[HOWTO] :: Implement Samba as your PDC

[Ateo]

NOTE: This HOWTO has been added to gentoo-wiki.com.

How to implement Samba as your PDC (Primary Domain Controller) for your domain
23 December 2004
Version 1.0

Disclaimer: This HOWTO has no guarantee. Use at your own risk. Back up any relevant data before proceding. If you break your system, it's up to you to fix it. Don't blame me (or the Gentoo forums) as I/we bear no responsibility if you are inept with simple procedures. Please read through this HOWTO prior to any attempt at installing your Samba PDC.

Resources:
O'Reilly - Using Samba -- This is a slightly outdated book but it's help is priceless.
samba.org -- Excellent resource for parameter definitions. Not a good resource to learn samba with.
Gentoo Forums Thread #1
Gentoo Forums Thread #2

Synopsis
This HOWTO was created because all of the resources that I encountered were either outdated or simply incorrect. This is my step by step outline that I used to successfully implement a Samba server as my PDC on my local network. This should work for anyone that attempts this implementation.

This HOWTO describes how to implement samba as your PDC so that a) users on your domain authenticate against a central domain controller and b) selected network drives are mapped on login. In addition, this will also explain how to implement a roaming profile. This HOWTO is practical only for domains which employ Windows 2000 professional workstations. I have not attempted nor tested against any other version of Windows. However, I know it can be done, just do some research.

What this HOWTO will do

1. Allow Windows 2000 clients to authenticate via your samba server
2. Provide mapped drives (based on logon scripts)
3. Execute a logon script
4. Enable use of roaming profiles

Roaming profiles defined: Windows 2000 supports roaming user profiles, which allow certificates to follow users no matter which computer they use to log on. When roaming profiles are enabled, user profiles, including issued certificates and private keys, are stored on the domain controller. The roaming profiles are downloaded to the computer during the logon process for the user.

What this HOWTO will not do

1. Allow Windows 9x/XP clients to authenticate via your samba server
2. Configure your Samba server for print sharing

To my knowledge, Win9x and Xp need different configuration (including registry hacks) thus this HOWTO does not detail configuration for said clients. Plus, who really uses 9x anymore? If you do, upgrade. However, I have been informed this HOWTO also works for 9x/XP workstations but I can't confirm that since neither of those versions of Windows exist on this network/domain.

If you wish to implement print sharing, follow this HOWTO and add only relevant printer information. Don't forget to add cups support when compiling samba.

Step by Step

1. Configure USE variable in /etc/make.conf
2. Install Samba (version 3.0.9 (portage version 3.0.9-r1) as of this writing)
3. Configure Samba
4. Configure Win2k workstations
5. More Samba configuration
6. Final steps

USE Flag configuration
These are the flags I've configured on my machine. Make sure that you enable pam (or kerberos/ldap depending on what auth method you wish to employ) and python, the rest are optional, depending on your needs. Enable cups for samba printer sharing.

Code: Select all

-acl -cups -debug -doc -kerberos -ldap* -libclamav -mysql -oav +pam -postgres +python -quotas +readline (-selinux) +winbind +xml +xml2

For those not using portage, this is the equivilent to compile time options.

Install Samba
Probably the easiest step. It is good practice to always do a pretend/verbose before installing any package. This way you know what is going to be installed (focusing on dependancies, if any). Kick back for a while as it takes about 15-30 minutes to install Samba, depending on hardware/optimizations. It'll take longer if any dependancies need to be installed.

Code: Select all

emerge sync
emerge samba -pv
emerge samba

Configure Samba
Now we venture into configuring samba. For some, this is easy, for others, it's a pain in the arse as it was for me but at least I learned.

The first file we need to edit is /etc/samba/smb.conf. So fire that up with your favorite text editor. The first section we will configure is the [global] services section, followed by [netlogon], [profiles], [homes] and other services sections. Please note that parameter values reflect my network. You'll need to change some values to meet your criteria.

