[Samba] Re: roaming and local profiles on same domain

Jim C. jcllings at javahop.com
Fri Jul 16 16:30:42 GMT 2004


First, there may be an account flag for this, I don't know.  You should 
investigate this. Aside from that...

A simple way to do this might be to create the user's profile directory 
and then deny the user access by changing perms/ownership.  The local 
system would then respond with "Can't find a roaming profile, using a 
local one". My users, for example, have access to 
/var/lib/samba/profiles/[username].  I create the user profile 
directories using a short script.  I have to do this because I provide 
*no* access to the root folder of the profiles share, i.e. 
/var/lib/samba/profiles is:

drwxr-xr-x  4 root root 4096 Jul 10 12:08 profiles/
instead of something like:
drwxrwxr-x  4 root Domain Users 4096 Jul 10 12:08 profiles/

Here is an example of the script:

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
.
.
.
root preexec = PROFILE="/var/lib/samba/profiles/%u"; if [ ! -e "$PROFILE" ]; \
                 then mkdir -pm700 "$PROFILE"; chown "%u":"%g" "$PROFILE"; fi

It is possible I could modify the script so that if %g (the user's group) 
is "Local Profile" then do not create the profile etc. etc.


OK, that is one angle but here is another.

From my smb.conf:
#Below is for Windows XP Pro, NT, 2K Pro
#Corresponds to userProfile in /etc/samba/smbldap_conf.pm
#which sets sambaProfilePath in the user account.
logon path = \\%L\profiles\%U

#Below is for Windows 95 style clients.
#Corresponds to userSmbHome in /etc/samba/smbldap_conf.pm
#which sets sambaHomePath in the user account.
logon home = \\%L\%U\profiles

Now I believe the settings in the user account are supposed to override 
the defaults in smb.conf *but* if the user account settings are invalid 
or blank, then the defaults in smb.conf will be used.  If this is the 
case, then you should be able to set everyone to the correct settings 
explicitly by using smbldap-tools and then comment out the defaults in 
smb.conf *or* set those defaults in smb.conf to something that is 
invalid like \\dev\null.  This way, if the user's settings are blank or 
invalid samba should default to something in the smb.conf that also 
doesn't exist which, in turn,  should result in "Can't find a roaming 
profile, using a local one".

Yet another angle:

Now remember that my users have no access to the root folder of the 
profiles share.  This means that \\SERVERNETBIOSNAME\profiles is a 
*valid* resource to which *no one* has write access.  So I might be able 
to get the results you desire by setting the individual user accounts to 
sambaProfilePath=\\SERVERNETBIOSNAME\profiles instead of 
sambaProfilePath=\\SERVERNETBIOSNAME\profiles\[username].

smbldap-useradd -a -m -F '\\SERVERNETBIOSNAME\profiles' newusername

Of course I *may* have to remove read access to the profiles directory 
for "other", I'm not sure.

In other words change
drwxr-xr-x  4 root root 4096 Jul 10 12:08 profiles/
to
drwxr-x--x  4 root root 4096 Jul 10 12:08 profiles/



Jim C.

Richard Hall wrote:

> I have samba 3 configured and running fine as a PDC with LDAP as the 
> back end user database.   I have most users using roaming profiles but 
> there are a few I would like to be able to only have local profiles.   
> Is it possible to configure samba to use both types of  profile rather 
> than one or the other.   I have the profile path set on each user 
> account in LDAP as the field  "sambaProfilePath" and I have tried 
> removing the "logon path" directive from the smb.conf file.   If I 
> remove the sambaProfilePath entry from a user record then their profile 
> still gets saved to the profile directory under what I assume is the 
> default "logon path" setting.   If I set   "logon path =" with no value 
> on the right of = then this breaks all the roaming profiles and it seems 

How does this stand up to testparm?  Does the system consider it an 
error?  I think you should probably either set it to something or 
comment it out.

> to ignore the "sambaProfilePath" set on the individual accounts.   I 
> gather there is a reg setting that I can use on each windows machine to 
> tell it to ignore roaming profiles, but I would like to do it on a per 
> user rather than per machine basis. 
> Does anyone know of a way round this?
> 
> Thanks
> Rich
> 


-- 

-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings at hotmail.com  AIM: WyteLi0n  ICQ: 123291844 	|
|---------------------------------------------------------------|
| Y!: j_c_llings               Jabber: jcllings at njs.netlab.cz	|
-----------------------------------------------------------------
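
The following is an added example, not part of the original message: one way to write the modified preexec script the post describes, which skips directory creation for users whose group is "Local Profile" and validates the username before acting as root. The script path, the function name `ensure_profile` and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Assumed wiring in smb.conf; the script path is an assumption:
#   root preexec = /usr/local/sbin/mkprofile.sh "%u" "%g"
# It runs as root on each connect to [profiles], so it checks its input.

LOCAL_GROUP="Local Profile"   # group name suggested in the post

# ensure_profile BASE USER GROUP
# returns 0 = directory ready or deliberately skipped, 1 = refused
ensure_profile() {
    base=$1 user=$2 group=$3

    # Refuse names that could escape BASE or be misread by chown.
    case $user in
        ''|.|..|*/*|*:*|-*) return 1 ;;
    esac

    # Local-profile users get no server-side directory, so the client
    # cannot find a roaming profile and uses a local one.
    if [ "$group" = "$LOCAL_GROUP" ]; then
        return 0
    fi

    dir=$base/$user
    # Never follow a symlink: chown as root would hit its target.
    if [ -L "$dir" ]; then
        return 1
    fi
    if [ -e "$dir" ]; then
        # Already present: accept only a real directory, change nothing.
        if [ -d "$dir" ]; then return 0; else return 1; fi
    fi

    # BASE must already exist (root-owned, not writable by users).
    mkdir -m 700 -- "$dir" || return 1
    chown -- "$user:$group" "$dir" || { rmdir -- "$dir"; return 1; }
}

# Act only when called with arguments, as from root preexec.
if [ "$#" -ge 2 ]; then
    ensure_profile /var/lib/samba/profiles "$1" "$2"
fi
```
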


