[Samba] Samba roaming profile with folder redirection

Yauheni Labko yyl at chappy.com
Mon Oct 19 11:42:09 MDT 2009


I have a domain controller which was configured to use local profiles. We
have a relatively small group whose work required it. Now we are moving toward
using the domain for all machines with roaming profiles. There are a lot of
posts dealing with roaming profiles and folder redirection, but I've run
into some issues.

My configuration:
NS3 and SMB are the hostnames of our servers.
The PDC is located on NS3 and the file server containing the profiles and home shares on

This is NS3 configuration:
# Global parameters
# (bracketed section headers added from context: the share paths and comments)
[global]
        workgroup = CHAPPY-MS
        netbios name = DS01
        server string = Chappy Samba LDAP PDC Server
        interfaces =
        passdb backend = ldapsam:ldap://ds01/
        enable privileges = Yes
        passwd program = /usr/sbin/smbldap-passwd -u "%u"
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        printcap name = cups
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        logon path = \\smb\profiles\%U\%a
        logon drive = H:
        logon home = \\smb\homes
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=admin,dc=chappy,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap,dc=chappy,dc=com
        ldap machine suffix = ou=computers
        ldap passwd sync = Yes
        ldap suffix = dc=chappy,dc=com
        ldap user suffix = ou=people
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        printing = cups
        print command =
        lpq command = %p
        lprm command =

[netlogon]
        path = /var/lib/samba/netlogon
        browseable = No

This is SMB configuration:

# (bracketed section headers added from context: the share paths and comments)
[global]
        workgroup = CHAPPY-MS
        server string = file server
        interfaces =
        map to guest = Bad User
        passdb backend = ldapsam:ldap://ds01
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 2048
        keepalive = 0
        hostname lookups = Yes
        load printers = No
        dns proxy = No
        wins server =
        kernel oplocks = No
        ldap admin dn = cn=admin,dc=chappy,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap,dc=chappy,dc=com
        ldap machine suffix = ou=computers
        ldap suffix = dc=chappy,dc=com
        ldap ssl = no
        ldap user suffix = ou=people
        panic action = /usr/share/samba/panic-action %d

[homes]
        comment = Home Share
        path = /san/export/home/%S
        valid users = %S
        write list = %S
        force create mode = 0600
        force directory mode = 0700
        hide special files = Yes
        browseable = No

[profiles]
        comment = Profiles Share
        path = /san/export/samba/profiles
        read only = No
        force create mode = 0664
        force directory mode = 0775
        profile acls = Yes
        hide files = /Application Data/Cookies/Local\ 
        store dos attributes = Yes
        browseable = No
        csc policy = disable

Netlogon on NS3 has a Default User configuration redirecting Desktop, My
Documents, My Pictures, My Music, and Personal to the appropriate directories on
Desktop - %HOMEDRIVE%\Desktop
My Documents - %HOMEDRIVE%\My Documents
My Pictures - %HOMEDRIVE%\My Documents\My Pictures

The local group policy disables offline files and roaming profile
synchronization for Desktop, My Documents and Application Data. These settings
were based on Samba by Example, ch. 5 and 6.

During the first login the user grabs the configured profile from the netlogon
share and all files are set up correctly. But when the user logs off, they see a
synchronizing window where it syncs the user's home directory.
At the same time the user can read/write the home drive with no problems. The
popup message "offline files - working offline" is rather annoying.

Could anybody give me an idea what is wrong? Or maybe I should use the
%LOGONPROFILE% variable instead of %HOMEDRIVE%?
If the synchronization window is normal for such a configuration, is there any
advantage to using folder redirection with roaming profiles? Maybe it
is better to disable synchronization of some directories and train users to
keep their documents on the home drive, arguing that this is a safe place?

Yauheni Labko (Eugene Lobko)
Junior System Administrator
Chapdelaine & Co
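As an added example (not from the post or from Samba), the following script parses the two smb.conf fragments above and cross-checks the PDC's logon path and logon home against the file server's share definitions: it reports a share that lacks `csc policy = disable` (so clients may still keep an offline copy of it) and a share whose forced create mode leaves files readable by other users. The section names [homes] and [profiles] are assumed from the share paths and comments; the embedded config excerpts are constructed from the posted values.

```python
"""Cross-check Samba logon targets against the file server's share definitions."""
import re

# Constructed excerpts of the PDC (NS3) and file server (SMB) configs as posted.
PDC_CONF = """
[global]
        logon path = \\\\smb\\profiles\\%U\\%a
        logon drive = H:
        logon home = \\\\smb\\homes
"""
FILESERVER_CONF = """
[homes]
        path = /san/export/home/%S
        force create mode = 0600
        force directory mode = 0700
[profiles]
        path = /san/export/samba/profiles
        force create mode = 0664
        force directory mode = 0775
        profile acls = Yes
        csc policy = disable
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lowercased and space-normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = val.strip()
    return conf

def share_of(unc):
    """Map a UNC logon target such as \\\\smb\\profiles\\%U\\%a to (host, share)."""
    parts = unc.lstrip("\\").split("\\")
    return parts[0].lower(), parts[1].lower()

def audit(pdc, fs):
    """List logon targets that allow client-side caching or loose file modes."""
    findings = []
    for key in ("logon path", "logon home"):
        host, share = share_of(pdc["global"][key])
        s = fs.get(share)
        if s is None:
            findings.append(f"{key}: share [{share}] not defined on {host}")
            continue
        # Samba's default csc policy is 'manual', which still permits offline caching.
        if s.get("csc policy", "manual").lower() != "disable":
            findings.append(f"{key}: [{share}] lacks 'csc policy = disable'")
        if int(s.get("force create mode", "0"), 8) & 0o077:
            findings.append(f"{key}: [{share}] forces create mode "
                            f"{s['force create mode']}, readable by others")
    return findings
```

On the posted values this reports two findings: [homes] has no csc policy setting, and [profiles] forces create mode 0664.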
