samba - Mar 2006 - many servers and mobile users - "always use the most fresh user profile" - ideas?

I have a situation like below:

Samba servers in many cities; one "backup" server in the central 
location that fetches user profiles each night (changes really with rsync).

Users work in many locations; sometimes one user can work in city A, and 
a day later he can work in city B.


This means that they have problems with their profiles - user profile 
for city A will be different from his profile in city B.


Using the central server for storing all profiles is not a good solution 
- it would take too long to fetch/upload user profile over WAN/VPN.
Pulling the profile from the central server should only happen if the 
local profile is older.


I tried using preexec, to launch a script which would compare the local 
and "remote" profile, and pull the newest version from the central 
server if necessary.

However, Windows logon times outs after 2 minutes, and usually it takes 
longer to download the profile.


Has anyone ever dealt with the situation where users work in multiple 
locations, but would like to have the profiles the same?


I know it can be done easily with Windows 2003 R2, what about Samba?



-- 
Tomasz Chmielewski

> -----Original Message-----
> From: samba-bounces+bob.gautier=rabobank.com@lists.samba.org 
> [mailto:samba-bounces+bob.gautier=rabobank.com@lists.samba.org
> ] On Behalf Of Tomasz Chmielewski
> Sent: 10 March 2006 14:14
> To: samba
> Subject: [Samba] many servers and mobile users - "always use 
> the most fresh user profile" - ideas?
> 
> I have a situation like below:
> 
> Samba servers in many cities; one "backup" server in the 
> central location that fetches user profiles each night 
> (changes really with rsync).
> 
> Users work in many locations; sometimes one user can work in 
> city A, and a day later he can work in city B.
> 
> 
> This means that they have problems with their profiles - user profile 
> for city A will be different from his profile in city B.
> 
> 
> Using the central server for storing all profiles is not a 
> good solution 
> - it would take too long to fetch/upload user profile over WAN/VPN.
> Pulling the profile from the central server should only happen if the 
> local profile is older.
> 
> 
> I tried using preexec, to launch a script which would compare 
> the local 
> and "remote" profile, and pull the newest version from the
central
> server if necessary.
> 
> However, Windows logon times outs after 2 minutes, and 
> usually it takes 
> longer to download the profile.
> 
> 
> Has anyone ever dealt with the situation where users work in multiple 
> locations, but would like to have the profiles the same?
> 
> 
> I know it can be done easily with Windows 2003 R2, what about Samba?
About a year ago I worked out an architecture in which rsync would be
used to replicate profiles from location to location (replication being
triggered by *logout*, not *login*) but it never got anywhere near
implementation as far as I am aware.  You just have to make sure you
have enough bandwidth so you can move the profiles faster than the
people. :-)  Of course rsync helps quite a bit.

Bob Gautier
> 
> 
> 
> -- 
> Tomasz Chmielewski
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 
_____________________________________________________________

This email (including any attachments to it) is confidential, legally
privileged, subject to copyright and is sent for the personal attention of the
intended recipient only. If you have received this email in error, please advise
us immediately and delete it. You are notified that disclosing, copying,
distributing or taking any action in reliance on the contents of this
information is strictly prohibited. Although we have taken reasonable
precautions to ensure no viruses are present in this email, we cannot accept
responsibility for any loss or damage arising from the viruses in this email or
attachments. We exclude any liability for the content of this email, or for the
consequences of any actions taken on the basis of the information provided in
this email or its attachments, unless that information is subsequently confirmed
in writing. If this email contains an offer, that should be considered as an
invitation to treat.
_____________________________________________________________

Gautier, B (Bob) wrote:

(...)
>>> About a year ago I worked out an architecture in which 
>> rsync would be 
>>> used to replicate profiles from location to location (replication 
>>> being triggered by *logout*, not *login*) but it never got anywhere
>>> near implementation as far as I am aware.  You just have to 
>> make sure 
>>> you have enough bandwidth so you can move the profiles 
>> faster than the 
>>> people. :-)  Of course rsync helps quite a bit.
>> Hmm, no, using your idea (replication triggered by logout) 
>> would mean that user profile would be replicated to cities 
>> A-Z, where in reality a given user works only in cities A and B.
> 
> If you are sure the user never actually visits C-Z you can maybe ensure
> you can configure the replication to avoid doing those copies.  The
> assumption is that it's low overhead anyway.
It would be a nightmare to manage if you have more than 5 users and 
don't really know where they work.

