Samba PDC - NT members receive temporary profile on login

Good morning,

We have Samba 4 running on SLES 11 SP3 as our primary domain controller for a Windows NT-based domain of mostly Windows 7 Professional machines.

Corruption of our SLES server necessitated the rebuilding of our controller this weekend, which was thankfully easy. We reinstalled SLES 11 SP3 and then copied over the /etc/passwd, /etc/group, /etc/samba/, and /var/lib/samba/netlogon/ directories and applied the appropriate permissions, and were able to get everything running.

Unfortunately, I’m now finding that users who log in after the rebuild receive one, sometimes two errors:

Error 1) "Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

DETAIL - The network name cannot be found."

Error 2) “Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.”

In general, users who already have a profile on the machine receive Error 1, but users who log into a workstation for the first time receive Error 2.

We do not need to implement roaming profiles on our domain – local profiles do just fine for us.

Below are the contents of our smb.conf file:

[CODE][global]
netbios name = [redacted]
workgroup = [redacted]
map to guest = Bad User
passdb backend = smbpasswd
unix password sync = yes
add machine script = /usr/sbin/useradd -g ntadmin -c "NT Machine Account" -s /bin/false %u
domain logons = Yes
domain master = Yes
local master = Yes
os level = 64
preferred master = Yes
security = user
wins support = Yes
usershare max shares = 100
browseable = No
browsable = No
include = /etc/samba/dhcp.conf
usershare allow guests = No
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
encrypt passwords = Yes
smb passwd file = /etc/samba/smbpasswd
passwd program = /usr/bin/passwd %u
logon script = logon.bat
time server = Yes
name resolve order = wins bcast host lmhosts
recycle:keeptree = yes
recycle:repository = /shares/.recycle
recycle:versions = yes
vfs objects = recycle
ldap suffix =

##[profiles] - Intentionally commented out

comment = Network Profiles Service

path = %H

read only = No

create mask = 0600

directory mask = 0700

store dos attributes = Yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
read only = yes
write list = root[/CODE]

Any help would be appreciated!

Thanks,
Ted

To anyone having the same issue as me after a migration –

I found the solution on my own. It turns out, I had copied the smb.conf file over and then launched samba, instead of the other way around – which caused some of my settings in samba to be overwritten when samba launched for the first time and injected its default settings into the .conf file. One of the settings it had wiped out was the “logon path” setting, which dictates where a domain user’s roaming profile data is to be kept on the local server.

All I needed to get the roaming profile problem fixed was to add “logon path =” to the end of the [global] section, intentionally leaving the argument blank, and that forced all domain accounts to use local profiles, which is what I wanted.

Good luck to anyone with the same issue!
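A post-migration check for the failure described in the post above, as an added example that is not part of the original thread: it compares the [global] parameters of a backed-up smb.conf with the live file and reports the effective "logon path". The two sample configs are constructed, the function names are hypothetical, and the default value is the one documented in smb.conf(5).

```python
# Added example: find [global] parameters lost between a backup smb.conf
# and the live one, and report whether roaming profiles are in effect.
SAMBA_DEFAULT_LOGON_PATH = r"\\%N\%U\profile"  # default per smb.conf(5)

def norm(name):
    # Samba ignores case and whitespace inside parameter names.
    return "".join(name.lower().split())

def parse_global(text):
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(backup_text, live_text):
    backup, live = parse_global(backup_text), parse_global(live_text)
    dropped = sorted(k for k in backup if k not in live)
    changed = sorted(k for k in backup if k in live and backup[k] != live[k])
    # A missing parameter falls back to the default, which points at a share.
    effective = live.get("logonpath", SAMBA_DEFAULT_LOGON_PATH)
    return {"dropped": dropped, "changed": changed,
            "logon_path": effective, "roaming_profiles": effective != ""}

# Constructed sample input, not the poster's files.
LIVE = """[global]
  workgroup = EXAMPLE
  domain logons = Yes
  logon script = logon.bat
[netlogon]
  path = /var/lib/samba/netlogon
"""
BACKUP = LIVE.replace("  logon script", "  Logon Path =\n  logon script")

if __name__ == "__main__":
    print(audit(BACKUP, LIVE))
```

Run against the real files, a non-empty `dropped` list shows which settings did not survive the rebuild.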

Thanks for the feedback on your resolution; it will likely help others in
the future.


Good luck.
