Hi, here are 3 questions I've been fighting with...

Background: I'm running Samba 2.0.7 on RedHat 7.0 (kernel 2.2.16-22smp). This machine is set up as a "PDC" managing domain logons. All client machines are NT 4, varying service packs but I think all are at least SP4, and the problems below even occur on SP6.

1) Problem: Certain users get the message "could not find your profile, contact your network administrator" or something like that, and they are kicked right out after trying to log in. I check the Samba logs, and they are showing connections to the appropriate shares (including the home share). I peeked around in the registry, comparing the users' "profile location" key with that of users experiencing no problems, and couldn't find any discrepancies. However, in C:\WINNT\Profiles, for one problem user in particular (and a few others), there are several "username.###" and "username.###.bak" entries, with ### ranging from 000 upward. Maybe that is a clue to the solution or cause.

2) Problem: I suspect this might be related to #1 above. My own personal account on the domain will not let me change any HKLU registry settings. I think other users are experiencing this one, too. In the domain "logon.bat" file, I have

"NET USE x: \\MACHINENAME\SHARE /PERSISTENT:NO"

to map a few network drives. The /PERSISTENT:NO causes the command to return an error about not being able to save a profile registry setting (about saving drive connections). Other peculiarities:

2a) Logging in, I always get the stupid "Welcome to NT" window.

2b) I set a new wallpaper and click OK, it doesn't take.

2c) I set a new desktop color and click OK, it DOES take.

In addition, each client machine keeps listing an "DOMAIN\Account unknown" in its user manager, permissions boxes, etc. I think it believes that "Account Unknown" owns the registry, or at least the HKLU branch.

3) How-to: This one is much simpler, how do I map NT groups to UNIX groups? I've heard rumors of a "domain group map" or similar parameter, but seen no documentation on it or the format of the map file. I simply want to create a UNIX group, such as "power" and then specify that each user in that UNIX group will be a Power User on the NT domain. If this can be done, I'd like to know how, or if it can't yet, that's fine (I suppose :).

A trivial suggestion but : if the local pc is short on diskspace you get this effect. Just a suggestion...

I've seen this in relation to diskspace shortages, starts when the domain profile area is short of space and user profiles cannot be copied to the server. Each logon makes a new entry and then the client soon fills up. Especially if you have lots of users per machine.

Thanks to those who supplied feedback to my previous questions. All is well now (mostly). It turns out that it was a disk usage problem after all. I didn't think to check the quotas of the problem users. I set each quota to 200 MB for the /home partition but [explicative] IE 5 ate up all of the space with its cache. I'm a Netscape guy myself...

Anyways, I'm playing around with the registry permissions stuff and I think I found a cheap solution. I noticed that for some reason, most users have "NTUSER.DAT" and "ntuser.dat.LOG" in their ~/profile directory, and other users (myself included) have "ntuser.dat" and "ntuser.dat.LOG" instead (notice the case). I removed the lowercase "ntuser.dat" off my ~/profile directory as well as my "locally" stored profile on one of the client machines then logged into NT. Previously there was just "username" in the WINNT\Profiles directory but now there is "username.000" which seems to be storing ALL of my correct profile information, Desktop, registry, etc. I'm not too concerned by the extra profile directories hanging around. BTW, there are no local accounts on the machine in question, except for the usual (Administrator, Guest, etc.).

Maybe this info can help others with similar problems, or maybe some of you know of better approaches.

turn on "delete cache on exit" in the ie preferences. helps a lot. ;)

Set the system policy to ignore the Temporary Internet Files Folder in the profile.

I run a script that sleeps for a minute then removes the whole profile if the user was a student.

Like this :

root postexec = /usr/local/sbin/setprofile %u -R

This way they get the default profile next time they logon and nothing is left on server. Further, local profiles are turned off.

As shown in the subject, I'm still having problems with the latest CVS of samba 2.2. When joining the win2k clients to the domain, I logon using root (which is also in smbpasswd) and after about 30 or a minute it comes up with the message welcome to the domain "workgroup". In those 30-60 seconds, there is around 50 pages of messages in the log.smd with a log level of 3. And at the end of it all, there is some garbage about invalid uid, unable to set uid blah blah, where uid is some weird NEGATIVE number... so it defaults to 0:0 and then "panics" and blurts stuff about an internal error occured. About 10 seconds after the panic message, win2k pops up welcome to the domain. I reboot the win2k machine, and when I try to login to the domain, I get the follow error:

The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect.

Has anyone else experienced this situation, or know what on earth is wrong? Any suggestions or comments on how to resolve this issue is greatly appreciated. If there is any information that I left out that could help isolate the problem, feel free to ask.

I tried this whole thing with a different win2k box, which btw has sp1, and this time I got the error message "unable to log in to the domain because the netlogon services is not started." Well, that's bullshit, because I used the other win2k machine to remote admin, and saw that the netlogon service was indeed started and running. I suspect not, but could this be a samba related problem

1. You have map to guest enabled

2. The guest has a funky UID [such as too large or negative.. in case of too large it will become negative]

3. When logging on as root, it's not fully recognised as such, mapped to guest, and the behaviour you describe will occur.

Seriously though, I have heard a number of people saying that a 'complicated' config file confused 2.2. Nobody seems willing to explain what they mean by 'complicated' however. Yours, with the defaults all spelt out might just be what people mean (??).

Just in case (and I don't really believe it will help), could you grab the conf file from the howto, change only those parameters that you need to (and there are only about two ) and try with that ??

Is this with CVS of 2.2 ? If so, can you please either send in a gdb stack backtrace, or a debug level 10 of the log before this error message.

We're running the samba 2.2 CVS from Nov 3rd now for quite a while in production environment. (big hurray for the brave ;)

It works fine as PDC for our W2k Workstations. Fileserving seems to be stable, no problems with joining the domain. All I'm looking forward to is the auth system rewrite. (maybe then we can finally use our ldap server even to auth samba users ;)

The only thing we came across were some string overflow errors when handling the favorites of the profiles. Like:

ERROR: string overflow by 5 in safe_strcpy [/guitar guitars tablature music mp3 olga percussio]

The user was not able to log in when this happened! W2k denied the access! I had to go and clean the favorites directory!

Currently one of the issues that needs to be rewritten in Samba is the static nature of strings (fstrings and pstrings). Both are declared as char arrays with a fixed length. The strcpy, strcat, etc... functions are wrapped as to prevent buffer overflows. The problem is things like what you are experiencing. (although this could be caused by RPC bugs in other parts of the code).

In order to give you an honest answer, we would need to see level 10 debug logs at the time of the error.

Sure. Send me a level 10 debug log of the failure. I need the surrounding information 'cause I need to know what string was being passed in.