>> Theoretically, it should be easy to do (I assume we're using LDAP):
>>
>> 1) user begins logon
>>
>> 2) some program or a script compares local (branch) and 
>> remote (central) NTUSER.DAT - and picks the newest
>>
>> 3) "sambaProfilePath:" is set according to the newest 
>> NTUSER.DAT location, ie.
>>
>> a) no "sambaProfilePath:" entry in LDAP, if the local 
>> NTUSER.DAT is the newest
>> b) "sambaProfilePath: \\remote\profiles" if the remote 
>> NTUSER.DAT is the newest
>>
>> 4) on logout the profile should be saved locally (and perhaps 
>> at night, or at some interval, transferred to the central server)
>>
>>
>>
>> Of course setting "sambaProfilePath:" value according to some
script
>> exit value or output is the tricky part :)
>>
> 
> This all sounds more or less feasible but any work you do at logon time
> is (as you pointed out) very time-limited.
Hey, not really.
It's perfectly fine to load a profile for 10 minutes from a remote 
server - as long as something happens (the files are being transferred), 
it's OK for a Windows workstation.

> I'd also worry about LDAP replication time-lag: you probably can't
> update sambaProfilePath during the logon and expect to see the change
> within the time available.
I wouldn't want to replicate anything.

I'd just fake "sambaProfilePath:" to point to the server
containing the
newest profile.

> How about setting sambaProfilePath for a user at logout time, based on
> the location they are logging off from?  And updating it if you get
> around to replicating the profile to a central site before they logon
> again?
Only half of it is fine. We have two things:

1) user should download the profile from the server with the newest 
profile (either local or a remote one)
2) user should upload the profile to the local server *only*

So, it will work only if we can change the "sambaProfilePath:" value
to
the local one after user logs in - which is not a problem, but I'm not 
sure if the Windows client will respect that (which I'm going to find 
out now).

> The less work you do at logon time the better, IMHO.
True.


-- 
Tomasz Chmielewski
http://wpkg.org

Hi Bob,
the normal setup would be a bdc in other locations,
and setup users profiles in their home offices,
if they have only short terms of visit in other offices they must life 
with longer logon time, if they stay lets say longer than two week than 
move their profiles and homes to the other bdc, so its done in very 
large ( 10000 users ) windows networks ,i know.
this is can very easy be done with ldap and samba.
I dont think rsync profiles will be a satisfactory solution, cause
users can also comming from vpn adsl/wlan etc so the profile are never 
in sync int that case ( ie if they work in hotels at night etc ) in my 
cenarios.
choose a good vpn connect 2 MB synchron with openvpn was enough for me 
with 100 users 90% sitting in their home offices 10 % traveling around.
I had limited the profiles to 30 MB maximum, so even in the worst case 
in ca. 3 minutes they got their profile staying in any kind of office net.
This stuff deeply depends on the conection limits, so i.e i know 
companies they have black fiber lines  in usa , europe, asia , but isdn 
in africa and have to sync more than just profiles, i.e exchange data etc.
so the have bdc in africa office ( with good connect ) so they syncing
with europe every hour , from there africa office b wich has only isdn 
is synced further only in night.
after all have this global network a full working time service across
the networks is needed, just a lot what admins much think of at syncing 
any data.
Best Regards

