[Samba] System Policy Windows 98

2003-09-08 Thread Scott Werschke
I am currently using my Samba Server as a PDC with Windows 98 clients.  I am using the 
Windows system policy editor to generate config.pol files for these clients.  I edit 
the policy and then copy it to the [netlogon] share on the Samba server.   My problem 
is this...

Policies I set under default computer appear to load and function just fine on client 
machines, but policies I set under default user seem to have no effect.

Any ideas?
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Premature logoff from [netlogon]

2003-09-06 Thread Scott Werschke
I am currently using Samba as a PDC, and my logon scripts are generated by a bash 
shell script run with the root preexec parameter in the [netlogon] share.  In this 
script (and in the postexec script) I use the sessreg command (part of the 
XFree86-4.2.1 package).  This command allows me to see who is currently logged into 
the domain with the who command.  

Works great except that users seem to be logging off the [netlogon] share just a few 
minutes after they logon and well before they logoff the domain.   Thus I only see 
them with who for a few minutes instead of the entire time they are logged on to the 
domain as I intended.

Relevant excerpt from my smb.conf -

[netlogon]
  path = /home/_shares/netlogon
  browseable = no
  read only = yes
  root preexec = /home/_shares/execscripts/netlogon.sh %U %g %H %M %a %I %m %T
  root postexec = /home/_shares/execscripts/netlogoff.sh %U %g %H %M %a %I %m %T

Relevant excerpt from my netlogon.sh script -

/usr/X11R6/bin/sessreg -a -l $7:smb -h $7:$6:$2 $1 2>&1 > /dev/null

Relevant excerpt from my netlogoff.sh script -

/usr/X11R6/bin/sessreg -d -l $7:smb -h $7:$6:$2 $1 2>&1 > /dev/null

Any ideas or helpful suggestions?
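
Added example, not part of the original post: %U and %m are supplied by the client and reach a script that root preexec runs as root, so the sessreg call above is safer with every value checked and quoted before use. The allowlists, the SESSREG override and the function names are assumptions of this example; the positional order follows the smb.conf excerpt.

```shell
#!/bin/sh
# Added example: checked, quoted sessreg call for netlogon.sh / netlogoff.sh.
# Positional order after the mode: %U %g %H %M %a %I %m %T (as in smb.conf above).

# Non-empty, letters/digits/'.'/'_'/'-' only, and never starting with '-'
# (so a value cannot be read as an option). Allowlist is an assumption.
valid_field() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Client address: digits, hex letters, '.' and ':' only (IPv4 or IPv6 text).
valid_addr() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
    esac
    return 0
}

# Validate the mode and the four values sessreg uses; sets mode/user/group/ip/machine.
parse_fields() {
    mode=$1 user=$2 group=$3 ip=$7 machine=$8
    case "$mode" in -a|-d) ;; *) return 1 ;; esac
    valid_field "$user" && valid_field "$group" &&
        valid_field "$machine" && valid_addr "$ip"
}

# Print the sessreg argument vector, one argument per line (nothing if invalid).
sessreg_args() {
    parse_fields "$@" || return 1
    printf '%s\n' "$mode" -l "$machine:smb" -h "$machine:$ip:$group" "$user"
}

# Run sessreg with the validated, quoted arguments; discard all output.
track_session() {
    parse_fields "$@" || return 1
    "${SESSREG:-/usr/X11R6/bin/sessreg}" "$mode" -l "$machine:smb" \
        -h "$machine:$ip:$group" "$user" >/dev/null 2>&1
}

# As the root preexec target; netlogoff.sh would pass -d instead of -a.
if [ "$#" -eq 8 ]; then
    track_session -a "$@" || logger -t netlogon "session not registered"
fi
```
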


[Samba] Laptop users as domain members; profiles

2003-09-04 Thread Scott Werschke
I would like to implement Samba as a PDC in our organization, but am wrestling with 
how to handle laptop users.

If I join them to the domain and give them a domain account, I will still need to 
allow them a local account so that they can logon on the road.  This means that they 
will have two distinct accounts and two distinct profiles.  I could initially make 
the two profiles identical by copying the existing profile to the domain profile or 
copying the existing profile to the default profile before the domain profile is 
created, but subsequent changes to the local profile would not be reflected in the 
domain profile and vice versa.   I anticipate that this could cause great headaches 
for users and administrators.  If a user created or edited documents, added e-mail 
contacts or messages in outlook express or outlook, etc. as a domain user while in the 
office, these changes would not be seen when they logged in on the road as a local 
user.  I am aware that I could have the users login on the road as domain users using 
cached credentials, but to my knowledge (and experiments seem to verify this) caching 
domain credentials is limited to the use of roaming profiles.  I would like to avoid 
what seem to me to be a lot of headaches with roaming profiles, i.e., potential loss 
of data, extensive logon time, etc.  Further, there appears to be a limit to the 
number of previous logons to cache - 50.  I don't have the power to limit the time of 
the trips our executives take or the number of times they are allowed to logon on the 
road.  

The best solution I can come up with now is to remap their My Documents folder, Outlook 
express store folder and Outlook .pst files for both accounts to locations outside of 
the profiles.  This is O.K. except the additional work in setting up the client, the 
potential that I have missed something critical that should be non-exclusive to the 
two profiles, and that I don't have any way of forcing them to login to the domain when 
they are in the office.  They could accidentally or intentionally login as a local 
user in the office, and I would not be able to track usage in the office or utilize 
logon scripts.

I am aware that some organizations seem to have a policy of simply not adding laptops 
to the domain, but with Samba this would also prevent me from utilizing logon scripts.

Any ideas would be appreciated.


Re: [Samba] Laptop users as domain members; profiles

2003-09-04 Thread Scott Werschke
Sounds great.  Thanks.  But are you also confirming that I have to use
roaming profiles to use cached credentials?  I have read some of the
possible scenarios where roaming profiles can cause loss of information.  It
also seems that to keep these profiles to a reasonable size and thus keep
logon times within reason, I might want to remap My Documents, Outlook
Express store folder, Outlook .pst files, and possibly others.  Do you have
any thoughts on these issues?

Also, I am still concerned about what appears to me to be a limit on caching
50 logons.  Windows 2000 security policy default is to limit the user to
caching 10 previous logons with a maximum of 50.  Perhaps I misunderstand
this policy.

Thanks again.

- Original Message -
From: Doug MacFarlane [EMAIL PROTECTED]
To: Scott Werschke [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, September 04, 2003 3:25 PM
Subject: Re: [Samba] Laptop users as domain members; profiles

> Go ahead and add them to the domain.
>
> Once they have logged on to the domain once, they can disconnect from the
> domain and still log onto it.  They will get a message that No Domain
> Controller Was Available to Authenticate Your Logon .  .  . You have been
> logged on with cached information.
>
> Profiles will get handled properly - when they come back to the domain,
> the local profile is newer than the server-based one, so it will use the
> local one, and write it back to the server when they log off.
>
> madmac




Re: [Samba] Laptop users as domain members; profiles

2003-09-04 Thread Scott Werschke
For the record, you are right.  I have tested logging on to the domain with
cached credentials and it also works with just a local profile.  Of course,
with either roaming or local profiles at least one logon to the domain (when
actually connected to the domain controller) is required before cached
credentials are available.

I am still a bit confused by the security policy - number of previous
logons to cache (in case domain controller is unavailable).   The knowledge
base article -

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/579.asp

seemed to also indicate that this puts a limit on the number of times cached
credentials can be used.  Yet,  I set it to two and was able to logon to the
domain (while disconnected from the network) 13 times before I decided that
was good enough for me.  Seems there is no real limit.  Maybe this just
applies when a Windows Server is used as PDC.

- Original Message -
From: Doug MacFarlane [EMAIL PROTECTED]
To: Scott Werschke [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, September 04, 2003 3:25 PM
Subject: Re: [Samba] Laptop users as domain members; profiles

> Go ahead and add them to the domain.
>
> Once they have logged on to the domain once, they can disconnect from the
> domain and still log onto it.  They will get a message that No Domain
> Controller Was Available to Authenticate Your Logon .  .  . You have been
> logged on with cached information.
>
> Profiles will get handled properly - when they come back to the domain,
> the local profile is newer than the server-based one, so it will use the
> local one, and write it back to the server when they log off.
>
> madmac

