[Samba] logon drive, ldap ssl = start_tls, ssh and client/server encryption (and logon.bat permission tip)

[Paul Henry]

Dear list, 

More questions on my PDC travels ;-)

1. Is it ok, with roaming profiles on, to leave "logon drive = "
empty, as this drive seems to be confusing users?

2. All my ldap stuff is using tls, and I just want to confirm that
"ldap ssl = start_tls" is looking in /etc/ldap.conf for certificate
locations etc.?

3. Is all traffic between Windows clients and the Samba server
encrypted, or can this be done/how?

4. Nowhere in Samba How-To or Samba-Guide did it say that the
logon.bat (logon script, whatever you wish to name it) should be
permission 744, i.e. chmod 744 could we add this?

5. Why do you need to ldap enable sshd via pam? This lets any domain
user log into the server. I think this is a bad idea, unless you are
providing shell access for some reason?

Thanks for your time,

Paul.