[Samba] Samba 3.4, Windows 7, Roaming profiles and Folder redirection

[Linda Walsh]

John H Terpstra wrote:
> On 07/21/2011 10:07 AM, Tanuki uk wrote:
>> Hello,
>> I'm quite new to Samba administration and I've inherited a working samba
>> setup with roaming profiles however the login and logout times for
>> users has
>> been growing and I'm starting to think it's time do something about
>> it. I'm
>> thinking redirect some folders to a samba share on the network will
>> speed up
>> the login and logout times.
> 
> The increasing logon and logoff times are most frequently caused by
> people storing files on their desktops (a VERY bad practice in corporate
> environments) - the entire desktop is written to the server when the
> user logs off from a machine.  This is particularly problematic when
> people log onto multiple machines at the same time.
> 
> Additionally, the files that are stored under "My Documents" are also
> copied from the profile server to the workstation at logon and are
> written back to the profile server at logoff.
> 
> PS: I came across one site where users had up to 120GB files in their
> "My Documents" and up to 20GB on their desktop.  Needless to say, they
> could not afford the long logon and logoff times. :-)
---
	Yeppers....	
	In my Win7 setup, I have my domain user sharing some files
with the local user (which was setup first), so:
domainuser in their 'homedir: (along with registry, and 'appdata/roaming')
is:

lrwxrwxrwx  1       18 2011-02-14 17:40 Contacts -> Documents/Contacts/
lrwxrwxrwx  1       17 2010-01-26 03:55 Desktop -> Documents/Desktop/
lrwxrwxrwx  1       16 2010-07-08 13:59 Documents -> ../law/Documents/
lrwxrwxrwx  1       19 2011-02-14 17:37 Downloads -> Documents/Downloads/
lrwxrwxrwx  1       19 2011-06-27 16:19 Favorites -> Documents/Favorites/
lrwxrwxrwx  1       15 2011-06-27 16:36 Links -> Documents/Links/
lrwxrwxrwx  1       15 2011-07-12 04:25 Music -> Documents/Music/
lrwxrwxrwx  1       18 2010-07-08 13:59 Pictures -> Documents/Pictures/



The ../law (local user) has:

%lrwxrwxrwx 2011-02-14 17:40 Contacts -> Documents/Contacts/
%lrwxrwxrwx 2010-02-08 14:41 Cookies ->
Appdata/Roaming/Microsoft/Windows/Cookies/
lrwxrwxrwx  2010-04-01 22:25 Desktop -> Documents/Desktop/
lrwxrwxrwx  2010-04-06 00:13 Documents -> //Bliss/home/law/Documents/
lrwxrwxrwx  2011-02-14 17:37 Downloads -> Documents/Downloads/
lrwxrwxrwx  2011-06-27 16:19 Favorites -> Documents/Favorites/
%lrwxrwxrwx 2011-07-12 04:26 Links -> Documents/Links/
lrwxrwxrwx  2011-07-12 04:27 Music -> Documents/Music/
lrwxrwxrwx  2010-04-06 00:15 Pictures -> Documents/Pictures/
%lrwxrwxrwx 2010-02-08 14:44 Recent -> AppData/Roaming/Microsoft/Windows/Recent/
%lrwxrwxrwx 2010-02-08 14:45 SendTo -> AppData/Roaming/Microsoft/Windows/SendTo/
%lrwxrwxrwx 2010-02-08 14:45 Start Menu ->
AppData/Roaming/Microsoft/Windows/Start Menu/

Note: the % entries were attempts to provide compat with XP, client, BUT,
the XP client doesn't understand 'mklink' style symlinks...
(I think the kernel doesn't understand them, so even if you created them,
they wouldn't work).
instead, you have ntfs hardlinks, and 'junctions', which are more limited
but can be made to work -- like my 'Documents directory, is a separate Share
I can mount it by //Bliss/Documents, and it will mount the user-specific
share, for their doc dir, (same dir as //Bliss/home/law/Documents in above).
I then can mount it at a rootdir -- something junctions seemed to have some
requirement for)...

