Hi all,

I have a Samba 3.0.21c with OpenLDAP 2.3.19 as Primary Domain Controller.
I would like to enable roaming profiles on a per-user basis, not for all users.
Below is my smb.conf:

[global]

workgroup = mydomain.com
netbios name = mydomain
passdb backend = ldapsam:ldap://mydomain.com
server string = Domain Controller
hosts allow = 192.168.128. 192.168.129. 192.168.130. 127.
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = eth0, lo
printing = cups
disable spoolss = Yes
printcap name = cups
max print jobs = 100
enable privileges = yes
password level = 8
username level = 8
bind interfaces only = yes
local master = Yes
os level = 65
domain master = yes
preferred master = yes
null passwords = no
hide unreadable = yes
hide dot files = yes
domain logons = yes
logon script = %u.bat
logon path
logon drive = X:
logon home = \\mydomain\%U
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
log file = /var/log/samba/%m.log
max log size = 50
nt acl support = yes
ldap passwd sync = yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
ldap delete dn = Yes
ldap ssl = no
ldap suffix = dc=msdpl,dc=com
ldap admin dn = cn=manager,dc=msdpl,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap timeout = 50
idmap backend = ldap:ldap://mydomain.com
idmap uid = 10000-20000
idmap gid = 10000-20000
check password script = /usr/local/bin/crackcheck -s
map acl inherit = yes
winbind use default domain = yes
template shell = /bin/false

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /usr/local/samba-3c/lib/netlogon/scripts
guest ok = yes
browseable = yes
write list = root

[profiles]
Comment = Profile Shares
path=/profiles
browseable=yes
writeable = yes
create mode = 0600
directory mode = 0700

################################################################

In the above configuration I have not given any netbios logon path,
i.e. logon path
and for users for whom I want to enable roaming profiles
I have modified it through the smbldap-usermod command,
i.e. I have given smbldap-usermod -F \\mydomain\profiles\username username

1) Using the above configuration, roaming profiles for that particular
user are not getting enabled.

2) Suppose I edit my above smb.conf and write
logon path=\\mydomain\profiles\%U
and enable the roaming profile for the intended user through smbldap-usermod,
then the roaming profile is getting enabled, but the problem is that in the /profile
directory (which is the profile share)
a directory is created for every user who logs on to the domain, named by their
username.

3) For the users for whom I have manually enabled roaming profiles, their
roaming profile works perfectly in
Windows 2003 and Windows XP, i.e. if they create any new folder or shortcut,
it gets reflected in the server
profile directory, but when the same user logs on in Windows 2000 Professional,
it's not working, i.e. whatever is in
the server profile gets loaded, but if any modification is done, it is
not reflected on the server.

4) My query is: should we enable logon path = \\mypdc\profiles\%u in the server?
If I leave it blank and edit manually per user through smbldap-usermod, will
it work?

What is the correct method of enabling per-user roaming profiles for Samba with
an LDAP backend?

Please guide me
Regards
Niranjan

On 2006/4/24, mallapadi niranjan <niranjan.ashok@gmail.com> wrote:
> Hi all
>
> I have a samba 3.0.21c with OpenLDAP 2.3.19 as Primary Domain Controller.
> I would like to enable Roaming Profiles per user basis , not for all users.
> below is my smb.conf
> ...

Hi,

I think you can do this as follows:

First blank out the "logon path" and "logon home" parameters in SMB.CONF:

logon path =
logon home =

This way by default users have no roaming profile (I think).

Then modify the users who DO need a roaming profile as follows:

pdbedit -r -u <username> -h "\\\\server\\homedirpath" -p "\\\\server\\profilepath"

Or you can do the inverse: define a "logon path" and "logon home" in
SMB.CONF, and then modify those users who do NOT need a roaming profile
like this:

pdbedit -r -u <username> -h "" -p ""

mallapadi niranjan wrote:
> Hi all
>
> I have a samba 3.0.21c with OpenLDAP 2.3.19 as Primary Domain Controller.
> I would like to enable Roaming Profiles per user basis , not for all users.
> below is my smb.conf ,
> [global]
>
> workgroup = mydomain.com
> netbios name = mydomain
> passdb backend = ldapsam:ldap://mydomain.com
> server string = Domain Controller
> hosts allow = 192.168.128. 192.168.129. 192.168.130. 127.
> security = user
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> interfaces = eth0, lo
> printing = cups
> disable spoolss = Yes
> printcap name = cups
> max print jobs = 100
> enable privileges = yes
> password level = 8
> username level = 8
> bind interfaces only = yes
> local master = Yes
> os level = 65
> domain master = yes
> preferred master = yes
> null passwords = no
> hide unreadable = yes
> hide dot files = yes
> domain logons = yes
> logon script = %u.bat
> logon path
> logon drive = X:
> logon home = \\mydomain\%U
> wins support = yes
> name resolve order = wins lmhosts host bcast
> dns proxy = no
> time server = yes
> log file = /var/log/samba/%m.log
> max log size = 50
> nt acl support = yes
> ldap passwd sync = yes
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
> ldap delete dn = Yes
> ldap ssl = no
> ldap suffix = dc=msdpl,dc=com
> ldap admin dn = cn=manager,dc=msdpl,dc=com
> ldap group suffix = ou=Groups
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Idmap
> ldap timeout = 50
> idmap backend = ldap:ldap://mydomain.com
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> check password script = /usr/local/bin/crackcheck -s
> map acl inherit = yes
> winbind use default domain = yes
> template shell = /bin/false
>
> # Un-comment the following and create the netlogon directory for Domain Logons
> [netlogon]
> comment = Network Logon Service
> path = /usr/local/samba-3c/lib/netlogon/scripts
> guest ok = yes
> browseable = yes
> write list = root
>
> [profiles]
> Comment = Profile Shares
> path=/profiles
> browseable=yes
> writeable = yes
> create mode = 0600
> directory mode = 0700
>
> ################################################################
>
>
> In the above configuration. I have not given any netbios logon path
> ie logon path
> and for users whom i want to enable roaming profiles
> i have modified through smbldap-usermod command
> ie i have given smbldap-usermod -F \\mydomain\profiles\username username
>
> 1)using the above said configuration. Roaming profiles for that particular
> user is not getting enabled.
>
> 2) suppose i edit my above smb.conf and write
> logon path=\\mydomain\profiles\%U
> and enable roaming profile for the intended user through smbldap-usermod,
> then roaming profile is getting enable, but the problem is , in /profile
> directory (which is profile share)
> all the user who logon to the domain, a directory is created by their
> username.
>
> 3) for the user's who i have manually enabled roaming profile, their
> roaming profile works perfectly in
> windows 2003 and windows Xp, ie if they create any new folder or shortcut ,
> it gets reflected in the server
> profile directory,but the same user when logon in windows 2000 professional,
> it's not working ie, what ever is in
> the server profile it gets loaded but if any modification is done, it does
> not reflect in server.
>
> 4) my query is should we enable logon path = \\mypdc\profiles\%u in server.
> if i leave it blank and edit manually per user through smbldap-usermod will
> it work.
>
> what is the correct method of enable per user roaming profile for samba with
> LDAP backend
>
>
>
> Please guide me
> Regards
> Niranjan
>

Hi Niranjan

My suggestion for your problem would be:

A mandatory profile as default for all users, which means you specify the
profile directory in smb.conf. Check
http://caad.ar.vtu.lt/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html#id2628723

logon path=\\mydomain\profiles\mandatory
# you would have to use fake perms

By doing so they download their profile from \\mydomain\profiles\mandatory

For the few chosen you change logon path in their account using
smbldap-usermod to \\mydomain\profiles\%U

--
Venlig Hilsen (Best Regards)
Rune Tønnesen
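
Both replies above rely on the same rule: a per-account sambaProfilePath wins, and the smb.conf `logon path` applies only to accounts that have none. The Python sketch below is an added example, not code from this thread or from Samba; it assumes the documented behaviour that an empty `logon path =` disables roaming profiles, while a bare `logon path` line (no `=`) assigns nothing and leaves the built-in default `\\%N\%U\profile` in effect. The smb.conf and LDIF samples are constructed, and `%N` is simplified to the server name.

```python
import re

# Built-in smb.conf default for "logon path" (smb.conf man page).
BUILTIN_LOGON_PATH = r"\\%N\%U\profile"

# Constructed samples (not from the thread): bare key vs. explicit empty value.
SMB_CONF_BARE = "[global]\n  domain logons = yes\n  logon path\n"
SMB_CONF_EMPTY = "[global]\n  domain logons = yes\n  logon path =\n"
LDIF = r"""dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaProfilePath: \\mydomain\profiles\alice

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
"""

def global_logon_path(smb_conf):
    """Effective [global] 'logon path'; lines without '=' assign nothing."""
    value, section = BUILTIN_LOGON_PATH, None
    for line in (l.strip() for l in smb_conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if " ".join(key.lower().split()) == "logon path":
                value = val.strip().strip('"')
    return value

def per_user_paths(ldif):
    """Map uid -> sambaProfilePath, or None when the attribute is absent."""
    users = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        if "uid" in attrs:
            users[attrs["uid"]] = attrs.get("sambaProfilePath")
    return users

def effective_profiles(smb_conf, ldif, server="MYDOMAIN"):
    """uid -> profile path sent to the client (None = local profile only)."""
    default = global_logon_path(smb_conf)
    result = {}
    for uid, own in per_user_paths(ldif).items():
        path = default if own is None else own   # per-account value wins
        for macro, repl in (("%U", uid), ("%u", uid), ("%N", server), ("%L", server)):
            path = path.replace(macro, repl)
        result[uid] = path or None               # empty string disables roaming
    return result

if __name__ == "__main__":
    for name, conf in (("bare", SMB_CONF_BARE), ("empty", SMB_CONF_EMPTY)):
        print(name, effective_profiles(conf, LDIF))
```

Run against a real `ldapsearch` export of the People subtree, the same function lists every account that would still receive a profile path from the global default.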