The [global] service section
netbios name sets the NetBIOS name by which a Samba server is known. This is what you'll see in network neighborhood. workgroup controls what workgroup your server will appear to be in when queried by clients. server string controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view.

Code: Select all

  netbios name = shadow (choose your own name)
  workgroup = YOUR_DOMAIN
  server string = PDC [on Gentoo :: Samba server %v]

hosts allow is a comma, space, or tab delimited set of hosts which are permitted to access a service. security affects how clients respond to Samba and is one of the most important settings in the smb.conf file. encrypt passwords controls whether encrypted passwords will be negotiated with the client. socket options allows you to set socket options to be used when talking with the client. It is for performance fine tuning. If you find more/better options, I'd love to know of them. interfaces allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. bind interfaces allows the Samba admin to limit what interfaces on a machine will serve SMB requests.

Code: Select all

  hosts allow = 192.168.4.0/24 127.0.0.0/8
  security = user
  encrypt passwords = yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  interfaces = lo eth0
  bind interfaces only = yes

To make your Samba server the PDC, the following 4 parameters are required. Setting your OS level to 65 ensures your server WILL BE the PDC in a network where there are other DC. local master allows nmbd to try and become a local master browser on a subnet. os level controls what level Samba advertises itself as for browse elections. domain master enables WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup. preferred master controls if nmbd is a preferred master browser for its workgroup.

Code: Select all

  local master = yes
  os level = 65
  domain master = yes
  preferred master = yes

null passwords allows or disallows client access to accounts that have null passwords. hide unreadable prevents clients from seeing the existance of files that cannot be read. hide dot files controls whether files starting with a dot appear as hidden files.

Code: Select all

  null passwords = no
  hide unreadable = yes
  hide dot files = yes

domain logons dictates whether the Samba server will serve Windows Domain logons for the workgroup it is in. logon script specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. logon path specifies the home directory where roaming profiles (NTuser.dat etc files for Windows NT) are stored. logon drive specifies the local path to which the home directory will be connected and is only used by NT Workstations. logon home specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. Please note that variables %L and %U must be used. They defined the server name and username (respectively). You may specify any drive letter as log as it does not conflict with other drives on your Win2k client.

For logon script, I personally use a static file name. Using %U will require a batch file for each user as %U == the username establishing the connection.

Code: Select all

  domain logons = yes
  logon script = login.bat  OR %U.bat
  logon path = \\%L\profiles\%U
  logon drive = H:
  logon home = \\%L\%U\.9xprofile

wins support controls if the nmbd process in Samba will act as a WINS server. name resolve order s used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. dns proxy Specifies that nmbd when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

Code: Select all

  wins support = yes
  name resolve order = wins lmhosts hosts bcast
  dns proxy = no

time server determines if nmbd advertises itself as a time server to Windows clients. log file option allows you to override the name of the Samba log file (also known as the debug file). max log size specifies the max size the log file should grow to. smb passwd file sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.

Code: Select all

  time server = yes
  log file = /var/log/samba3/log.%m
  max log size = 50
  # location to samba password file
  smb passwd file = /etc/samba/private/smbpasswd

The following are parameters to assist you in adding/deleting users/machines from a client. Please refer to the O'Reilly book listed in sources at the beginning of this HOWTO.

Code: Select all

  add user script = /usr/sbin/useradd -m %u
  delete user script = /usr/sbin/userdel -r %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  add user to group script = /usr/sbin/usermod -G %g %u
  add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
  passwd program = /usr/bin/passwd %u
  passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*"

unix charset specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

Code: Select all

  unix charset = ISO8859-1

The [SHARE_NAME] services section
This section defines your shares. If you include a parameter within any one of these sections that is defined in the global section it will override the parameter in the global section. I'm not going to get into detail about each and every parameter here. The samba link provided above is a great resource for defining parameters. Use it!

netlogon is the service section of where your Default Profile (for new users) and your login script reside. Make sure the directory is owned and group owned by root and permissions are 755 (chmod -R 0755).

