
 >   Idmap module nss already registered!
 > [2010/08/03 10:45:39,  0] winbindd/idmap_ldap.c:idmap_ldap_set_mapping(1449)
 >   ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 11109 mapping [gidNumber]
 > [2010/08/03 10:45:39,  0] winbindd/idmap_ldap.c:idmap_ldap_set_mapping(1451)
 >   ldap_set_mapping_internals: Error was: (NULL) (Already exists)
 > [2010/08/03 10:46:14,  1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(755)
 >   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SERVER, pipe \lsarpc, fnum 0x7779!

Alex

