Tested on Fedora 4 binaries.
Steps to reproduce:
1. Install/upgrade to 3.0.20
2. Set up [netlogon] share with ntconfig.pol file for NT/2000/XP policies
3. Configure clients to download policies from server
Result: Clients ignore policies
Downgrading to 3.0.14a seems to fix the problem.
Reading through the smbd logs shows that the NTCONFIG.POL is being downloaded by the client. Any possible reason the client isn't applying the group policies? If more information is needed (e.g. logs, configs, etc.), please ask.
If the ntconfig.pol is being downloaded by the client, then we've done our part. I'm not sure where to go with this one.
Has anyone been able to reproduce the problem on 3.0.20? I was only led to believe it must be Samba because downgrading to 3.0.14a fixes the problem every time. I have approx. 100 Win2000 clients from different installations that all behave the same way, so I'm almost certain it's not a problem on the client side unless it's specifically related to Win2000. The Win2000 clients are all running SP4 with the Update Rollup. Is there an issue between 3.0.20 and these updates possibly?
I'll burn some more cycles on this but as yet have not been able to reproduce it and no one else has reported it. What server OS are you running on?
I'm running Fedora Core 4 on two IBM x205's as Samba PDC and BDC with OpenLDAP.
We also have the same problem since we upgraded our 3.0.5 to 3.0.20. We use rhes3.0 + samba from http://ftp.sernet.de/pub/samba/rhel/rhel3 (with openldap nss_ldap ldap_pam). We use policies for win2k and winxp clients. It only happens on win2k installations and it does not depend on any service packs or hotfixes. We can reproduce it with every win2k station at one location. On the other location we still have a logon server with an older samba version and policies work.
It appears the problem might be fixed in 3.0.20b, can anyone confirm this?
(In reply to comment #7)
> It appears the problem might be fixed in 3.0.20b, can anyone confirm this?
I upgraded to 3.0.20b at the weekend. Didn't change anything. Policies still don't work when policy is downloaded from new samba version. When policy was downloaded from samba 3.0.10 then everything works fine. I think there has to be something different between 3.0.10 and 3.0.20xx
regmon:
69669: WINLOGON.EXE:180 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
69670: WINLOGON.EXE:180 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
69671: WINLOGON.EXE:180 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "SEFIT08"
69672: WINLOGON.EXE:180 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
69673: WINLOGON.EXE:180 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
69674: WINLOGON.EXE:180 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x20019
69675: WINLOGON.EXE:180 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PolicyHandler NOT FOUND
69676: WINLOGON.EXE:180 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
69677: WINLOGON.EXE:180 LoadKey HKU\AdminConfigData (164746) INVALID PARAMETER \\??\C:\Dokumente und Einstellungen\moserger.LISEC\prf3.tmp
Could it be something about rights? Because I noticed that:
.) when I copy the file from an older samba version netlogon share, the ntconfig.pol on win2k locally is read-write
.) when the ntconfig.pol is copied from a samba 3.0.20 netlogon share, the file is stored read-only locally!!
The shares on both servers are identical and the unix rights are the same too.
[netlogon]
path = /work/server/netlogon
browseable = yes
read only = yes
write list = @admin Administrator
create mask = 0755
directory mask = 0755
I also noticed that the files prfxx.tmp could not be deleted locally by the user, because of the read-only flag.
OK, changed the rights of the file on the netlogon share experimentally to 777 and ntconfig.pol is working now. Was there something changed in 3.0.20 and the netlogon share defaults? Or is there a new parameter for read-only flags? Don't know why it didn't happen on winxp. When I copied the file it was read-only too! But policies worked. I think for my case it works.
Try setting "acl check permissions = no", I suspect that will fix it. This has been fixed in a different way for 3.0.21. Jeremy.
We had the same problem since .20, "RegLoadKey failed with invalid parameter" in the W2K logs and tons of prf*.tmp files in the profiles. "acl check permissions = no" fixed it. Thanks Daniel
We will try this parameter today. Why is "acl check permissions = no" not documented in the smb.conf man page? Only in the release notes is there something about this parameter. I think it would be helpful for other people to know the association with policy and win2k.
Tests were successful. With "acl check permissions = no", policy download and regload on win2k clients work. xpxp2002: was the problem gone when you upgraded to 3.0.20b? Don't know if this is really a bug or only some undocumented upgrade steps?
I had some issues with user accounts I created on 3.0.20b before, but did some additional testing just now and the policies only seem to download to Win2K with the "acl check permissions = no" set on the [netlogon] share.
I also had this issue in 3.0.20. I paste it here in case someone looks for it in the future - same symptoms, and in the event log it was as eventid: 1000, source: uservenv, and in the log itself it says something like (translated from German):
RegLoadKey aborted. Returned value "False Parameter." for C:\Documents and Settings\Administrator.DOMAIN\prfCA.tmp
The "acl check permissions = no" entry in the [netlogon] definition seems to fix the NTConfig.POL issue for Windows 2000. I did further investigation, and it seems that for some reason it's impossible to import any .pol file from the netlogon share using regedt32.exe. Making the [netlogon] share writable also seems to fix the issue :)
This really just boils down to whether or not the ntconfig.pol file shows the read only DOS attribute as being set. Check the file properties as a user that is having problems. There were some changes recently in this space. So the resolution is to either
(a) Use EA's (i.e. store dos attributes = yes), and make sure the read only flag is not set, or
(b) set 'acl check permissions = no' (in <= 3.0.14a)
(c) in 3.0.21, use 'map readonly = yes' to get the previous behavior of looking at the owner's 'w' bit for the readonly attrib value
Windows apparently has some problems with any regf based file (ntconfig.pol, ntuser.dat, etc...) that has the ReadOnly bit set.
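A server-side check for the condition described in the comment above, as an added example that is not part of the original thread or of Samba. It walks a netlogon directory, finds regf-based files by their 4-byte signature, and reports which ones have the owner 'w' bit clear (the bit that comment ties to the read-only attribute) or are world-writable, as the 777 workaround earlier in the thread leaves them. The function names and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

REGF_MAGIC = b"regf"  # signature at offset 0 of registry hive files

def is_regf(path):
    """True when the file starts with the registry hive signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == REGF_MAGIC
    except OSError:
        return False

def audit_share(root):
    """Return {relative_path: [findings]} for every regf file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_regf(path):
                continue
            mode = os.stat(path).st_mode
            findings = []
            if not mode & stat.S_IWUSR:
                # Assumption: owner 'w' bit -> read-only attribute, per the thread
                findings.append("readonly-attr")
            if mode & stat.S_IWOTH:
                # Any local account could replace the policy file
                findings.append("world-writable")
            report[os.path.relpath(path, root)] = findings
    return report

def build_sample_share(root):
    """Constructed sample data: two fake hives and one unrelated file."""
    samples = {
        "NTCONFIG.POL": (b"regf" + b"\0" * 28, 0o444),
        "loose.pol": (b"regf" + b"\0" * 28, 0o777),
        "logon.bat": (b"@echo off\r\n", 0o755),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        for rel, findings in sorted(audit_share(share).items()):
            print(rel, findings or ["ok"])
```

A policy file with mode 0644 produces no findings: the owner can write it, so it is not mapped to read-only, and other accounts cannot modify it.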
#17: did you mean by: (b) set 'acl check permissions = no' (in <= 3.0.14a) that I should put this entry in all Sambas later than 3.0.14a (that is, in all Sambas 3.0.14a and lower, this entry is not needed, as according to smb.conf it was first introduced in 3.0.20?)