Code: Select all

[netlogon]
  path = /var/lib/samba/netlogon
  public = no
  writeable = no
  browseable = no

profiles is the service section for user roaming profiles. Make sure the directory proper is owned and group owned by root. Make sure its permission is 755 (chmod -R 0755). Inside this directory is where you user profiles are located. Make sure the user profile directories themselves are owned by the user and group owned by users. Make sure user directories permission are 770 (chmod -R 0770).

Code: Select all

[profiles]
  path = /var/lib/samba/profiles
  browseable = no
  writeable = yes
  default case = lower
  preserve case = no
  short preserve case = no
  case sensitive = no
  hide files = /desktop.ini/ntuser.ini/NTUSER.*/
  write list = @smbusers @root
  create mode = 0600
  directory mode = 0700

homes defines the users home directory. Nothing special needs to be done to this directive or directory.

Code: Select all

[homes]
  path = /home/%U
  browseable = no
  valid users = %S
  writable = yes
  guest ok = no
  inherit permissions = yes

public is an example of one of my shares. You can define as many as you want. You can name them whatever you want.

Code: Select all

[public]
  comment = Public Stuff
  path = /public
  public = yes
  writeable = no
  browseable = yes
  write list = @users

Adding users to Samba
The drawback to using samba is that users have to be added twice. Once to your /etc/passwd and once to /etc/samba/private/smbpasswd. I'm going to assume you already have a regular daily user so I'm going to skip the "adduser" unix command. Obviously, and hopefully, root exists on your system. =)

Both of the following commands will prompt you for a password. My suggestion is keep your [Samba] root password that same as your [Unix] system root password. Applying the same to your user password. Keep things simple.

Code: Select all

smbpasswd -a your_user
smbpasswd -a root

Configuring Windows 2000 clients
This is another simple step. Log into your Windows 2000 client locally as Administrator and add your client machine to your domain. This is achieved by right clicking My Computer => Properties => Network Identification => Properties button. You will be prompted for a username/password of an authorised domain user. You'll need to use your root account (the reason root was added to smbpasswd).

After changing your domain, you'll need to reboot (no surprise there). When it reboots, you'll have the fancy login screen with the nice little graphic instructing you to do a "ctrl-alt-del" to get to the actual login screen. If you only see fields for you username and password, click on the "Options" button and a domain dropdown will appear. Your choices should be "computer name\local" AND your new domain.

In order to employ roaming profiles, you need to establish a "Default Profile" on Samba. This requires you to copy the content of C:\Documents and Settings\Default Profile to your samba server. You will need to copy it into the directory specified in your [netlogon] service. This way your users will have a default profile to log into (assuming the usage of roaming profiles).

I suggest making sure the latest service pack is installed.

After adding the client to the domain and rebooting, lets leave this screen as is. We'll come back to it later.

More Samba Configuration
We're almost there.

This step maps your Windows groups to your Unix groups. This is an important step if you want admin rights on your Windows clients once you have logged onto the client authorizing against the PDC.

First, view the list of Windows groups. This way you know what you're mapping.

Code: Select all

root@shadow profiles # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-3885047494-3765334852-1543503842-514) -> nobody
Domain Admins (S-1-5-21-3885047494-3765334852-1543503842-512) -> ntadmins
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> 1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3885047494-3765334852-1543503842-513) -> users

Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

As you can see, I've only mapped 3 groups as this is all that I require on my domain. Additionally, I created a Unix group called "ntadmins".

Code: Select all

root@shadow profiles # groupadd ntadmins

After you create your required Unix groups, you need to map them to your Windows groups replacing the ntgroup value with a Windows group listed above and unixgroup is the Unix group you wish to map the Windows group to (remember, the Unix group must already exist).

Code: Select all

root@shadow profiles # net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins

You'll need to perform this command for each Unix group you wish to map. You can now use your new groups for specific group parameters in either your global or service scopes (please review the O'Reilly book).

