[Samba] security with normal profiles

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Fri Sep 15 14:39:06 GMT 2006

Hash: SHA1

On 09/13/2006 08:28 AM, Thierry Lacoste escreveu:
> Following TOSHARG and "Samba 3 by examples" I implemented
> Folder redirection plus some security restrictions by building
> a custom NTUSER.DAT which is the default profile of my users.
> The problem is that each user has read/write access to its profile
> share therefore he can replace its NTUSER.DAT.
> This is why I chose mandatory profiles.
> Is there another solution?

	From the beloved smb.conf manpage:

The share and the path must be readable  by  the  user  for  the
preferences  and  directories  to  be loaded onto the Windows NT
client. The share must be writeable when the user  logs  in  for
the  first  time, in order that the Windows NT client can create
the NTuser.dat and other directories. Thereafter,  the  directo‐
ries  and  any  of  the  contents  can,  if  required,  be  made
read-only. It is not advisable that the NTuser.dat file be  made
read-only  -  rename  it  to  NTuser.man  to achieve the desired
effect (aMANdatory profile).

> The problem with mandatory profiles is that some settings are not
> saved: for instance the Favorites folder; I did not redirect it because
> I read in several books that only the Desktop, My documents,
> Application Data and Start Menu can be redirected.
> Is there a way to save Favorites with mandatory profiles?

	Hmmm, not sure... probably no, because it is a mandatory
profile, but you can save it on alternative paths, I don't why
to do that. :(

> Regards,
> Thierry.

	Kind regards,

- --
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org


More information about the samba mailing list