If you configure a Mac OS X Server to act as a Windows Domain Member of another Mac OS X Server running as a Windows Primary Domain Controller, Profiles cannot be stored on the Domain Member.
Symptom
You can configure a User account in Workgroup Manager to store a Profile on a Mac OS X Server acting as a Windows Domain Member. When a user in this configuration authenticates from a Windows workstation to a Mac OS X Server running as a Windows Primary Domain Controller, the Windows computer will attempt to access the Profile share point that resides on the Windows Domain Member. In a default configuration, accessing this share point will fail.
Solution
There are a few reasons that Windows clients will fail to access the Profile share point that resides on the Windows Domain Member Server.
The first reason is that the share point is not automatically created on the Windows Domain Member Server. In order to allow Windows clients to access the Profile share point, one must first create the Profile directory and then create a share point of the directory.
This article assumes that in Workgroup Manager you have set your User's Profile location as: \\<domain member server netbios name>\<share point>\<optional path to subfolder>\<User Name>
To create the Profile directory on the Windows Domain Member Server, execute this command:
sudo mkdir -p -m 770 <Path to Profile share point>/<optional path to subfolder>
If asked to authenticate, enter your admin account password.
Next, change the ownership on the new directory:
sudo chown -R root:staff <Path to Profile share point>
If asked to authenticate, enter your admin account password.
Next, on the Windows Domain Member Server, as root, add the following lines to the end of /etc/smb.conf:
[profiles]
path = <Path to Profile share point>
oplocks = yes
strict locking = no
read only = no
browseable = no
Last, on the Windows Domain Member Server, restart Windows Services in Server Admin.
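One way to script the directory, ownership and smb.conf steps above, as an added example rather than Apple's own procedure; the function names and the share path /Users/Shared/Profiles are assumptions, and the parameters let it be tried on a scratch directory first:

```shell
#!/bin/sh
# Added example, not part of the Apple article: carries out the article's
# directory, ownership and smb.conf steps for the Profile share point, with
# the share path, owner and config file given as parameters (so it can be
# tried on a scratch directory before touching /etc/smb.conf as root).

# create_profile_dir DIR OWNER:GROUP
# mkdir -p -m 770 and chown -R, as in the article, then confirm the mode.
create_profile_dir() {
    mkdir -p -m 770 "$1" || return 1
    chown -R "$2" "$1" || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwxrwx---" ]
}

# profiles_stanza PATH -- the [profiles] share definition from the article.
profiles_stanza() {
    printf '[profiles]\npath = %s\noplocks = yes\nstrict locking = no\n' "$1"
    printf 'read only = no\nbrowseable = no\n'
}

# has_profiles_share CONF -- true if CONF already defines a [profiles] share.
has_profiles_share() {
    grep -q '^[[:space:]]*\[profiles\]' "$1" 2>/dev/null
}

# add_profiles_share CONF PATH
# Refuses to publish a share whose directory does not exist (the article's
# first failure cause) and never appends a second [profiles] section.
add_profiles_share() {
    [ -d "$2" ] || return 1
    has_profiles_share "$1" && return 0
    profiles_stanza "$2" >> "$1"
}

# On the Domain Member server (example path; run with sudo, then restart
# Windows Services in Server Admin):
#   create_profile_dir /Users/Shared/Profiles root:staff
#   add_profiles_share /etc/smb.conf /Users/Shared/Profiles
```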
The second reason that Windows clients will fail to access the Profile share point that resides on the Windows Domain Member Server is that specific versions of Windows require a security descriptor to be sent to the server hosting the profile. The versions of Windows that require the security descriptor are Windows 2000 with Service Pack 4 and Windows XP with Service Pack 1. Perform the following steps on the Windows machines to disable the requirement for a security descriptor to be sent to the server hosting the profile.
Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon
If running Windows XP with Service Pack 1:
Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > User Profiles