[Samba] Windows profile properties with Samba

John H Terpstra jht at samba.org
Thu Jan 29 00:11:35 GMT 2009

On Wednesday 28 January 2009 17:24:52 Troy Heidner wrote:
> Hello everyone,
> We are investigating migrating our Windows 2003 active directory domain to
> a purely Samba one.  I am a relative novice to Samba.  I have used it many
> times to do simple file and printer sharing on an individual or workgroup
> basis, but never in a domain environment.  One of the things I need to find
> out how to do involves delivering Windows profiles.  On our Windows
> network, some users use local profiles, some use roaming profiles, and some
> use mandatory profiles; depending on their status as staff, faculty, or
> student.  Currently, I set these attributes individually in each user
> object's properties in active directory.

Samba currently implements only NT4 style profile handling.  It is easily 
possible to create any type of NT4-style windows profile. The capability exits 
	a) Roaming per-user profiles

	b) Mandatory profiles (per-user or per-group)

	c) Network default profiles
		Samba makes it possible to do this per group also.

It is also possible to apply NTConfig.POL policies but so far as I am aware 
this does not work with Vista and Windows 7.

> I have successfully deployed a roaming profile on my test Samba network.

This is the simplest to deploy.  It is documented in Samba3-ByExample. See: 

> But so far I can only see how to do this globally for all users in the
> global section of the smb.conf.  

With an LDAP backend it is possible to specify the location of a per-user 
profile. This also makes it possible to specify a group profile.

> I HAVE to be able to assign these on an
> individual or group basis based on the needs of different users.  I intend
> to use LDAP for my backend.  As I understand it, you can set many different
> user attributes using LDAP.  I would like to find out specifically how to
> setup individual windows profiles, and generally whatever other windows
> property managements may be possible?  

Any setting that is available in NT4 can be set with Samba.

> I'd also like to know if it is
> possible to assign these kinds of attributes to groups in Samba.  

Samba does NOT implement group policy objects as does active directory.  For 
that capability you need Samba4 which has not yet been released for production 
use.  You may want to evaluate Samba4 and be part of the feedback team on 
that.  Samba4 implements active directory technology.

> It would
> be convenient to be able to set up an environment configuration based on
> group membership.  Then I could control these things merely by moving users
> in and out of different groups.

It is possible to test for group membership in a logon script and then to map 
drives to or paths to a location at which a group profile is shared. It's one 
one to get mostly what you want.

John T.

More information about the samba mailing list