# Roaming profile problem with LDAP backend Samba PDC



## Alfatrion (Aug 2, 2010)

I've set up an LDAP backend Samba PDC. I can gain access to shares and log in with a user that is in LDAP, but have a problem setting up the roaming profile stuff. I've been trying to solve this problem for some time now, and have tried everything I could think of, but without much luck. :x I keep getting the following error messages:

"Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Plausible causes of this error include network problem or insufficient security rights. If this problem persists, contact your network administrators. DETAILS - The network path was not found."

Followed by: "Windows cannot find the local profile and is logging on with a temporary profile. Changes to this profile will be lost when you logoff."

Here is my smb.conf:


```
[global]
    security = user
    name resolve order = wins lmhosts hosts bcast
    deadtime = 15
    map to guest = Never
    csc policy = disable
    hosts allow = 127. 192.168.
    server string =
    workgroup = Nieuwegein
    time server = yes
    wins support = yes
    domain master = yes
    domain logons = yes
    encrypt passwords = yes
    local master = yes
    logon drive = Z:
    logon path = \\%L\profiles\%U
    preferred master = yes
    os level = 255
    encrypt passwords = yes
    passdb backend = ldapsam:ldap://localhost/
    enable privileges = Yes
    pam password change = yes
    passwd program = /usr/local/sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    unix password sync = Yes
    ldap delete dn = Yes
    ldap ssl = Off
    ldap passwd sync = Yes
    ldap admin dn = cn=admin,dc=example,dc=nl
    ldap suffix = dc=example,dc=nl
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    idmap backend = ldap:ldap://localhost
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    add user script = /usr/local/sbin/smbldap-useradd -a -m "%u"
    delete user script = /usr/local/sbin/smbldap-userdel "%u"
    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/local/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    template homedir = /home/%U
    template shell = /bin/csh
    getwd cache = yes
    socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=819
    use sendfile = yes # this enhances the speed of samba.
    mangle prefix = 6 # How to mangle Long Filenames in to 8.3 DOS
    log level = 1
    log file = /var/log/samba/log.%m
    max log size = 50
    syslog = 0

[template]
# edited out, has no path

[homes]
    comment = Home users
    inherit owner = yes
    dos filemode = yes
    writable = yes
    read list = @wheel @"Domain Admins"
    valid users = "%S"
    create mask = 0740
    directory mask = 0750
    aio read size = 16384

[netlogon]
    comment = Network Logon Service
    path = /disk/netlogon
    browseable = no
    read only = yes
    aio read size = 16384

[profiles]
    comment = Roaming Profiles Directory
    path = /disk/profiles
    administrative share = true
    browseable = no
    writable = yes
    create mask = 0600
    directory mask = 0700
    aio read size = 16384
    public = yes
    # The root preexec command performs:
    # mkdir -pm 750 /disk/profiles/%U-%a; chown %U /disk/profiles/%U-%a
    # I started off without this.
    root preexec = /root/sbin/profiles.sh %U %a

# edited out other shares
```

ldapsearch gives me


```
# tester, Users, example.nl
dn: uid=tester,ou=Users,dc=example,dc=nl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: tester
sn: tester
givenName: tester
uid: tester
uidNumber: 10005
gidNumber: 513
homeDirectory: /home/tester
loginShell: /bin/sh
gecos: Tes ter
sambaLogonTime: 0
```

I can access \\Server\profiles and \\Server\netlogon using my tester account. /etc/passwd contains no line with the user tester, and I can log in over SSH with the tester account.

ll /disk/{netlogon,profiles} gives me:


```
drwxr-xr-x  2 root   wheel      512 Mar 16 11:09 netlogon/
drwxrwxrwt  2 root   wheel      512 Aug  2 12:41 profiles/
```
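The posted smb.conf has a few traps that are easy to miss by eye: Samba only recognises `#` and `;` as comment markers at the start of a line, so the trailing comments on the `use sendfile` and `mangle prefix` lines become part of the value, `encrypt passwords` appears twice, and the `[profiles]` share combines `writable = yes` with `public = yes` (a synonym for `guest ok`). The following checker is an added example, not code from the thread or from Samba; it parses a constructed excerpt modelled on the posted config and reports those findings, plus a check that `ldap ssl` is not switched off for a passdb server that is not local (which does not fire here, since the backend is `ldap://localhost/`). The canonicalisation of parameter names (case and whitespace ignored, a few synonyms folded) follows Samba's documented behaviour; the list of synonyms is deliberately short.

```python
"""Audit an smb.conf for parse traps and risky share settings.

Added example (not from the forum post): it parses a constructed excerpt
modelled on the posted configuration. Samba only treats '#' and ';' as comment
markers at the start of a line, so text after a value on the same line is
read as part of the value; this checker flags that, duplicate parameters,
plaintext LDAP to a remote passdb server, and guest-accessible writable shares.
"""
import re

# Constructed excerpt modelled on the posted smb.conf (not the full file).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = Nieuwegein
    map to guest = Never
    encrypt passwords = yes
    logon path = \\\\%L\\profiles\\%U
    encrypt passwords = yes
    passdb backend = ldapsam:ldap://localhost/
    ldap ssl = Off
    use sendfile = yes # this enhances the speed of samba.
    mangle prefix = 6 # How to mangle Long Filenames in to 8.3 DOS

[profiles]
    path = /disk/profiles
    browseable = no
    writable = yes
    create mask = 0600
    directory mask = 0700
    public = yes
"""

# Samba ignores case and whitespace in parameter names and accepts synonyms;
# fold them so the checks can use one canonical spelling (short list only).
SYNONYMS = {"public": "guestok", "writable": "writeable", "writeok": "writeable"}
YES = ("yes", "true", "1")


def canon(key):
    """Canonical parameter name: lowercase, no whitespace, synonyms folded."""
    k = re.sub(r"\s+", "", key.lower())
    return SYNONYMS.get(k, k)


def parse_smb_conf(text):
    """Return (sections, findings); sections maps share name -> {param: value}."""
    sections, findings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment (recognised only at line start)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            findings.append("line %d: unparseable: %r" % (lineno, raw))
            continue
        key, value = line.split("=", 1)
        key, value = canon(key), value.strip()
        if re.search(r"\s[#;]", value):
            findings.append("line %d: text after '#' is part of the value of '%s'" % (lineno, key))
        if key in sections[current]:
            findings.append("line %d: duplicate parameter '%s' in [%s]" % (lineno, key, current))
        sections[current][key] = value
    return sections, findings


def audit(text):
    """Parse the config and return the combined list of findings."""
    sections, findings = parse_smb_conf(text)
    glob = sections.get("global", {})
    # The 'ldap admin dn' bind sends its credential in clear unless the LDAP
    # server is local or 'ldap ssl' is enabled; only an explicit 'off' is flagged.
    host = re.search(r"ldap://([^/:]+)", glob.get("passdbbackend", ""))
    if host and host.group(1) not in ("localhost", "127.0.0.1") \
            and glob.get("ldapssl", "").lower() in ("off", "no"):
        findings.append("ldap ssl is off for remote passdb server %s" % host.group(1))
    for name, share in sections.items():
        if name == "global":
            continue
        if share.get("guestok", "no").lower() in YES and share.get("writeable", "no").lower() in YES:
            findings.append("[%s]: 'guest ok' on a writable share; profile data must require authentication" % name)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print(finding)
```

Running `audit()` on the excerpt reports the duplicate `encrypt passwords`, the two values that swallowed a trailing comment, and the guest-accessible `[profiles]` share; `testparm` on the real file is the authoritative check, this script only shows what to look for.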


----------



## Alfatrion (Aug 3, 2010)

I've populated the LDAP with smbldap-populate -u 10000 -g 10000 -r 0000. I did notice various entries with out-of-range uid and gid numbers: nobody (uid 999, gid 514), domain admins (gid 512), domain users (gid 513), domain computers (gid 515), Administrator (gid 544), Account Operators (gid 548), Print Operators (gid 550), Backup Operators (gid 551), Replicators (gid 552).

I've installed this:

```
# pkg_info | grep ldap
nss_ldap-1.264_3    RFC 2307 NSS module
openldap-client-2.4.18 Open source LDAP client implementation
openldap-server-2.4.18_1 Open source LDAP server implementation
p5-perl-ldap-0.39   A Client interface to LDAP (includes Net::LDAP)
pam_ldap-1.8.4_1    A pam module for authenticating with LDAP
php5-ldap-5.2.11    The ldap shared extension for php
phpldapadmin-1.2.0.3,1 A set of PHP-scripts to administer LDAP over the web
smbldap-tools-0.9.5 Samba-LDAP management and support tools

# pkg_info | grep samba
samba-3.3.8         A free SMB and CIFS client and server for UNIX
samba-libsmbclient-3.0.37 Shared libs from the samba package
```

Here are logs with errors.


```
# cat /var/log/samba/log.wb-NIEUWEGEIN
[2010/08/03 10:46:11,  1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(755)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SERVER, pipe \lsarpc, fnum 0x7779!

# cat /var/log/samba/log.winbindd
[2010/08/03 10:45:39,  0] winbindd/winbindd.c:main(1126)
  winbindd version 3.3.8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/08/03 10:45:39,  0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2010/08/03 10:46:11,  1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(755)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SERVER, pipe \lsarpc, fnum 0x777a!

# cat /var/log/samba/log.winbindd-idmap
[2010/08/03 10:45:39,  1] winbindd/idmap.c:idmap_init_passdb_domain(438)
  Could not init passdb idmap domain
[2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap_alloc(201)
  idmap_alloc module ldap already registered!
[2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap_alloc(201)
  idmap_alloc module tdb already registered!
[2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap(149)
  Idmap module passdb already registered!
[2010/08/03 10:45:39,  0] winbindd/idmap.c:smb_register_idmap(149)
  Idmap module nss already registered!
[2010/08/03 10:45:39,  0] winbindd/idmap_ldap.c:idmap_ldap_set_mapping(1449)
  ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 11109 mapping [gidNumber]
[2010/08/03 10:45:39,  0] winbindd/idmap_ldap.c:idmap_ldap_set_mapping(1451)
  ldap_set_mapping_internals: Error was: (NULL) (Already exists)
[2010/08/03 10:46:14,  1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(755)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SERVER, pipe \lsarpc, fnum 0x7779!
```


I've left out half of the tester entry in LDAP.


```
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: tester
sambaSID: S-1-5-21-914212253-3526360373-1445599473-21010
sambaPrimaryGroupSID: S-1-5-21-914212253-3526360373-1445599473-513
sambaProfilePath: \\%L\profiles\tester
sambaHomePath: \\%L\homes\%u
sambaHomeDrive: Z:
sambaNTPassword: 588FEB889288FB953B5F094D47D1565C
sambaPwdMustChange: 1284288886
shadowLastChange: 14819
shadowMax: 45
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1280752203
sambaAcctFlags: [U          ]
userPassword:: e1NTSEF9dUMzUFFUcFEzNE5CT0ZCb1hZVytXTHROUEpEU2FpeHc=
```


/var/messages shows:

```
Aug  3 09:16:55 Server slapd[983]: nss_ldap: could not search LDAP server - Server is unavailable
```

But it works. Searching on the internet told me this last message was bogus.


----------



## Alfatrion (Aug 3, 2010)

I've enabled debugging in Windows Domain using:
http://support.microsoft.com/default.aspx?scid=kb;en-us;221833

I find it strange that it first tries \\%L\profiles\tester. This is the log.


```
USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile: Entering, hToken = <0x960>, lpProfileInfo = 0x6e3e0
USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile: lpProfileInfo->dwFlags = <0x0>
USERENV(2ec.2f0) 12:08:35:468 LoadUserProfile: lpProfileInfo->lpUserName = <tester>
USERENV(2ec.2f0) 12:08:35:484 LoadUserProfile: lpProfileInfo->lpProfilePath = <\\%L\profiles\tester>
USERENV(2ec.2f0) 12:08:35:484 LoadUserProfile: lpProfileInfo->lpDefaultPath = <\\SERVER\netlogon\Default User>
USERENV(2ec.2f0) 12:08:35:484 LoadUserProfile: NULL server name
USERENV(2ec.2f0) 12:08:35:484 LoadUserProfile: In console winlogon process
USERENV(2ec.2f0) 12:08:35:484 In LoadUserProfileP
USERENV(2ec.2f0) 12:08:35:500
=========================================================
```

Rest edited out.
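The USERENV log shows what the client was actually handed: the literal string `\\%L\profiles\tester`, taken from the `sambaProfilePath` attribute of the LDAP entry, with the `%L` macro never expanded. `%L` is not a host name, so Windows cannot resolve the UNC path, which matches "The network path was not found" in the first post. The script below is an added example, not part of the thread and not a Samba or smbldap-tools utility; it parses an LDIF dump (folded lines and `::` base64 values included) and flags `sambaProfilePath` / `sambaHomePath` values that still contain `%` macros, are not UNC paths, or name a server outside an allow-list. It also reports password-equivalent attributes present in the dump, a reminder that if the `ldapsearch` that produced the first post's output was an unprivileged bind, the server's ACLs are letting `sambaNTPassword` out. The sample entries are constructed from the posted `tester` entry with the hash and SSHA value replaced by placeholders; the allow-list default `SERVER` comes from the `lpDefaultPath` in the log.

```python
"""Check Samba account entries in an LDIF dump for profile-path problems.

Added example, not from the forum thread. The USERENV log shows the client
received the literal string '\\%L\profiles\tester' as its profile path; '%L'
is a Samba macro, not a host name, so the UNC path cannot resolve. This script
parses LDIF and flags sambaProfilePath / sambaHomePath values that still
contain % macros, are not UNC paths, or name a server outside an allow-list,
and reports password-equivalent attributes present in the dump.
"""
import base64
import re

# Constructed excerpt modelled on the posted 'tester' entry; the real NT hash
# and SSHA value are replaced with placeholders. 'other' is a made-up entry
# with a path that passes the checks.
SAMPLE_LDIF = r"""
# tester, Users, example.nl
dn: uid=tester,ou=Users,dc=example,dc=nl
objectClass: posixAccount
objectClass: sambaSamAccount
uid: tester
sambaProfilePath: \\%L\profiles\tester
sambaHomePath: \\%L\homes\%u
sambaHomeDrive: Z:
sambaNTPassword: 00000000000000000000000000000000
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

dn: uid=other,ou=Users,dc=example,dc=nl
objectClass: sambaSamAccount
uid: other
sambaProfilePath: \\SERVER\profiles\other
""".lstrip("\n")

# Attributes whose value is enough to authenticate as the user (the NT hash is
# password-equivalent); they must not be readable by ordinary binds.
SECRET_ATTRS = {"sambantpassword", "sambalmpassword", "userpassword", "sambapasswordhistory"}
MACRO = re.compile(r"%[A-Za-z]")          # an unexpanded Samba substitution
UNC = re.compile(r"^\\\\([^\\]+)\\")      # \\server\share...


def parse_ldif(text):
    """Minimal LDIF parser: folded lines, '::' base64 values, multi-valued attrs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:
        if not line:
            if attrs:
                entries.append(attrs)
            attrs = {}
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$", line)
        if not m:
            raise ValueError("not LDIF: %r" % line)
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value)
    return entries


def check_entry(entry, allowed_servers):
    """Findings for one entry; entries without sambaSamAccount yield none."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        return findings
    dn = entry.get("dn", ["?"])[0]
    for attr in ("sambaprofilepath", "sambahomepath"):
        for path in entry.get(attr, []):
            if MACRO.search(path):
                findings.append("%s: %s has unexpanded macro: %s" % (dn, attr, path))
                continue
            m = UNC.match(path)
            if m is None:
                findings.append("%s: %s is not a UNC path: %s" % (dn, attr, path))
            elif m.group(1).upper() not in allowed_servers:
                findings.append("%s: %s names unknown server %s" % (dn, attr, m.group(1)))
    for attr in sorted(SECRET_ATTRS & set(entry)):
        findings.append("%s: dump exposes %s; verify the bind that produced it was privileged" % (dn, attr))
    return findings


def audit_ldif(text, allowed_servers=("SERVER",)):
    """Map each entry's dn to its list of findings."""
    allowed = {s.upper() for s in allowed_servers}
    return {e.get("dn", ["?"])[0]: check_entry(e, allowed) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(dn, "->", findings or "ok")
```

Feed it the output of `ldapsearch -LLL` for `objectClass=sambaSamAccount` and the `tester` entry is reported for both paths, while an entry whose `sambaProfilePath` names the real server passes; whichever way the path is repaired (a literal server name in LDAP, or relying on Samba to substitute), this is the value to verify before looking at share permissions again.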


----------

