Hosting Win2000 Profiles on a Samba Server

[patrickbeyer]

Hi all

I'm running a Samba PDC in my school lab, I have set it up and can join clients to the domain succesfully, I'm currently trying to get the roaming profiles to work off of my Server

my problem is that when my windows client logs on it comes up with an
error message:

Windows cannot create profile directory:
var\lib\samba\profiles\default.pds
and is using the local profile, and it wont be able to save setting back
to the server on logout

What could be causing this problem?

Thanks for your help
Regards
Pat

[Roxoff]

Make sure your samba PDC machine has a 'Profiles' and 'Netlogon' directory declared in your smb.conf, something like this (although your paths could be elsewhere):

Code:

[netlogon]
  path = /home/samba/netlogon
  guest ok = yes
  locking = no
  browseable = no
  read only = yes
  write list = @Domain Admins

[Profiles]
  path = /home/samba/profiles
  browseable = no
  guest ok = yes
  writeable = yes
  create mask = 0640
  directory mask = 0740

Make sure your netlogon and profiles directories exist:

Code:

# cd /home/samba
# mkdir profiles
# chgrp users profiles
# mkdir netlogon
# chgrp users netlogon

Make sure all your users are in the 'users' group (in /etc/group or in NIS or LDAP or wherever your user info is stored).

Inside the 'profiles' directory create a directory for each user, and set it to be owned by that user and in the group 'users' (e.g. chown <user>.users <user>).

Put any logon scripts in 'netlogon/scripts', and use that directory to configure the way windows logs onto the domain.

[patrickbeyer]

Hi its me again

The previous info worked like a charm, but now I can only logon from one machine, I can join PC's to the domain but they wont log on, it just keeps saying username and password is incorrect, but I have retyped it over and over, so it's definately not incorrect, I've also checked caps lock.

On one of the machines it says that the domain cannot be located, I asume this is a network hardware error.

Thanks for the help

Cheers
Pat

[Roxoff]

Seems like something has gone wrong with your password mechanism, you didn't change anything by accident while making the above changes to your smb.conf did you?

Check that you're using encrypted passwords, that you're using identical usernames or correctly mapped usernames between the unix world and the windows world, that each user has a password correctly inserted in the smb password file (add them with 'smbpasswd -a <user>' if they aren't), that the users are correctly inserted into the 'users' group using their unix username and that you've restarted samba again after making any changes to the config.

Oh, and that last error looks like a network hardware problem to me too, maybe a loose cable or summat.

[patrickbeyer]

Hi again

I have my clients connecting nicely now, downloading profiles and everything.

This is my new hurdle: I have managed to setup and restrict access to control panel, and certain programs, I used win control to achieve this, but how can I transfer those same restrictions to my roaming profiles on the server, are the restrictions in fact in the profile, I'm not sure about this one any help would be greatly appreciated

Thanks again
Pat

[Roxoff]

I believe this is done with the policy manager from a windows machine on the domain logged in with administrator privilege.

Do a google for windows server tools, it should throw up the links you need. I must stress that while I have such tools on my system at home (I'm at work right now) I dont use them, I dont need to worry too much about restricting access to the control panel for the kids, and unix permissions keeps them out of areas where I dont want stuff broken.

[patrickbeyer]

Hi its me again with another trivial question.

At the moment any user on my domain can logon simultaneously from any workstation in the lab, I would like to restrict the users to only one machine at a time. (a simple example is: I want to avoid a case where user "psmith" can be logged in twice from different machines)

Please can you help

Thanks
Pat

[Roxoff]

Hmmm, I'm not aware of any way to do this. Does the policy manager not let you configure this kinda thing? You're getting waaay out of my territory though as a Linux admin.

You find that imposing this becomes overly restrictive in practice; a user may log on and begin working then suffer a machine crash. The server may think they're still logged on while they're trying to log on again, either at a different machine or even the same machine.

[patrickbeyer]

How can I limit the size of my users individual home directories?

[Roxoff]

The simple way is to put the home directories on a seperate partition, and install quota support. I've not used quotas before, but from what I've read they're dead easy. Take a quick google into the subject.