Final steps
Now that we are done with configuring Samba, let's start it and add it to your default run levels (or whatever run level you choose)

Code: Select all

root@shadow profiles # /etc/init.d/samba start
root@shadow profiles # rc-update add samba default

At this point, you should be able to log into your domain using your username and password (not root). If you wish to use a roaming profile, you'll need to tell the client. This is done by right clicking My Computer => Properties => User Profiles. Select your user and "Change type".

Fin! Have a Godless day!

Addition notes
There are a few things I'm unsure of.

1. Can Samba be configured to automatically enforce roaming profiles or does this have to be done per client?
2. Even with the add user script parameter, how are users added from a Windows client?

Example login.bat script

Code: Select all

echo Setting Current Time...
net time \\shadow /set /yes

echo Mapping Network Drives to Domain network server...
net use H: /HOME
net use X: \\shadow\public
net use Y: \\shadow\audio
net use Z: \\shadow\video

When mapping your home drive, please make sure the letter you specify in logon drive in your global service is the same as net use XXX: /HOME command (where XXX = drive letter). Also, please remember, this is the script I use. Change it to suite your needs.

Known Issues
It's been confirmed that wallpapers don't follow with roaming profiles. The wallpaper does load if already cached on the local computer. I'm not sure where the problem exists.

Change log
1.4 - Found some typos, fixed.
1.3 - Moved HOWTO to gentoo-wiki.com. This thread will no longer be updated.
1.2 - Updated note on USE flags
1.1 - Added known issues
1.0 - HOWTO created

[asiobob]

Ive gotten it work with XP.
I found this post after I had hacked up a config file. I've shown it here, its very rough...and not in production use.

Whilst I have specified a logon script, I do not have one, however my home directory is mounted as Z:

Code: Select all

[global]
workgroup = stmcprod
netbios name = FRODO
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false \
-d /dev/null %u
# Note: The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using pdbedit
logon script = scripts\logon.bat
# This sets the default profile path. Set per user paths with pdbedit
logon path = \\%L\Profiles\%U
logon drive = Z:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups
encrypt passwords = yes


  wins support = yes
    name resolve order = wins lmhosts hosts bcast
      dns proxy = no
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root, sura
guest ok = Yes
browseable = No
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/maryo
[Profiles]
comment = Roaming Profile Share
path = /mnt/spd/ntprofiles
read only = No
profile acls = Yes

[kupo]

this has an easy fix
just add:

Code: Select all

logon drive: H:

in [global]

[asiobob]

yeh I know that, I meant that its defined in the smb.conf not when hte script is run.

I'm working on a a few suggestions which I'll pass onto the author next year

[GentooBox]

Nice howto - I really needed this

yeh I know that, I meant that its defined in the smb.conf not when hte script is run.

I'm working on a a few suggestions which I'll pass onto the author next year

Dont hold it back ! come with it, i want it !

[Crimson Rider]

I've been working with Samba PDC's for quite a while now, nice howto !

Does anyone know how to implement this with a LDAP backend ?

[blackwhite]

It is very helping.
How can I apply System Policies on XP clients? It is necessary for public computer lab.
I use Poledit to setup System Policies, but it is just for NT style System Policies, does not fully support all XP System Policies.

[blackwhite]

I've been working with Samba PDC's for quite a while now, nice howto !

Does anyone know how to implement this with a LDAP backend ?

You can read this
http://hostopia.samba.org/samba/docs/man/Samba-Guide/

[asiobob]

I've implemented the recycle vfs module but the deleted files are not touched... ideas ?

see:
http://forums.gentoo.org/viewtopic.php?t=280734

[whitetux]

nice work, a very informative and consolidated how to!

[daff]

Very good HOWTO! Clear and to the point. If only you'd have posted it a few months earlier when I overhauled and reimplemented the domain servers in our company

[asiobob]

wallpapers do follow if they are bmp.
If they are jpg for an example what happens is windows converts it to a bmp. Its that bmp that windows then display. Unfortauntely when windows converts the bmp it doesn't save it to the roaming profile hence hte problem.

