[Samba] few idea about dealing with "Large Roaming Profiles"

Ilia Chipitsine ilia at cgu.chel.su
Tue Feb 26 07:08:11 GMT 2002 

Well,

I put it here. All the experience gained in about-half-an-year-management
of Samba-PDC + numerous NT4 workstations is included. Also, I'd be glad to
hear from you what did I miss!

1) when NT4-workstations are organised into "domain", there's some
   action assosiated to this: "to log into domain".
   samba ain such case acts as PDC (primary domain controller),
   it does the "password checking" task

2) two things about "domain logons", well, actually three things:
   a) system policies
   b) user profile (roaming profile)
   c) logon script

when particular users logs "into domain" following occurs:

a) "registry propagation rules" apply. 
   this is called "system policies", but that is obviously less
   descriptive. WinNT registry contains HKEY_LOCAL_MACHINE and
   HKEY_CURRENT_USER branches, so you may define "system policies"
   on "per user/per machine" basis.

   tool for editing policies is called poledit.exe, 
   (run "servicepackbinary.exe /x" in order to obtain poledit.exe)

   you may either use "adm" files that are shipped with poledit.exe
   or use custom "adm" files (see examples below)

   create file "ntconfig.pol" with poledit.exe and put it to 
   "netlogon" share (that share is defined in smb.conf, see below)
   
   Default User
    |
    +-> Windows NT User Profiles
       [x] Exclude directories in roaming profile
         (Temporary Internet Files; Temp)

   Default Computer
    |
    +-> Windows NT User Profiles
       [x] Delete cached copies of roaming profiles
       [x] Choose default profile operation
           (Download profile)

   this keeps profile size from being obscene LARGE...

b) define special directory for roaming profile (see smb.conf included
   below), DO NOT put anything else into that directory (i.e. games,
   movies, songs, etc), every single byte counts!

   profile contains file NTuser.dat (which is just a registry dump)
   and numerous directories.

   if you rename NTuser.dat -> NTuser.man, such profile means "mandatory", 
   it won't be ever changed, also it won't be corrupted.
   (when profile grows large, file NTuser.dat sometimes become
   corrupted which is very bad) 
 
c) certain script is executed upon every "logon", you may put
   commands to save particular registry branches (for easier
   recovery after profile corruption)

   for example:

   regedit /e \\SOL\thebat\batsave\%UserName%-batsave.reg
      HKEY_CURRENT_USER\Software\RIT
 
  (notice that "logon script" must be edited using DOS editors!)

--addons----

1) smb.conf 

[global]
   invalid users = root
   time server = true
   workgroup = solar
   netbios name = SOL
   encrypt passwords = yes
   domain admin group = @nt_adm
   log file = /dev/null
   security = user
   interfaces = 192.168.100.1/24 192.168.200.1/24 127.0.0.1/8
   min protocol = NT1
   local master = yes
   os level = 255
   domain master = yes 
   preferred master = yes
   domain logons = yes
   logon script = s.bat

  logon path = \\%L\%U\profile
  logon home = \\%L\%U\profile

wins support = yes

[netlogon]
   path = /home/netlogon
   valid users = @users
   guest ok = yes
   read only = yes
   browseable = no


2) custom "adm" files for use with poledit.exe

a) (this is not "roaming profile" related, just to illustrate here) 

CLASS USER

CATEGORY  !!Kontur
           
 CATEGORY "MSWord - 97"
			POLICY "protect from macro-viruses"
                        KEYNAME "Software\Microsoft\Office\8.0\Word\Options"
                        VALUENAME "EnableMacroVirusProtection"
                        VALUEON "1"
                        VALUEOFF "0"
			END POLICY

			POLICY "use RTF by default"
                        KEYNAME "Software\Microsoft\Office\8.0\Word\Default Save"
                        VALUENAME "Default Format"
                        VALUEON "Rtf"
                        VALUEOFF ""
			END POLICY
 END CATEGORY


b) another "adm" example

CLASS USER

CATEGORY  "Internet Explorer 5.X"

			POLICY "enable proxy"
                        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"

                        PART "Use proxy server" CHECKBOX DEFCHECKED
                        VALUENAME "ProxyEnable"
                        VALUEON NUMERIC 1
                        VALUEOFF NUMERIC 0
                        END PART   

                        PART "address of proxy server" EDITTEXT
			VALUENAME "ProxyServer"
			END PART
                      PART "specify as proxy.domain.com:1234" TEXT END  PART


			END POLICY

			POLICY "Home page"
                        KEYNAME "Software\Microsoft\Internet Explorer\Main"
                        PART "Server" EDITTEXT
                        VALUENAME "Start Page"
                        END PART
			END POLICY


END CATEGORY

Regards, (Наилучшие пожелания)
Ilia Chipitsine (Илья Шипицин)

More information about the samba mailing list