[Samba] WinXP - Not So Roaming profile

fabricio bianco abreu fabricio at tc.df.gov.br
Thu Jun 23 19:53:47 GMT 2005

Hi folks,

I am trying to deploy an LDAP-based Samba3 PDC, migrated from an old WinNT4
domain, to support roaming profiles for new WinXP clients.

But I do not want a full roaming profile. AFAIK WinXP profiles tend to grow. If
possible, I would like to roam only the desktop settings, and maybe the
browser (IE or Firefox) configuration.

Another important piece of information (I believe) is that our WinXP is a
localized (Brazilian Portuguese) version. The main importance of this fact
is that in the registry the key names are in English, whereas in the filesystem
the folder names are in Brazilian Portuguese.

I have already succeeded in configuring the roaming profile. I am having trouble
limiting its contents.

In my tests I am trying to roam only the "Desktop" part of the user profile.

Here is the symptom I am experiencing: when a user logs in to WinXP, a folder
"Desktop" is created in his profile directory; when this user logs out of WinXP,
all the other folders (from "Ambiente de impressao" up to "SendTo") that are part
of the profile are created in his profile directory.

What am I missing to achieve this objective: having only the "Desktop" folder
present in a user's profile directory?

In the next (long) lines I have included information about my environment so
that you can send me a clue.

As for the Samba configuration:
1. Created and populated a "Default User" directory under the netlogon share with
the following directories:
root@nipdl08:/var/samba/profiles/fabricio# ls -l /var/samba/netlogon/Default\ Users
total 234
drwxr-x---  2 root Domain Users     48 2005-05-20 16:37 Ambiente de impressão
drwxr-x---  2 root Domain Users     48 2005-05-20 16:37 Ambiente de rede
drwxr-x---  2 root Domain Users     48 2005-06-21 10:23 Configurações locais
drwxr-x---  2 root Domain Users     48 2005-06-21 10:24 Cookies
drwxr-x---  2 root Domain Users     48 2005-06-21 10:23 Dados de aplicativos
drwxr-x---  2 root Domain Users     48 2005-05-20 16:37 Desktop
drwxr-x---  2 root Domain Users     48 2005-05-20 16:37 Favoritos
drwxr-x---  3 root Domain Users     80 2005-06-21 10:24 Menu Iniciar
drwxr-x---  2 root Domain Users     48 2005-05-20 16:37 Meus documentos
drwxr-x---  2 root Domain Users     48 2005-06-21 10:25 Modelos
-rw-r--r--  1 root Domain Users 229376 2005-06-20 16:51 NTUSER.DAT
-rw-r--r--  1 root Domain Users   1024 2005-06-20 16:51 NTUSER.DAT.LOG
drwxr-x---  2 root Domain Users     48 2005-05-20 16:37 Recent
drwxr-x---  2 root Domain Users     48 2005-06-21 10:27 SendTo

2. Here is a typical user in the LDAP database:
root@nipdl08:~# smbldap-usershow fabricio
dn: uid=fabricio,ou=Users,dc=tcdf,dc=net
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: fabricio
sn: fabricio
uid: fabricio
uidNumber: 10639
gidNumber: 513
loginShell: /bin/bash
gecos: System User
sambaSID: S-1-5-21-162996128-359937467-561332275-2722
sambaPrimaryGroupSID: S-1-5-21-162996128-359937467-561332275-513
displayName: fabricio bianco abreu
description: Administrador do Domino tcdf-master
sambaLogonScript: login.bat
sambaLogonTime: 1118682725
sambaLogoffTime: 1106238911
sambaProfilePath: \\NIPDL08\profile\fabricio
sambaHomeDrive: H:
sambaHomePath: \\NIPDL08\fabricio\.profile
homeDirectory: /home/fabricio
sambaLMPassword: 5602E3F3E86AD1CB81FE6D90B93317CB
sambaAcctFlags: [U]
sambaNTPassword: 2B60D7C84864C848D393509A619D1722
sambaPwdLastSet: 1118872627
sambaPwdMustChange: 1122760627
userPassword: {MD5}z8ANILCzE3FxpQ2SS99TUg==

3. Here is my smb.conf
# NB: the bracketed section headers were dropped from the archived copy of this
# message; they are restored below, inferred from the "# Global parameters"
# comment, the share paths, and the UNC paths in sambaHomePath
# (\\NIPDL08\<user>) and sambaProfilePath (\\NIPDL08\profile\<user>) above.
[global]
# Global parameters
        workgroup = TCDF-MASTER
        netbios name = NIPDL08
        enable privileges = yes
        interfaces =,
        bind interfaces only = yes
        username map = /etc/samba/smbusers
        server string = %L Samba-LDAP PDC Server %v
        security = user
        encrypt passwords = true
        obey pam restrictions = No
        ldap passwd sync = Yes
        log level = 2
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1
        logon script = login.bat
        logon drive = H:
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        passdb backend = ldapsam:ldap://nipdl08.tcdf.net/
        ldap admin dn = cn=samba,ou=DSA,dc=tcdf,dc=net
        ldap suffix = dc=tcdf,dc=net
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = lprng
        printcap name = /etc/printcap
        deadtime = 10
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        ; to maintain capital letters in shortcuts in any of the profile folders:
        preserve case = yes
        short preserve case = yes
        case sensitive = no

[homes]
        comment = diretorio de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No

[netlogon]
        path = /var/samba/netlogon/
        browseable = No
        read only = yes
        write list = @"Domain Admins"

[profile]
        path = /var/samba/profiles
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        create mode = 0600
        directory mode = 0700
        # next line is a great way to secure the profiles
        force user = %U
        # next line allows administrator to access all profiles
        write list = %U @"Domain Admins"

[printers]
        comment = Network Printers
        printer admin = @"Print Operators"
        guest ok = yes
        printable = yes
        path = /var/spool/samba
        browseable = No
        read only  = Yes
        printable = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j

[print$]
        path = /var/samba/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

Regarding Windows XP, I have executed the following procedure:

1. Using regedt32 I have edited the default user "NTUSER.dat" to set the values
under [Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders] as
listed below:
Key Name:          Shell Folders
Class Name:        <NO CLASS>
Last Write Time:   20/6/2005 - 15:11
Value 0
  Name:            AppData
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Dados de aplicativos
Value 1
  Name:            Desktop
  Type:            REG_EXPAND_SZ
  Data:            \\NIPDL08\profile\%USERNAME%\Desktop
Value 2
  Name:            Favorites
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Favoritos
Value 3
  Name:            NetHood
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Ambiente de rede
Value 4
  Name:            Personal
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Meus documentos
Value 5
  Name:            PrintHood
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Ambiente de impressão
Value 6
  Name:            Programs
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Menu Iniciar\Programas
Value 7
  Name:            Recent
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Recent
Value 8
  Name:            SendTo
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\SendTo
Value 9
  Name:            Start Menu
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Menu Iniciar
Value 10
  Name:            Startup
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Menu Iniciar\Programas\Inicializar
Value 11
  Name:            Templates
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Modelos
Value 12
  Name:            Cookies
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Cookies
Value 13
  Name:            My Pictures
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Meus documentos\Minhas imagens
Value 14
  Name:            Local Settings
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Configurações locais
Value 15
  Name:            Local AppData
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Configurações locais\Dados de aplicativos
Value 16
  Name:            Cache
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Configurações locais\Temporary Internet Files
Value 17
  Name:            History
  Type:            REG_EXPAND_SZ
  Data:            %USERPROFILE%\Configurações locais\Histórico

Please note that the only folder I have redirected to the Samba server is
"Desktop", and that if user "fabricio" is logged in, %USERPROFILE% expands to
"c:\Documents and Settings\fabricio". Nevertheless, upon logout all the other
folders are created in fabricio's sambaProfilePath.

2. Using gpedit.msc I edited "Exclude directories in roaming profile" under
"User Configuration->Administrative Templates->System->User Profiles" as:
Ambiente de impressão;Ambiente de rede;Configurações locais;Cookies;Dados de
aplicativos;Favoritos;Menu Iniciar;Meus documentos;Modelos;Recent;SendTo
This is an almost complete list of the directories in a user profile, lacking of
course the "Desktop" folder, which shall be roamed.

3. Using gpedit.msc I enabled "Do not check for user ownership of Roaming Profile
Folders" under "Computer Configuration->Administrative Templates->System->User
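An added worked example (my own code, not from the post or the Samba project) that produces the client-side registry settings for the three Windows XP steps above as a version-5 .reg file, using the server name, share name and localized folder names from the post. It assumes the two policy settings live where the XP System.adm template puts them: "Exclude directories in roaming profile" as the REG_SZ value ExcludeProfileDirs under HKCU\Software\Policies\Microsoft\Windows\System, and "Do not check for user ownership of Roaming Profile Folders" as the DWORD CompatibleRUPSecurity under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; check both against gpedit.msc before importing. REG_EXPAND_SZ values are written as hex(2) over their UTF-16LE bytes, which is how regedit expects that type in a .reg file.

```python
"""Build a .reg file for a Desktop-only roaming profile on a localized WinXP.

Added example, not from the original post. Data below is taken from the
post; the two policy value locations are assumptions to verify locally.
"""

# Registry value names stay English on a localized Windows; the paths carry
# the Brazilian-Portuguese folder names from the "Default User" listing.
# Only Desktop points at the Samba profile share (\\NIPDL08\profile).
USER_SHELL_FOLDERS = {
    "AppData":        r"%USERPROFILE%\Dados de aplicativos",
    "Desktop":        r"\\NIPDL08\profile\%USERNAME%\Desktop",
    "Favorites":      r"%USERPROFILE%\Favoritos",
    "NetHood":        r"%USERPROFILE%\Ambiente de rede",
    "Personal":       r"%USERPROFILE%\Meus documentos",
    "PrintHood":      r"%USERPROFILE%\Ambiente de impressão",
    "Programs":       r"%USERPROFILE%\Menu Iniciar\Programas",
    "Recent":         r"%USERPROFILE%\Recent",
    "SendTo":         r"%USERPROFILE%\SendTo",
    "Start Menu":     r"%USERPROFILE%\Menu Iniciar",
    "Startup":        r"%USERPROFILE%\Menu Iniciar\Programas\Inicializar",
    "Templates":      r"%USERPROFILE%\Modelos",
    "Cookies":        r"%USERPROFILE%\Cookies",
    "My Pictures":    r"%USERPROFILE%\Meus documentos\Minhas imagens",
    "Local Settings": r"%USERPROFILE%\Configurações locais",
    "Local AppData":  r"%USERPROFILE%\Configurações locais\Dados de aplicativos",
    "Cache":          r"%USERPROFILE%\Configurações locais\Temporary Internet Files",
    "History":        r"%USERPROFILE%\Configurações locais\Histórico",
}

# Top-level folders of the "Default User" profile as listed on the server.
PROFILE_DIRS = [
    "Ambiente de impressão", "Ambiente de rede", "Configurações locais",
    "Cookies", "Dados de aplicativos", "Desktop", "Favoritos",
    "Menu Iniciar", "Meus documentos", "Modelos", "Recent", "SendTo",
]

# Assumed policy locations (XP System.adm); verify with gpedit.msc.
EXCLUDE_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
RUP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
USF_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"


def reg_expand_sz(value):
    """REG_EXPAND_SZ as regedit exports it: hex(2) over UTF-16LE plus NUL."""
    data = value.encode("utf-16-le") + b"\x00\x00"
    return "hex(2):" + ",".join("%02x" % b for b in data)


def reg_sz(value):
    """Quote a REG_SZ value for a .reg file; backslash and quote are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def exclude_profile_dirs(profile_dirs, roamed):
    """Semicolon-separated list of every top-level profile folder that must
    NOT roam. Entries are relative to the profile root, so the localized
    filesystem names are used as-is."""
    return ";".join(d for d in profile_dirs if d not in roamed)


def build_reg(shell_folders, profile_dirs, roamed=("Desktop",)):
    """Return the complete .reg text (CRLF line endings, version 5 header)."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % USF_KEY]
    for name, path in shell_folders.items():
        lines.append('"%s"=%s' % (name, reg_expand_sz(path)))
    lines += ["", "[%s]" % EXCLUDE_KEY,
              '"ExcludeProfileDirs"=%s'
              % reg_sz(exclude_profile_dirs(profile_dirs, roamed)),
              "", "[%s]" % RUP_KEY,
              '"CompatibleRUPSecurity"=dword:00000001', ""]
    return "\r\n".join(lines)


def write_reg(path, text):
    """regedit wants version-5 files as UTF-16LE with a BOM."""
    with open(path, "wb") as f:
        f.write(b"\xff\xfe" + text.encode("utf-16-le"))


if __name__ == "__main__":
    write_reg("desktop-only-profile.reg",
              build_reg(USER_SHELL_FOLDERS, PROFILE_DIRS))
```

The file targets HKEY_CURRENT_USER of whoever imports it; to seed the Default User hive the way the post does, load its NTUSER.DAT under HKEY_USERS in regedt32 and change the hive root in the generated file to match before importing. Keep in mind that ExcludeProfileDirs only governs what is copied into the roaming profile at logoff; a shell folder pointed at the server through User Shell Folders, like Desktop here, is written to the share directly by Explorer and is not part of the profile copy at all.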