mirror of https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
992f1e6b8f: add the 5 missing chapters from the HOWTO and add jht's Samba by Example book. (This used to be commit 9fb5bcb93e)
1103 lines, 50 KiB, XML
<chapter id="ProfileMgmt">
<chapterinfo>
	&author.jht;
	<pubdate>April 3 2003</pubdate>
</chapterinfo>

<title>Desktop Profile Management</title>

<sect1>
<title>Features and Benefits</title>

<para>
Roaming profiles are feared by some, hated by a few, loved by many, and a Godsend for
some administrators.
</para>

<para>
Roaming profiles allow an administrator to make available a consistent user desktop
as the user moves from one machine to another. This chapter provides much information
regarding how to configure and manage roaming profiles.
</para>

<para>
While roaming profiles might sound like nirvana to some, they are a real and tangible
problem to others. In particular, users of mobile computing tools, where often there may not
be a sustained network connection, are often better served by purely local profiles.
This chapter provides information to help the Samba administrator deal with those
situations.
</para>

</sect1>

<sect1>
<title>Roaming Profiles</title>

<warning>
<para>
Roaming profiles support is different for Windows 9x/Me and Windows NT4/200x.
</para>
</warning>

<para>
Before discussing how to configure roaming profiles, it is useful to see how
Windows 9x/Me and Windows NT4/200x clients implement these features.
</para>

<para>
Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's
profile location. However, the response does not have room for a separate
profile location field, only the user's home share. This means that Windows 9x/Me
profiles are restricted to being stored in the user's home directory.
</para>


<para>
Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields
including a separate field for the location of the user's profiles.
</para>

<sect2>
<title>Samba Configuration for Profile Handling</title>

<para>
This section documents how to configure Samba for MS Windows client profile support.
</para>

<sect3>
<title>NT4/200x User Profiles</title>

<para>
For example, to support Windows NT4/200x clients, set the following in the [global] section of the &smb.conf; file:
</para>

<para>
<smbconfblock>
<smbconfoption><name>logon path</name><value>\\profileserver\profileshare\profilepath\%U\moreprofilepath</value></smbconfoption>
</smbconfblock>

This is typically implemented like:

<smbconfblock>
<smbconfoption><name>logon path</name><value>\\%L\Profiles\%u</value></smbconfoption>
</smbconfblock>
where <quote>%L</quote> translates to the name of the Samba server and <quote>%u</quote> translates to the user name.
</para>

<para>
The default for this option is <filename>\\%N\%U\profile</filename>, namely <filename>\\sambaserver\username\profile</filename>.
The <filename>\\%N\%U</filename> service is created automatically by the [homes] service. If you are using
a Samba server for the profiles, you must make the share that is specified in the logon path
browseable. Please refer to the man page for &smb.conf; in respect of the different
semantics of <quote>%L</quote> and <quote>%N</quote>, as well as <quote>%U</quote> and <quote>%u</quote>.
</para>

<note>
<para>
MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended
to not use the <smbconfsection>homes</smbconfsection> meta-service name as part of the profile share path.
</para>
</note>
</sect3>

<sect3>
<title>Windows 9x/Me User Profiles</title>

<para>
To support Windows 9x/Me clients, you must use the <smbconfoption><name>logon home</name></smbconfoption>
parameter. Samba has been fixed so <userinput>net use /home</userinput> now works as well and it, too, relies
on the <command>logon home</command> parameter.
</para>

<para>
By using the logon home parameter, you are restricted to putting Windows 9x/Me profiles in the user's home
directory. But wait! There is a trick you can use. If you set the following in the
<smbconfsection>[global]</smbconfsection> section of your &smb.conf; file:
</para>
<para><smbconfblock>
<smbconfoption><name>logon home</name><value>\\%L\%U\.profiles</value></smbconfoption>
</smbconfblock></para>

<para>
then your Windows 9x/Me clients will dutifully put their profiles in a subdirectory
of your home directory called <filename>.profiles</filename> (making them hidden).
</para>

<para>
Not only that, but <userinput>net use /home</userinput> will also work because of a feature in
Windows 9x/Me. It removes any directory stuff off the end of the home directory area
and only uses the server and share portion. That is, it looks like you
specified <filename>\\%L\%U</filename> for <smbconfoption><name>logon home</name></smbconfoption>.
</para>
</sect3>

<sect3>
<title>Mixed Windows 9x/Me and Windows NT4/200x User Profiles</title>

<para>
You can support profiles for Windows 9x and Windows NT clients by setting both the
<smbconfoption><name>logon home</name></smbconfoption> and <smbconfoption><name>logon path</name></smbconfoption> parameters. For example:
</para>

<para><smbconfblock>
<smbconfoption><name>logon home</name><value>\\%L\%u\.profiles</value></smbconfoption>
<smbconfoption><name>logon path</name><value>\\%L\profiles\%u</value></smbconfoption>
</smbconfblock></para>

</sect3>
<sect3>
<title>Disabling Roaming Profile Support</title>

<para>
A question often asked is: <quote>How may I enforce use of local profiles?</quote> or
<quote>How do I disable roaming profiles?</quote>
</para>

<para>
<indexterm><primary>roaming profiles</primary></indexterm>
There are three ways of doing this:
<indexterm><primary>windows registry settings</primary><secondary>roaming profiles</secondary></indexterm>
</para>


<variablelist>
<varlistentry>
<term>In &smb.conf;</term>
<listitem><para>
Set both of the following parameters to an empty value and ALL clients will be forced to use a local profile:
<smbconfoption><name>logon home</name></smbconfoption> and <smbconfoption><name>logon path</name></smbconfoption>
</para></listitem>
</varlistentry>

<varlistentry>
<term>MS Windows Registry</term>
<listitem><para>
By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP
machine to use only a local profile. This, of course, modifies registry settings. The full
path to the option is:
<screen>
Local Computer Policy\
Computer Configuration\
Administrative Templates\
System\
User Profiles\

Disable: Only Allow Local User Profiles
Disable: Prevent Roaming Profile Change from Propagating to the Server
</screen>
</para> </listitem>
</varlistentry>

<varlistentry>
<term>Change of Profile Type:</term>
<listitem><para>From the start menu right-click on <guiicon>My Computer icon</guiicon>,
select <guimenuitem>Properties</guimenuitem>, click on the <guilabel>User Profiles</guilabel>
tab, select the profile you wish to change from
<guimenu>Roaming</guimenu> type to <guimenu>Local</guimenu>, and click on
<guibutton>Change Type</guibutton>.
</para></listitem>
</varlistentry>
</variablelist>
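<para>
The following Python script is an added example, not part of the HOWTO or of Samba: it reads an &smb.conf; and applies the rules given above to one user and server name, reporting where NT4/200x and 9x/Me profiles end up, whether the logon path share is browseable, whether the path runs through the [homes] meta-service, and whether empty values have forced local profiles. The constructed sample configuration, the user alice and the server SAMBA are assumptions, as is the fallback of %N to the server name when NIS is not in use.
</para>

```python
# Lint the profile settings of an smb.conf against this chapter's rules.
# Added example, not Samba's own code; it does not replace testparm.
import re
from typing import Dict, List, Optional, Tuple

Conf = Dict[str, Dict[str, str]]
DEFAULTS = {"logon path": r"\\%N\%U\profile", "logon home": r"\\%N\%U"}  # smb.conf(5) defaults


def parse_smbconf(text: str) -> Conf:
    """[section] headers and 'key = value' lines; names lower-cased (Samba
    compares them case-insensitively), whole-line '#'/';' comments skipped."""
    conf: Conf = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def expand(value: str, user: str, server: str) -> str:
    """Expand path macros. Assumed: %N falls back to the server name (no NIS)
    and %U equals %u (no username map rewriting the name)."""
    subst = {"%L": server, "%N": server, "%U": user, "%u": user}
    return re.sub(r"%[LNUu]", lambda m: subst[m.group(0)], value)


def split_unc(path: str) -> Tuple[str, str, str]:
    """UNC path -> (server, share, remainder below the share)."""
    parts = path.lstrip("\\").split("\\")
    if len(parts) >= 2 and parts[0] and parts[1]:
        return parts[0], parts[1], "\\".join(parts[2:])
    raise ValueError(f"not a UNC path: {path!r}")


def resolve_share(conf: Conf, share: str, user: str) -> Tuple[Optional[str], bool]:
    """Section serving a share, and whether [homes] creates it on the fly
    (a share named after the user: the chapter's %N/%U case)."""
    name = share.lower()
    if name in conf and name != "homes":
        return name, False
    if "homes" in conf and name in ("homes", user.lower()):
        return "homes", True
    return None, False


def lint_profiles(text: str, user: str, server: str) -> List[str]:
    """Where one user's profiles land, plus every chapter rule that is broken."""
    conf = parse_smbconf(text)
    glob = conf.get("global", {})
    path = glob.get("logon path", DEFAULTS["logon path"])
    home = glob.get("logon home", DEFAULTS["logon home"])
    if not path and not home:
        return ["logon path and logon home both empty: all clients get local profiles"]
    out: List[str] = []
    # Windows NT4/200x take the profile location from logon path.
    if not path:
        out.append("logon path empty: NT4/200x clients use local profiles")
    else:
        srv, share, rest = split_unc(expand(path, user, server))
        section, via_homes = resolve_share(conf, share, user)
        out.append("NT4/200x profile: \\\\" + "\\".join(p for p in (srv, share, rest) if p))
        if section is None:
            out.append(f"ERROR: share '{share}' in logon path is not defined")
        elif via_homes:
            out.append("WARNING: logon path goes through the [homes] meta-service; "
                       "NT/200x clients may keep the connection between logons")
        # 'browseable = yes' is the default, so only an explicit 'no' breaks the rule
        if section is not None and conf[section].get("browseable", "yes").lower() == "no":
            out.append(f"ERROR: share '{share}' must be browseable for logon path to work")
    # Windows 9x/Me take it from logon home; the client maps only server and
    # share for 'net use /home' and keeps the profile in the remainder.
    if not home:
        out.append("logon home empty: 9x/Me clients use local profiles")
    else:
        srv, share, rest = split_unc(expand(home, user, server))
        section, _ = resolve_share(conf, share, user)
        out.append(f"9x/Me home drive: \\\\{srv}\\{share}; profile subdir: '{rest or '.'}'")
        if section is None:
            out.append(f"ERROR: share '{share}' in logon home is not defined")
    return out


# Constructed sample, not a real site's configuration.
SAMPLE_CONF = r"""[global]
   logon path = \\%L\Profiles\%u
   logon home = \\%L\%U\.profiles
[homes]
   browseable = no
[Profiles]
   path = /var/lib/samba/profiles
   browseable = no
"""

if __name__ == "__main__":
    print("\n".join(lint_profiles(SAMPLE_CONF, "alice", "SAMBA")))
```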

<para>
Consult the MS Windows registry guide for your particular MS Windows version for more information
about which registry keys to change to enforce use of only local user profiles.
</para>

<note><para>
The specifics of how to convert a local profile to a roaming profile, or a roaming profile
to a local one vary according to the version of MS Windows you are running. Consult the Microsoft MS
Windows Resource Kit for your version of Windows for specific information.
</para></note>

</sect3> </sect2>

<sect2> <title>Windows Client Profile Configuration Information</title>

<sect3> <title>Windows 9x/Me Profile Setup</title>

<para>
When a user first logs in on Windows 9X, the file <filename>user.DAT</filename> is created, as are folders
<filename>Start Menu</filename>, <filename>Desktop</filename>, <filename>Programs</filename>, and
<filename>Nethood</filename>. These directories and their contents will be merged with the local
versions stored in <filename>c:\windows\profiles\username</filename> on subsequent logins, taking the
most recent from each. You will need to use the <smbconfsection>[global]</smbconfsection> options
<smbconfoption><name>preserve case</name><value>yes</value></smbconfoption>,
<smbconfoption><name>short preserve case</name><value>yes</value></smbconfoption> and
<smbconfoption><name>case sensitive</name><value>no</value></smbconfoption>
in order to maintain capital letters in shortcuts in any of the profile folders.
</para>

<para>
The <filename>user.DAT</filename> file contains all the user's preferences. If you wish to enforce a set of preferences,
rename their <filename>user.DAT</filename> file to <filename>user.MAN</filename>, and deny them write access to this file.
</para>

<orderedlist>
<listitem> <para>
On the Windows 9x/Me machine, go to <guimenu>Control Panel</guimenu> ->
<guimenuitem>Passwords</guimenuitem> and select the <guilabel>User Profiles</guilabel> tab.
Select the required level of roaming preferences. Press <guibutton>OK</guibutton>, but do not
allow the computer to reboot.
</para> </listitem>

<listitem> <para>
On the Windows 9x/Me machine, go to <guimenu>Control Panel</guimenu> ->
<guimenuitem>Network</guimenuitem> -> <guimenuitem>Client for Microsoft Networks</guimenuitem>
-> <guilabel>Preferences</guilabel>. Select <guilabel>Log on to NT Domain</guilabel>. Then,
ensure that the Primary Logon is <guilabel>Client for Microsoft Networks</guilabel>. Press
<guibutton>OK</guibutton>, and this time allow the computer to reboot.
</para> </listitem>
</orderedlist>

<para> Under Windows 9x/ME, profiles are downloaded from the Primary Logon. If you have the Primary Logon
as <quote>Client for Novell Networks</quote>, then the profiles and logon script will be downloaded from
your Novell Server. If you have the Primary Logon as <quote>Windows Logon</quote>, then the profiles will
be loaded from the local machine &smbmdash; a bit against the concept of roaming profiles, it would seem! </para>

<para>
You will now find that the Microsoft Networks Login box contains <constant>[user, password, domain]</constant> instead
of just <constant>[user, password]</constant>. Type in the Samba server's domain name (or any other domain known to exist,
but bear in mind that the user will be authenticated against this domain and profiles downloaded from it,
if that domain logon server supports it), user name and user's password.
</para>

<para> Once the user has been successfully validated, the Windows 9x/Me machine will inform you that
<computeroutput>The user has not logged on before</computeroutput> and asks you <computeroutput>Do you
wish to save the user's preferences?</computeroutput> Select <guibutton>Yes</guibutton>. </para>

<para> Once the Windows 9x/Me client comes up with the desktop, you should be able to examine the
contents of the directory specified in the <smbconfoption><name>logon path</name></smbconfoption> on
the Samba server and verify that the <filename>Desktop</filename>, <filename>Start Menu</filename>,
<filename>Programs</filename> and <filename>Nethood</filename> folders have been created. </para>

<para> These folders will be cached locally on the client, and updated when the user logs off (if
you haven't made them read-only by then). You will find that if the user creates further folders or
shortcuts, the client will merge the profile contents downloaded with the contents of the profile
directory already on the local client, taking the newest folders and shortcuts from each set. </para>

<para> If you have made the folders/files read-only on the Samba server, then you will get errors from
the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile.
Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions
and ownership rights on the profile directory contents, on the Samba server. </para>

<para> If you have problems creating user profiles, you can reset the user's local desktop cache, as
shown below. When this user next logs in, the user will be told that he/she is logging in <quote>for
the first time</quote>.

<indexterm><primary>windows registry settings</primary><secondary>profile path</secondary></indexterm>
</para>


<orderedlist>
<listitem><para>
Instead of logging in under the [user, password, domain] dialog, press <guibutton>escape</guibutton>.
</para> </listitem>

<listitem><para>
Run the <command>regedit.exe</command> program, and look in:
</para>

<para>
<filename>HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</filename>
</para>

<para>
You will find an entry for each user of ProfilePath. Note the contents of this key
(likely to be <filename>c:\windows\profiles\username</filename>), then delete the key
<parameter>ProfilePath</parameter> for the required user.
</para></listitem>

<listitem><para>
Exit the registry editor.
</para></listitem>

<listitem><para>
Search for the user's .PWL password-caching file in the <filename>c:\windows</filename> directory, and delete it.
</para></listitem>

<listitem><para>
Log off the Windows 9x/Me client.
</para></listitem>

<listitem><para>
Check the contents of the profile path (see <smbconfoption><name>logon path</name></smbconfoption>
described above) and delete the <filename>user.DAT</filename> or <filename>user.MAN</filename>
file for the user, making a backup if required.
</para></listitem>
</orderedlist>

<warning><para>
Before deleting the contents of the directory listed in the <parameter>ProfilePath</parameter>
(this is likely to be <filename>c:\windows\profiles\username</filename>), ask the owner if they have
any important files stored on their desktop or in their start menu. Delete the contents of the
directory <parameter>ProfilePath</parameter> (making a backup if any of the files are needed).
</para>

<para>
This will have the effect of removing the local (read-only hidden system file) <filename>user.DAT</filename>
in their profile directory, as well as the local <quote>desktop,</quote> <quote>nethood,</quote>
<quote>start menu,</quote> and <quote>programs</quote> folders.
</para></warning>

<para>
If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet
sniffer program such as ethereal or <command>netmon.exe</command>, and look for error messages.
</para>

<para> If you have access to a Windows NT4/200x server, then first set up roaming profiles and/or
netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces
provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace.
</para>

</sect3>

<sect3>
<title>Windows NT4 Workstation</title>

<para> When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile
location can now be specified through the <smbconfoption><name>logon path</name></smbconfoption> parameter.
</para>

<para> There is a parameter that is now available for use with NT Profiles: <smbconfoption><name>logon drive</name></smbconfoption>.
This should be set to <filename>H:</filename> or any other drive, and should be used in conjunction with
the new <smbconfoption><name>logon home</name></smbconfoption> parameter. </para>

<para> The entry for the NT4 profile is a directory not a file. The NT help on Profiles mentions that a
directory is also created with a .PDS extension. The user, while logging in, must have write permission
to create the full profile path (and the folder with the .PDS extension for those situations where it
might be created.) </para>

<para> In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates
<filename>Application Data</filename> and others, as well as <filename>Desktop</filename>,
<filename>Nethood</filename>, <filename>Start Menu,</filename> and <filename>Programs</filename>.
The profile itself is stored in a file <filename>NTuser.DAT</filename>. Nothing appears to be stored
in the .PDS directory, and its purpose is currently unknown. </para>

<para> You can use the <application>System Control Panel</application> to copy a local profile onto
a Samba server (see NT Help on Profiles; it is also capable of firing up the correct location in the
<application>System Control Panel</application> for you). The NT Help file also mentions that renaming
<filename>NTuser.DAT</filename> to <filename>NTuser.MAN</filename> turns a profile into a mandatory one.
</para>

<para> The case of the profile is significant. The file must be called <filename>NTuser.DAT</filename>
or, for a mandatory profile, <filename>NTuser.MAN</filename>. </para> </sect3>

<sect3> <title>Windows 2000/XP Professional</title>

<para> You must first convert the profile from a local profile to a domain profile on the MS Windows
workstation as follows: </para>

<procedure>
<step><para> Log on as the <emphasis>local</emphasis> workstation administrator. </para></step>

<step><para> Right-click on the <guiicon>My Computer</guiicon> Icon, select
<guimenuitem>Properties</guimenuitem>.</para></step>

<step><para> Click on the <guilabel>User Profiles</guilabel> tab.</para></step>

<step><para> Select the profile you wish to convert (click it once).</para></step>

<step><para> Click on the <guibutton>Copy To</guibutton> button.</para></step>

<step><para> In the <guilabel>Permitted to use</guilabel> box, click on the
<guibutton>Change</guibutton> button. </para></step>

<step><para> Click on the <guilabel>Look in</guilabel> area that lists the machine name. When you click here, it will
open up a selection box. Click on the domain to which the profile must be accessible. </para>

<note><para>You will need to log on if a logon box opens up.
For example, connect as <replaceable>DOMAIN</replaceable>\root, password:
<replaceable>mypassword</replaceable>.</para></note> </step>

<step><para> To make the profile capable of being used by anyone, select <quote>Everyone</quote>. </para></step>

<step><para> Click on <guibutton>OK</guibutton> and the Selection box will close. </para></step>

<step><para> Now click on <guibutton>OK</guibutton> to create the profile in the path
you nominated. </para></step>
</procedure>

<para> Done. You now have a profile that can be edited using the Samba <command>profiles</command> tool.
</para>

<note><para>
Under Windows NT/200x, the use of mandatory profiles forces the use of MS Exchange storage of mail
data and keeps it out of the desktop profile. That keeps desktop profiles from becoming unusable.
</para> </note>

<sect4>
<title>Windows XP Service Pack 1</title>
<para>
There is a security check new to Windows XP (or maybe only Windows XP service pack 1).
It can be disabled via a group policy in the Active Directory. The policy is called:
</para>

<para>
<filename>Computer Configuration\Administrative Templates\System\User Profiles\<?latex \linebreak ?>Do not check for
user ownership of Roaming Profile Folders</filename>
</para>

<para>
This should be set to <constant>Enabled</constant>.
</para>

<para>
Does the new version of Samba have an Active Directory analogue? If so, then you may be able to set the policy through this.
</para>

<para>If you cannot set group policies in Samba, then you may be able to set the policy locally on
each machine. If you want to try this, then do the following (N.B. I do not know for sure that this
will work in the same way as a domain group policy):
</para>


<procedure>
<step><para>On the XP workstation, log in with an Administrative account.</para></step>

<step><para>Click on <guimenu>Start</guimenu> -> <guimenuitem>Run</guimenuitem>.</para></step>
<step><para>Type <command>mmc</command>.</para></step>
<step><para>Click on <guibutton>OK</guibutton>.</para></step>
<step><para>A Microsoft Management Console should appear.</para></step>
<step><para>Click on <guimenu>File</guimenu> -> <guimenuitem>Add/Remove Snap-in</guimenuitem> -> <guimenuitem>Add</guimenuitem>.</para></step>
<step><para>Double-click on <guiicon>Group Policy</guiicon>.</para></step>
<step><para>Click on <guibutton>Finish</guibutton> -> <guibutton>Close</guibutton>.</para></step>
<step><para>Click on <guibutton>OK</guibutton>.</para></step>
<step><para>In the <quote>Console Root</quote> window expand <guiicon>Local Computer Policy</guiicon> ->
<guiicon>Computer Configuration</guiicon> -> <guiicon>Administrative Templates</guiicon> ->
<guiicon>System</guiicon> -> <guiicon>User Profiles</guiicon>.</para></step>
<step><para>Double-click on <guilabel>Do not check for user ownership of Roaming Profile Folders</guilabel>.</para></step>
<step><para>Select <guilabel>Enabled</guilabel>.</para></step>
<step><para>Click on <guibutton>OK</guibutton>.</para></step>
<step><para>Close the whole console. You do not need to save the settings (this refers to the
console settings rather than the policies you have changed).</para></step>
<step><para>Reboot.</para></step>
</procedure>
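<para>
The following POSIX shell script is an added example (not from the HOWTO) that takes the server-side alternative to switching the ownership check off: it audits a Samba profile share so that every per-user directory is owned by the user it is named after and is private to that user, which is what the XP check and the write-permission requirement for NT profile paths above both need. The share path, the one-directory-per-UNIX-user layout and the 0700 mode are assumptions.
</para>

```shell
#!/bin/sh
# Audit a Samba profile share from the server side. Added example, not from
# the HOWTO: Windows XP SP1 rejects a roaming profile whose folder is not owned
# by the user, so instead of switching that check off with the policy above,
# make the server satisfy it. Assumptions: one directory per user named after
# the UNIX account, GNU or BSD stat, expected mode 0700 (override with
# PROFILE_DIR_MODE).

# check_profile_dir DIR USER: succeed only if DIR is owned by USER with the
# expected mode; print one line per problem found
check_profile_dir() {
    dir=$1
    user=$2
    want=${PROFILE_DIR_MODE:-700}
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 1
    fi
    # GNU stat first, BSD/macOS stat as the fallback
    owner=$(stat -c '%U' "$dir" 2>/dev/null || stat -f '%Su' "$dir")
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%OLp' "$dir")
    status=0
    if [ "$owner" != "$user" ]; then
        echo "OWNER    $dir is owned by $owner, expected $user"
        status=1
    fi
    if [ "$mode" != "$want" ]; then
        echo "MODE     $dir has mode $mode, expected $want"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK       $dir"
    fi
    return "$status"
}

# audit_profile_share ROOT: check every per-user directory under ROOT and
# fail if any of them is wrong
audit_profile_share() {
    root=$1
    failed=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue   # an unmatched glob comes back literally
        d=${d%/}
        check_profile_dir "$d" "$(basename "$d")" || failed=1
    done
    return "$failed"
}

# Usage: sh audit_profiles.sh /var/lib/samba/profiles   (path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_profile_share "$1"
fi
```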
</sect4>
</sect3>
</sect2>

<sect2>
<title>Sharing Profiles between W9x/Me and NT4/200x/XP Workstations</title>

<para> Sharing of desktop profiles between Windows versions is not recommended. Desktop profiles are an
evolving phenomenon and profiles for later versions of MS Windows clients add features that may interfere
with earlier versions of MS Windows clients. Probably the more salient reason to not mix profiles is
that when logging off an earlier version of MS Windows, the older format of profile contents may overwrite
information that belongs to the newer version resulting in loss of profile information content when that
user logs on again with the newer version of MS Windows. </para>

<para> If you then want to share the same Start Menu/Desktop with W9x/Me, you will need to specify a common
location for the profiles. The &smb.conf; parameters that need to be common are
<smbconfoption><name>logon path</name></smbconfoption> and
<smbconfoption><name>logon home</name></smbconfoption>. </para>

<para> If you have this set up correctly, you will find separate <filename>user.DAT</filename> and
<filename>NTuser.DAT</filename> files in the same profile directory. </para>

</sect2>

<sect2>
<title>Profile Migration from Windows NT4/200x Server to Samba</title>

<para> There is nothing to stop you from specifying any path that you like for the location of users' profiles.
Therefore, you could specify that the profile be stored on a Samba server, or any other SMB server,
as long as that SMB server supports encrypted passwords. </para>

<sect3>
<title>Windows NT4 Profile Management Tools</title>

<para> Unfortunately, the Resource Kit information is specific to the version of MS Windows NT4/200x. The
correct resource kit is required for each platform. </para>

<para>Here is a quick guide:</para>

<procedure>
<step><para> On your NT4 Domain Controller, right click on <guiicon>My Computer</guiicon>, then select the
tab labeled <guilabel>User Profiles</guilabel>. </para></step>

<step><para> Select a user profile you want to migrate and click on it. </para>

<note><para>I am using the term <quote>migrate</quote> loosely. You can copy a profile to create a group
profile. You can give the user <parameter>Everyone</parameter> rights to the profile you copy this to. That
is what you need to do, since your Samba domain is not a member of a trust relationship with your NT4
PDC.</para></note></step>

<step><para>Click on the <guibutton>Copy To</guibutton> button.</para></step>

<step><para>In the box labeled <guilabel>Copy Profile to</guilabel> add your new path, e.g.,
<filename>c:\temp\foobar</filename></para></step>

<step><para>Click on <guibutton>Change</guibutton> in the <guilabel>Permitted to use</guilabel> box.</para></step>

<step><para>Click on the group <quote>Everyone</quote>, click on <guibutton>OK</guibutton>. This
closes the <quote>choose user</quote> box.</para></step>

<step><para>Now click on <guibutton>OK</guibutton>.</para></step>
</procedure>

<para> Follow the above for every profile you need to migrate. </para>

</sect3>

<sect3>
<title>Side Bar Notes</title>


<para>
<indexterm><primary>SID</primary></indexterm>
You should obtain the SID of your NT4 domain. You can use smbpasswd to do this. Read the man
page.</para>

</sect3>

<sect3> <title>moveuser.exe</title>

<para> The Windows 200x professional resource kit has <command>moveuser.exe</command>. <command>moveuser.exe</command> changes the security of a profile
from one user to another. This allows the account domain to change, and/or the user name to change.</para>

<para>
This command is like the Samba <command>profiles</command> tool.
</para>

</sect3>

<sect3>
<title>Get SID</title>

<para>
<indexterm><primary>SID</primary></indexterm>
You can identify the SID by using <command>GetSID.exe</command> from the Windows NT Server 4.0 Resource Kit. </para>

<para> Windows NT 4.0 stores the local profile information in the registry under the following key:
<filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</filename> </para>

<para> Under the ProfileList key, there will be subkeys named with the SIDs of the users who have logged
on to this computer. (To find the profile information for the user whose locally cached profile you want
to move, find the SID for the user with the <command>GetSID.exe</command> utility.) Inside the appropriate user's subkey,
you will see a string value named <parameter>ProfileImagePath</parameter>. </para>

</sect3> </sect2> </sect1>

<sect1> <title>Mandatory Profiles</title>

<para>
<indexterm><primary>mandatory profiles</primary></indexterm>
A Mandatory Profile is a profile that the user does not have the ability to overwrite. During the
user's session it may be possible to change the desktop environment; however, when the user logs out, all changes
made will be lost. If it is desired to not allow the user any ability to change the desktop environment,
then this must be done through policy settings. See the previous chapter. </para>

<note><para> Under NO circumstances should the profile directory (or its
contents) be made read-only as this may render the profile unusable.
Where it is essential to make a profile read-only within the UNIX file
system, this can be done but then you absolutely must use the
<command>fake-permissions</command> VFS module to instruct MS Windows
NT/200x/XP clients that the Profile has write permission for the user.
See <link linkend="fakeperms">fake_perms VFS module</link>. </para></note>

<para> For MS Windows NT4/200x/XP, the above method can also be used to create mandatory profiles. To
convert a group profile into a mandatory profile, simply locate the <filename>NTUser.DAT</filename> file in the copied profile
and rename it to <filename>NTUser.MAN</filename>. </para>

<para> For MS Windows 9x/ME, it is the <filename>User.DAT</filename> file that must be renamed to
<filename>User.MAN</filename> to effect a mandatory profile. </para>
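<para>
The &smb.conf; fragment below is added here as an example (not from the HOWTO): it combines the logon path, logon home and logon drive settings from the Roaming Profiles section with a browseable profile share and a read-only mandatory-profile share served through fake_perms, as the note above requires. Share names, paths, the <quote>%G</quote> suggestion and the csc policy and profile acls parameters are assumptions not taken from this chapter.
</para>

```ini
; Added example smb.conf fragment, not taken from the HOWTO. Share names and
; paths are assumptions; 'csc policy' and 'profile acls' are Samba 3 parameters
; this chapter does not cover. smb.conf only allows whole-line comments.
[global]
   workgroup = EXAMPLE
   ; NT4/200x clients read logon path; 9x/Me clients read logon home and map
   ; only its \\server\share part with 'net use /home'
   logon path = \\%L\Profiles\%u
   logon home = \\%L\%u\.profiles
   logon drive = H:

[homes]
   comment = Home directories (9x/Me profiles land in .profiles here)
   read only = no
   browseable = no
   create mask = 0600
   directory mask = 0700

[Profiles]
   ; the share named in logon path must be browseable
   path = /var/lib/samba/profiles
   read only = no
   browseable = yes
   ; what the client creates stays private to the owning user, which also
   ; satisfies the XP SP1 folder-ownership check
   create mask = 0600
   directory mask = 0700
   ; no client-side (offline files) caching of profile contents
   csc policy = disable
   ; report ownership the way NT/200x/XP profile handling expects
   profile acls = yes

[ManProfiles]
   ; mandatory profiles: NTuser.DAT renamed to NTuser.MAN (user.DAT to user.MAN
   ; for 9x/Me). The tree is read-only in the UNIX file system (for example
   ; owned by root, mode 0755), so fake_perms must report it as writable to
   ; NT/200x/XP clients, as the note above requires. Point the logon path of
   ; the affected users here, e.g. with the %G (primary group) macro.
   path = /var/lib/samba/mandatory-profiles
   read only = no
   browseable = yes
   vfs objects = fake_perms
```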
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Creating and Managing Group Profiles</title>
|
|
|
|
<para>
|
|
<indexterm><primary>group profiles</primary></indexterm>
|
|
Most organizations are arranged into departments. There is a nice benefit in this fact since usually
|
|
most users in a department require the same desktop applications and the same desktop layout. MS
|
|
Windows NT4/200x/XP will allow the use of Group Profiles. A Group Profile is a profile that is created
|
|
first using a template (example) user. Then using the profile migration tool (see above), the profile is
|
|
assigned access rights for the user group that needs to be given access to the group profile. </para>
|
|
|
|
<para> The next step is rather important. Instead of assigning a group profile to users (Using User Manager)
|
|
on a <quote>per user</quote> basis, the group itself is assigned the now modified profile. </para>
|
|
|
|
<note>
|
|
<para> Be careful with Group Profiles. If the user who is a member of a group also has a personal
|
|
profile, then the result will be a fusion (merge) of the two. </para>
|
|
</note>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
<title>Default Profile for Windows Users</title>

<para>
<indexterm><primary>default profile</primary></indexterm>
MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile
does not already exist. Armed with a knowledge of where the default profile is located on the Windows
workstation, and knowing which registry keys affect the path from which the default profile is created,
it is possible to modify the default profile to one that has been optimized for the site. This has
significant administrative advantages. </para>

<sect2>
<title>MS Windows 9x/Me</title>

<para> To enable default per user profiles in Windows 9x/Me, you can either use the <application>Windows
98 System Policy Editor</application> or change the registry directly. </para>

<para> To enable default per user profiles in Windows 9x/Me with the <application>System Policy
Editor</application>, launch it, then select <guimenu>File</guimenu> -> <guimenuitem>Open Registry</guimenuitem>,
next click on the <guiicon>Local Computer</guiicon> icon, click on <guilabel>Windows 98 System</guilabel>,
select <guilabel>User Profiles</guilabel>, and click on the enable box. Remember to save the registry
changes. </para>

<para> To modify the registry directly, launch the <application>Registry Editor</application>
(<command>regedit.exe</command>) and select the hive <filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. Now
add a DWORD type value with the name <quote>User Profiles</quote>: to enable user profiles set the value
to 1; to disable user profiles set it to 0. </para>

<sect3>
<title>User Profile Handling with Windows 9x/Me</title>

<para> When a user logs on to a Windows 9x/Me machine, the local profile path,
<filename>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</filename>, is checked
for an existing entry for that user. </para>

<para> If the user has an entry in this registry location, Windows 9x/Me checks for a locally cached
version of the user profile. Windows 9x/Me also checks the user's home directory (or other specified
directory if the location has been modified) on the server for the User Profile. If a profile exists
in both locations, the newer of the two is used. If the User Profile exists on the server, but does not
exist on the local machine, the profile on the server is downloaded and used. If the User Profile only
exists on the local machine, that copy is used. </para>

<para> If a User Profile is not found in either location, the Default User Profile from the Windows
9x/Me machine is used and copied to a newly created folder for the logged on user. At log off, any
changes that the user made are written to the user's local profile. If the user has a roaming profile,
the changes are written to the user's profile on the server. </para>

</sect3> </sect2>

<sect2>
<title>MS Windows NT4 Workstation</title>

<para> On MS Windows NT4, the default user profile is obtained from the location
<filename>%SystemRoot%\Profiles</filename> which in a default installation will translate to
<filename>C:\Windows NT\Profiles</filename>. Under this directory on a clean install there will be three
directories: <filename>Administrator</filename>, <filename>All Users</filename>, and <filename>Default
User</filename>. </para>

<para> The <filename>All Users</filename> directory contains menu settings that are common across all
system users. The <filename>Default User</filename> directory contains menu entries that are customizable
per user depending on the profile settings chosen/created. </para>

<para> When a new user first logs onto an MS Windows NT4 machine, a new profile is created from: </para>

<itemizedlist>
<listitem><para>All Users settings.</para></listitem>
<listitem><para>Default User settings (contains the default <filename>NTUser.DAT</filename> file).</para></listitem>
</itemizedlist>

<para> When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain,
the following steps are followed in respect of profile handling:
<indexterm><primary>NTConfig.POL</primary></indexterm>
</para>

<procedure>
<step> <para> The user's account information that is obtained during the logon process
contains the location of the user's desktop profile. The profile path may be local to
the machine or it may be located on a network share. If there exists a profile at the
location of the path from the user account, then this profile is copied to the location
<filename>%SystemRoot%\Profiles\%USERNAME%</filename>. This profile then inherits the settings
in the <filename>All Users</filename> profile in the <filename>%SystemRoot%\Profiles</filename>
location. </para> </step>

<step> <para> If the user account has a profile path, but at its location a profile does not
exist, then a new profile is created in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename>
directory from reading the <filename>Default User</filename> profile. </para> </step>

<step> <para> If the NETLOGON share on the authenticating server (logon server) contains
a policy file (<filename>NTConfig.POL</filename>), then its contents are applied to the
<filename>NTUser.DAT</filename> which is applied to the <filename>HKEY_CURRENT_USER</filename>
part of the registry. </para> </step>

<step> <para> When the user logs out, if the profile is set to be a roaming profile it will be
written out to the location of the profile. The <filename>NTuser.DAT</filename> file is then
recreated from the contents of <filename>HKEY_CURRENT_USER</filename>. Thus,
should there not exist in the NETLOGON share an <filename>NTConfig.POL</filename> at the next
logon, the effect of the previous <filename>NTConfig.POL</filename> will still be held in the
profile. This effect is known as tattooing. </para> </step>
</procedure>
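<para> The logon sequence above, as an added model in Python (not Samba's or Microsoft's code) that treats each registry hive as a dictionary. The Default User, All Users and NTConfig.POL contents are constructed sample values; the registry value names used are real ones. Two logons, the second after NTConfig.POL has been removed from NETLOGON, show the tattooed policy value surviving in the stored profile, and a small check lists such leftovers for an administrator. </para>

```python
from copy import deepcopy

# Constructed sample hives (registry path -> value). The value names are real
# Windows ones; the contents are made up for the model.
DEFAULT_USER = {r"Control Panel\Desktop\Wallpaper": "default.bmp"}
ALL_USERS = {r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Start Menu":
             r"%SystemRoot%\Profiles\All Users\Start Menu"}
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies"
NTCONFIG_POL = {POLICIES + r"\Explorer\NoRun": 1}   # what the policy file sets


def logon(profile_at_path, ntconfig_pol):
    """Steps 1 to 3: build HKEY_CURRENT_USER for this logon."""
    if profile_at_path is not None:
        hkcu = deepcopy(profile_at_path)      # step 1: profile found at the profile path
    else:
        hkcu = deepcopy(DEFAULT_USER)         # step 2: new profile from Default User
    for key, value in ALL_USERS.items():      # inherit the All Users settings
        hkcu.setdefault(key, value)
    if ntconfig_pol:                          # step 3: NTConfig.POL found in NETLOGON
        hkcu.update(ntconfig_pol)
    return hkcu


def logoff(hkcu):
    """Step 4: NTUSER.DAT is rebuilt from HKEY_CURRENT_USER and written to the profile path."""
    return deepcopy(hkcu)


def simulate_logons(pol_per_logon):
    """One logon/logoff cycle per entry; each entry is the NTConfig.POL present in
    NETLOGON for that logon, or None when the file has been removed."""
    profile_at_path = None
    for pol in pol_per_logon:
        profile_at_path = logoff(logon(profile_at_path, pol))
    return profile_at_path


def tattooed_values(profile, current_pol):
    """Policy values still in the stored profile that the current NTConfig.POL no longer sets."""
    current = current_pol or {}
    return {k: v for k, v in profile.items() if k.startswith(POLICIES) and k not in current}
```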

<para> MS Windows NT4 profiles may be <emphasis>local</emphasis> or <emphasis>roaming</emphasis>. A local
profile will be stored in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename> location. A roaming
profile will also remain stored in the same way, unless the following registry key is created as shown: </para>

<para><screen> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
winlogon\"DeleteRoamingCache"=dword:00000001
</screen>
In this case, the local copy (in <filename>%SystemRoot%\Profiles\%USERNAME%</filename>) will be deleted
on logout.</para>

<para> Under MS Windows NT4, default locations for common resources like <filename>My Documents</filename>
may be redirected to a network share by modifying the following registry keys. These changes may be
effected via use of the System Policy Editor. To do so may require that you create your own template
extension for the policy editor to allow this to be done through the GUI. Another way to do this is by
way of first creating a default user profile, then while logged in as that user, run <command>regedt32</command> to edit
the key settings. </para>

<para>
On Windows NT4, the registry hive key that controls the behavior of folders that are part of the default user
profile is:
<screen>
HKEY_CURRENT_USER
\Software
\Microsoft
\Windows
\CurrentVersion
\Explorer
\User Shell Folders
</screen>
<indexterm><primary>windows registry settings</primary><secondary>default profile locations</secondary></indexterm>
</para>

<para> The above hive key contains a list of automatically managed
folders. The default entries are shown in <link linkend="ProfileLocs">the next table</link>.
</para>

<table frame="all" id="ProfileLocs">
<title>User Shell Folder Registry Keys Default Values</title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="left"/>
<thead>
<row><entry>Name</entry><entry>Default Value</entry></row>
</thead>
<tbody>
<row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row>
<row><entry>Desktop</entry><entry>%USERPROFILE%\Desktop</entry></row>
<row><entry>Favorites</entry><entry>%USERPROFILE%\Favorites</entry></row>
<row><entry>NetHood</entry><entry>%USERPROFILE%\NetHood</entry></row>
<row><entry>PrintHood</entry><entry>%USERPROFILE%\PrintHood</entry></row>
<row><entry>Programs</entry><entry>%USERPROFILE%\Start Menu\Programs</entry></row>
<row><entry>Recent</entry><entry>%USERPROFILE%\Recent</entry></row>
<row><entry>SendTo</entry><entry>%USERPROFILE%\SendTo</entry></row>
<row><entry>Start Menu</entry><entry>%USERPROFILE%\Start Menu</entry></row>
<row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row>
</tbody>
</tgroup>
</table>

<para> The registry key that contains the location of the default profile settings is: </para>

<para> <filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\<?latex \linebreak ?>
User Shell Folders</filename> </para>

<para> The default entries are shown in <link linkend="regkeys">the next table</link>.</para>

<table frame="all" id="regkeys">
<title>Defaults of Profile Settings Registry Keys</title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="left"/>
<thead>
<row><entry>Name</entry><entry>Default Value</entry></row>
</thead>
<tbody>
<row><entry>Common Desktop</entry><entry>%SystemRoot%\Profiles\All Users\Desktop</entry></row>
<row><entry>Common Programs</entry><entry>%SystemRoot%\Profiles\All Users\Programs</entry></row>
<row><entry>Common Start Menu</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu</entry></row>
<row><entry>Common Startup</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</entry></row>
</tbody>
</tgroup>
</table>

</sect2>

<sect2> <title>MS Windows 200x/XP</title>

<note><para>
<indexterm><primary>GPOs</primary></indexterm>
MS Windows XP Home Edition does use default per user profiles, but cannot participate
in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only
from itself. While there are benefits in doing this, the beauty of those MS Windows clients that
can participate in domain logon processes is that the administrator can create a global default
profile and enforce it through the use of Group Policy Objects (GPOs).
</para></note>

<para> When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from
<filename>C:\Documents and Settings\Default User</filename>. The administrator can modify or change the
contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement
since it will involve copying a new default profile to every MS Windows 200x/XP client workstation. </para>

<para> When MS Windows 200x/XP participates in a domain security context, and if the default user profile is
not found, then the client will search for a default profile in the NETLOGON share of the authenticating
server. In MS Windows parlance, this is<?latex \linebreak ?><filename>%LOGONSERVER%\NETLOGON\Default User</filename>; if one
exists there, the client copies it to the workstation into <filename>C:\Documents and Settings\</filename>
under the Windows login name of the user. </para>

<note> <para> This path translates, in Samba parlance, to the &smb.conf;
<smbconfsection>[NETLOGON]</smbconfsection> share. The directory should be created at the root
of this share and must be called <filename>Default Profile</filename>. </para> </note>

<para> If a default profile does not exist in this location, then MS Windows 200x/XP will use the local
default profile. </para>

<para> On logging out, the user's desktop profile will be stored to the location specified in the registry
settings that pertain to the user. If no specific policies have been created or passed to the client
during the login process (as Samba does automatically), then the user's profile will be written to the
local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>. </para>

<para> Those wishing to modify the default behavior can do so through these three methods: </para>

<itemizedlist>
<listitem> <para> Modify the registry keys on the local machine manually and place the new
default profile in the NETLOGON share root. This is not recommended as it is maintenance intensive.
</para> </listitem>

<listitem> <para> Create an NT4-style NTConfig.POL file that specifies this behavior and locate
this file in the root of the NETLOGON share along with the new default profile. </para> </listitem>

<listitem> <para> Create a GPO that enforces this through Active Directory, and place the new
default profile in the NETLOGON share. </para> </listitem>
</itemizedlist>

<para>On Windows 200x/XP, the registry hive key that controls the behavior of folders that are part of the default user
profile is: </para>

<para> <filename>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders\</filename> </para>

<para>
The above hive key contains a list of automatically managed folders. The default entries are shown
in <link linkend="defregpthkeys">the next table</link>.
<indexterm><primary>windows registry settings</primary><secondary>default profile locations</secondary></indexterm>
</para>

<table frame="all" id="defregpthkeys">
<title>Defaults of Default User Profile Paths Registry Keys</title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="left"/>
<thead>
<row><entry>Name</entry><entry>Default Value</entry></row>
</thead>
<tbody>
<row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row>
<row><entry>Cache</entry><entry>%USERPROFILE%\Local Settings\Temporary Internet Files</entry></row>
<row><entry>Cookies</entry><entry>%USERPROFILE%\Cookies</entry></row>
<row><entry>Desktop</entry><entry>%USERPROFILE%\Desktop</entry></row>
<row><entry>Favorites</entry><entry>%USERPROFILE%\Favorites</entry></row>
<row><entry>History</entry><entry>%USERPROFILE%\Local Settings\History</entry></row>
<row><entry>Local AppData</entry><entry>%USERPROFILE%\Local Settings\Application Data</entry></row>
<row><entry>Local Settings</entry><entry>%USERPROFILE%\Local Settings</entry></row>
<row><entry>My Pictures</entry><entry>%USERPROFILE%\My Documents\My Pictures</entry></row>
<row><entry>NetHood</entry><entry>%USERPROFILE%\NetHood</entry></row>
<row><entry>Personal</entry><entry>%USERPROFILE%\My Documents</entry></row>
<row><entry>PrintHood</entry><entry>%USERPROFILE%\PrintHood</entry></row>
<row><entry>Programs</entry><entry>%USERPROFILE%\Start Menu\Programs</entry></row>
<row><entry>Recent</entry><entry>%USERPROFILE%\Recent</entry></row>
<row><entry>SendTo</entry><entry>%USERPROFILE%\SendTo</entry></row>
<row><entry>Start Menu</entry><entry>%USERPROFILE%\Start Menu</entry></row>
<row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row>
<row><entry>Templates</entry><entry>%USERPROFILE%\Templates</entry></row>
</tbody>
</tgroup>
</table>

<para> There is also an entry called <quote>Default</quote> that has no value set. The default entry is
of type <constant>REG_SZ</constant>, all the others are of type <constant>REG_EXPAND_SZ</constant>. </para>

<para> It makes a huge difference to the speed of handling roaming user profiles if all the folders are
stored on a dedicated location on a network server. This means that it will not be necessary to write
the Outlook PST file over the network for every login and logout. </para>

<para> To set this to a network location, you could use the following examples: </para>

<para><filename>%LOGONSERVER%\%USERNAME%\Default Folders</filename></para>

<para> This would store the folders in the user's home directory under a directory called <filename>Default
Folders</filename>. You could also use: </para>

<para><filename>\\<replaceable>SambaServer</replaceable>\<replaceable>FolderShare</replaceable>\%USERNAME%</filename></para>

<para>
in which case the default folders will be stored on the server named <replaceable>SambaServer</replaceable>
in the share called <replaceable>FolderShare</replaceable> under a directory that has the name of the
MS Windows user as seen by the Linux/UNIX file system. </para>

<para> Please note that once you have created a default profile share, you MUST migrate a user's profile
(default or custom) to it. </para>

<para> MS Windows 200x/XP profiles may be <emphasis>Local</emphasis> or <emphasis>Roaming</emphasis>.
A roaming profile will be cached locally unless the following registry key is created:
<indexterm><primary>delete roaming profiles</primary></indexterm>
</para>

<para> <programlisting> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
winlogon\"DeleteRoamingCache"=dword:00000001</programlisting></para>

<para>
In this case, the local cache copy will be deleted on logout.
</para>
</sect2>
</sect1>

<sect1> <title>Common Errors</title>

<para>
The following are some typical errors, problems and questions that have been asked on the Samba mailing lists.
</para>

<sect2>
<title>Configuring Roaming Profiles for a Few Users or Groups</title>

<para>
With Samba-2.2.x, the choice you have is to enable or disable roaming profiles support. It is a
global-only setting. The default is to have roaming profiles, and the default path will locate them in
the user's home directory.
</para>

<para>
If disabled globally, then no one will have roaming profile ability. If enabled and you want it
to apply only to certain machines, then on those machines on which roaming profile support is not wanted
it is necessary to disable roaming profile handling in the registry of each such machine.
</para>

<para>
With Samba-3, you can have a global profile setting in &smb.conf; and you can override this by
per-user settings using the Domain User Manager (as with MS Windows NT4/200x). </para>

<para> In any case, you can configure only one profile per user. That profile can be either: </para>

<itemizedlist>
<listitem><para>A profile unique to that user.</para></listitem>
<listitem><para>A mandatory profile (one the user cannot change).</para></listitem>
<listitem><para>A group profile (really should be mandatory, that is, unchangeable).</para></listitem>
</itemizedlist>

</sect2>

<sect2> <title>Cannot Use Roaming Profiles</title>

<para> A user requested the following: <quote> I do not want Roaming profiles to be implemented. I want
to give users a local profile alone. Please help me, I am totally lost with this error. For the past
two days I tried everything, I googled around but found no useful pointers. Please help me. </quote></para>

<para> The choices are: </para>

<variablelist>
<varlistentry>
<term>Local profiles</term> <listitem><para> I know of no registry keys that will allow
auto-deletion of LOCAL profiles on log out.</para></listitem>
</varlistentry>

<varlistentry>
<term>Roaming profiles</term> <listitem><para> As a user logs onto the network, a centrally
stored profile is copied to the workstation to form a local profile. This local profile
will persist (remain on the workstation disk) unless a registry key is changed that will
cause this profile to be automatically deleted on logout. </para></listitem>
</varlistentry>
</variablelist>

<para>The roaming profile choices are: </para>

<variablelist>
<varlistentry>
<term>Personal roaming profiles</term> <listitem><para> These are typically stored in
a profile share on a central (or conveniently located local) server. </para>

<para> Workstations cache (store) a local copy of the profile. This cached
copy is used when the profile cannot be downloaded at next logon. </para></listitem>
</varlistentry>

<varlistentry>
<term>Group profiles</term> <listitem><para>These are loaded from a central profile
server.</para></listitem>
</varlistentry>

<varlistentry>
<term>Mandatory profiles</term> <listitem><para> Mandatory profiles can be created for
a user as well as for any group that a user is a member of. Mandatory profiles cannot be
changed by ordinary users. Only the administrator can change or reconfigure a mandatory
profile. </para></listitem>
</varlistentry>
</variablelist>

<para> A Windows NT4/200x/XP profile can vary in size from 130KB to very large. Outlook PST files are
most often part of the profile and can be many GB in size. On average (in a well controlled environment),
a roaming profile size of 2MB is a good rule of thumb to use for planning purposes. In an undisciplined
environment, I have seen up to 2GB profiles. Users tend to complain when it takes an hour to log onto a
workstation, but they harvest the fruits of folly (and ignorance). </para>

<para> The point of all the above is to show that roaming profiles, good controls over how they can be
changed, and good discipline make for a problem-free site. </para>

<para> Microsoft's answer to the PST problem is to store all email in an MS Exchange Server backend. This
removes the need for a PST file. </para>

<para>Local profiles mean: </para>

<itemizedlist>
<listitem><para>If each machine is used by many users, then much local disk storage is needed
for local profiles.</para></listitem>
<listitem><para>Every workstation the user logs into has
its own profile; these can be very different from machine to machine.</para></listitem>
</itemizedlist>

<para> On the other hand, use of roaming profiles means: </para>

<itemizedlist>
<listitem><para>The network administrator can control the desktop environment of all users.</para></listitem>
<listitem><para>Use of mandatory profiles drastically reduces network management overheads.</para></listitem>
<listitem><para>In the long run, users will experience fewer problems.</para></listitem>
</itemizedlist>

</sect2>

<sect2>
<title>Changing the Default Profile</title>

<para><quote>When the client logs onto the Domain Controller, it searches
for a profile to download. Where do I put this default profile?</quote></para>

<para>
<indexterm><primary>default profile</primary></indexterm>
First, the Samba server needs to be configured as a Domain Controller. This can be done by
setting in &smb.conf;: </para>

<smbconfblock>
<smbconfoption><name>security</name><value>user</value></smbconfoption>
<smbconfoption><name>os level</name><value>32 (or more)</value></smbconfoption>
<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
</smbconfblock>

<para> There must be a <smbconfsection>[netlogon]</smbconfsection> share that is world readable. It is
a good idea to add a logon script to pre-set printer and drive connections. There is also a facility
for automatically synchronizing the workstation time clock with that of the logon server (another good
thing to do). </para>

<note><para> To invoke auto-deletion of roaming profiles from the local workstation cache (disk storage), use
the <application>Group Policy Editor</application> to create a file called <filename>NTConfig.POL</filename>
with the appropriate entries. This file needs to be located in the <smbconfsection>netlogon</smbconfsection>
share root directory.</para></note>

<para> Windows clients need to be members of the domain. Workgroup machines do not use network logons
so they do not interoperate with domain profiles. </para>

<para> For roaming profiles, add to &smb.conf;: </para>

<smbconfblock>
<smbconfoption><name>logon path</name><value>\\%N\profiles\%U</value></smbconfoption>
<smbconfcomment>Default logon drive is Z:</smbconfcomment>
<smbconfoption><name>logon drive</name><value>H:</value></smbconfoption>
<smbconfcomment>This requires a PROFILES share that is world writable.</smbconfcomment>
</smbconfblock>
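<para> An added example, not Samba's own code, that checks an &smb.conf; file for the settings described in this section (security, os level, domain logons, logon path, and the [netlogon] and profile shares) and reports a [netlogon] share that users could write to, since NTConfig.POL and the default profile kept there are applied to every client. The parameter names are Samba's; the sample configuration, its paths and the MIDEARTH workgroup are constructed. </para>

```python
import configparser

# Constructed sample smb.conf: the settings from this section, plus one
# common mistake (a writable [netlogon] share).
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = MIDEARTH
   security = user
   os level = 33
   domain logons = yes
   logon path = \\%N\profiles\%U
   logon drive = H:

[netlogon]
   path = /var/lib/samba/netlogon
   read only = no

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
"""

YES = {"yes", "true", "1", "on"}


def load_smb_conf(text):
    """Parse smb.conf text into {section name (lowercased): {parameter: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    # smb.conf parameter names are case-insensitive and ignore internal whitespace
    cp.optionxform = lambda name: " ".join(name.lower().split())
    # strip indentation so configparser does not read indented lines as continuations
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {name.lower(): dict(cp[name]) for name in cp.sections()}


def share_writable(share):
    """Samba shares default to read only = yes; writable/writeable override it."""
    for key in ("writable", "writeable"):
        if key in share:
            return share[key].lower() in YES
    return share.get("read only", "yes").lower() not in YES


def share_from_logon_path(path):
    r"""'\\%N\profiles\%U' -> 'profiles', the share the profile is stored in."""
    parts = [p for p in path.split("\\") if p]
    return parts[1].lower() if len(parts) >= 2 else None


def audit(conf):
    """Return findings; an empty list means the config matches this section's setup."""
    findings = []
    g = conf.get("global", {})
    if g.get("security", "user").lower() != "user":
        findings.append("security must be 'user' for a domain controller")
    if g.get("domain logons", "no").lower() not in YES:
        findings.append("domain logons = yes is required for network logons")
    if not int(g.get("os level", "20")) >= 32:
        findings.append("os level should be 32 or more")
    if "logon path" not in g:
        findings.append("no logon path set; profiles fall back to the default location")
    netlogon = conf.get("netlogon")
    if netlogon is None:
        findings.append("[netlogon] share is missing")
    elif share_writable(netlogon):
        # NTConfig.POL and the default profile kept here are applied to every
        # client, so only administrators should be able to change them
        findings.append("[netlogon] is writable; keep it read only so users "
                        "cannot alter NTConfig.POL or the default profile")
    share_name = share_from_logon_path(g.get("logon path", ""))
    if share_name:
        profiles = conf.get(share_name)
        if profiles is None:
            findings.append(f"logon path refers to share [{share_name}] which does not exist")
        elif not share_writable(profiles):
            findings.append(f"[{share_name}] must be writable so users can save their profiles")
    return findings
```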

</sect2>
</sect1>
</chapter>