The Samba-Bugzilla – Bug 3042
NT Policies are not downloaded to clients
Last modified: 2005-11-18 11:57:25 UTC
Tested on Fedora 4 binaries.
Steps to reproduce:
1. Install/upgrade to 3.0.20
2. Set up [netlogon] share with ntconfig.pol file for NT/2000/XP policies
3. Configure clients to download policies from server
Result: Clients ignore policies
Downgrading to 3.0.14a seems to fix the problem.
Reading through the smbd logs shows that the NTCONFIG.POL is being downloaded by
the client. Any possible reason the client isn't applying the group policies? If
more information is needed (e.g. logs, configs, etc.), please ask.
If the ntconfig.pol is being downloaded by the client, then
we've done our part. I'm not sure where to go with this one.
Has anyone been able to reproduce the problem on 3.0.20? I was only led to
believe it must be Samba because downgrading to 3.0.14a fixes the problem every
time. I have approx. 100 Win2000 clients from different installations that all
behave the same way, so I'm almost certain it's not a problem on the client side
unless it's specifically related to Win2000.
The Win2000 clients are all running SP4 with the Update Rollup. Is there an
issue between 3.0.20 and these updates possibly?
I'll burn some more cycles on this but as yet have not been
able to reproduce it and no one else has reported it. What
server OS are you running on?
I'm running Fedora Core 4 on two IBM x205's as Samba PDC and BDC with OpenLDAP.
We also have the same problem since we upgraded our 3.0.5 to 3.0.20.
We use rhes3.0 + Samba from http://ftp.sernet.de/pub/samba/rhel/rhel3
(with openldap, nss_ldap, ldap_pam).
We use policies for Win2k and WinXP clients.
It only happens on Win2k installations and it does not depend on
any service packs or hotfixes.
We can reproduce it with every Win2k station at one location.
At the other location we still have a logon server with an older Samba version an
It appears the problem might be fixed in 3.0.20b, can anyone confirm this?
(In reply to comment #7)
> It appears the problem might be fixed in 3.0.20b, can anyone confirm this?
I upgraded to 3.0.20b at the weekend.
It didn't change anything.
Policies still don't work when the policy is downloaded from the new Samba version.
When the policy was downloaded from Samba 3.0.10, everything works fine.
I think there has to be something different between 3.0.10 and 3.0.20xx.
69669: WINLOGON.EXE:180 OpenKey
HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
69670: WINLOGON.EXE:180 OpenKey
69671: WINLOGON.EXE:180 QueryValue
69672: WINLOGON.EXE:180 CloseKey
69673: WINLOGON.EXE:180 CloseKey
69674: WINLOGON.EXE:180 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon SUCCESS Access: 0x20019
69675: WINLOGON.EXE:180 QueryValue HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\PolicyHandler NOT FOUND
69676: WINLOGON.EXE:180 CloseKey HKLM\Software\Microsoft\Windows
69677: WINLOGON.EXE:180 LoadKey HKU\AdminConfigData (164746) INVALID PARAMETER
\\??\C:\Dokumente und Einstellungen\moserger.LISEC\prf3.tmp
Could it be something about rights?
Because I noticed that:
.) when I copy the file from an older Samba version's netlogon share,
the ntconfig.pol on Win2k is locally read-write
.) when the ntconfig.pol is copied from a Samba 3.0.20 netlogon share,
the file is stored locally as read-only!!
The shares on both servers are identical and the unix rights are the same too.
path = /work/server/netlogon
browseable = yes
read only = yes
write list = @admin Administrator
create mask = 0755
directory mask = 0755
I also noticed that the prfxx.tmp files could not be deleted locally by the user
because of the read-only flag.
I changed the rights of the file on the netlogon share
experimentally to 777 and ntconfig.pol is working now.
Was there something changed in 3.0.20 and the netlogon share defaults?
Or is there a new parameter for read-only flags?
Don't know why it didn't happen on WinXP.
When I copied the file there it was read-only too!
But policies worked.
I think for my case it works.
Try setting "acl check permissions = no", I suspect that will fix it. This has
been fixed in a different way for 3.0.21.
We had the same problem since .20, "RegLoadKey failed with invalid parameter"
in the W2K logs and tons of prf*.tmp files in the profiles.
"acl check permissions = no" fixed it.
We will try this parameter today.
Why is "acl check permissions = no" not documented in the smb.conf man page?
Only in the release notes is there something about this parameter.
I think it would be helpful for other people to know the association with
policy and Win2k.
Tests were successful.
With "acl check permissions = no", policy download
and regload on Win2k clients work.
xpxp2002: was the problem gone when you upgraded to 3.0.20b?
Don't know if this is really a bug or only some undocumented
I had some issues with user accounts I created on 3.0.20b before, but did some
additional testing just now and the policies only seem to download to Win2K with
the "acl check permissions = no" set on the [netlogon] share.
I also had this issue in 3.0.20.
I paste it here in case someone looks for it in the future - same symptoms, and in the event log it was as eventid: 1000, source: uservenv, and in the log itself it says something like (translated from German):
RegLoadKey aborted. Returned value "False Parameter." for C:\Documents and Settings\Administrator.DOMAIN\prfCA.tmp
"acl check permissions = no" entry in [netlogon] definition seem to fix the NTConfig.POL issue for Windows 2000.
I did further investigation, and it seems that for some reason it's impossible to import any .pol file from the netlogon share using regedt32.exe.
Making the [netlogon] share writable also seems to fix the issue :)
This really just boils down to whether or not the ntconfig.pol
file shows the read-only DOS attribute as being set. Check
the file properties as a user that is having problems. There
were some changes recently in this space.
So the resolution is to either
(a) use EAs (i.e. store dos attributes = yes), and make sure the
read-only flag is not set, or
(b) set 'acl check permissions = no' (in <= 3.0.14a), or
(c) in 3.0.21, use 'map readonly = yes' to get the previous behavior
of looking at the owner's 'w' bit for the readonly attribute value.
Windows apparently has some problems with any regf-based file
(ntconfig.pol, ntuser.dat, etc...) that has the ReadOnly bit set.
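As an added diagnostic (not from this bug thread and not Samba project code), the following POSIX shell script reports, for a file on the netlogon share, how the DOS ReadOnly attribute would come out under the two mappings described in the resolution above: the owner 'w' bit mapping (the pre-3.0.20 behaviour, 'map readonly = yes' in 3.0.21) and the access-based mapping that 3.0.20's 'acl check permissions' applies, plus the EA that 'store dos attributes = yes' would consult. It assumes GNU or BSD stat(1), getfattr(1) from the attr package, and that the EA is named user.DOSATTRIB; the paths and user name in the comments are placeholders, and the temporary file it creates when run without arguments is a constructed demo input.

```shell
#!/bin/sh
# Added diagnostic for Samba bug 3042 (not part of the bug thread or of Samba).
# Run on the Samba server as the unix account of the user whose Win2k client
# fails to load ntconfig.pol, for example (placeholder names):
#   su - jdoe -c '/usr/local/sbin/polcheck.sh /work/server/netlogon/ntconfig.pol'
# Assumptions: GNU or BSD stat(1); getfattr(1) from the attr package; the EA
# used by "store dos attributes = yes" is user.DOSATTRIB.

# Octal permission bits of FILE, e.g. 755 (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Owner-bit mapping: ReadOnly is set iff the owner's w bit is clear.
# Prints "readonly" or "writable".
readonly_by_owner_bit() {
    mode=$(file_mode "$1")
    # Leading 0 makes the shell parse the digits as octal; the owner triplet is
    # bits 6-8, so divide by 64 and keep the low three bits.
    owner=$(( (0$mode / 64) % 8 ))
    if [ $(( owner & 2 )) -ne 0 ]; then echo writable; else echo readonly; fi
}

# Access-based mapping ("acl check permissions" in 3.0.20): ReadOnly is set iff
# the *calling* user cannot write the file. For a 0755 file owned by root that
# is every ordinary domain user, which is what the reporters hit.
readonly_by_access() {
    if [ -w "$1" ]; then echo writable; else echo readonly; fi
}

# Attribute stored in the EA, if the share uses "store dos attributes = yes".
stored_dos_attrib() {
    getfattr -n user.DOSATTRIB --only-values "$1" 2>/dev/null || echo "(none)"
}

report() {
    f=$1
    printf '%s\n  unix mode: %s\n  owner-bit mapping: %s\n  access mapping (as %s): %s\n  user.DOSATTRIB: %s\n' \
        "$f" "$(file_mode "$f")" "$(readonly_by_owner_bit "$f")" "$(id -un)" \
        "$(readonly_by_access "$f")" "$(stored_dos_attrib "$f")"
}

# With no arguments, demonstrate on a constructed temporary file: 0755 (the
# reporters' mask) versus 0555.
if [ $# -eq 0 ]; then
    tmp=$(mktemp)
    chmod 0755 "$tmp"; report "$tmp"
    chmod 0555 "$tmp"; report "$tmp"
    rm -f "$tmp"
else
    for f in "$@"; do report "$f"; done
fi
```

If the owner-bit mapping says "writable" but the access mapping run as the affected user says "readonly", you are looking at exactly the 3.0.20 change this bug is about, and either 'acl check permissions = no' or a writable file (or 'map readonly = yes' on 3.0.21) will make the client see the file without the ReadOnly bit.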
#17: did you mean by:
(b) set 'acl check permissions = no' (in <= 3.0.14a)
that I should put this entry in all Sambas later than 3.0.14a (that is, in all Sambas 3.0.14a and lower, this entry is not needed, as according to smb.conf it was first introduced in 3.0.20?)