[Samba] Roaming profiles

John H Terpstra jht at samba.org
Sat Aug 23 14:18:37 GMT 2008


On Saturday 23 August 2008 06:04:50 Mugo Martin wrote:
> Let me ask this again though it seems off the point.
>
> Are we supposed to add more lines to the *smb.conf* file even though the
> distribution installed does come with them defined?  Samba 3.0.x has at
> most 5 lines in the *profiles* section. No mask, force user, etc.
> Adding them does not break Samba and testparm outputs them, but do they add
> anything, or are you better off looking for configuration problems
> elsewhere?

There is often the problem of the wisdom of the ages as against the wisdom of 
the sages.  In other words, there are the opinions of the unwashed masses 
compared with the opinion of the experts.

In respect of Roaming Profiles (also called Roving Profiles by some) opinions 
are not hard to find - just google a bit and you will see what I mean.

Instead of offering yet another divergent opinion, let me offer two profile 
share stanzas from fully working sites.

Example 1:
---------------
From my own Samba 3.2.2 server. This works perfectly fine. It has done since I 
wrote the Samba3-ByExample book.

[profiles]
        comment = Profile Share
        path = /data/samba/profiles
        read only = No
        profile acls = Yes

Example 2:
---------------
This one is in use at a site that has 4200 users, all of them rather happy, 
except when one of our bugs causes a few of them a little pain.  But so far 
as profile handling is concerned, the stanza definition has not ever caused 
them a problem.

So why the extra lines? Simple, they are required to assure absolute 
confidentiality of user data under various national laws. That is why, as a 
paranoia move, they added the masks and set browseable to No.  The "store DOS 
attributes" parameter is not needed, but they will not change the stanza 
unless there is a compelling reason to do so. Since this works, there is no 
basis for change.

[profiles]
        comment = Network Profiles Service
        path = /var/lib/samba/profiles
        read only = No
        create mask = 0600
        directory mask = 0700
        store dos attributes = Yes
        browseable = No

I hope this helps a few of you to see that the excited discussions regarding 
Samba profile share stanza definitions can be entirely over-rated.

When I update the HOWTO chapter on Windows system profile management I will 
simplify the content radically.  Profiles are not rocket science - though 
from this mailing list one can be excused for thinking it is!

Cheers,
John T.

PS: The remainder of this email is left intact to preserve the whole story for 
the benefit of search engine users.

> Mike E, sorry I didn't get back at you over your question. Couldn't think
> of a solution and I'm very new to samba. Hope you got sorted though.
>
> Martin.
>
> On Fri, Aug 22, 2008 at 6:02 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:
> > First, read the man smb.conf
> > there you will see DEFAULT profile acls = no
> >
> > second, if you set up your rights correctly, like
> > for example how I have it.
> > /home/samba/profiles ( 777)
> > and remember to set /home/samba at least 755 ( the last 5 is needed !! )
> >
> > autocreated by user at logoff /home/samba/profiles/USERNAME (700)
> > if a profile exists in test environment, logon, set everything in windows.
> > delete the profile from the server and logoff the profile is new
> > created again with correct rights.
> >
> > when used force user = %U
> > it's always the user.
> > but don't forget !!
> >        create mask = 0600
> >        directory mask = 0700
> >
> > when profiles are set up this way it's just how xp sp1 and higher
> > checks its rights. with this setup you don't have to change
> > anything in xp policies for the profiles.
> >
> > this is how I have my profiles in smb.conf
> > [profiles]
> >        path = /home/samba/profiles
> >        comment = Profile enviroment.
> >        read only = no
> >        create mask = 0600
> >        directory mask = 0700
> >        browseable = Yes
> >        guest ok = Yes
> >         csc policy = disable
> >        force user = %U
> >        valid users = %U @"Domain Admins"
> >
> >
> > Sorry if I didn't reply to your message, I didn't see that.
> >
> > Louis
> >
> > >-----Original message-----
> > >From: Charles Marcus [mailto:CMarcus at media-brokers.com]
> > >Sent: Friday 22 August 2008 16:53
> > >To: L.P.H. van Belle
> > >CC: samba at lists.samba.org
> > >Subject: Re: [Samba] Roaming profiles
> > >
> > >On 8/22/2008, L.P.H. van Belle (belle at bazuin.nl) wrote:
> > >> yes, turn off Profile acls,
> > >
> > >This is the second time you have said this, but never answered my
> > >request for WHY would you suggest this, when the samba devs say it is
> > >REQUIRED?
> > >
> > >Please, either provide an answer/rationale for why you are telling
> > >someone to try something non-standard, or stop pulling things
> > >out of the
> > >air.
> > >
> > >--
> > >
> > >Best regards,
> > >
> > >Charles
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/listinfo/samba
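
An added example, not part of the original message or of Samba: a small Python audit of the four confidentiality-related settings the thread contrasts (create mask, directory mask, browseable, guest ok). The defaults are assumed from smb.conf(5) for Samba 3.x, the stanzas are cut down to the lines the audit reads, and the function names are illustrative.

```python
# Added example (not from the thread): flag [profiles] settings that expose
# profile data beyond its owner. Defaults assumed from smb.conf(5), Samba 3.x.
DEFAULTS = {"createmask": "0744", "directorymask": "0755",
            "browseable": "yes", "guestok": "no"}
TRUE = {"yes", "true", "1"}

def norm(name):
    # Samba ignores case and whitespace in section and parameter names.
    return "".join(name.lower().split())

def parse_share(text, share="profiles"):
    """Return {normalized parameter: value} for one share section."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = norm(line[1:-1])
        elif current == share and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """List settings that permit more than owner-only access or visibility."""
    eff = {**DEFAULTS, **parse_share(text)}
    findings = []
    for key in ("createmask", "directorymask"):
        if int(eff[key], 8) & 0o077:  # any group/other bit left in the mask
            findings.append(f"{key}={eff[key]} permits group/other bits")
    if eff["browseable"].lower() in TRUE:
        findings.append("browseable: share appears in browse lists")
    if eff["guestok"].lower() in TRUE:
        findings.append("guestok: guest connections are enabled")
    return findings

# Stanzas from the thread, cut down to the lines this audit reads.
EXAMPLE_1 = "[profiles]\n read only = No\n profile acls = Yes\n"
EXAMPLE_2 = ("[profiles]\n create mask = 0600\n directory mask = 0700\n"
             " browseable = No\n")
QUOTED_REPLY = ("[profiles]\n create mask = 0600\n directory mask = 0700\n"
                " browseable = Yes\n guest ok = Yes\n  force user = %U\n")

if __name__ == "__main__":
    for name in ("EXAMPLE_1", "EXAMPLE_2", "QUOTED_REPLY"):
        print(name, audit(globals()[name]) or "no findings")
```

The audit reports settings only: parameters such as valid users and profile acls, and the filesystem permissions on the share path, still decide who can actually read a profile.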
