[Samba] Samba-LDAP Roaming Profiles

Rune Tønnesen rune.tonnesen at bordings-friskole.dk
Mon Apr 24 21:54:00 GMT 2006


mallapadi niranjan wrote:
> Hi all
>
> I have a Samba 3.0.21c with OpenLDAP 2.3.19 as Primary Domain Controller.
> I would like to enable Roaming Profiles on a per-user basis, not for all users.
> Below is my smb.conf:
> [global]
>
>   workgroup = mydomain.com
>   netbios name = mydomain
>   passdb backend = ldapsam:ldap://mydomain.com
>   server string = Domain Controller
>   hosts allow = 192.168.128. 192.168.129. 192.168.130. 127.
>   security = user
>   encrypt passwords = yes
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   interfaces = eth0, lo
>   printing = cups
>   disable spoolss = Yes
>   printcap name = cups
>   max print jobs = 100
>   enable privileges = yes
>   password level = 8
>   username level = 8
>   bind interfaces only = yes
>   local master = Yes
>   os level = 65
>   domain master = yes
>   preferred master = yes
>   null passwords = no
>   hide unreadable = yes
>   hide dot files = yes
>   domain logons = yes
>   logon script = %u.bat
>   logon path =
>   logon drive = X:
>   logon home = \\mydomain\%U
>   wins support = yes
>   name resolve order = wins lmhosts host bcast
>   dns proxy = no
>   time server = yes
>   log file = /var/log/samba/%m.log
>   max log size = 50
>   nt acl support = yes
>   ldap passwd sync = yes
>   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>   delete user script = /usr/local/sbin/smbldap-userdel "%u"
>   add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>   add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>   add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>   set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
>   ldap delete dn = Yes
>   ldap ssl = no
>   ldap suffix = dc=msdpl,dc=com
>   ldap admin dn = cn=manager,dc=msdpl,dc=com
>   ldap group suffix = ou=Groups
>   ldap user suffix = ou=People
>   ldap machine suffix = ou=Computers
>   ldap idmap suffix = ou=Idmap
>   ldap timeout = 50
>   idmap backend = ldap:ldap://mydomain.com
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   check password script = /usr/local/bin/crackcheck -s
>   map acl inherit = yes
>   winbind use default domain = yes
>   template shell = /bin/false
>
> # Un-comment the following and create the netlogon directory for Domain Logons
>  [netlogon]
>    comment = Network Logon Service
>    path = /usr/local/samba-3c/lib/netlogon/scripts
>    guest ok = yes
>    browseable = yes
>    write list = root
>
> [profiles]
> Comment = Profile Shares
> path=/profiles
> browseable=yes
> writeable = yes
> create mode = 0600
> directory mode = 0700
>
>   ################################################################
>
>
> In the above configuration I have not given any netbios logon path,
> i.e. logon path =
> and for users for whom I want to enable roaming profiles
> I have modified it through the smbldap-usermod command,
> i.e. I have given smbldap-usermod -F \\mydomain\profiles\username username
>
> 1) Using the above configuration, the roaming profile for that particular
> user is not getting enabled.
>
> 2) Suppose I edit my above smb.conf and write
> logon path=\\mydomain\profiles\%U
> and enable the roaming profile for the intended user through smbldap-usermod,
> then the roaming profile is getting enabled, but the problem is that in the /profile
> directory (which is the profile share),
> for all the users who log on to the domain, a directory is created by their
> username.
>
> 3) For the users for whom I have manually enabled roaming profiles, their
> roaming profile works perfectly in
> Windows 2003 and Windows XP, i.e. if they create any new folder or shortcut,
> it gets reflected in the server
> profile directory, but when the same user logs on in Windows 2000 Professional,
> it's not working, i.e. whatever is in
> the server profile gets loaded, but if any modification is done, it does
> not get reflected on the server.
>
> 4) My query is: should we enable logon path = \\mypdc\profiles\%u on the server?
> If I leave it blank and edit manually per user through smbldap-usermod, will
> it work?
>
> What is the correct method of enabling per-user roaming profiles for Samba with
> an LDAP backend?
>
>
>
> Please guide me
> Regards
>  Niranjan
>   
Hi Niranjan

My suggestion for your problem would be a
mandatory profile as the default for all users, which means you specify the
profile directory in smb.conf.
Check
http://caad.ar.vtu.lt/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html#id2628723

logon path=\\mydomain\profiles\mandatory # you would have to use fake perms 


By doing so they download their profile from \\mydomain\profiles\mandatory.
For the chosen few you change the logon path in their account using
smbldap-usermod to

\\mydomain\profiles\%U

-- 
Venlig Hilsen (Best Regards)
Rune Tønnesen
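
The precedence this reply relies on, as an added example that is not part of the original thread: it resolves each account's effective profile path from a constructed smb.conf fragment and constructed LDIF entries. It assumes a per-account `sambaProfilePath` (the attribute `smbldap-usermod -F` sets) overrides the `logon path` default in smb.conf, and it expands only the `%U` macro; the users, DNs and function names are hypothetical.

```python
import re

# Constructed smb.conf fragment: mandatory profile as the default for everyone.
SMB_CONF = r"""
[global]
  domain logons = yes
  logon path = \\mydomain\profiles\mandatory
"""

# Constructed LDIF: alice has a per-account override, bob has none.
LDIF = r"""
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaProfilePath: \\mydomain\profiles\%U

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
"""

def default_logon_path(conf):
    """Return the 'logon path' value from smb.conf text, '' if unset or empty."""
    m = re.search(r"^\s*logon path\s*=[ \t]*(.*)$", conf, re.MULTILINE)
    return m.group(1).strip() if m else ""

def parse_ldif(ldif):
    """Split LDIF text into one attribute dict per entry (no base64/folding)."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        pairs = (line.partition(": ") for line in block.splitlines())
        entries.append({k: v for k, sep, v in pairs if sep})
    return entries

def effective_profile_paths(conf, ldif):
    """Map uid -> (path, source): per-account value first, else smb.conf."""
    default = default_logon_path(conf)
    result = {}
    for e in parse_ldif(ldif):
        path, source = e.get("sambaProfilePath"), "ldap"
        if not path:
            path, source = default, "smb.conf"
        # Simplification (assumption): only the %U macro is expanded.
        result[e["uid"]] = (path.replace("%U", e["uid"]), source)
    return result

if __name__ == "__main__":
    for user, (path, source) in effective_profile_paths(SMB_CONF, LDIF).items():
        print(f"{user:6} {source:8} {path or '(empty)'}")
```

Run against an export of ou=People, this lists which accounts would write to their own directory under the profiles share and which would stay on the shared mandatory profile.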


