[Samba] [SOLVED] Still mandatory profiles, every user same profile
Ulrich Schinz
ulrich.schinz at ksfh.de
Thu Sep 6 03:11:27 MDT 2012
Hi there,
Here the question I had:
1.) Every user in my System should use the same profile. In dsa.msc I
gave every user as profile-path \\samba4\profiles\stud
2.) The users should not be able to change anything in that profile (I
think changing ntuser.dat to ntuser.man should do the job, provided I
got step one managed)
OK, here we go. There are 2 different (semi-official) approaches.
BUT... the third one worked for me....
I describe the scenarios in my test environment:
1.) Approach
I have a Default User.V2 profile in my netlogon share.
Configuration:
- in AD three users are added: vartest1, vartest2, vartest3
- all users have profile-paths: \\samba4\profiles\vartest[1-3] (three
different profiles-paths...)
- netlogon share is "read only = yes" and "profile acls = true"
- profile directory security settings are set to "authenticated users ->
full access"
- profile ntuser.dat security settings via regedit -> load hive are set
to "authenticated users -> full access"
- profiles-share is set to "authenticated users -> full access"
In this configuration every user gets same profile. Each profile is
created in profiles-share.
But if I'm trying to change ntuser.dat to ntuser.man the Default User.V2
profile is not being loaded. The Default User-profile of the local
machine is chosen instead...
So I only can produce changeable profiles.
2.) Approach
I have a Default User.V2 profile in my netlogon share.
Configuration:
- in AD three users are added: statest1, statest2, statest3
- all users have one and the same profile-path:
\\samba4\profiles\statest (all have the same profile-path)
- netlogon share is "read only = yes" and "profile acls = true"
- profile directory security settings are set to "authenticated users ->
full access"
- profile ntuser.dat security settings via regedit -> load hive are set
to "authenticated users -> full access"
- profiles-share is set to "authenticated users -> full access"
In this configuration the profile can't be used by other users. It's
clear why, the first logged-in user has all rights, no other
users are allowed and so on...
What I wanted to have is one profile for every user, i.e. same
profile-path for every user in my system. So I have only one profile in my
profiles directory. AND: the profile should not be changeable.
3.) So my approach to this was the following:
I created a share "profiles":
[profiles]
path = /home/samba/profiles
vfs objects = fake_perms
read only = Yes
writeable = No
There I stored a profile.
- Directory security settings: full access to authenticated users
- ntuser.man: security settings (regedit -> load hive): full access to
authenticated users.
These settings were made in a writeable share, and I copied (cp -a) the
directory in Linux to the profiles (read only) share.
This way I have what I wanted. All users share the same profile and
they can't change it.
I hope I mentioned every needed detail of my setup... I tried for days,
set up Samba maybe 7-8 times (other OS, other architecture -> x86, x64
and so on) and
I didn't write down every step... So if anything is unclear, just ask...
I'm not sure whether this way is very elegant (it doesn't seem to be,
Andrew mentioned that fake_perms is ugly...), but it was the only way
for me to get this working.
So thanks for your help @Andrew Bartlett!
Maybe some people have tried similar setups, any feedback or
suggestion to get a better setup is very welcome.
Kind regards
Uli
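
Added example, not part of the original post or of Samba: a Python check that a share definition like the one in approach 3 is still effectively read-only, still loads fake_perms, and that the profile directory contains ntuser.man. The function names and the two sample configurations are constructed for illustration; the check relies on smb.conf treating writeable, writable and "write ok" as inverted synonyms of "read only", so that the last such line in the share wins.

```python
import re
# Inverted synonyms of "read only"; names are compared without case/whitespace.
INVERTED = {"writeable", "writable", "writeok"}
TRUE = {"yes", "true", "on", "1"}

def parse_share(conf_text, share):
    """Return the ordered (name, value) pairs of one [share] section."""
    pairs, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip().lower()
        elif current == share.lower() and "=" in line:
            name, value = line.split("=", 1)
            pairs.append(("".join(name.lower().split()), value.strip()))
    return pairs

def audit_profile_share(conf_text, share, files):
    """Return findings for the shared mandatory-profile setup; [] means OK."""
    findings, read_only, vfs = [], True, []  # "read only" defaults to yes
    for name, value in parse_share(conf_text, share):
        if name == "readonly":
            read_only = value.lower() in TRUE
        elif name in INVERTED:  # same setting, so a later line overrides
            read_only = value.lower() not in TRUE
        elif name == "vfsobjects":
            vfs = value.replace(",", " ").split()
    if not read_only:
        findings.append("share is writable: users can alter the shared profile")
    if "fake_perms" not in vfs:
        findings.append("fake_perms is not loaded on the share")
    if "ntuser.man" not in {f.lower() for f in files}:
        findings.append("no ntuser.man: the profile is not mandatory")
    return findings

# Constructed samples: the share as posted, and a drift that re-enables writes.
POSTED = """[profiles]
path = /home/samba/profiles
vfs objects = fake_perms
read only = Yes
writeable = No
"""
DRIFTED = POSTED + "write ok = yes\n"
if __name__ == "__main__":
    print(audit_profile_share(POSTED, "profiles", ["ntuser.man"]))
    print(audit_profile_share(DRIFTED, "profiles", ["NTUSER.DAT"]))
```

On a real server, pass the contents of smb.conf and os.listdir() of the profile directory instead of the constructed samples.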