First, there may be an account flag for this, I don't know. You should
investigate this. Aside from that...
A simple way to do this might be to create the user's profile directory
and then deny the user access by changing perms/ownership. The local
system would then respond with "Can't find a roaming profile, using a
local one". My users, for example, have access to
/var/lib/samba/profiles/[username]. I create the user profile
directories using a short script. I have to do this because I provide
*no* access to the root folder of the profiles share, i.e.
/var/lib/samba/profiles is:
drwxr-xr-x 4 root root 4096 Jul 10 12:08 profiles/
instead of something like:
drwxrwxr-x 4 root Domain Users 4096 Jul 10 12:08 profiles/
Here is an example of the script:
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
.
.
.
root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \
then mkdir -pm700 $PROFILE; chown "%u"."%g" $PROFILE; fi
It is possible I could modify the script so that if %g (the user's group)
is "Local Profile" then do not create the profile etc. etc.
OK, that is one angle but here is another.
From my smb.conf:
#Below is for Windows XP Pro, NT, 2K Pro
#Corresponds to userProfile in /etc/samba/smbldap_conf.pm
#which sets sambaProfilePath in the user account.
logon path = \\%L\profiles\%U
#Below is for Windows 95 style clients.
#Corresponds to userSmbHome in /etc/samba/smbldap_conf.pm
#which sets sambaHomePath in the user account.
logon home = \\%L\%U\profiles
Now I believe the settings in the user account are supposed to override
the defaults in smb.conf *but* if the user account settings are invalid
or blank, then the defaults in smb.conf will be used. If this is the
case, then you should be able to set everyone to the correct settings
explicitly by using smbldap-tools and then comment out the defaults in
smb.conf *or* set those defaults in smb.conf to something that is
invalid like \\dev\null. This way, if the user's settings are blank or
invalid, samba should default to something in the smb.conf that also
doesn't exist which, in turn, should result in "Can't find a roaming
profile, using a local one".
Yet another angle:
Now remember that my users have no access to the root folder of the
profiles share. This means that \\SERVERNETBIOSNAME\profiles is a
*valid* resource to which *no one* has write access. So I might be able
to get the results you desire by setting the individual user accounts to
sambaProfilePath=\\SERVERNETBIOSNAME\profiles instead of
sambaProfilePath=\\SERVERNETBIOSNAME\profiles\[username].
smbldap-useradd -a -m -F \\\\SERVERNETBIOSNAME\\profiles newusername
Of course I *may* have to remove read access to the profiles directory
for "other", I'm not sure.
In other words change
drwxr-xr-x 4 root root 4096 Jul 10 12:08 profiles/
to
drwxr-x--x 4 root root 4096 Jul 10 12:08 profiles/
Jim C.
Richard Hall wrote:
> I have samba 3 configured and running fine as a PDC with LDAP as the
> back end user database. I have most users using roaming profiles but
> there are a few I would like to be able to only have local profiles.
> Is it possible to configure samba to use both types of profile rather
> than one or the other? I have the profile path set on each user
> account in LDAP as the field "sambaProfilePath" and I have tried
> removing the "logon path" directive from the smb.conf file. If I
> remove the sambaProfilePath entry from a user record then their profile
> still gets saved to the profile directory under what I assume is the
> default "logon path" setting. If I set "logon path =" with no value
> on the right of = then this breaks all the roaming profiles and it seems
How does this stand up to testparm? Does the system consider it an
error? I think you should probably either set it to something or
comment it out.
> to ignore the "sambaProfilePath" set on the individual accounts. I
> gather there is a reg setting that I can use on each windows machine to
> tell it to ignore roaming profiles, but I would like to do it on a per
> user rather than per machine basis.
> Does anyone know of a way round this?
>
> Thanks
> Rich
>
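The group check suggested in the message ("if %g is 'Local Profile' then do not create the profile"), written out as a helper script. This is an added example, not part of the original post; the script path in the comment, the CHOWN override and the user name checks are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Hypothetical hook-up in the [profiles] share:
#   root preexec = /usr/local/sbin/mkprofile.sh "%u" "%g"

PROFILE_ROOT="${PROFILE_ROOT:-/var/lib/samba/profiles}"
LOCAL_ONLY_GROUP="${LOCAL_ONLY_GROUP:-Local Profile}"
CHOWN="${CHOWN:-chown}"   # override only for dry runs without root

# ensure_profile USER GROUP
# Prints created | exists | skipped | rejected; non-zero status on failure.
ensure_profile() {
    user=$1
    group=$2

    # Assumption: refuse names that would leave PROFILE_ROOT or look like options.
    case $user in
        ''|.|..|*/*|-*) echo rejected; return 1 ;;
    esac

    # Local-profile users get no directory, so the client finds no roaming
    # profile under the root-owned share and falls back to a local one.
    if [ "$group" = "$LOCAL_ONLY_GROUP" ]; then
        echo skipped
        return 0
    fi

    dir=$PROFILE_ROOT/$user
    if [ -e "$dir" ]; then
        echo exists
        return 0
    fi

    # As in the one-liner: mode 700, owned by the connecting user.
    mkdir -m 700 -- "$dir" || return 1
    $CHOWN -- "$user:$group" "$dir" || return 1
    echo created
}

# Run as a script only when Samba passes both substitutions.
if [ "$#" -eq 2 ]; then
    ensure_profile "$1" "$2" >/dev/null
fi
```

The profiles root itself stays root-owned and not writable by users, so a skipped user cannot create the missing directory from the client side.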