[Samba] Controlling use of roaming profiles

Andrew Bartlett abartlet at samba.org
Wed Feb 5 12:15:31 GMT 2003


On Wed, 2003-02-05 at 12:20, John H Terpstra wrote:
> On Wed, 5 Feb 2003, Jonathan Gowland wrote:
> 
> > We are using a system running Red Hat Linux 7.0 with Samba 2.2.7a as
> > our PDC.
> >
> > For the most part, we want to use roaming profiles, so that users'
> > settings are backed up via the PDC, and are available if they need to
> > change or reinstall their Windows desktop machine.  However, there are
> > a few Windows systems (running NT 4.0 or Windows 2000) for which
> > we would like to be able to disable roaming profiles.
> >
> > Atlas is a system running Windows 2000 server.  It is a member of the
> > domain.
> >
> > On a system running Windows NT 4.0 Terminal Server edition I did the
> > following:
> >
> > - Logged on as local administrator.
> >
> > - Ran poledit.exe.
> >
> > - Added machine Atlas.
> >
> > - Double-clicked Atlas icon.  Under "Windows NT User Profiles"->"Choose
> >    profile default operation", selected "Use local profile".
> >
> > - Saved as NTConfig.pol and copied to the root directory of the netlogon
> >     share.
> >
> > When a user does a domain logon on Atlas, the Samba log log.atlas does
> > not show NTConfig.pol being accessed.  When the user logs off, updates
> > to the user's profiles are saved.
> >
> > Agrigento is a system running Windows 2000 Workstation, and is also a
> > member of the domain.  I ran poledit.exe as above, but added a computer
> > entry for Agrigento, and saved NTConfig.pol.
> >
> > When a user does a domain logon on Agrigento, the Samba log
> > log.agrigento shows NTConfig.pol being accessed. However, when the user
> > logs off, updates to the user's profiles are saved, so the policy change
> > in NTConfig.pol seems to have no effect.
> 
> You need to make the profile a mandatory profile if you want it to be
> read-only. The procedure is documented in the NT4/Win2K Server Resource
> kits.

If you want a 'real' read only profile, look into the
'vfs_fake_perms.so' VFS module in Samba HEAD.  It fakes up the
permissions on the files being sent to the client, so that you don't
need to keep them read/write on the server.

> >
> > So what am I doing wrong?  Is it possible to disable the use of roaming
> > profiles on a per-machine basis?  (I've been told that you can do this
> > on a per-account basis, but this is not appropriate for our needs.)
> 
> By default all MS Windows roaming profiles are 'user' centric. I do not
> know of a way to do this on a 'machine-of-origin' basis. I am working on
> this for a presentation at the SambaXP conference so I am interested in
> any of your findings.

I was thinking we could play silly buggers with %m to allow this - have
the PDC return different profile paths.  The interesting case here is
getting this to work when samba is acting as a trusted domain.

(BTW, Samba 3.0 works very nicely being trusted by NT4 at my site).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net