On Wed, 2003-02-05 at 12:20, John H Terpstra wrote:
> On Wed, 5 Feb 2003, Jonathan Gowland wrote:
>
> > We are using a system running Red Hat Linux 7.0 with Samba 2.2.7a as
> > our PDC.
> >
> > For the most part, we want to use roaming profiles, so that users'
> > settings are backed up via the PDC, and are available if they need to
> > change or reinstall their Windows desktop machine. However, there are
> > a few Windows systems (running NT 4.0 or Windows 2000) for which
> > we would like to be able to disable roaming profiles.
> >
> > Atlas is a system running Windows 2000 server. It is a member of the
> > domain.
> >
> > On a system running Windows NT 4.0 Terminal Server edition I did the
> > following:
> >
> > - Logged on as local administrator.
> >
> > - Ran poledit.exe.
> >
> > - Added machine Atlas.
> >
> > - Double-clicked Atlas icon. Under "Windows NT User Profiles"->"Choose
> >   profile default operation", selected "Use local profile".
> >
> > - Saved as NTConfig.pol and copied to the root directory of the netlogon
> >   share.
> >
> > When a user does a domain logon on Atlas, the Samba log log.atlas does
> > not show NTConfig.pol being accessed. When the user logs off, updates
> > to the user's profiles are saved.
> >
> > Agrigento is a system running Windows 2000 Workstation, and is also a
> > member of the domain. I ran poledit.exe as above, but added a computer
> > entry for Agrigento, and saved NTConfig.pol.
> >
> > When a user does a domain logon on Agrigento, the Samba log
> > log.agrigento shows NTConfig.pol being accessed. However, when the user
> > logs off, updates to the user's profiles are saved, so the policy change
> > in NTConfig.pol seems to have no effect.
>
> You need to make the profile a mandatory profile if you want it to be
> read-only. The procedure is documented in the NT4/Win2K Server Resource
> kits.

If you want a 'real' read only profile, look into the
'vfs_fake_perms.so' VFS module in Samba HEAD. It fakes up the
permissions on the files being sent to the client, so that you don't
need to keep them read/write on the server.

> > So what am I doing wrong? Is it possible to disable the use of roaming
> > profiles on a per-machine basis? (I've been told that you can do this
> > on a per-account basis, but this is not appropriate for our needs.)
>
> By default all MS Windows roaming profiles are 'user' centric. I do not
> know of a way to do this on a 'machine-of-origin' basis. I am working on
> this for a presentation at the SambaXP conference so I am interested in
> any of your findings.

I was thinking we could play silly buggers with %m to allow this - have
the PDC return different profile paths. The interesting case here is
getting this to work when samba is acting as a trusted domain. (BTW,
Samba 3.0 works very nicely being trusted by NT4 at my site).

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
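Added example, not part of the original thread and not Samba project code: a sketch of the %m idea from the reply above, using smb.conf's `include` parameter with the `%m` (client NetBIOS name) substitution so that selected machines receive an empty `logon path`, which the smb.conf documentation describes as disabling roaming profiles. The file locations, the profile share path and the behaviour on Samba 2.2.7a are assumptions and are untested here.

```ini
# --- /etc/samba/smb.conf on the PDC (path is an assumption) ---
[global]
    domain logons = yes

    # Default for every client: roaming profile stored on the server.
    # \\%L\profiles\%U is an assumed share layout.
    logon path = \\%L\profiles\%U

    # %m expands to the NetBIOS name of the connecting client.
    # The include must come AFTER the default above so that a
    # per-machine file, where one exists, overrides it. Clients with
    # no matching file keep the global setting.
    include = /etc/samba/smb.conf.%m

# --- /etc/samba/smb.conf.atlas (create one per machine that must
#     keep local profiles; file name is an assumption) ---
[global]
    # Empty value: no profile path is returned to this client,
    # so it falls back to a local profile.
    logon path =
```

The per-machine file name has to match how `%m` expands on the server; the log names in the thread (log.atlas, log.agrigento) suggest lower case. A profile already cached on the client is not removed by this change.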