Wednesday, June 25, 2003

Profiles created on ext3fs

...prolly not a filesystem problem at all. I was attempting the first logon with these accounts from a WinXP Pro box. With these users, I was copying the domain 'Default User' profile manually into their still-inactive profile folder.

More experimentation showed this-

- On the first logon, the logon hangs while the "Loading your settings" message is on the screen.
- I did a hard reboot
- the account logged on fine

It appears that the Windows profile/ntuser.dat needs something special in it if it's going to log on to XP. Once I copied this user's 'skeleton' profile into another new user's profile folder, it loaded fine on the first attempt. So during the hang, I suspect XP is writing something to the profile.

Profiles created on ext3fs

Seeing more weirdness with home directories that I am creating directly on the Linux box (as opposed to migrating). It appears that the profile/ntuser.dat must have group ownership of a group that the user is in. Or something.

Tuesday, June 24, 2003

Auto generating domain default profile with Samba

Ran into a problem generating a profile for new domain users. I created the user's home folder directly on the Samba box. But the NT 4.0 driven domain could not create a profile for them, because the "Domain Admin" didn't have permission to write to the user's \\sambaserver\home\username\ folder. So I need to determine what domain account "writes" the \\PDC\NETLOGON\Default User folder to the user's domain profile location. And map that Windows user to a Unix user. Or maybe there is another workaround, because I was trying to avoid making privileged Windows users have privilege on the Unix side of things.

Windows XP domain issues.

I saw three major issues trying to add an XP Pro laptop to our NT 4.0 domain yesterday. Some of these may be caused by browsing problems.

1) During the first attempt to log on, a message popped up about "creating browse list". Though the main domain appeared immediately, it was apparently having problems reaching our trusted offsite domain. The dialog did not have a cancel button, and after 15 minutes of hard drive activity, didn't time out either. Ctrl+Alt+Del allowed a reboot, and after several reboots and dickering around (I'm not sure what changed or what worked) it allowed us to log on to the computer. During this time, even the local accounts could not be used, because the "browse list" message couldn't be cancelled.

2) File synchronization was a major annoyance. All mapped drives wanted to attempt synchronization- as though they were actually local files. This appears to have nothing to do with the Windows profile.

3) Windows profiles could not be loaded until the user was the NTFS owner of their profile folder. I never saw this behavior in Win2K.

These three out-of-box annoyances have nixed my desire to experiment with XP on lab computers. The synch really should be disabled by default, or have an obvious context-menu way to disable.

Friday, June 13, 2003

Simple "backup" on a closed network.

We host a small network that is off the Internet, controlled through its own private switch. Five W2K workstations, a dozen users and a Samba fileserver/domain controller. They've got a big disk array which is not RAID'ed. The goal of the network is to make it as self-sufficient as possible. I worked out a super-simple backup scheme to protect their data, and it can be used from Windows without logging on to the server.

Each physical disk is mounted under a samba share called "data". Another disk is mounted in the same folder, as a hidden directory.

\\server\data
- county (physical disk 1)
- general (physical disk 2)
- .county-backup (disk to mirror county)
- .general-backup (disk to mirror general)


The script uses the cp command to synch the data on the disks each night:

cp --archive -u -v county/* .county-backup/ >> .backup.log 2>&1
cp --archive -u -v general/* .general-backup/ >> .backup.log 2>&1

If a user needs to get yesterday's version of a file, they turn on hidden file viewing in Windows (My Computer -> Tools -> Folder Options -> View -> Show Hidden Files and Folders). Then they can navigate the path to the data. The cp --archive command preserves the permissions on the disk that is being synced.
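A fuller version of the nightly job, added here as an example and not the script from this post. The function names, the REQUIRE_MOUNT switch and the --run argument are assumptions; the directory names and .backup.log come from the layout above.

```shell
#!/bin/bash
# Added example, not the original script. Function names, REQUIRE_MOUNT
# and the --run argument are assumptions made for illustration.

# mirror_disk SRC DST LOG
# Copies new/changed files from SRC into DST like the nightly cp job, but:
#  - copies "SRC/." so top-level dotfiles are included (SRC/* skips them)
#  - refuses to run if DST is not a mounted filesystem, so a failed mount
#    does not silently put the "backup" on the wrong disk
#  - writes timestamped start/end lines and the cp exit status to LOG
mirror_disk() {
    local src=$1 dst=$2 log=$3 rc
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "$(date '+%F %T') SKIP $src -> $dst: missing directory" >> "$log"
        return 2
    fi
    if [ "${REQUIRE_MOUNT:-1}" = 1 ] && ! mountpoint -q "$dst"; then
        echo "$(date '+%F %T') SKIP $src -> $dst: backup disk not mounted" >> "$log"
        return 3
    fi
    echo "$(date '+%F %T') START $src -> $dst" >> "$log"
    cp --archive -u -v "$src/." "$dst/" >> "$log" 2>&1
    rc=$?
    echo "$(date '+%F %T') END $src -> $dst rc=$rc" >> "$log"
    return "$rc"
}

# Run both mirrors from the share root; returns non-zero if either failed.
nightly_backup() {
    local root=$1 failed=0 name
    for name in county general; do
        mirror_disk "$root/$name" "$root/.$name-backup" "$root/.backup.log" || failed=1
    done
    return "$failed"
}

# Invoke from cron as: backup.sh --run /path/to/data   (placeholder path)
if [ "${1:-}" = "--run" ]; then
    nightly_backup "${2:?share root required}"
fi
```

Because cp --archive carries the permissions over, anyone who can change a file on the live disk can also change its copy in the hidden backup directory. cp -u also never removes files from the mirror, so deleted files stay in the backup until someone cleans them up.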


Monday, June 09, 2003

Loading roaming profiles.

The problem- "Windows cannot locate your roaming profile and is logging you on with a temporary profile" error was fixed by updating the workstation to SP3. Closest match to the problem I could find was a support.microsoft.com document which suggested SP3 if the (assumed to be Windows server) was running services for Macintosh. What would the link be between Samba and Windows services for Mac, I wonder? There may not be any.

The article pinned the problem on synching or locking the data in the profile. Of course, I cannot find the article again.


Friday, June 06, 2003

Problem: Local vs. Roaming Profiles

Migrated another user to the new server. They reported an error loading the profile. Accessing their profile folder was fine, once they were logged on with the temporary domain profile. But this info would load at login time. The perms looked right on the server.

Tried changing their account back to the old server. Same problem. It's like the problem cropped up once they were moved. The problem appears to be with the workstation, not the server.

Investigating the c:\documents and settings folder, the only valid looking profile folder was called username.bak. Like the original c:\documents and settings\username folder was renamed. In Control Panel -> System -> User Profiles, the user was listed as having a local, not a roaming profile. We must have changed her to speed logins. In fact, I've got a good memory of doing it myself.

But how to get that user back into their profile? Using Windows to copy the data to the new server location didn't do it. It's like they've been banned from their locally cached folder. When I looked at the ACL for c:\docu and set\username.bak, I only saw SIDs, like the ACLs were corrupted. But how would that happen?

Wednesday, June 04, 2003

Scheduling perl scripts solved.

Two Issues:
1) at.exe is extremely touchy about how it is invoked. I had got the best results using UNC paths (I run perl over a network share). The missing step is that I had to run the job through the cmd prompt, interactively, even though there wasn't going to be any user input.

This scheme worked:
at 23:00 /interactive cmd /c "\\appserver\perl$\bin\perl.exe \\scriptserver\script$\backup.pl \\scriptserver\script$\users.txt"

backup.pl being my script which launches ntbackup.exe, among other things, and users.txt file being the name of the file containing the logins to backup.

2) The other issue was my perl script, which had several system() calls that plugged info into various Windows commands. I had to play with various quotes and backslashes to get it to run within the at job. This modified script still runs interactively- at.exe was just less forgiving when interpreting some of the system calls.



Tuesday, June 03, 2003

SMB authentication.

Those settings for the smb auth are stored in a file /etc/pam_smb.conf, not in /etc/pam.d

Also, the server names cannot be fully qualified, i.e.: mypdc.env.duke.edu.

SMB authentication for SSH.

Used /etc/pam.d/authconfig to add the smb authentication via our Windows domain to our test Linux server. Now, if a locally similar account exists on that box, a user can ssh to the box with their Windows credentials. If they do not have a home directory on the box, then they are logged on (presumably because they exist in /etc/passwd/) but they get an error message and land in the / directory.

This means that our users could have sftp access to their data without ever having a local password on the box.

