Bug 3042 - NT Policies are not downloaded to clients
Summary: NT Policies are not downloaded to clients
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.20
Hardware: x86 Windows 2000
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Depends on:
Reported: 2005-08-25 05:38 UTC by xpxp2002
Modified: 2005-11-18 11:57 UTC

See Also:


Description xpxp2002 2005-08-25 05:38:21 UTC
Tested on Fedora 4 binaries.
Steps to reproduce:
1. Install/upgrade to 3.0.20
2. Set up [netlogon] share with ntconfig.pol file for NT/2000/XP policies
3. Configure clients to download policies from server
Result: Clients ignore policies

Downgrading to 3.0.14a seems to fix the problem.
Comment 1 xpxp2002 2005-08-29 09:54:14 UTC
Reading through the smbd logs shows that the NTCONFIG.POL is being downloaded by
the client. Any possible reason the client isn't applying the group policies? If
more information is needed (e.g. logs, configs, etc.), please ask.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-09-22 04:41:06 UTC
if the ntconfig.pol is being downloaded by the client, then
we've done our part.  I'm not sure where to go with this one.
Comment 3 xpxp2002 2005-09-22 12:07:36 UTC
Has anyone been able to reproduce the problem on 3.0.20? I was only led to
believe it must be Samba because downgrading to 3.0.14a fixes the problem every
time. I have approx. 100 Win2000 clients from different installations that all
behave the same way, so I'm almost certain it's not a problem on the client side
unless it's specifically related to Win2000.

The Win2000 clients are all running SP4 with the Update Rollup. Is there an
issue between 3.0.20 and these updates possibly?
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-09-22 12:28:29 UTC
I'll burn some more cycles on this but as yet have not been 
able to reproduce it and no one else has reported it.  What 
server OS are you running on?
Comment 5 xpxp2002 2005-09-22 12:51:40 UTC
I'm running Fedora Core 4 on two IBM x205's as Samba PDC and BDC with OpenLDAP.
Comment 6 philipp mayrhofer 2005-10-28 04:07:22 UTC
we also have the same problem since we upgraded our 3.0.5 to 3.0.20
we use rhes3.0 + samba from http://ftp.sernet.de/pub/samba/rhel/rhel3.
(with openldap nss_ldap ldap_pam)

we use policies for win2k and winxp clients.
it only happens on win2k installations and it does not depend on
any service packs or hotfixes.

we can reproduce it with every win2k station at one location.
at the other location we still have a logon server with an older samba version and
policies work.
Comment 7 xpxp2002 2005-10-28 11:57:19 UTC
It appears the problem might be fixed in 3.0.20b, can anyone confirm this?
Comment 8 philipp mayrhofer 2005-11-02 02:55:33 UTC
(In reply to comment #7)
> It appears the problem might be fixed in 3.0.20b, can anyone confirm this?

i upgraded to 3.0.20b at the weekend.
didn't change anything.
policies still don't work when the policy is downloaded from the new samba version.
when the policy was downloaded from samba 3.0.10 then everything works fine.

i think there has to be something different between 3.0.10 and 3.0.20xx

69669: WINLOGON.EXE:180	OpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	SUCCESS	Access: 0x20019
69670: WINLOGON.EXE:180	OpenKey	HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	SUCCESS	Access: 0x20019
69671: WINLOGON.EXE:180	QueryValue
69672: WINLOGON.EXE:180	CloseKey	HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	SUCCESS
69673: WINLOGON.EXE:180	CloseKey	HKLM\System\CurrentControlSet\Control\ComputerName	SUCCESS
69674: WINLOGON.EXE:180	OpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	SUCCESS	Access: 0x20019
69675: WINLOGON.EXE:180	QueryValue	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PolicyHandler	NOT FOUND
69676: WINLOGON.EXE:180	CloseKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	SUCCESS
69677: WINLOGON.EXE:180	LoadKey	HKU\AdminConfigData (164746)	INVALID PARAMETER	\\??\C:\Dokumente und Einstellungen\moserger.LISEC\prf3.tmp
Comment 9 philipp mayrhofer 2005-11-04 00:45:27 UTC
could it be something about rights?

because i noticed that:
.) when i copy the file from an older samba version's netlogon share,
the ntconfig.pol on win2k is stored locally as read-write
.) when the ntconfig.pol is copied from a samba 3.0.20 netlogon share,
the file is stored locally as read-only!!

the shares on both servers are identical and the unix rights are the same too.

        path = /work/server/netlogon
        browseable = yes
        read only = yes
        write list = @admin Administrator
        create mask = 0755
        directory mask = 0755

i also noticed that the prfxx.tmp files could not be deleted locally by the user,
because of the ReadOnly flag.

Comment 10 philipp mayrhofer 2005-11-04 05:30:55 UTC
changed the rights of the file on the netlogon share
experimentally to 777 and ntconfig.pol is working now.

was something changed in 3.0.20 and the netlogon share defaults?
or is there a new parameter for readonly flags?

don't know why it didn't happen on winxp.
when i copied the file there it was readonly too!
but policies worked.

i think for my case it works.
Comment 11 Jeremy Allison 2005-11-04 09:38:00 UTC
Try setting "acl check permissions = no", I suspect that will fix it. This has
been fixed in a different way for 3.0.21.
Comment 12 Daniel Beschorner (dead mail address) 2005-11-04 16:39:44 UTC
We had the same problem since .20, "RegLoadKey failed with invalid parameter"
in the W2K logs and tons of prf*.tmp files in the profiles.
"acl check permissions = no" fixed it.

Comment 13 philipp mayrhofer 2005-11-07 00:18:38 UTC
we will try this parameter today.

why is "acl check permissions = no" not documented in the smb.conf man page?
only in the release notes is there something about this parameter.

i think it would be helpful for other people to know the association with
policies and win2k.

Comment 14 philipp mayrhofer 2005-11-07 02:34:13 UTC
tests were successful.
with "acl check permissions = no" the policy download
and regload on win2k clients work.

xpxp2002: was the problem gone when you upgraded to 3.0.20b?

don't know if this is really a bug or only some undocumented
upgrade steps?
Comment 15 xpxp2002 2005-11-07 11:25:46 UTC
I had some issues with user accounts I created on 3.0.20b before, but did some
additional testing just now and the policies only seem to download to Win2K with
the "acl check permissions = no" set on the [netlogon] share.
Comment 16 Tomasz Chmielewski 2005-11-18 06:33:43 UTC
I also had this issue in 3.0.20.
I paste it here in case someone looks for it in the future: same symptoms, and in the event log it was event id 1000, source: userenv, and in the log itself it says something like (translated from German):

RegLoadKey aborted. Returned value "False Parameter." for C:\Documents and Settings\Administrator.DOMAIN\prfCA.tmp

An "acl check permissions = no" entry in the [netlogon] definition seems to fix the NTConfig.POL issue for Windows 2000.

I did further investigation, and it seems that for some reason it's impossible to import any .pol file from the netlogon share using regedt32.exe.

Making the [netlogon] share writable also seems to fix the issue :)
Comment 17 Gerald (Jerry) Carter (dead mail address) 2005-11-18 08:13:31 UTC
This really just boils down to whether or not the ntconfig.pol 
file shows the read only DOS attribute as being set.  Check 
the file properties as a user that is having problems.  There 
were some changes recently in this space.

So the resolution is to either

(a) Use EA's (i.e. store dos attributes = yes), and make sure the 
    read only flag is not set, or
(b) set 'acl check permissions = no' (in <= 3.0.14a)
(c) in 3.0.21, use 'map readonly = yes' to get the previous behavior 
    of looking at the owner's 'w' bit for the readonly attrib value

Windows apparently has some problems with any regf based file 
(ntconfig.pol, ntuser.dat, etc...) that has the ReadOnly bit set.
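A server-side check an administrator could run before clients pull the policy, added here as an example and not taken from the thread or from Samba: it lists the files under a [netlogon] directory whose owner lacks the Unix 'w' bit, the rule comment 17 gives for the ReadOnly attribute under 'map readonly = yes', and can restore that bit. The share path and the script name are assumptions; with 'store dos attributes = yes' the attribute comes from the EA instead, so this check does not apply there.

```shell
#!/bin/sh
# Added audit script; not code from the bug thread or from the Samba project.
# Comment 17 explains the failure: a file that Samba presents with the DOS
# ReadOnly attribute is stored read-only on the Windows 2000 client, and
# RegLoadKey on the prf*.tmp copy then fails with "invalid parameter".
# Rule assumed here (comment 17, option c): ReadOnly is derived from the
# Unix owner's 'w' bit.  Assumption: "store dos attributes" is off, otherwise
# the attribute lives in the user.DOSATTRIB EA and this check is not relevant.

# Print every regular file under $1 whose owner write bit is clear.
readonly_candidates() {
    [ -d "$1" ] || return 2
    find "$1" -type f ! -perm -200 -print
}

# Return 0 when nothing under $1 would be exposed as ReadOnly, 1 otherwise
# (the offending paths are listed on stderr).
audit_netlogon_readonly() {
    count=$(readonly_candidates "$1" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        echo "files Windows will see as ReadOnly under $1:" >&2
        readonly_candidates "$1" >&2
        return 1
    fi
    return 0
}

# Give the owner the write bit back on every offending file.  This is the
# narrow form of the "chmod 777" workaround from comment 10: only the owner
# bit is needed under the rule above, so nothing becomes world-writable.
fix_netlogon_readonly() {
    find "$1" -type f ! -perm -200 -exec chmod u+w {} +
}

# Usage (hypothetical script name): sh audit_netlogon.sh /work/server/netlogon [--fix]
if [ "$#" -ge 1 ]; then
    if ! audit_netlogon_readonly "$1" && [ "$2" = "--fix" ]; then
        fix_netlogon_readonly "$1"
    fi
fi
```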
Comment 18 Tomasz Chmielewski 2005-11-18 11:57:25 UTC
#17: did you mean by:

(b) set 'acl check permissions = no'  (in <= 3.0.14a)

that I should put this entry in all Sambas later than 3.0.14a (that is, in all Sambas 3.0.14a and lower, this entry is not needed, as according to smb.conf it was first introduced in 3.0.20?)