Since things work 'flakey' (links are sometimes turned into files, so windows
will try to access things via other means), I setup cross-user links for
dirs I wanted shared -- don't share the appdirs!  (it isn't that you can't, or
that it won't work, but it isn't reliable, and you have to keep the apps on the
different clients in sync  if you don't or you have a workstation that doesn't
read a profile in on login for some reason (I've had it happen more than once),
but it *DOES* write the full profile out on logout), and if that workstation
was recently reformatted and doesn't have all the same settings
as the more current workstations, your 'unconfig'ed settings 'overwrite' your
newer settings .. then when they login on the new workstations...they get
settings that don't make sense or are months old or in a default config.

Backups and keeping a recent lsm snapshot going in the background can allow
quick recovery, it can still be a royal pain and certainly a nightmare on a
larger site.

The things that work well -- keeping my Desktop inside Documents, and keeping
Documents on the network share -- that way it's never updated via the roaming
profile.

Still have some 'wayward', ill behaved apps (Adobe apps in particular, but
also some personal backup SW, -- Thunderbird 3.x or above ... that download
huge amounts of data into the user's local-roaming profile.  (Adobe 2-3G,
Backup SW .. varies, Tbird -- will download an entire network-share of
email (IMAP) -- designed so network users could share 1 mail depot, into their
appdir -- by default.  Supposedly easy to turn off, but have had it turn back
on or not configed right -- so ~4+GB of email folders get downloaded to
each client.  (They forgot about IMAP being designed to be a local-cache of
files when they put together TB3.0 and treated it the same as POP) (though
IMAP can be used offsite as well, it was designed with higher-speed networking
in mind)....   So you have to remain vigilant, even if you do some obvious
steps like putting downloads and music, and .. all those things that would end
up roaming and take lots of space inside the Docdir, and put it out on the net.


>> Our setup has 25 Windows 7 workstations and about 10 laptop users(also on
>> windows 7) all connecting to one Samba server. The laptops are often
>> not on
>> the main office network so i was planning to use offline file sync for
>> the
>> network drive i would be redirecing to, is this a bad idea for some
>> reason?
> 
> Should work OK so long as you can educate your users NOT to use the
> desktop and traditional "My Documents" to store large volumes of files.
>  Both the "Desktop" and "My Documents" folders can be redirected to a
> network share in the users' home directory - that will help resolve some
> of the problems.  Make sure that you disable the copying of these
> folders as part of the profile.  Refer to the Microsoft knowledge-base
> for info on how to do that.
---
	Win7 is smart enough to NOT copy those folders if they are
on a network share, but I don't know (and don't think XP is)...


> 
>> I've had a look around at various documentation and details seem
>> quite scarce. However all the documentation I've found is targeted at
>> Windows XP or suggests using domain wide Group Policy Objects (GPO's). My
>> understanding is that GPO's can only be used if you have a Windows AD
>> server
>> or Samba 4 however I don't have a Windows server and Samba 4 is abit too
>> bleeding edge for a production deployment(?).
----
	Not true.   I use GPO's with Samba 3 series - and they work
OUTSIDE of a domain.

	Check out the GPO snapin -- when you re 'outside' a domain, on a local
machine -- NOTE GPO policies need to be setup on a per-machine basis when they
are not part of a domain, but that could be scripted via a common login script.

	Things aren't as bleak as some might paint them, BUT they aren't always
reliable.

	There seems to be nothign preventing me from logging in as same user
on multiple workstations -- the last one to logout gets its settings saved.

	If you want to 'logout and not save settings', (at least in win7,)
kill your winlogin process that has the same 'session number' as the user
who's settings you don't want saved.  Any files they have saved to a network
HD, will
be find, but their local profile won't be copied back.


	A smart thing i found -- you can background update user registries and
sync them with the servers every 24 hours in background -- won't do the entire
profiles, but will do the regs.  (Another GPO option)....  So, some things can
be saved even w/o logoff.

	I could tell you too much more, but have written too much already...
and my setup is currently hosed to due to 3.6 having  different ways of handling
UID->SID translations and moving the default location of the RPC pipes (that
was a random catch on my part -- the dir didn't exist on my distro's setup).

	Always a blast .... and things still don't work as well as they did
under 3.5.4, which was reliable for > a year...but I had to move forward and
had to upgrade server (suse was dropping suport for 11.2; and have been
recovering (finding bits at a time...)...from that upgrade ever since
(apr/may timeframe).

linda