So as a user if you convert the image to a bmp yourself or set a bmp in the first place then yeh it will work nicely

[GentooBox]

1: smbpasswd -la dont work, but smbpasswd -a does
2: I can confirm that if you follow the guide 100% then it also works with Windows XP

[Ateo]

1: smbpasswd -la dont work, but smbpasswd -a does
2: I can confirm that if you follow the guide 100% then it also works with Windows XP

smbpasswd -la root is what I used to add root to samba. This did not work for you? smbpasswd -a <regular_user> is what you use to add regular users....

[lokelo]

1: smbpasswd -la dont work, but smbpasswd -a does
2: I can confirm that if you follow the guide 100% then it also works with Windows XP

smbpasswd -la root is what I used to add root to samba. This did not work for you? smbpasswd -a <regular_user> is what you use to add regular users....

I just tried to use the

Code: Select all

smbpasswd -la root

without success. Should it perhaps be a capital L instead of lowercase? Otherwise great howto.

[batal]

same here. -la dose not work. i used -a only instead. what should the parameter ´l´ do?

[Ateo]

Hmm.

Both of you are correct. I could almost swear I did smbpasswd -la <user> but after going over the smbpasswd man page, there is no -l option.. So, I've corrected the howto.

Thanks for the input.

[Avathar]

As im slightly new to Samba and its use in authentication in a network i will pop the first question of a pherhaps newbie character.

I have followed this HOWTO to the letter, samba itself is running fine and everything is setup on that end, this was from a very slim gentoo install, but now when ive come to the point where i want to add windows clients to the server ive gotten stuck and cant do just that, i pressume that in the network identification part you choose domain and not workgroup and done just that but get the following error.

The following error occured validating the name "nordic".
This condition may be caused by a DNS lookup problem.
For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site:
http://go.microsoft.com/fwlink/?LinkId=5171
The Specified domain either does not ecist or could not be contacted.

My final question is then, does this HOWTO pressume you have BIND+DHCPD running on the server? If so should i configure that in any special way or is it just that i have missed something not so obvius in this HOWTO?

Its a windows 2000 server machine im trying to get into the SAMBA for authentication.

Thankful for any replies to this post.

edit: i know this is a kind of idiot post but still, ive attempted this a few times now and end up on the me being kicked in the nuts by this solution a few times allready.

[Pubare]

Could be wrong on some of this, but I don't think you have to have BIND or DHCP running. Since it's a Win2k _server_ machine, make sure that it is NOT set to be a Domain Controller and make sure the functional level is mixed - otherwise it may try to be the ADS DC and not play nice with Samba. If you don't have a DNS server running at all, you would at the least need it pointed to the Samba PDC for WINS with Netbios over TCP enabled - that should suffice for the name lookup (I think). It should be able to at the least communicate with the Samba PDC in "workgroup" mode. If not, make sure that Secure Channel and Digital Signing is not set to "always" in the Win2k security policy. If it still won't talk to the Samba box as a workgroup / stand-alone member, not sure what to tell you.... If it will talk to the Samba box in workgroup mode, but can't join as a domain member, well, still not sure what to tell you...

Probably not much help, but at least a reminder of the basics.

[darkphader]

Code: Select all

  name resolve order = wins lmhosts hosts bcast

Typo: the value is "host" not "hosts". Should read:

Code: Select all

name resolve order = wins lmhosts host bcast

Of course if you're not using an lmhosts file you should leave that value out. Also a different order may be more proper:

Code: Select all

name resolve order = host wins bcast

may work better in some cases.

Chris

[RedJane]

In order to employ roaming profiles, you need to establish a "Default Profile" on Samba. This requires you to copy the content of C:\Documents and Settings\Default Profile to your samba server. You will need to copy it into the directory specified in your [netlogon] service. This way your users will have a default profile to log into

THX for the howto... GREAT...,
but I still have a small problem:

I need to copy the content of "C:\Documents and Settings\Default Profile", you mean "C:\Documents and Settings\Default User"?
If so,where exactly do I have to copy the conent of this map "C:\Documents and Settings\Default User" to? /var/lib/samba/profiles/username?

