Ulrich Schinz
2012-Aug-28 11:10 UTC
[Samba] Still mandatory profiles, every user same profile
Hi there,

again me, again similar question.

First of all, what is it, what I'd like to have:

1.) Every user in my System should use the same profile. In dsa.msc I gave every user as profile-path \\samba4\profiles\stud
2.) The users should not be able to change anything in that profile (I think changing ntuser.dat to ntuser.man should do the job, proposed I got step one managed ;) )

System setup:
OS: Linux, Debian Wheezy, 3.2.0-3-amd64 #1 SMP
Samba-Version: today's git-pull: Version 4.0.0beta8-GIT-9e441c4

On my client I'm using Windows 7. My samba-setup followed the wiki.

What I tried until now:

1.) http://infrablog.escde.net/2011/09/30/mandatory-profiles-oder-ein-profil-fur-alle/ (sorry it's in German, but I think it's clear, what has to be done there). Another vid showing same way: http://www.youtube.com/watch?v=bDWEsJ0bJe8
This one didn't work. If I try to change the rights of that folder and ntuser.dat-hive, it's not possible to get the same rights, like shown in the video. Some rights (creator group etc) are created automatically, and I can't remove them. Not sure, whether this is the problem, anyways, Windows 7 always tells me, that I'm being logged on with a temporary profile...

2.) http://lists.samba.org/archive/samba/2005-August/110239.html
Another post from me, some months ago, where I managed this setup in a samba3-ldap environment (where it worked). This way even is not working. Same error, temporary profile.

3.) I tried to create a default user profile in my netlogon-share. My plan was to create a default user profile, so that at every logon this profile is copied. So I would have been able to delete the profiles over night via cron... But the profile isn't loaded. Maybe I'm doing something wrong in this setup...
One way was to copy a customized profile to netlogon-share (see 2.) ) with read-access to authenticated users. But this profile isn't loaded. Again the message is: temporary profile. In my profiles-share only a folder is created (username.v2) but this folder stays empty.
Other way, was to just copy a profile to netlogon, but same problem.

So now my question to you guys is: is there someone, who got this working with samba4, or is it even working in samba4 to get this kind of setup running?

Maybe someone has some hints for me, what else I could try.

Kind regards
Uli
Andrew Bartlett
2012-Aug-29 01:49 UTC
[Samba] Still mandatory profiles, every user same profile
On Tue, 2012-08-28 at 13:10 +0200, Ulrich Schinz wrote:
> Hi there,
>
> again me, again similar question.
>
> First of all, what is it, what I'd like to have:
>
> 1.) Every user in my System should use the same profile. In dsa.msc I
> gave every user as profile-path \\samba4\profiles\stud
> 2.) The users should not be able to change anything in that profile (I
> think changing ntuser.dat to ntuser.man should do the job, proposed I
> got step one managed ;) )

> So now my question to you guys is: is there someone, who got this
> working with samba4, or is it even working in samba4 to get this kind of
> setup running?

I did this with Samba3, years ago. If I recall correctly, I did the ACL change to the NTuser.dat, changed it to ntuser.man and put it in the netlogon share.

Then I wrote the (still included) disgusting hack: the 'fake_perms' VFS module. This is still in the tree - it might even still work!

Set:

    [netlogon]
        vfs objects = fake_perms
        read only = yes

to try it out.

I think the right fix would have been to run:

    [netlogon]
        profile acls = true
        read only = yes

so try that as well. Make sure you are using s3fs (the new default file server).

I've suggested read only = yes because I can't vouch for the security implications of using my old module (it pretends the current user always owns the file).

If either of these help, then please let me know so we can work out the right way to support this long term.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
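
The reply above pairs fake_perms with read only = yes because the module makes every file look as if it were owned by the current user. As an added example (not code from this thread or from the Samba project), the following check lists shares in an smb.conf that load fake_perms while still being writable. The function names and the sample configuration are constructed for illustration; the check assumes Samba's documented default of read only = yes and treats writeable, writable and write ok as its inverted synonyms.

```python
import re

TRUE = {"yes", "true", "1", "on"}
INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"

# Constructed sample configuration; the share names are only illustrative.
SAMPLE = """
[netlogon]
    vfs objects = fake_perms
    read only = yes
[profiles]
    vfs objects = fake_perms
    writable = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            key = re.sub(r"\s+", "", name).lower()
            current.pop(key, None)  # re-insert so the later setting wins
            current[key] = value.strip()
    return sections

def is_read_only(params, default=True):
    """Resolve 'read only' for one section (Samba's default is yes)."""
    for name, value in params.items():
        if name == "readonly":
            default = value.lower() in TRUE
        elif name in INVERTED:
            default = value.lower() not in TRUE
    return default

def writable_fake_perms_shares(text):
    """Names of shares that load fake_perms without being read only."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})  # [global] supplies defaults for every share
    ro_global = is_read_only(glob)
    return [share for share, params in conf.items()
            if "fake_perms" in re.split(r"[\s,]+", params.get("vfsobjects", glob.get("vfsobjects", "")))
            and not is_read_only(params, ro_global)]
```

Calling writable_fake_perms_shares(SAMPLE) returns only the profiles share; the netlogon share matches the configuration suggested in the reply and is not reported.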