profiles on Win2K

Jon Gerdes gerdesj at whl.co.uk
Tue Jan 8 06:44:04 GMT 2002


Ladislav

OK, you asked for it <g>. Here's a blow-by-blow account of what I do to set up a PDC with roaming profiles under Samba:

This is all on Mandrake 8.0; check binary paths.
Samba 2.2.2 compiled up from source as follows:

Make sure you have all the dependencies for PAM installed (PAM devel, etc.).

#./configure \
        --prefix=/usr \
        --with-fhs \
        --libdir=/etc/samba \
        --localstatedir=/var \
        --with-codepagedir=/usr/share/samba/codepages \
        --with-configdir=/etc/samba \
        --with-swatdir=/usr/share/swat \
        --with-quotas \
        --with-smbmount \
        --with-pam \
        --with-pam_smbpass \
        --with-syslog \
        --with-utmp \
        --with-sambabook=/usr/share/swat/using_samba

#make && make install
#mkdir -p /usr/share/samba     (if install fails at the codepages stage, then run make install again)
#mkdir -p /usr/share/swat  (might be needed before make install)
#mkdir -p /var/samba
#mkdir -p /etc/samba/private

Now here's the smb.conf:

[root@pgroupwise /root]# cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from NODDY.gkn-whl.co.uk (172.18.12.12)
# Date: 2001/08/23 11:41:28

# Global parameters
[global]
        workgroup = WHLDOM
        netbios name = WHL-PDC
        server string = Samba Server %v
        # Win2K sends NT password hashes, not plaintext; they live in smbpasswd
        encrypt passwords = Yes
        update encrypted = Yes
        # keep the Unix password in step when the SMB password is changed
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log level = 1
        log file = /var/samba/%m.log
        max log size = 50
        name resolve order = host wins bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = lpstat
        domain admin group = root, gerdesj
        # creates the machine trust account (NAME$) when a PC joins: no home dir, no shell
        add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
        logon drive = Q:
        # the PDC role: answer domain logons and win the browser elections
        domain logons = Yes
        os level = 65
        preferred master = True
        domain master = True
        wins proxy = Yes
        wins server = 172.16.40.1

# one share per user; with the 2.2 defaults (logon home = \\%N\%U,
# logon path = \\%N\%U\profile) the roaming profile lives in ~/profile
[homes]
        comment = Home Directories
        read only = No
        browseable = No

[netlogon]
        path = /home/samba/netlogon
        browseable = No

Incidentally, I don't seem to have a /home/samba directory, so you can probably ignore the [netlogon] share (Win 9x???).
Now we need a user or two:

#smbpasswd -a gerdesj    (set the password)
#smbpasswd -a root    (set password)

Get it up and running; here's my start/stop script:

[root@pgroupwise /root]# cat /etc/rc.d/init.d/smb
#!/bin/sh
#
# Startup script for SAMBA (smbd and nmbd, both detaching with -D)
#


# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting samba: "
        VARTMP=/var
        export VARTMP
        daemon smbd -D
        daemon nmbd -D
        echo
        touch /var/lock/subsys/smb
        ;;
  stop)
        echo -n "Shutting down samba: "
        killproc smbd
        killproc nmbd
        echo
        rm -f /var/lock/subsys/smb
        rm -f /var/run/samba/smb.pid
        ;;
  status)
        # status wants the process names, not the service name
        status smbd
        status nmbd
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reload)
        # smbd re-reads smb.conf on SIGHUP without dropping client sessions
        echo -n "Reloading smb.conf: "
        killproc smbd -HUP
        echo
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 1
esac

exit 0

#chmod u+x /etc/rc.d/init.d/smb
#service smb start
(don't forget to add in rc.d links for your various runlevels)

Get SWAT running:

[root@pgroupwise /root]# cat /etc/xinetd.d/swat

service swat
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/swat
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        disable                 = no
}


#service xinetd restart

... and sort out PAM so you can log in to SWAT:

[root@pgroupwise /root]# cat /etc/pam.d/samba
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth

Create a directory in the user's $HOME called profile, e.g. /home/gerdesj/profile; perhaps put it in /etc/skel and all users will get one when created under Linux.

Set up a temporary user on a PC so that it is "standard". Log out and in again as an Admin user. Make sure that you can see hidden files and directories. Right-click on My Computer, select Properties and go to the Profiles section. Copy the profile for the temporary user over the top of c:\Documents and Settings\Default User.

Right, now let's get the PC into the domain:
Go to the Network Identification tab of the My Computer properties, and click on the "Properties" button. Type in your domain name in the Member of Domain box and click on OK. You will be prompted for a username and password - THIS MUST BE ROOT !!! and of course the password you entered at the smbpasswd stage. You get the welcome box. Reboot.

On boot up, you can now log in as your non-root user; a new roaming profile will be copied up to the Linux box from the "local" Default User profile. I'm not an NT expert, so I haven't figured out how to get a "network/shared" default user profile to work yet.

NB: Make sure Win 2000 is SP2. Get the other basics right as well, e.g. DNS and WINS.

Now that should do the trick; sorry if I went into too much detail, but you should be able to exactly recreate a working system from the above. Have fun and let me know how you get on. I have around 3,500-odd NT4 PCs to look after, though we mainly use Novell for file and print. As you can imagine, getting Samba in on the act makes for some pretty impressive cost savings ...

Cheers
Jon Gerdes
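
The smb.conf in the post gets most of its PDC behaviour from Samba 2.2 defaults (there is no security, logon path or logon home line), so a working setup is easy to break by adding or dropping a single parameter. The script below is an added example, not code from Jon's post or from the Samba project: a POSIX sh checker that parses an smb.conf and reports the settings a Samba 2.2 PDC with roaming profiles depends on. The sample configs it reads are constructed from the values in the post, the pdccheck file name is arbitrary, and the defaults it assumes for 2.2 are security = user, read only = yes and logon path = \\%N\%U\profile.

```shell
#!/bin/sh
# Added example, not from the post: check an smb.conf for the settings a
# Samba 2.2 PDC with roaming profiles relies on. The sample configs below
# are constructed from the values in the post.

# get_param FILE SECTION KEY: print the value of KEY in [SECTION] (or nothing)
get_param() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            insect = (tolower(s) == tolower(sect)); next
        }
        insect && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# has_section FILE NAME: true if a [NAME] share exists
has_section() { grep -iq "^[[:space:]]*\[$2\][[:space:]]*$" "$1"; }

# is_yes VALUE: the Samba boolean spellings
is_yes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|1) return 0 ;;  *) return 1 ;;
    esac
}

# homes_writable FILE: true if [homes] can be written to. Samba's default is
# read only = yes (assumed here), so an unset value means read-only.
homes_writable() {
    ro=$(get_param "$1" homes "read only")
    if [ -n "$ro" ]; then is_yes "$ro" && return 1 || return 0; fi
    for k in writeable writable "write ok"; do
        w=$(get_param "$1" homes "$k")
        [ -n "$w" ] && { is_yes "$w" && return 0 || return 1; }
    done
    return 1
}

# check_pdc FILE: print findings; the return value is the number of failures
check_pdc() {
    f=$1; fails=0
    for key in "domain logons" "encrypt passwords" "domain master" "preferred master"; do
        if is_yes "$(get_param "$f" global "$key")"; then echo "ok    $key = yes"
        else echo "FAIL  $key is not yes"; fails=$((fails + 1)); fi
    done
    # a PDC authenticates users itself: security must be user (the assumed default)
    sec=$(get_param "$f" global security)
    case "$(printf '%s' "${sec:-user}" | tr '[:upper:]' '[:lower:]')" in
        user) echo "ok    security = user" ;;
        *) echo "FAIL  security = $sec (a PDC needs security = user)"; fails=$((fails + 1)) ;;
    esac
    # the assumed 2.2 default logon path is \\%N\%U\profile, i.e. the 'profile'
    # directory on the user's home share, which is why the post creates ~/profile
    lp=$(get_param "$f" global "logon path")
    if [ -n "$lp" ]; then echo "ok    logon path = $lp"
    else printf 'note  logon path unset; 2.2 default \\\\%%N\\%%U\\profile needs ~/profile\n'; fi
    if homes_writable "$f"; then echo "ok    [homes] is writable"
    else echo "FAIL  [homes] is read only: profiles cannot be written back at logoff"; fails=$((fails + 1)); fi
    if has_section "$f" netlogon; then echo "ok    [netlogon] share present"
    else echo "FAIL  no [netlogon] share"; fails=$((fails + 1)); fi
    return $fails
}

# write_sample_conf PATH: the post's smb.conf, trimmed to the relevant lines (constructed)
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
        workgroup = WHLDOM
        netbios name = WHL-PDC
        encrypt passwords = Yes
        add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
        logon drive = Q:
        domain logons = Yes
        os level = 65
        preferred master = True
        domain master = True

[homes]
        read only = No
        browseable = No

[netlogon]
        path = /home/samba/netlogon
        browseable = No
EOF
}

# write_broken_conf PATH: the same file with 'domain logons' and 'read only' dropped
write_broken_conf() {
    write_sample_conf "$1.tmp"
    grep -v -e 'domain logons' -e 'read only' "$1.tmp" > "$1"; rm -f "$1.tmp"
}

tmp=${TMPDIR:-/tmp}/pdccheck.$$
write_sample_conf "$tmp.good"; write_broken_conf "$tmp.bad"
echo "== smb.conf from the post"; check_pdc "$tmp.good"
echo "== without domain logons / read only = No"; check_pdc "$tmp.bad" || echo "$? problem(s)"
rm -f "$tmp.good" "$tmp.bad"
```

The second run shows the quiet failure mode: with read only left at its default, [homes] still serves the profile at logon but nothing is written back at logoff, so the roaming profile silently stops roaming. One caveat a practitioner will want that the post's own configs make visible: the xinetd stanza runs SWAT as root with no only_from line, and SWAT's login is HTTP basic auth, so anyone who can reach TCP port 901 is offered a prompt that carries the root smbpasswd password across the network in the clear; restrict it to localhost or the admin subnet.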




>>> Ladislav Kostal <ladislav.kostal at fem.uniag.sk> 08/01/2002 11:55:15 >>>
On Tue, 8 Jan 2002, Jon Gerdes wrote:

> OK, sorry. I can see what you mean. I've never tried to do a domain logon
> without roaming profiles - they just work.  As you say it is a fair
> amount of traffic but you can use the Group Policy editor to limit what
> gets copied - eg. stop the browser cache from being up/downloaded.

You have working roaming profiles??? (I mean: the user logs in, his profile is
downloaded from the server, the user changes something, logs out and the profile is
MOVED to the server, so nothing remains on the local client?) If so, could you be
so kind as to send me your smb.conf and other relevant info?

Thanks much

Ladislav Kostal




