Some users on a Windows XP Professional host are (lately) unable to use
their roaming profile. A Windows error message states that, due to a
security problem or a corrupt profile, it is unusable. A second error
message immediately following the first states that a temporary profile will
be used and that any changes will not be saved. Other users are able to log
on with their profile, but they are unable to save changes to it when
logging off (the Windows error message suggests it is bad hardware or a
network problem that prevents the write).

The PDC is running Samba version 3.0.23c-2.el5.2.0.2 on CentOS 5.0 x86_64
with kernel 2.6.18-. OpenLDAP is the backend (v 2.3.27-5).

There are no obvious error messages on the Samba server. The following
error message shows up only when the computer with problems is online:
smbd[11981]: [2007/06/14 12:34:01.108071, 0]
smbd[11981]: smbldap_open: cannot access LDAP when not root..

Typing `smbstatus` on the PDC shows that the user logging on is being denied
write access to the files in their profile. The output of smbstatus looks
something like this:
11981 510 DENY_WRITE 0x20089 RDONLY NONE

The unix permissions are "correct". No problems with other permissions from
the Windows side (i.e., writing to H:) have appeared.

Interestingly, Windows error messages regarding "unable to write file foo to
..../USER_A/windows/profile/..." appear when USER_B logs in.

Here's the Samba configuration file from the PDC (aka Asterix/ldap; there's
also a BDC named Obelix/bdc/ldap2):
# Samba config file created using SWAT
# from (
# Date: 2007/05/15 15:24:29

[global]
workgroup = FOO
server string = Primary Domain Controller
password server = *
passdb backend = ldapsam:"ldap:// ldap://"
# log level = 0
# log level = 50 passdb:50 auth:20 winbind:20
log file = /var/log/samba/%m.log
max log size = 50
debug hires timestamp = Yes
smb ports = 139
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = %U.bat
# logon path = \\%N\%U\windows\profile
logon path = \\asterix\%U\windows\profile
logon home = \\asterix\%U
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
local master = Yes
security = User
dns proxy = No
wins support = Yes
ldap admin dn = cn=ldapadmin,dc=foo,dc=com
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=foo,dc=com
ldap ssl = no
idmap backend = ldap:ldap://
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
interfaces = eth0 lo
bind interfaces only = yes
passwd chat debug = Yes
template shell = /bin/false
winbind use default domain = false

[netlogon]
path = /var/lib/samba/netlogon
browseable = No

[homes]
comment = Home Directories
read only = No
browseable = No

[<share name not in post>]
comment = stuff for everybody
path = /export/common
read only = No

[<share name not in post>]
comment = Literature repository
path = /export/papers
read only = No

[<share name not in post>]
comment = useful programs
path = /export/src
read only = No

[<share name not in post>]
comment = Administrative stuff
path = /export/admin
invalid users = user1
valid users = user2, user3
write list = user2, user3
read only = No
create mask = 0740
security mask = 0770
directory mask = 0750
directory security mask = 0700
browseable = No

[<share name not in post>]
comment = executive storage
path = /export/exec
invalid users = user1, user2
valid users = user3
read only = No
create mask = 0740
security mask = 0770
directory mask = 0750
directory security mask = 0770
browseable = No

[printers]
comment = Dell 1815dn laser printer
path = /var/spool/samba
guest ok = Yes
printable = Yes
cups options = "raw"


Thanks for your time+help!
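Added diagnostic script (not code from the original post) that checks, on the PDC, the Unix side of the profile write problem described above: for every home directory it verifies that windows/profile exists, is owned by the same account as the home directory, is writable by that owner, and is not writable by group or others. It assumes the [homes] share maps to the Unix home directory (Samba's default when [homes] sets no "path"), so "logon path = \\asterix\%U\windows\profile" lands in $HOME/windows/profile.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. Assumes [homes] maps to
# the Unix home directory and the roaming profile lives in
# $HOME/windows/profile on the server (matching the posted logon path).

# st GNU_FMT BSD_FMT PATH: portable wrapper around stat(1)
st() { stat -c "$1" "$3" 2>/dev/null || stat -f "$2" "$3"; }

# check_profile_dir BASE USER: prints one diagnosis line, returns 0 if sane.
# Return codes: 1 missing, 2 owner mismatch, 3 owner cannot write,
# 4 group/other can write (lets another account alter the profile).
check_profile_dir() {
    base=$1; user=$2; dir="$base/$user/windows/profile"
    [ -d "$dir" ] || { echo "$user: MISSING $dir"; return 1; }
    home_owner=$(st %U %Su "$base/$user")
    owner=$(st %U %Su "$dir")
    [ "$owner" = "$home_owner" ] || {
        echo "$user: $dir owned by $owner, home owned by $home_owner"
        return 2; }
    # normalise the octal mode to four digits, e.g. 700 -> 0700, 2775 stays
    mode=$(printf '%04d' "$(st %a %Lp "$dir")")
    ownr=$(printf '%s' "$mode" | cut -c2)
    group=$(printf '%s' "$mode" | cut -c3)
    other=$(printf '%s' "$mode" | cut -c4)
    [ $((ownr & 2)) -ne 0 ] || {
        echo "$user: owner cannot write $dir (mode $mode)"; return 3; }
    [ $(((group | other) & 2)) -eq 0 ] || {
        echo "$user: $dir writable by group/others (mode $mode)"; return 4; }
    echo "$user: ok (owner $owner, mode $mode)"
    return 0
}

# check_all BASE: run the check for every home directory under BASE,
# returning non-zero if any profile directory failed.
check_all() {
    base=$1; rc=0
    for home in "$base"/*/; do
        check_profile_dir "$base" "$(basename "$home")" || rc=1
    done
    return $rc
}

# usage: sh check_profiles.sh /home
if [ "$1" ]; then check_all "$1"; fi
```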
