[Samba] Controlling use of roaming profiles
Andrew Bartlett
abartlet at samba.org
Wed Feb 5 12:15:31 GMT 2003
On Wed, 2003-02-05 at 12:20, John H Terpstra wrote:
> On Wed, 5 Feb 2003, Jonathan Gowland wrote:
>
> > We are using a system running Red Hat Linux 7.0 with Samba 2.2.7a as
> > our PDC.
> >
> > For the most part, we want to use roaming profiles, so that users'
> > settings are backed up via the PDC, and are available if they need to
> > change or reinstall their Windows desktop machine. However, there are
> > a few Windows systems (running NT 4.0 or Windows 2000) for which
> > we would like to be able to disable roaming profiles.
> >
> > Atlas is a system running Windows 2000 server. It is a member of the
> > domain.
> >
> > On a system running Windows NT 4.0 Terminal Server edition I did the
> > following:
> >
> > - Logged on as local administrator.
> >
> > - Ran poledit.exe.
> >
> > - Added machine Atlas.
> >
> > - Double-clicked Atlas icon. Under "Windows NT User Profiles"->"Choose
> > profile default operation", selected "Use local profile".
> >
> > - Saved as NTConfig.pol and copied to the root directory of the netlogon
> > share.
> >
> > When a user does a domain logon on Atlas, the Samba log log.atlas does
> > not show NTConfig.pol being accessed. When the user logs off, updates
> > to the user's profiles are saved.
> >
> > Agrigento is a system running Windows 2000 Workstation, and is also a
> > member of the domain. I ran poledit.exe as above, but added a computer
> > entry for Agrigento, and saved NTConfig.pol.
> >
> > When a user does a domain logon on Agrigento, the Samba log
> > log.agrigento shows NTConfig.pol being accessed. However, when the user
> > logs off, updates to the user's profiles are saved, so the policy change
> > in NTConfig.pol seems to have no effect.
>
> You need to make the profile a mandatory profile if you want it to be
> read-only. The procedure is documented in the NT4/Win2K Server Resource
> kits.

If you want a 'real' read only profile, look into the
'vfs_fake_perms.so' VFS module in Samba HEAD. It fakes up the
permissions on the files being sent to the client, so that you don't
need to keep them read/write on the server.

> >
> > So what am I doing wrong? Is it possible to disable the use of roaming
> > profiles on a per-machine basis? (I've been told that you can do this
> > on a per-account basis, but this is not appropriate for our needs.)
>
> By default all MS Windows roaming profiles are 'user' centric. I do not
> know of a way to do this on a 'machine-of-origin' basis. I am working on
> this for a presentation at the SambaXP conference so I am interested in
> any of your findings.

I was thinking we could play silly buggers with %m to allow this - have
the PDC return different profile paths. The interesting case here is
getting this to work when Samba is acting as a trusted domain.
(BTW, Samba 3.0 works very nicely being trusted by NT4 at my site).

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net