# [HOWTO] :: Implement Samba as your PDC

## Ateo

NOTE: This HOWTO has been added to gentoo-wiki.com. 

How to implement Samba as your PDC (Primary Domain Controller) for your domain

23 December 2004

Version 1.0

Disclaimer: This HOWTO has no guarantee. Use at your own risk. Back up any relevant data before proceeding. If you break your system, it's up to you to fix it. Don't blame me (or the Gentoo forums) as I/we bear no responsibility if you are inept with simple procedures. Please read through this HOWTO prior to any attempt at installing your Samba PDC.

Resources:

O'Reilly - Using Samba -- This is a slightly outdated book but its help is priceless.

samba.org -- Excellent resource for parameter definitions. Not a good resource to learn samba with.

Gentoo Forums Thread #1

Gentoo Forums Thread #2

Synopsis

This HOWTO was created because all of the resources that I encountered were either outdated or simply incorrect. This is the step-by-step outline that I used to successfully implement a Samba server as my PDC on my local network. This should work for anyone that attempts this implementation.

This HOWTO describes how to implement samba as your PDC so that a) users on your domain authenticate against a central domain controller and b) selected network drives are mapped on login. In addition, this will also explain how to implement a roaming profile. This HOWTO is practical only for domains which employ Windows 2000 professional workstations. I have not attempted nor tested against any other version of Windows. However, I know it can be done, just do some research.

What this HOWTO will do

- Allow Windows 2000 clients to authenticate via your samba server
- Provide mapped drives (based on logon scripts)
- Execute a logon script
- Enable use of roaming profiles

Roaming profiles defined: Windows 2000 supports roaming user profiles, which allow certificates to follow users no matter which computer they use to log on. When roaming profiles are enabled, user profiles, including issued certificates and private keys, are stored on the domain controller. The roaming profiles are downloaded to the computer during the logon process for the user.

What this HOWTO will not do

- Allow Windows 9x/XP clients to authenticate via your samba server
- Configure your Samba server for print sharing

To my knowledge, Win9x and XP need different configuration (including registry hacks), thus this HOWTO does not detail configuration for said clients. Plus, who really uses 9x anymore? If you do, upgrade. However, I have been informed this HOWTO also works for 9x/XP workstations, but I can't confirm that since neither of those versions of Windows exists on this network/domain.

If you wish to implement print sharing, follow this HOWTO and add only relevant printer information. Don't forget to add cups support when compiling samba.

Step by Step

1. Configure USE variable in /etc/make.conf
2. Install Samba (version 3.0.9 (portage version 3.0.9-r1) as of this writing)
3. Configure Samba
4. Configure Win2k workstations
5. More Samba configuration
6. Final steps

USE Flag configuration

These are the flags I've configured on my machine. Make sure that you enable pam (or kerberos/ldap depending on what auth method you wish to employ) and python, the rest are optional, depending on your needs. Enable cups for samba printer sharing.

```
-acl -cups -debug -doc -kerberos -ldap* -libclamav -mysql -oav +pam -postgres +python -quotas +readline (-selinux) +winbind +xml +xml2
```

For those not using portage, these are the equivalent compile-time options.

Install Samba

Probably the easiest step. It is good practice to always do a pretend/verbose before installing any package. This way you know what is going to be installed (focusing on dependencies, if any). Kick back for a while as it takes about 15-30 minutes to install Samba, depending on hardware/optimizations. It'll take longer if any dependencies need to be installed.

```
emerge sync
emerge samba -pv
emerge samba
```

Configure Samba

Now we venture into configuring samba. For some, this is easy, for others, it's a pain in the arse as it was for me but at least I learned.

The first file we need to edit is /etc/samba/smb.conf. So fire that up with your favorite text editor. The first section we will configure is the [global] services section, followed by [netlogon], [profiles], [homes] and other services sections. Please note that parameter values reflect my network. You'll need to change some values to meet your criteria.

The [global] service section

netbios name sets the NetBIOS name by which a Samba server is known. This is what you'll see in network neighborhood. workgroup controls what workgroup your server will appear to be in when queried by clients. server string controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view.

```
  ; choose your own NetBIOS name
  netbios name = shadow
  workgroup = YOUR_DOMAIN
  server string = PDC [on Gentoo :: Samba server %v]
```

hosts allow is a comma, space, or tab delimited set of hosts which are permitted to access a service. security affects how clients respond to Samba and is one of the most important settings in the smb.conf file. encrypt passwords controls whether encrypted passwords will be negotiated with the client. socket options allows you to set socket options to be used when talking with the client. It is for performance fine tuning. If you find more/better options, I'd love to know of them. interfaces allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. bind interfaces only allows the Samba admin to limit what interfaces on a machine will serve SMB requests.

```
  hosts allow = 192.168.4.0/24 127.0.0.0/8
  security = user
  encrypt passwords = yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  interfaces = lo eth0
  bind interfaces only = yes
```

To make your Samba server the PDC, the following 4 parameters are required. Setting your OS level to 65 ensures your server WILL BE the PDC in a network where there are other DCs. local master allows nmbd to try and become a local master browser on a subnet. os level controls what level Samba advertises itself as for browse elections. domain master enables WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain-specific NetBIOS name that identifies it as a domain master browser for its given workgroup. preferred master controls if nmbd is a preferred master browser for its workgroup.

```
  local master = yes
  os level = 65
  domain master = yes
  preferred master = yes
```

null passwords allows or disallows client access to accounts that have null passwords. hide unreadable prevents clients from seeing the existence of files that cannot be read. hide dot files controls whether files starting with a dot appear as hidden files.

```
  null passwords = no
  hide unreadable = yes
  hide dot files = yes
```

domain logons dictates whether the Samba server will serve Windows Domain logons for the workgroup it is in. logon script specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. logon path specifies the home directory where roaming profiles (NTuser.dat etc files for Windows NT) are stored. logon drive specifies the local path to which the home directory will be connected and is only used by NT Workstations. logon home specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. Please note that variables %L and %U must be used. They define the server name and username (respectively). You may specify any drive letter as long as it does not conflict with other drives on your Win2k client.

For logon script, I personally use a static file name. Using %U will require a batch file for each user as %U == the username establishing the connection.

```
  domain logons = yes
  ; a static file name, or %U.bat for one script per user
  logon script = login.bat
  logon path = \\%L\profiles\%U
  logon drive = H:
  logon home = \\%L\%U\.9xprofile
```

wins support controls if the nmbd process in Samba will act as a WINS server. name resolve order is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. dns proxy specifies that nmbd, when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

```
  wins support = yes
  name resolve order = wins lmhosts hosts bcast
  dns proxy = no
```

time server determines if nmbd advertises itself as a time server to Windows clients. log file option allows you to override the name of the Samba log file (also known as the debug file). max log size specifies the max size the log file should grow to. smb passwd file sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.

```
  time server = yes
  log file = /var/log/samba3/log.%m
  max log size = 50
  # location of the samba password file
  smb passwd file = /etc/samba/private/smbpasswd
```

The following are parameters to assist you in adding/deleting users/machines from a client. Please refer to the O'Reilly book listed in sources at the beginning of this HOWTO.

```
  add user script = /usr/sbin/useradd -m %u
  delete user script = /usr/sbin/userdel -r %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  add user to group script = /usr/sbin/usermod -G %g %u
  add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
  passwd program = /usr/bin/passwd %u
  passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r "*Password changed*"
```

unix charset specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

```
  unix charset = ISO8859-1
```

The [SHARE_NAME] services section

This section defines your shares. If you include a parameter within any one of these sections that is defined in the global section it will override the parameter in the global section. I'm not going to get into detail about each and every parameter here. The samba link provided above is a great resource for defining parameters. Use it!

netlogon is the service section of where your Default Profile (for new users) and your login script reside. Make sure the directory is owned and group owned by root and permissions are 755 (chmod -R 0755).

```
[netlogon]
  path = /var/lib/samba/netlogon
  public = no
  writeable = no
  browseable = no
```

profiles is the service section for user roaming profiles. Make sure the directory proper is owned and group owned by root. Make sure its permission is 755 (chmod -R 0755). Inside this directory is where your user profiles are located. Make sure the user profile directories themselves are owned by the user and group owned by users. Make sure user directory permissions are 770 (chmod -R 0770).

```
[profiles]
  path = /var/lib/samba/profiles
  browseable = no
  writeable = yes
  default case = lower
  preserve case = no
  short preserve case = no
  case sensitive = no
  hide files = /desktop.ini/ntuser.ini/NTUSER.*/
  write list = @smbusers @root
  create mode = 0600
  directory mode = 0700
```

homes defines the users home directory. Nothing special needs to be done to this directive or directory.

```
[homes]
  path = /home/%U
  browseable = no
  valid users = %S
  writable = yes
  guest ok = no
  inherit permissions = yes
```

public is an example of one of my shares. You can define as many as you want. You can name them whatever you want.

```
[public]
  comment = Public Stuff
  path = /public
  public = yes
  writeable = no
  browseable = yes
  write list = @users
```

Adding users to Samba

The drawback to using samba is that users have to be added twice. Once to your /etc/passwd and once to /etc/samba/private/smbpasswd. I'm going to assume you already have a regular daily user so I'm going to skip the "adduser" unix command. Obviously, and hopefully, root exists on your system. =)

Both of the following commands will prompt you for a password. My suggestion is to keep your [Samba] root password the same as your [Unix] system root password. Apply the same to your user password. Keep things simple.

```
smbpasswd -a your_user
smbpasswd -a root
```

Configuring Windows 2000 clients

This is another simple step. Log into your Windows 2000 client locally as Administrator and add your client machine to your domain. This is achieved by right clicking My Computer => Properties => Network Identification => Properties button. You will be prompted for a username/password of an authorised domain user. You'll need to use your root account (the reason root was added to smbpasswd).

After changing your domain, you'll need to reboot (no surprise there). When it reboots, you'll have the fancy login screen with the nice little graphic instructing you to do a "ctrl-alt-del" to get to the actual login screen. If you only see fields for your username and password, click on the "Options" button and a domain dropdown will appear. Your choices should be "computer name\local" AND your new domain.

In order to employ roaming profiles, you need to establish a "Default Profile" on Samba. This requires you to copy the content of C:\Documents and Settings\Default Profile to your samba server. You will need to copy it into the directory specified in your [netlogon] service. This way your users will have a default profile to log into (assuming the usage of roaming profiles).

I suggest making sure the latest service pack is installed.

After adding the client to the domain and rebooting, let's leave this screen as is. We'll come back to it later.

More Samba Configuration

We're almost there.

This step maps your Windows groups to your Unix groups. This is an important step if you want admin rights on your Windows clients once you have logged onto the client authorizing against the PDC.

First, view the list of Windows groups. This way you know what you're mapping.

```
root@shadow profiles # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-3885047494-3765334852-1543503842-514) -> nobody
Domain Admins (S-1-5-21-3885047494-3765334852-1543503842-512) -> ntadmins
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> 1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3885047494-3765334852-1543503842-513) -> users
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
```

As you can see, I've only mapped 3 groups as this is all that I require on my domain. Additionally, I created a Unix group called "ntadmins".

```
root@shadow profiles # groupadd ntadmins
```

After you create your required Unix groups, you need to map them to your Windows groups, replacing the ntgroup value with a Windows group listed above and the unixgroup value with the Unix group you wish to map the Windows group to (remember, the Unix group must already exist).

```
root@shadow profiles # net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins
```

You'll need to perform this command for each Unix group you wish to map. You can now use your new groups for specific group parameters in either your global or service scopes (please review the O'Reilly book).

Final steps

Now that we are done with configuring Samba, let's start it and add it to your default run levels (or whatever run level you choose)

```
root@shadow profiles # /etc/init.d/samba start
root@shadow profiles # rc-update add samba default
```

At this point, you should be able to log into your domain using your username and password (not root). If you wish to use a roaming profile, you'll need to tell the client. This is done by right clicking My Computer => Properties => User Profiles. Select your user and "Change type".

Fin! Have a Godless day!  :Smile: 

Additional notes

There are a few things I'm unsure of.

- Can Samba be configured to automatically enforce roaming profiles or does this have to be done per client?
- Even with the add user script parameter, how are users added from a Windows client?

Example login.bat script

```
echo Setting Current Time...
net time \\shadow /set /yes
echo Mapping Network Drives to Domain network server...
net use H: /HOME
net use X: \\shadow\public
net use Y: \\shadow\audio
net use Z: \\shadow\video
```

When mapping your home drive, please make sure the letter you specify in logon drive in your global service is the same as in the net use XXX: /HOME command (where XXX = drive letter). Also, please remember, this is the script I use. Change it to suit your needs.

Known Issues

It's been confirmed that wallpapers don't follow with roaming profiles. The wallpaper does load if already cached on the local computer. I'm not sure where the problem exists.

Change log

1.4 - Found some typos, fixed.

1.3 - Moved HOWTO to gentoo-wiki.com. This thread will no longer be updated.

1.2 - Updated note on USE flags

1.1 - Added known issues

1.0 - HOWTO created

Last edited by Ateo on Mon Apr 18, 2005 10:16 pm; edited 11 times in total
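The HOWTO asks for a specific directory layout under the [netlogon] and [profiles] shares (root-owned 0755 share roots, 0770 per-user profile directories). The script below creates that layout and audits it for the usual mistake, a profile directory left readable by other users. It is an added example, not part of the HOWTO; the base path, the user names and the demo() helper are assumptions, and chown is only attempted when run as root.

```python
"""Create and audit the netlogon/profiles directory layout from the HOWTO.
Added example, not part of the original post. It never touches /var/lib/samba
unless you pass that path, and chown is only attempted when running as root."""
import os
import pwd
import stat
import tempfile

NETLOGON_MODE = 0o755     # root-owned, readable by all, writable by none
PROFILES_MODE = 0o755     # the share root, also root-owned
PROFILE_DIR_MODE = 0o770  # each user's profile: owner and group only


def prepare_pdc_dirs(base, users):
    """Create base/netlogon, base/profiles and one profile dir per user with
    the modes the HOWTO gives. chmod is explicit, so umask does not matter."""
    for name, mode in (("netlogon", NETLOGON_MODE), ("profiles", PROFILES_MODE)):
        path = os.path.join(base, name)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    for user in users:
        path = os.path.join(base, "profiles", user)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, PROFILE_DIR_MODE)
        if os.geteuid() == 0:          # only root may chown; skip otherwise
            try:
                pw = pwd.getpwnam(user)
                os.chown(path, pw.pw_uid, pw.pw_gid)
            except KeyError:
                pass                   # no such Unix account (yet)


def audit_pdc_dirs(base):
    """Return problems found: share roots that are group/world writable and
    profile directories that users other than the owner's group can reach."""
    problems = []
    for name in ("netlogon", "profiles"):
        path = os.path.join(base, name)
        if not os.path.isdir(path):
            problems.append(f"{name}: directory missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o022:
            problems.append(f"{name}: group/world writable (0{mode:o})")
    profiles = os.path.join(base, "profiles")
    if os.path.isdir(profiles):
        for user in sorted(os.listdir(profiles)):
            path = os.path.join(profiles, user)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o007:           # "other" bits leak NTUSER.DAT etc.
                problems.append(f"profiles/{user}: accessible to others (0{mode:o})")
    return problems


def demo():
    """Build the layout in a temp dir with two constructed users, loosen one
    profile dir the way a stray chmod -R 777 would, and return the audit."""
    base = tempfile.mkdtemp(prefix="pdc-demo-")
    prepare_pdc_dirs(base, ["alice", "bob"])
    os.chmod(os.path.join(base, "profiles", "bob"), 0o777)
    return audit_pdc_dirs(base)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```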
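A small linter for the PDC parameters the HOWTO walks through (the election settings, security = user, null passwords, hosts allow, and the read-only/writeable split between [netlogon] and [profiles]), which also flags the "hosts" versus "host" token darkphader raises later in this thread. This is an added example, not the HOWTO's or Samba's own code; SAMPLE_SMB_CONF is a constructed config modelled on the sections above, and the checks cover only the parameters and synonyms used on this page.

```python
"""Lint an smb.conf for the PDC settings this HOWTO describes.
Added example, not part of the original post: it only parses text and never
talks to Samba, so it runs on any machine with Python 3."""
import re

# Constructed sample modelled on the HOWTO's [global], [netlogon] and
# [profiles] sections above; not a real host's configuration.
SAMPLE_SMB_CONF = r"""
[global]
  hosts allow = 192.168.4.0/24 127.0.0.0/8
  security = user
  local master = yes
  os level = 65
  domain master = yes
  preferred master = yes
  null passwords = no
  domain logons = yes
  name resolve order = wins lmhosts hosts bcast

[netlogon]
  public = no
  writeable = no

[profiles]
  writeable = yes
  create mode = 0600
  directory mode = 0700
"""


def _norm(name):
    # Samba ignores case and whitespace in parameter and section names.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                        # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = _norm(line[1:-1])
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][_norm(key)] = value.strip()
    return sections


def _is_yes(value):
    return value is not None and value.lower() in ("yes", "true", "1")


def _writeable(share):
    # writeable, writable and read only are synonyms in smb.conf
    if "readonly" in share:
        return not _is_yes(share["readonly"])
    return _is_yes(share.get("writeable")) or _is_yes(share.get("writable"))


def check_pdc_config(sections):
    """Return findings; empty means the HOWTO's PDC settings are present."""
    findings = []
    g = sections.get("global", {})
    # Browser election parameters plus domain logons make Samba the PDC.
    for p in ("localmaster", "domainmaster", "preferredmaster", "domainlogons"):
        if not _is_yes(g.get(p)):
            findings.append(f"global: '{p}' must be yes on a PDC")
    if g.get("security", "").lower() != "user":
        findings.append("global: 'security' should be user on a PDC")
    if not g.get("oslevel", "").isdigit() or int(g["oslevel"]) < 65:
        findings.append("global: 'os level' below 65 may lose browser elections")
    if _is_yes(g.get("nullpasswords")):
        findings.append("global: 'null passwords = yes' permits empty-password logons")
    if "hostsallow" not in g:
        findings.append("global: no 'hosts allow'; every host may reach the shares")
    if "hosts" in g.get("nameresolveorder", "").split():
        findings.append("global: 'name resolve order' uses 'hosts'; the man page "
                        "documents the token as 'host'")
    # [netlogon] serves the logon script and default profile: keep it read-only.
    nl = sections.get("netlogon")
    if nl is None:
        findings.append("missing [netlogon] share")
    elif _writeable(nl):
        findings.append("netlogon: share is writeable; clients could alter the logon script")
    # [profiles] must be writeable, but each profile stays private to its owner.
    pr = sections.get("profiles")
    if pr is None:
        findings.append("missing [profiles] share")
    else:
        if not _writeable(pr):
            findings.append("profiles: share is read-only; roaming profiles cannot be saved")
        if (pr.get("createmode") or pr.get("createmask")) != "0600":
            findings.append("profiles: 'create mode' should be 0600")
        if (pr.get("directorymode") or pr.get("directorymask")) != "0700":
            findings.append("profiles: 'directory mode' should be 0700")
    return findings


if __name__ == "__main__":
    for finding in check_pdc_config(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run it against your own file with `check_pdc_config(parse_smb_conf(open("/etc/samba/smb.conf").read()))`.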

----------

## asiobob

I've gotten it to work with XP.

I found this post after I had hacked up a config file. I've shown it here; it's very rough... and not in production use.

Whilst I have specified a logon script, I do not have one, however my home directory is mounted as Z:

```
[global]
workgroup = stmcprod
netbios name = FRODO
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
# Note: The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using pdbedit
logon script = scripts\logon.bat
# This sets the default profile path. Set per user paths with pdbedit
logon path = \\%L\Profiles\%U
logon drive = Z:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups
encrypt passwords = yes
wins support = yes
name resolve order = wins lmhosts hosts bcast
dns proxy = no

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root, sura
guest ok = Yes
browseable = No

# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/maryo
[Profiles]
comment = Roaming Profile Share
path = /mnt/spd/ntprofiles
read only = No
profile acls = Yes
```

----------

## kupo

this has an easy fix

just add:

```
logon drive = H:
```

in [global]

----------

## asiobob

yeh I know that, I meant that it's defined in the smb.conf, not when the script is run.

I'm working on a few suggestions which I'll pass on to the author next year

----------

## GentooBox

Nice howto - I really needed this  :Smile: 

 *ASIO_BOB wrote:*   

> yeh I know that, I meant that it's defined in the smb.conf, not when the script is run.
> 
> I'm working on a few suggestions which I'll pass on to the author next year

 

Don't hold it back!  :Neutral:  Come with it, I want it!  :Smile: 

----------

## Crimson Rider

I've been working with Samba PDC's for quite a while now, nice howto !

Does anyone know how to implement this with a LDAP backend ?

----------

## blackwhite

It is very helpful.

How can I apply System Policies on XP clients? It is necessary for public computer lab. 

I use Poledit to setup System Policies, but it is just for NT style System Policies, does not fully support all XP System Policies.

----------

## blackwhite

 *Crimson Rider wrote:*   

> I've been working with Samba PDC's for quite a while now, nice howto !
> 
> Does anyone know how to implement this with a LDAP backend ?

 

You can read this 

http://hostopia.samba.org/samba/docs/man/Samba-Guide/

----------

## asiobob

I've implemented the recycle vfs module but the deleted files are not touched... ideas ?

see:

https://forums.gentoo.org/viewtopic.php?t=280734

----------

## whitetux

nice work, a very informative and consolidated how to!

----------

## daff

Very good HOWTO! Clear and to the point. If only you'd have posted it a few months earlier when I overhauled and reimplemented the domain servers in our company  :Smile: 

----------

## asiobob

wallpapers do follow if they are bmp.

If they are jpg, for example, what happens is Windows converts it to a bmp. It's that bmp that Windows then displays. Unfortunately, when Windows converts the bmp it doesn't save it to the roaming profile, hence the problem.

So as a user if you convert the image to a bmp yourself or set a bmp in the first place then yeh it will work nicely

----------

## GentooBox

1: smbpasswd -la doesn't work, but smbpasswd -a does

2: I can confirm that if you follow the guide 100% then it also works with Windows XP

----------

## Ateo

 *GentooBox wrote:*   

> 1: smbpasswd -la doesn't work, but smbpasswd -a does
> 
> 2: I can confirm that if you follow the guide 100% then it also works with Windows XP

 

smbpasswd -la root is what I used to add root to samba. This did not work for you? smbpasswd -a <regular_user> is what you use to add regular users....

----------

## lokelo

 *Ateo wrote:*   

>  *GentooBox wrote:*   1: smbpasswd -la doesn't work, but smbpasswd -a does
> 
> 2: I can confirm that if you follow the guide 100% then it also works with Windows XP 
> 
> smbpasswd -la root is what I used to add root to samba. This did not work for you? smbpasswd -a <regular_user> is what you use to add regular users....

 

I just tried to use the 

```
smbpasswd -la root
```

 without success.  Should it perhaps be a capital L instead of lowercase?  Otherwise great howto.

----------

## batal

Same here. -la does not work. I used -a only instead. What should the parameter 'l' do?

----------

## Ateo

Hmm.

Both of you are correct. I could almost swear I did smbpasswd -la <user> but after going over the smbpasswd man page, there is no -l option.. So, I've corrected the howto.

Thanks for the input.

----------

## Avathar

As I'm slightly new to Samba and its use in authentication in a network, I will pop the first question of a perhaps newbie character.

I have followed this HOWTO to the letter; Samba itself is running fine and everything is set up on that end (this was from a very slim Gentoo install). But now that I've come to the point where I want to add Windows clients to the server, I've gotten stuck and can't do just that. I presume that in the network identification part you choose domain and not workgroup; I've done just that but get the following error.

 *Quote:*   

> The following error occured validating the name "nordic". 
> 
> This condition may be caused by a DNS lookup problem. 
> 
> For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: 
> ...

 

My final question is then: does this HOWTO presume you have BIND+DHCPD running on the server? If so, should I configure that in any special way, or is it just that I have missed something not so obvious in this HOWTO?

It's a Windows 2000 server machine I'm trying to get into the SAMBA for authentication.

Thankful for any replies to this post.

edit: I know this is a kind of idiot post, but still, I've attempted this a few times now and end up being kicked in the nuts by this solution a few times already.

----------

## Pubare

Could be wrong on some of this, but I don't think you have to have BIND or DHCP running.  Since it's a Win2k _server_ machine, make sure that it is NOT set to be a Domain Controller and make sure the functional level is mixed - otherwise it may try to be the ADS DC and not play nice with Samba.  If you don't have a DNS server running at all, you would at the least need it pointed to the Samba PDC for WINS with Netbios over TCP enabled - that should suffice for the name lookup (I think).  It should be able to at the least communicate with the Samba PDC in "workgroup" mode.  If not, make sure that Secure Channel and Digital Signing is not set to "always" in the Win2k security policy.  If it still won't talk to the Samba box as a workgroup / stand-alone member, not sure what to tell you....  If it will talk to the Samba box in workgroup mode, but can't join as a domain member, well, still not sure what to tell you...

Probably not much help, but at least a reminder of the basics.

----------

## darkphader

 *Ateo wrote:*   

> 
> 
> ```
> 
>   name resolve order = wins lmhosts hosts bcast
> ...

 

Typo: the value is "host" not "hosts". Should read:

```
name resolve order = wins lmhosts host bcast
```

Of course if you're not using an lmhosts file you should leave that value out. Also a different order may be more proper:

```
name resolve order = host wins bcast
```

 may work better in some cases.

Chris

----------

## RedJane

 *Ateo wrote:*   

> In order to employ roaming profiles, you need to establish a "Default Profile" on Samba. This requires you to copy the content of C:\Documents and Settings\Default Profile to your samba server. You will need to copy it into the directory specified in your [netlogon] service. This way your users will have a default profile to log into

 

THX for the howto... GREAT..., 

but I still have a small problem:

I need to copy the content of "C:\Documents and Settings\Default Profile"; you mean "C:\Documents and Settings\Default User"?

If so, where exactly do I have to copy the content of this folder "C:\Documents and Settings\Default User" to? /var/lib/samba/profiles/username?

Cause I always get  a warning profile not found.

thx

----------

## Ejunkie

 *blackwhite wrote:*   

>  *Crimson Rider wrote:*   I've been working with Samba PDC's for quite a while now, nice howto !
> 
> Does anyone know how to implement this with a LDAP backend ? 
> 
> You can read this 
> ...

 

http://www.gentoo.org/doc/en/ldap-howto.xml

http://gentoo-wiki.com/HOWTO_SAMBA-LDAP_Domain_Controller_(with_Real_Time_antivirus)#Introduction_to_this_HOWTO

and you have to set the "bind_policy" to "soft" else it won't work

 *RedJane wrote:*   

>  *Ateo wrote:*   In order to employ roaming profiles, you need to establish a "Default Profile" on Samba. This requires you to copy the content of C:\Documents and Settings\Default Profile to your samba server. You will need to copy it into the directory specified in your [netlogon] service. This way your users will have a default profile to log into 
> 
> THX for the howto... GREAT..., 
> 
> but I still have a small problem:
> ...

 

you have to copy "C:\Documents and Settings\Default User" to the netlogon folder on the pdc, and then it should work.

nice work, what I don't get is why you don't use the acl flag.

Last edited by Ejunkie on Fri Nov 03, 2006 4:12 pm; edited 1 time in total

----------

## mudrii

Great How-to, just started thinking seriously about moving the PDC to Linux  :Wink: 

----------

## JROCK2004

 *Ejunkie wrote:*   

>  *blackwhite wrote:*    *Crimson Rider wrote:*   I've been working with Samba PDC's for quite a while now, nice howto !
> 
> Does anyone know how to implement this with a LDAP backend ? 
> 
> You can read this 
> ...

 

Do you have to create a dir in netlogin for the username?

----------

## Ejunkie

 *JROCK2004 wrote:*   

>  *Ejunkie wrote:*    *blackwhite wrote:*    *Crimson Rider wrote:*   I've been working with Samba PDC's for quite a while now, nice howto !
> 
> Does anyone know how to implement this with a LDAP backend ? 
> 
> You can read this 
> ...

 

There should be a dir called netlogon, and this dir must be shared as netlogon. This dir is for logon scripts and the default user; the default user is the default profile that is given to new users.

----------

## JROCK2004

ok so as root just cp the contents inside the default folder from windows into /var/lib/samba/netlogon/ ???? Do I have to chmod the folder?

----------

## Ejunkie

It has to be world readable and executable but not world writable.

----------

## JROCK2004

ok right now it is drwxr-xr-x

----------

## Ejunkie

 *JROCK2004 wrote:*   

> ok right now it is drwxr-xr-x

 

OK, and from the Samba point of view the share should be a public share.

----------

## JROCK2004

but still will not create or load profile

----------

## JROCK2004

ok now it stopped complaining about it but now it will not write the profile because of security. Any other ideas? Do you guys need me to post anything?

----------

## Ejunkie

 *JROCK2004 wrote:*   

> ok now it stopped complaining about it but now it will not write profile because of security. Any other ides? Do you guys need me to post anything?

 

could you post your config file ?

----------

## JROCK2004

ok I rebooted server and pc and now it's working better. It is saving the profiles. It still complains that the pc does not have a local profile. I think I can fix that.

Now is this the right area to discuss how to get windows to use the printer? Windows can see it but it is complaining about drivers. PSC 1610v. It wants drivers. Thanks

----------

## dahoste

Hello, I was going to post this as its own thread, but since it's samba/PDC related (and I originally heavily leveraged the HOWTO), I figured I'd start here.

I'm hoping someone has some insight into the following problem that I've recently encountered:

Basically, winxp seems to be creating roaming  profiles that are incompatible with itself.  I've got two sets of winxp clients, which I'll call 'new' and 'old'.  Profiles created (and perfectly usable) by the old clients don't work  on the new clients, and profiles created (and usable) by the new clients won't work on the old clients.  The catch is that as far as I can tell, I've  configured the old clients and the new clients in exactly the same way.  It may be that I've neglected to do something on the new clients that I did on the old.  I didn't religiously document the process of configuring them, but I only remember doing the registry tweak and the gpedit.msc tweak.

More detail:

I've had a samba/ldap PDC running successfully for quite some time now (6+ months).  Users can login to the domain, profiles are loaded and saved correctly to the PDC server, home drives are mapped correctly, the logon.bat is executed.  Everything working great.  But I just setup two new winxp machines (sp2, fully updated, etc..) and while I can login as any of the domain users, neither machine successfully loads the user's roaming profile.  But it doesn't complain about anything either!  The weird thing is that some desktop configuration stuff just plain doesn't work.  For instance, any attempt to enable the quicklaunch menu on the taskbar is ignored (quicklaunch is enabled in the roaming profile).  Ditto for enabling 'auto-hide' for the task bar.  Also, I can change theme attributes for the desktop (background color, etc..) and they'll act like they've changed, but won't persist across a login/logout -- and yet there are no complaints about the profile when I log out, implying that winxp was able to save them to the PDC server just fine. 

I've applied the 'signorseal' registry hack to all winxp clients. I've also used gpedit.msc to enable 'Do not check for user ownership of Roaming Profile Folders'.  So as far as I know, I've established the same config on all of my winxp clients.  But the new ones are misbehaving.  Or, rather, it's more accurate to say that the new ones and the old ones aren't playing nice together, when it comes to creating/saving/loading the roaming profiles.

I created a brand new user (on the linux side via smbldap-useradd), and logged in as that user on the new winxp clients.  A new roaming profile is created and works perfectly.  That same (new) user does not have its profile loaded correctly on an existing (old) winxp client. No complaints from winxp, mind you, it just doesn't provide a fully functional desktop after login.  It took a really long time to login the first time with the new user on an old client, but the login happens very quickly on subsequent tries.  Logoff is quick, with no error messages about anything.  This is precisely the same behavior I see when logging in as an 'old' user on a 'new' client.

Needless to say, I'm using the same samba PDC for the whole thing. It's samba v3.0.24.

Here's the profiles section from my smb.conf:

```
[profiles]

path = /var/lib/samba/profiles

browseable = no

writeable = yes

create mask = 0600

directory mask = 0700

profile acls = yes

csc policy = disable

hide files = /desktop.ini/ntuser.ini/NTUSER.*/
```

Any help with this would be greatly appreciated!

thanks!

----------

## darkphader

 *dahoste wrote:*   

> I've applied the 'signorseal' registry hack to all winxp clients.

 

You didn't mention your Samba version but for any modern version of Samba the signorseal reghack is not needed. I don't know if it will hurt but it certainly isn't necessary. Make sure you're running the latest Samba release then try removing and re-joining the systems to the domain. Try boosting Samba's log level to get more info.

Chris

----------

## dahoste

I'm using samba v3.0.24 (I mentioned that towards the bottom of the first post).

I did revert the 'signorseal' registry value, though it seems to have had no effect at all.

I started a thread for this issue on the official samba mailing list:

http://lists.samba.org/archive/samba/2007-February/129773.html

So far, nothing satisfactory to report, but I've included a lot more detail on what I've tried and what behavior I'm seeing.

Still hoping someone can suggest a nice fix for this.

cheers,

-David

----------

## Sedrik

Hi all

I'm having trouble adding a machine to my domain. It complains that it can't find the user I tell it to add the machine with  :Sad:  (yes, i'm using root)

Any pointers, will post smb.conf if needed.

----------

## Sedrik

Disregard my last post, I solved that problem. Now another one has arisen.

I want new files that are created from a client to be created with full group permissions and the group to be either users or styrelsen.

I add users as normal with useradd (useradd -m -G <users,styrelsen and anything else that is wanted> -s /bin/bash username).

Now when I tried to add the test user, user I did

useradd -m -G users -s /bin/bash user and he got the groups users and user.

Creating new files gives me this result  :Sad: 

```
ls -l /UTN/gemensamttest/
total 0
-rwxr--r-- 1 user  user      0 Jul 31 13:58 Ny(tt) Textdokument (2).txt
-rwxr--r-- 1 user  user      0 Jul 31 13:54 Ny(tt) Textdokument.txt
-rwxr--r-- 1 admin styrelsen 0 Jul 31 13:51 users.txt
```

So two questions: how do I create a user such that either users or styrelsen becomes the main group (sorry, bad terminology), that is, the group which is listed by ls?

And secondly, how do I change the default permissions of the files that are created? I would like them to be 0770 or something.

Thanks  :Smile: 

----------

