Re: [Samba] Controlling use of roaming profiles

2003-02-05 Thread Andrew Bartlett
On Wed, 2003-02-05 at 12:20, John H Terpstra wrote:
 On Wed, 5 Feb 2003, Jonathan Gowland wrote:
 
  We are using a system running Red Hat Linux 7.0 with Samba 2.2.7a as
  our PDC.
 
  For the most part, we want to use roaming profiles, so that users'
  settings are backed up via the PDC, and are available if they need to
  change or reinstall their Windows desktop machine.  However, there are
  a few Windows systems (running NT 4.0 or Windows 2000) for which
  we would like to be able to disable roaming profiles.
 
  Atlas is a system running Windows 2000 server.  It is a member of the
  domain.
 
  On a system running Windows NT 4.0 Terminal Server edition I did the
  following:
 
  - Logged on as local administrator.
 
  - Ran poledit.exe.
 
  - Added machine Atlas.
 
  - Double-clicked Atlas icon.  Under Windows NT User Profiles-Choose
  profile default operation, selected Use local profile.
 
  - Saved as NTConfig.pol and copied to the root directory of the netlogon
  share.
 
  When a user does a domain logon on Atlas, the Samba log log.atlas does
  not show NTConfig.pol being accessed.  When the user logs off, updates
  to the user's profiles are saved.
 
  Agrigento is a system running Windows 2000 Workstation, and is also a
  member of the domain.  I ran poledit.exe as above, but added a computer
  entry for Agrigento, and saved NTConfig.pol.
 
  When a user does a domain logon on Agrigento, the Samba log
  log.agrigento shows NTConfig.pol being accessed. However, when the user
  logs off, updates to the user's profiles are saved, so the policy change
  in NTConfig.pol seems to have no effect.
 
 You need to make the profile a mandatory profile if you want it to be
 read-only. The procedure is documented in the NT4/Win2K Server Resource
 kits.

If you want a 'real' read only profile, look into the
'vfs_fake_perms.so' VFS module in Samba HEAD.  It fakes up the
permissions on the files being sent to the client, so that you don't
need to keep them read/write on the server.

 
  So what am I doing wrong?  Is it possible to disable the use of roaming
  profiles on a per-machine basis?  (I've been told that you can do this
  on a per-account basis, but this is not appropriate for our needs.)
 
 By default all MS Windows roaming profiles are 'user' centric. I do not
 know of a way to do this on a 'machine-of-origin' basis. I am working on
 this for a presentation at the SambaXP conference so I am interested in
 any of your findings.

I was thinking we could play silly buggers with %m to allow this - have
the PDC return different profile paths.  The interesting case here is
getting this to work when samba is acting as a trusted domain.

(BTW, Samba 3.0 works very nicely being trusted by NT4 at my site).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba



Re: [Samba] Controlling use of roaming profiles

2003-02-05 Thread John H Terpstra
On Wed, 5 Feb 2003, Andrew Bartlett wrote:

 If you want a 'real' read only profile, look into the
 'vfs_fake_perms.so' VFS module in Samba HEAD.  It fakes up the
 permissions on the files being sent to the client, so that you don't
 need to keep them read/write on the server.

Well done - you sure did not waste any time doing this man!

  By default all MS Windows roaming profiles are 'user' centric. I do not
  know of a way to do this on a 'machine-of-origin' basis. I am working on
  this for a presentation at the SambaXP conference so I am interested in
  any of your findings.

 I was thinking we could play silly buggers with %m to allow this - have
 the PDC return different profile paths.  The interesting case here is
 getting this to work when samba is acting as a trusted domain.

Now that is neat! Why did M$ not think of that? It means we can set up a
profile path for the user in the backend and still keep the profile
mobile. Isn't that a bit twisted? I like it!

 (BTW, Samba 3.0 works very nicely being trusted by NT4 at my site).

Good, but how did you set up the trust relationships?

Keep up the good work, and the progress. This is exciting.

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]



Re: [Samba] Controlling use of roaming profiles

2003-02-05 Thread Andrew Bartlett
On Thu, 2003-02-06 at 04:22, John H Terpstra wrote:
 On Wed, 5 Feb 2003, Andrew Bartlett wrote:
 
  If you want a 'real' read only profile, look into the
  'vfs_fake_perms.so' VFS module in Samba HEAD.  It fakes up the
  permissions on the files being sent to the client, so that you don't
  need to keep them read/write on the server.
 
 Well done - you sure did not waste any time doing this man!

Putting servers into production has that kind of effect on my activities
:-).

   By default all MS Windows roaming profiles are 'user' centric. I do not
   know of a way to do this on a 'machine-of-origin' basis. I am working on
   this for a presentation at the SambaXP conference so I am interested in
   any of your findings.
 
  I was thinking we could play silly buggers with %m to allow this - have
  the PDC return different profile paths.  The interesting case here is
  getting this to work when samba is acting as a trusted domain.
 
 Now that is neat! Why did M$ not think of that? It means we can set up a
 profile path for the user in the backend and still keep the profile
 mobile. Isn't that a bit twisted? I like it!
 
  (BTW, Samba 3.0 works very nicely being trusted by NT4 at my site).
 
 Good, but how did you set up the trust relationships?

I just added the trust account to our SAM with 'smbpasswd', then used
usrmgr on the resource domains to set up the one-way trust.  They trust
me, I don't trust them (they are NT4).

 Keep up the good work, and the progress. This is exciting.

I'll certainly try :-)

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net






Re: [Samba] Controlling use of roaming profiles

2003-02-04 Thread John H Terpstra
On Wed, 5 Feb 2003, Jonathan Gowland wrote:

 We are using a system running Red Hat Linux 7.0 with Samba 2.2.7a as
 our PDC.

 For the most part, we want to use roaming profiles, so that users'
 settings are backed up via the PDC, and are available if they need to
 change or reinstall their Windows desktop machine.  However, there are
 a few Windows systems (running NT 4.0 or Windows 2000) for which
 we would like to be able to disable roaming profiles.

 Atlas is a system running Windows 2000 server.  It is a member of the
 domain.

 On a system running Windows NT 4.0 Terminal Server edition I did the
 following:

 - Logged on as local administrator.

 - Ran poledit.exe.

 - Added machine Atlas.

 - Double-clicked Atlas icon.  Under Windows NT User Profiles-Choose
 profile default operation, selected Use local profile.

 - Saved as NTConfig.pol and copied to the root directory of the netlogon
 share.

 When a user does a domain logon on Atlas, the Samba log log.atlas does
 not show NTConfig.pol being accessed.  When the user logs off, updates
 to the user's profiles are saved.

 Agrigento is a system running Windows 2000 Workstation, and is also a
 member of the domain.  I ran poledit.exe as above, but added a computer
 entry for Agrigento, and saved NTConfig.pol.

 When a user does a domain logon on Agrigento, the Samba log
 log.agrigento shows NTConfig.pol being accessed. However, when the user
 logs off, updates to the user's profiles are saved, so the policy change
 in NTConfig.pol seems to have no effect.

You need to make the profile a mandatory profile if you want it to be
read-only. The procedure is documented in the NT4/Win2K Server Resource
kits.


 So what am I doing wrong?  Is it possible to disable the use of roaming
 profiles on a per-machine basis?  (I've been told that you can do this
 on a per-account basis, but this is not appropriate for our needs.)

By default all MS Windows roaming profiles are 'user' centric. I do not
know of a way to do this on a 'machine-of-origin' basis. I am working on
this for a presentation at the SambaXP conference so I am interested in
any of your findings.

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]