Re: Windows Home Directories and PDC/member servers -- smb.conf files for PDC and domain members

On 29 Sep, 2004, at 21:24, John Gerth wrote:

> I can't locate your original post and don't know that I'm remembering the
> symptoms correctly. Here's what I think you saw:
> a) long pauses at logon/logoff
> b) second prompts for U: disk
> c) U: disk is read-only even after authentication

Long pauses, and outright failures, during login/logout when too many users attempt to do so simultaneously. The only fix is to restart the server, not just the service.


> You said you suppressed roaming profiles, but how? On each and every client?
> The only way to do it on the server is to add:
> logon path =
> which nulls out the compiled-in default of \\%N\%U\profile. That would
> translate to \\osx-login2\%UserName%\profile and hit each user's default
> share in [homes] below, causing i/o on the PDC in addition to whatever
> your login.bat did.

I sent a reply to your last message and responded in detail; however, the message is still being reviewed (because of length) by the moderator. That being said, here is my previous answer:

We found that by removing or even commenting out 'logon path = \\%N\profiles\%u', any new user logging in is affected by the configuration change. Upon XP login, a user is warned that network profiles could not be found, and that a temporary profile will be used instead. This occurs as soon as smb.conf is saved, and I assume happens since smb.conf is read by each new smbd daemon spawned by each new login. As soon as profiles are enabled again, after saving smb.conf, a user logging in to XP will not receive the profile error. This happens regardless of whether the Windows services are restarted or not.

Interestingly, with the 'logon path = \\%N\profiles\%u' directive removed from smb.conf, and with all other XP logins receiving network profile errors, a user who has a 'User Profile Path' specified in Workgroup Manager will not receive an error, and will load her profile.

From this I concluded that /etc/smb.conf is read each time smbd is spawned, followed by a call to the LDAP directory for additional Samba directives, on a per-user basis.


>> client ntlmv2 auth = no
>> domain logons = yes
> This is what makes it a DC (domain controller) via the [netlogon] share

Okay.


>> auth methods = opendirectory guest
> Mine is "auth methods = guest opendirectory", which is interesting because,
> as "man smb.conf" points out, these are searched *in order*.
>
> The "guest" method is for anonymous connections (user=unknown on Xserve)
> and I suspect having it second means more work for OD's directory server,
> which I think is one of your symptoms. Do you remember changing this?

Yes, we changed this. We reasoned that by searching first for the username in the OD directory, we would cut down the authentication time. We were under the impression that since we do not allow "guest" account login, it would be faster to simply search the OD directory first for the name of the user logging in. This has been changed again, today, to reflect the default settings you refer to.


>> printer admin = @admin, @staff, unknown
> I don't have "unknown"...I think this means that anyone
> can administer printers...not related to your current problem
> but it is curious

Indeed.


> [..] feel free to delete any of the ones you're not using but you *must* keep [netlogon].
> [homes] is a standard, but optional, Samba share. The rest are Xserve
> additions which you don't seem to be using.

Another good point. I have removed extraneous SMB shares from our PDC and each of our home directory servers.


> On my domain member Linux machines, I also set:
> password server = *
> which tells Samba to ask for the name of the domain controller.
> The "man smb.conf" file says the default value for this is null,
> which might also be why your member Xserves can't authenticate
> users when those users ask for their home shares.

We will give this a try. Thank you.


>> auth methods = guest ntdomain opendirectory
> Note that "opendirectory" is also there. Normally Samba would have a local
> auth method after "ntdomain" to allow local accounts just as in Windows.
> Assuming that your Xserves are using the OD master on the PDC, this might
> be a bit strange in that they might search the database again but only
> in a local context.

I have removed 'opendirectory' from this directive in each home directory server. I will see if it makes any difference.


> I can't prove this, but I can imagine that you might see in the logs
> (with level HIGH) as many as 3 traversals of the OD database during
> [...]

I will have a look.


> We may need to do more spelunking using the "net", "nmblookup", and "smbclient"
> commands on the Xserve, and the "net", "netdom" and "nltest" commands on XP.
>
>
> Bottom line...make changes one-at-a-time and measure results. My initial
> experiments would be:
> a) change "auth methods" order on PDC to put "guest" first

The "auth methods" directive was originally--and is once again--configured this way.

> b) add "logon path = " on PDC to make sure roaming profiles are disabled

Will do.

> c) add "password server = * " on domain member

Okay.

Thank you again for your suggestions and insights.
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden
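The three smb.conf changes the thread converges on (list "guest" first in "auth methods" on the PDC, set an empty "logon path =" on the PDC so roaming profiles are disabled, and set "password server = *" on the domain members) written out as one PDC configuration and one member configuration, with a small awk-based check that confirms each file carries them. This is an added example, not part of either poster's message: the workgroup, NetBIOS names, share paths, and the "before" PDC snippet are constructed for illustration, and "security = domain" on the member is the standard Samba setting for a domain member rather than something quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the list post). Writes the PDC and domain-member
# smb.conf changes discussed in the thread to a temp dir and checks them
# with awk. Workgroup, NetBIOS names and share paths are assumed.
set -eu

WORK="${TMPDIR:-/tmp}/smbconf-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed "before" PDC globals: roaming profiles on, guest searched last.
cat > "$WORK/smb.conf.pdc.before" <<'EOF'
[global]
    workgroup = EXAMPLE
    domain logons = yes
    auth methods = opendirectory guest
    logon path = \\%N\profiles\%u
EOF

# Constructed PDC configuration after the changes.
cat > "$WORK/smb.conf.pdc" <<'EOF'
[global]
    workgroup = EXAMPLE
    netbios name = OSX-LOGIN2
    domain logons = yes
    ; guest first: anonymous connections are answered before any directory lookup
    auth methods = guest opendirectory
    ; empty value disables roaming profiles (compiled-in default is \\%N\%U\profile)
    logon path =
    logon script = login.bat

[netlogon]
    path = /var/samba/netlogon
    read only = yes
    browseable = no

[homes]
    browseable = no
    read only = no
EOF

# Constructed domain-member (home directory server) configuration.
cat > "$WORK/smb.conf.member" <<'EOF'
[global]
    workgroup = EXAMPLE
    netbios name = HOMESRV1
    security = domain
    ; "*" makes smbd look up the domain controller instead of using a fixed host
    password server = *
    auth methods = guest ntdomain

[homes]
    browseable = no
    read only = no
EOF

# smb_get FILE KEY: print KEY's value from [global] (case-insensitive key,
# comment lines skipped, whitespace trimmed); prints nothing if KEY is absent.
smb_get() {
    awk -v want="$2" '
        /^[ \t]*\[/ { g = ($0 ~ /^[ \t]*\[[Gg]lobal\]/); next }
        !g || /^[ \t]*[;#]/ || index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# smb_has FILE KEY: true if KEY is present as a directive, even with an empty value.
smb_has() { grep -Eiq "^[[:space:]]*$2[[:space:]]*=" "$1"; }

# check_pdc FILE: true when FILE carries the PDC-side settings from the thread.
check_pdc() {
    [ "$(smb_get "$1" 'domain logons')" = yes ] || { echo "PDC: domain logons must be yes"; return 1; }
    smb_has "$1" 'logon path' || { echo "PDC: no logon path; compiled-in roaming profile path applies"; return 1; }
    [ -z "$(smb_get "$1" 'logon path')" ] || { echo "PDC: logon path non-empty; roaming profiles still enabled"; return 1; }
    case "$(smb_get "$1" 'auth methods')" in
        guest*) ;;
        *) echo "PDC: auth methods should list guest first"; return 1 ;;
    esac
    grep -Eiq '^[[:space:]]*\[netlogon\]' "$1" || { echo "PDC: [netlogon] share missing"; return 1; }
}

# check_member FILE: true when FILE carries the member-side settings from the thread.
check_member() {
    [ "$(smb_get "$1" security)" = domain ] || { echo "member: security must be domain"; return 1; }
    [ "$(smb_get "$1" 'password server')" = '*' ] || { echo "member: password server should be *"; return 1; }
    case "$(smb_get "$1" 'auth methods')" in
        "guest ntdomain"*) ;;
        *) echo "member: auth methods should be guest ntdomain"; return 1 ;;
    esac
}

for f in pdc.before pdc; do
    if check_pdc "$WORK/smb.conf.$f"; then echo "smb.conf.$f: PDC settings OK"; fi
done
if check_member "$WORK/smb.conf.member"; then echo "smb.conf.member: member settings OK"; fi
```

The awk check is only a stand-in so the example runs anywhere; on the Xserve itself, `testparm -s /etc/smb.conf` prints the effective [global] values (including the compiled-in default for "logon path" when it is not set) and is the authoritative way to confirm an edit before the next login spawns a fresh smbd.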

References: 
 >Re: Windows Home Directories and PDC/member servers (From: Chris <email@hidden>)
 >Re: Windows Home Directories and PDC/member servers (From: email@hidden)
 >Re: Windows Home Directories and PDC/member servers (From: John Gerth <email@hidden>)
 >Re: Windows Home Directories and PDC/member servers (From: email@hidden)
 >Re: Windows Home Directories and PDC/member servers (From: John Gerth <email@hidden>)
 >Re: Windows Home Directories and PDC/member servers (From: email@hidden)

Copyright © 2007 Apple Inc. All rights reserved.