Gautier, B (Bob) schrieb:
>> -----Original Message-----
>> From: samba-bounces+bob.gautier=rabobank.com@lists.samba.org 
>> [mailto:samba-bounces+bob.gautier=rabobank.com@lists.samba.org
>> ] On Behalf Of Tomasz Chmielewski
>> Sent: 10 March 2006 14:14
>> To: samba
>> Subject: [Samba] many servers and mobile users - "always use 
>> the most fresh user profile" - ideas?
>>
>> I have a situation like below:
>>
>> Samba servers in many cities; one "backup" server in the 
>> central location that fetches user profiles each night 
>> (changes really with rsync).
>>
>> Users work in many locations; sometimes one user can work in 
>> city A, and a day later he can work in city B.
>>
>>
>> This means that they have problems with their profiles - user profile 
>> for city A will be different from his profile in city B.
>>
>>
>> Using the central server for storing all profiles is not a 
>> good solution 
>> - it would take too long to fetch/upload user profile over WAN/VPN.
>> Pulling the profile from the central server should only happen if the 
>> local profile is older.
>>
>>
>> I tried using preexec, to launch a script which would compare 
>> the local 
>> and "remote" profile, and pull the newest version from the
central
>> server if necessary.
>>
>> However, Windows logon times outs after 2 minutes, and 
>> usually it takes 
>> longer to download the profile.
>>
>>
>> Has anyone ever dealt with the situation where users work in multiple 
>> locations, but would like to have the profiles the same?
>>
>>
>> I know it can be done easily with Windows 2003 R2, what about Samba?
> 
> About a year ago I worked out an architecture in which rsync would be
> used to replicate profiles from location to location (replication being
> triggered by *logout*, not *login*) but it never got anywhere near
> implementation as far as I am aware.  You just have to make sure you
> have enough bandwidth so you can move the profiles faster than the
> people. :-)  Of course rsync helps quite a bit.
> 
> Bob Gautier
> 
>>
>>
>> -- 
>> Tomasz Chmielewski
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>
> _____________________________________________________________
> 
> This email (including any attachments to it) is confidential, legally
privileged, subject to copyright and is sent for the personal attention of the
intended recipient only. If you have received this email in error, please advise
us immediately and delete it. You are notified that disclosing, copying,
distributing or taking any action in reliance on the contents of this
information is strictly prohibited. Although we have taken reasonable
precautions to ensure no viruses are present in this email, we cannot accept
responsibility for any loss or damage arising from the viruses in this email or
attachments. We exclude any liability for the content of this email, or for the
consequences of any actions taken on the basis of the information provided in
this email or its attachments, unless that information is subsequently confirmed
in writing. If this email contains an offer, that should be considered as an
invitation to treat.
> _____________________________________________________________

Gautier, B (Bob) wrote:

(...)
>>> How about setting sambaProfilePath for a user at logout 
>> time, based on
>>> the location they are logging off from?  And updating it if you get
>>> around to replicating the profile to a central site before 
>> they logon
>>> again?
>> Only half of it is fine. We have two things:
>>
>> 1) user should download the profile from the server with the newest 
>> profile (either local or a remote one)
>> 2) user should upload the profile to the local server *only*
>>
>> So, it will work only if we can change the 
>> "sambaProfilePath:" value to 
>> the local one after user logs in - which is not a problem, 
>> but I'm not 
>> sure if the Windows client will respect that (which I'm going to
find
>> out now).
Tada, this seems to work, I just need to polish some bits.

I tested it on a local server only, without trying to change anything in 
LDAP.

To "reproduce" fetching a profile from one location on logon, and 
uploading the profile to another location on logoff, do:

1) logon (that was hard, wasn't it?) :)

2) launch regedit

take a look at this key:
HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\ProfileList\<USER-SID>\CentralProfile

It contains the value where the profile is stored, let's say, 
\\server\profiles\profile1

Now change this value to something else, like \\server\profiles\profile2

This can be scripted of course.

3) quit regedit
4) logoff
5) you will see your profile being saved to \\server\profiles\profile2, 
while it was read from \\server\profiles\profile1

6) after logoff, write to LDAP and change the "sambaProfilePath:" to 
your current (newest) location.


That's the theory, perhaps it needs a couple of hours of scripting and 
testing, but I guess it should work like this. Anyone who would like to 
test it? :)


I got a reply from a Microsoft representative today suggesting that I 
should replace all the servers to Win2k3 R2 which contain "Branch Office 
Infrastructure Solution ?" which lets me do that...



-- 
Tomasz Chmielewski
http://wpkg.org