Hi there,

Here is the question I had:

1.) Every user in my system should use the same profile. In dsa.msc I gave every user the profile-path \\samba4\profiles\stud
2.) The users should not be able to change anything in that profile (I think changing ntuser.dat to ntuser.man should do the job, provided I get step one managed)


OK, here we go. There are 2 different (semi-official) approaches.

BUT... the third one worked for me....

I describe the scenarios in my test environment:

1.) Approach
I have a Default User.V2 profile in my netlogon share.

Configuration:
- in AD three users are added: vartest1, vartest2, vartest3
- all users have profile-paths: \\samba4\profiles\vartest[1-3] (three different profiles-paths...)
- netlogon share is "read only = yes" and "profile acls = true"
- profile directory security settings are set to "authenticated users -> full access"
- profile ntuser.dat security settings via regedit -> load hive are set to "authenticated users -> full access"
- profiles-share is set to "authenticated users -> full access"

In this configuration every user gets the same profile. Each profile is created in the profiles-share.

But if I try to change ntuser.dat to ntuser.man, the Default User.V2 profile is not loaded. The Default User profile of the local machine is chosen instead...

So I can only produce changeable profiles.

2.) Approach
I have a Default User.V2 profile in my netlogon share.

Configuration:
- in AD three users are added: statest1, statest2, statest3
- all users have one and the same profile-path: \\samba4\profiles\statest (all have the same profile-path)
- netlogon share is "read only = yes" and "profile acls = true"
- profile directory security settings are set to "authenticated users -> full access"
- profile ntuser.dat security settings via regedit -> load hive are set to "authenticated users -> full access"
- profiles-share is set to "authenticated users -> full access"

In this configuration the profile can't be used by other users. It's clear why: the first logged-in user has all rights, no other users are allowed and so on...


What I wanted to have is one profile for every user, i.e. same profile-path for every user in my system. So I have only one profile in my
profiles directory. AND: the profile should not be changeable.

3.) So my approach to this was the following:

I created a share "profiles":

[profiles]
    path = /home/samba/profiles
    vfs objects = fake_perms
    read only = Yes
    writeable = No

There I stored a profile.
- Directory security settings: full access to authenticated users
- ntuser.man: security settings (regedit -> load hive): full access to authenticated users. These settings were made in a writeable share, and I copied (cp -a) the directory in Linux to the profiles (read only) share.

This way I have what I wanted. All users share the same profile and they can't change it.

I hope I mentioned every needed detail of my setup... I tried for days, set up Samba maybe 7-8 times (other OS, other architecture -> x86, x64 and so on) and
I didn't write down every step... So if anything is unclear, just ask...

I'm not sure whether this way is very elegant (it doesn't seem to be, Andrew mentioned that fake_perms is ugly...), but it was the only way for me to get this working.

So thanks for your help, Andrew Bartlett!

Maybe some people have tried similar setups; any feedback or suggestion to get a better setup is very welcome.

Kind regards
Uli
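
An added example (not part of the original post): a small Python check of the approach-3 share as posted, resolving `read only` against its inverted synonym `writeable`, and confirming `fake_perms` and `ntuser.man`. The function names and the drifted sample config are constructed for illustration; `include` lines and line continuations are not handled.

```python
TRUE = {"yes", "true", "1", "on"}
# smb.conf: these are inverted synonyms of "read only"; the last line seen wins.
INVERTED = {"writeable", "writable", "writeok"}

POST_CONF = """[profiles]
    path = /home/samba/profiles
    vfs objects = fake_perms
    read only = Yes
    writeable = No
"""
# Constructed sample: a later "writable = yes" silently undoes "read only = yes".
DRIFTED_CONF = """[profiles]
    path = /home/samba/profiles
    read only = yes
    writable = yes
"""

def parse_share(conf_text, share):
    """Return the share's parameters as an ordered list of (name, value)."""
    params, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == share.lower() and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names ignore case and internal whitespace.
            params.append(("".join(name.split()).lower(), value.strip()))
    return params

def audit(conf_text, profile_files, share="profiles"):
    """Return findings; an empty list means the share matches the posted setup."""
    findings, read_only, vfs = [], True, []  # Samba default: read only = yes
    for name, value in parse_share(conf_text, share):
        if name == "readonly":
            read_only = value.lower() in TRUE
        elif name in INVERTED:
            read_only = value.lower() not in TRUE
        elif name == "vfsobjects":
            vfs = value.replace(",", " ").split()
    if not read_only:
        findings.append("share is writable: users can alter the shared profile")
    if "fake_perms" not in vfs:
        findings.append("fake_perms missing from vfs objects")
    names = {f.lower() for f in profile_files}
    if "ntuser.man" not in names:
        findings.append("no ntuser.man: profile is not mandatory")
    if "ntuser.dat" in names:
        findings.append("ntuser.dat still present: the post renames it to ntuser.man")
    return findings
```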



