Tomasz Chmielewski
2006-Mar-10 14:14 UTC
[Samba] many servers and mobile users - "always use the most fresh user profile" - ideas?
I have a situation like below:

Samba servers in many cities; one "backup" server in the central location that fetches user profiles each night (changes really with rsync).

Users work in many locations; sometimes one user can work in city A, and a day later he can work in city B.

This means that they have problems with their profiles - user profile for city A will be different from his profile in city B.

Using the central server for storing all profiles is not a good solution - it would take too long to fetch/upload user profile over WAN/VPN. Pulling the profile from the central server should only happen if the local profile is older.

I tried using preexec, to launch a script which would compare the local and "remote" profile, and pull the newest version from the central server if necessary.

However, Windows logon times out after 2 minutes, and usually it takes longer to download the profile.

Has anyone ever dealt with the situation where users work in multiple locations, but would like to have the profiles the same?

I know it can be done easily with Windows 2003 R2, what about Samba?

--
Tomasz Chmielewski
Gautier, B (Bob)
2006-Mar-10 14:29 UTC
[Samba] many servers and mobile users - "always use the most fresh user profile" - ideas?
> -----Original Message-----
> From: samba-bounces+bob.gautier=rabobank.com@lists.samba.org
> [mailto:samba-bounces+bob.gautier=rabobank.com@lists.samba.org] On Behalf Of Tomasz Chmielewski
> Sent: 10 March 2006 14:14
> To: samba
> Subject: [Samba] many servers and mobile users - "always use the most fresh user profile" - ideas?
>
> I have a situation like below:
>
> Samba servers in many cities; one "backup" server in the central location
> that fetches user profiles each night (changes really with rsync).
>
> Users work in many locations; sometimes one user can work in city A, and a
> day later he can work in city B.
>
> This means that they have problems with their profiles - user profile for
> city A will be different from his profile in city B.
>
> Using the central server for storing all profiles is not a good solution -
> it would take too long to fetch/upload user profile over WAN/VPN. Pulling
> the profile from the central server should only happen if the local profile
> is older.
>
> I tried using preexec, to launch a script which would compare the local and
> "remote" profile, and pull the newest version from the central server if
> necessary.
>
> However, Windows logon times out after 2 minutes, and usually it takes
> longer to download the profile.
>
> Has anyone ever dealt with the situation where users work in multiple
> locations, but would like to have the profiles the same?
>
> I know it can be done easily with Windows 2003 R2, what about Samba?

About a year ago I worked out an architecture in which rsync would be used to replicate profiles from location to location (replication being triggered by *logout*, not *login*) but it never got anywhere near implementation as far as I am aware. You just have to make sure you have enough bandwidth so you can move the profiles faster than the people. :-) Of course rsync helps quite a bit.

Bob Gautier
Tomasz Chmielewski
2006-Mar-10 15:09 UTC
[Samba] many servers and mobile users - "always use the most fresh user profile" - ideas?
Gautier, B (Bob) wrote:

(...)

>>> About a year ago I worked out an architecture in which rsync would be
>>> used to replicate profiles from location to location (replication
>>> being triggered by *logout*, not *login*) but it never got anywhere
>>> near implementation as far as I am aware. You just have to make sure
>>> you have enough bandwidth so you can move the profiles faster than the
>>> people. :-) Of course rsync helps quite a bit.
>>
>> Hmm, no, using your idea (replication triggered by logout)
>> would mean that user profile would be replicated to cities
>> A-Z, where in reality a given user works only in cities A and B.
>
> If you are sure the user never actually visits C-Z you can maybe ensure
> you can configure the replication to avoid doing those copies. The
> assumption is that it's low overhead anyway.

It would be a nightmare to manage if you have more than 5 users and don't really know where they work.

>> Theoretically, it should be easy to do (I assume we're using LDAP):
>>
>> 1) user begins logon
>>
>> 2) some program or a script compares local (branch) and
>>    remote (central) NTUSER.DAT - and picks the newest
>>
>> 3) "sambaProfilePath:" is set according to the newest
>>    NTUSER.DAT location, ie.
>>
>>    a) no "sambaProfilePath:" entry in LDAP, if the local
>>       NTUSER.DAT is the newest
>>    b) "sambaProfilePath: \\remote\profiles" if the remote
>>       NTUSER.DAT is the newest
>>
>> 4) on logout the profile should be saved locally (and perhaps
>>    at night, or at some interval, transferred to the central server)
>>
>> Of course setting "sambaProfilePath:" value according to some script
>> exit value or output is the tricky part :)
>
> This all sounds more or less feasible but any work you do at logon time
> is (as you pointed out) very time-limited.

Hey, not really. It's perfectly fine to load a profile for 10 minutes from a remote server - as long as something happens (the files are being transferred), it's OK for a Windows workstation.

> I'd also worry about LDAP replication time-lag: you probably can't
> update sambaProfilePath during the logon and expect to see the change
> within the time available.

I wouldn't want to replicate anything. I'd just fake "sambaProfilePath:" to point to the server containing the newest profile.

> How about setting sambaProfilePath for a user at logout time, based on
> the location they are logging off from? And updating it if you get
> around to replicating the profile to a central site before they logon
> again?

Only half of it is fine. We have two things:

1) user should download the profile from the server with the newest profile (either local or a remote one)
2) user should upload the profile to the local server *only*

So, it will work only if we can change the "sambaProfilePath:" value to the local one after user logs in - which is not a problem, but I'm not sure if the Windows client will respect that (which I'm going to find out now).

> The less work you do at logon time the better, IMHO.

True.

--
Tomasz Chmielewski
http://wpkg.org
Robert Schetterer
2006-Mar-10 15:33 UTC
[Samba] many servers and mobile users - "always use the most fresh user profile" - ideas?
Hi Bob,

the normal setup would be a BDC in other locations, and set up users' profiles in their home offices. If they have only short terms of visit in other offices they must live with longer logon time; if they stay, let's say, longer than two weeks, then move their profiles and homes to the other BDC. So it's done in very large (10000 users) Windows networks, I know. This can very easily be done with LDAP and Samba.

I don't think rsync profiles will be a satisfactory solution, because users can also be coming from VPN, ADSL/WLAN etc., so the profiles are never in sync in that case (i.e. if they work in hotels at night etc.) in my scenarios.

Choose a good VPN connection; 2 MB synchronous with OpenVPN was enough for me with 100 users, 90% sitting in their home offices, 10% traveling around. I had limited the profiles to 30 MB maximum, so even in the worst case, in ca. 3 minutes they got their profile, staying in any kind of office net.

This stuff deeply depends on the connection limits, so e.g. I know companies that have black fiber lines in USA, Europe, Asia, but ISDN in Africa, and have to sync more than just profiles, e.g. Exchange data etc. So they have a BDC in the Africa office (with good connect), so they are syncing with Europe every hour; from there Africa office B, which has only ISDN, is synced further only at night.

After all, having this global network, a full working time service across the networks is needed; just a lot that admins must think of when syncing any data.

Best Regards
Tomasz Chmielewski
2006-Mar-10 16:18 UTC
[Samba] many servers and mobile users - "always use the most fresh user profile" - ideas?
Gautier, B (Bob) wrote:

(...)

>>> How about setting sambaProfilePath for a user at logout time, based on
>>> the location they are logging off from? And updating it if you get
>>> around to replicating the profile to a central site before they logon
>>> again?
>>
>> Only half of it is fine. We have two things:
>>
>> 1) user should download the profile from the server with the newest
>>    profile (either local or a remote one)
>> 2) user should upload the profile to the local server *only*
>>
>> So, it will work only if we can change the "sambaProfilePath:" value to
>> the local one after user logs in - which is not a problem, but I'm not
>> sure if the Windows client will respect that (which I'm going to find
>> out now).

Tada, this seems to work, I just need to polish some bits. I tested it on a local server only, without trying to change anything in LDAP.

To "reproduce" fetching a profile from one location on logon, and uploading the profile to another location on logoff, do:

1) logon (that was hard, wasn't it?) :)

2) launch regedit

   take a look at this key:

   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<USER-SID>\CentralProfile

   It contains the value where the profile is stored, let's say, \\server\profiles\profile1

   Now change this value to something else, like \\server\profiles\profile2

   This can be scripted of course.

3) quit regedit

4) logoff

5) you will see your profile being saved to \\server\profiles\profile2, while it was read from \\server\profiles\profile1

6) after logoff, write to LDAP and change the "sambaProfilePath:" to your current (newest) location.

That's the theory, perhaps it needs a couple of hours of scripting and testing, but I guess it should work like this.

Anyone who would like to test it? :)

I got a reply from a Microsoft representative today suggesting that I should replace all the servers to Win2k3 R2 which contain "Branch Office Infrastructure Solution ?" which lets me do that...

--
Tomasz Chmielewski
http://wpkg.org
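
The "compare NTUSER.DAT, then set sambaProfilePath" selection from steps 2 and 3 of the procedure quoted earlier in this thread, as an added example that is not part of any poster's message. It assumes the central profile tree is reachable as a directory on the branch server and that accounts live under a uid-based DN; the paths, UNC name, base DN and function names are all hypothetical.

```python
import os
import re
import tempfile

# Assumed names, not from the thread: profile roots, UNC path and base DN.
SAFE_USER = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def ntuser_mtime(root, user):
    """mtime of <root>/<user>/NTUSER.DAT, or None if that profile is absent."""
    try:
        return os.stat(os.path.join(root, user, "NTUSER.DAT")).st_mtime
    except FileNotFoundError:
        return None

def profile_ldif(user, local_root, central_root, central_unc, base_dn):
    """LDIF for ldapmodify implementing step 3 of the thread's procedure."""
    # The name ends up in a filesystem path and in a DN, so reject anything
    # that could traverse directories or inject extra LDIF lines.
    if not SAFE_USER.fullmatch(user):
        raise ValueError("unsafe user name: %r" % user)
    local = ntuser_mtime(local_root, user)
    central = ntuser_mtime(central_root, user)
    # Ties go to the local copy: pull over the WAN only when strictly newer.
    # Valid only if the nightly rsync preserves mtimes (-t/-a) and the
    # servers' clocks are in sync.
    use_central = central is not None and (local is None or central > local)
    ldif = ["dn: uid=%s,%s" % (user, base_dn), "changetype: modify",
            "replace: sambaProfilePath"]
    if use_central:
        ldif.append("sambaProfilePath: %s\\%s" % (central_unc, user))
    # A replace with no value removes the attribute (case 3a) and is a
    # no-op when it is already absent.
    ldif.append("-")
    return "\n".join(ldif) + "\n"

if __name__ == "__main__":
    # Constructed sample: the central copy is one hour newer than the local one.
    with tempfile.TemporaryDirectory() as tmp:
        for site, age in (("local", 7200), ("central", 3600)):
            d = os.path.join(tmp, site, "alice")
            os.makedirs(d)
            path = os.path.join(d, "NTUSER.DAT")
            open(path, "w").close()
            os.utime(path, (1141999200 - age,) * 2)
        print(profile_ldif("alice", os.path.join(tmp, "local"),
                           os.path.join(tmp, "central"),
                           r"\\central\profiles", "ou=Users,dc=example,dc=com"))
```

The output is meant to be fed to ldapmodify by whatever runs the check; validating the user name first matters because a preexec-style script typically runs with more privilege than the user who triggers it.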