Cause I always get a warning profile not found.

thx

[Ejunkie]

I've been working with Samba PDC's for quite a while now, nice howto !

Does anyone know how to implement this with a LDAP backend ?

You can read this
http://hostopia.samba.org/samba/docs/man/Samba-Guide/

http://www.gentoo.org/doc/en/ldap-howto.xml
http://gentoo-wiki.com/HOWTO_SAMBA-LDAP ... this_HOWTO

and you have to set the "bind_policy" to "soft" else it won't work

In order to employ roaming profiles, you need to establish a "Default Profile" on Samba. This requires you to copy the content of C:\Documents and Settings\Default Profile to your samba server. You will need to copy it into the directory specified in your [netlogon] service. This way your users will have a default profile to log into

THX for the howto... GREAT...,
but I still have a small problem:

I need to copy the content of "C:\Documents and Settings\Default Profile", you mean "C:\Documents and Settings\Default User"?
If so,where exactly do I have to copy the conent of this map "C:\Documents and Settings\Default User" to? /var/lib/samba/profiles/username?

Cause I always get a warning profile not found.

thx

you have to copy "C:\Documents and Settings\Default User" to the netlogon folder on the pdc. and then it shoud work.


nice work what i dont get is why you dont use the acl flag.

[mudrii]

Grate How-to just start thinking seriously to move PD do Linux

[JROCK2004]

I've been working with Samba PDC's for quite a while now, nice howto !

Does anyone know how to implement this with a LDAP backend ?

You can read this
http://hostopia.samba.org/samba/docs/man/Samba-Guide/

http://www.gentoo.org/doc/en/ldap-howto.xml
http://gentoo-wiki.com/HOWTO_SAMBA-LDAP ... this_HOWTO

and you have to set the "bind_policy" to "soft" als it wont work

In order to employ roaming profiles, you need to establish a "Default Profile" on Samba. This requires you to copy the content of C:\Documents and Settings\Default Profile to your samba server. You will need to copy it into the directory specified in your [netlogon] service. This way your users will have a default profile to log into

THX for the howto... GREAT...,
but I still have a small problem:

I need to copy the content of "C:\Documents and Settings\Default Profile", you mean "C:\Documents and Settings\Default User"?
If so,where exactly do I have to copy the conent of this map "C:\Documents and Settings\Default User" to? /var/lib/samba/profiles/username?

Cause I always get a warning profile not found.

thx

you have to copy "C:\Documents and Settings\Default User" to the netlogon folder on the pdc. and then it shoud work.


nice work what i dont get is why you dont use the acl flag.

Do you have to create a dir in netlogin for the username?

[Ejunkie]

I've been working with Samba PDC's for quite a while now, nice howto !

Does anyone know how to implement this with a LDAP backend ?

You can read this
http://hostopia.samba.org/samba/docs/man/Samba-Guide/

http://www.gentoo.org/doc/en/ldap-howto.xml
http://gentoo-wiki.com/HOWTO_SAMBA-LDAP ... this_HOWTO

and you have to set the "bind_policy" to "soft" als it wont work

In order to employ roaming profiles, you need to establish a "Default Profile" on Samba. This requires you to copy the content of C:\Documents and Settings\Default Profile to your samba server. You will need to copy it into the directory specified in your [netlogon] service. This way your users will have a default profile to log into

THX for the howto... GREAT...,
but I still have a small problem:

I need to copy the content of "C:\Documents and Settings\Default Profile", you mean "C:\Documents and Settings\Default User"?
If so,where exactly do I have to copy the conent of this map "C:\Documents and Settings\Default User" to? /var/lib/samba/profiles/username?

Cause I always get a warning profile not found.

thx

you have to copy "C:\Documents and Settings\Default User" to the netlogon folder on the pdc. and then it shoud work.


nice work what i dont get is why you dont use the acl flag.

Do you have to create a dir in netlogin for the username?

there shoud be a dir called netlogon this dir must be shared as netlogon, this dir is for logon scripts and the default user, the default user is the default profile that is given to new users.