Robert Moskowitz
2015-Sep-07  21:07 UTC
[Samba] User and Group management from Linux plus roaming profiles
Right now, RSAT seems not to be an option for me, as the only Win systems here are XP...

None of my PDC users were brought over with classicupdate. Perhaps because my users are LINUX user accounts? And the home directories map to /home/user ?

So I would think I need to start adding users and put them into groups. How?

And I am reading:
https://wiki.samba.org/index.php/Implementing_roaming_profiles

At the beginning the smb.conf starts with:

[profiles]

further down in the POSIX ACLs section it is:

[Profiles]

Are these two different shares? Or since shares are case insensitive it does not matter?

Then there is:

chgrp „Domain Users“ /srv/samba/profiles

and I don't see „Domain Users“ defined.

Finally, as this is an AD, not a PDC, I am assuming I need to use 'ADUC' to enable roaming profiles for selected users (that got added how, see above). Is ADUC available on XP? I may have to break down and buy a 'cheap' used notebook on ebay with Win7 OEM preloaded...

As I think Marc said I don't use:

logon path = \\%L\Profiles\%U

for an AD.

Lastly a question on home share (and the wiki warns not to use the default homes share, but the home share documented).

Can the home share be on an AD Member Server? It would seem so....

thanks. Laboring away here!
Rowland Penny
2015-Sep-08  07:01 UTC
[Samba] User and Group management from Linux plus roaming profiles
On 07/09/15 22:07, Robert Moskowitz wrote:
> Right now, RSAT seems not to be an option for me, as the only Win
> systems here are XP...
>
> None of my PDC users were brought over with classicupdate. Perhaps
> because my users are LINUX user accounts? And the home directories
> map to /home/user ?

Not having seen your old setup, but if you had a PDC, the users & groups should have been created in AD by classicupgrade, it is the only reason for the upgrade tool existing.

> So I would think I need to start adding users and put them into
> groups. How?

By using the RSAT tools from windows, or by using samba-tool etc

> And I am reading:
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>
> At the beginning the smb.conf starts with:
>
> [profiles]
>
> further down in the POSIX ACLs section it is:
>
> [Profiles]
>
> Are these two different shares? Or since shares are case insensitive
> it does not matter?

It doesn't any more, thanks for pointing the anomaly out.

> Then there is:
>
> chgrp „Domain Users“ /srv/samba/profiles
>
> and I don't see „Domain Users“ defined.

If you have an AD DC, you have "Domain Users", try this:

ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=group)(samaccountname=Domain Users))'

> Finally, as this is an AD, not a PDC, I am assuming I need to use
> 'ADUC' to enable roaming profiles for selected users (that got added
> how, see above). Is ADUC available on XP? I may have to break down
> and buy a 'cheap' used notebook on ebay with Win7 OEM preloaded...

Yes, you can use ADUC on XP, download it from here:

http://www.microsoft.com/en-us/download/details.aspx?id=16770

But, you can do most of what ADUC does with samba-tool.

> As I think Marc said I don't use:
>
> logon path = \\%L\Profiles\%U
>
> for an AD.

Correct

> Lastly a question on home share (and the wiki warns not to use the
> default homes share, but the home share documented).
>
> Can the home share be on an AD Member Server? It would seem so....

Yes, you just need to set the user's 'homeDirectory' attribute to point to the machine that holds the user's home dir

i.e. \\thinkpad\rowland

The same goes for the user's profile, but in this case you would use the 'profilePath' attribute

Rowland

> thanks. Laboring away here!
Marc Muehlfeld
2015-Sep-08  07:14 UTC
[Samba] User and Group management from Linux plus roaming profiles
On 07.09.2015 at 23:07, Robert Moskowitz wrote:
> And I am reading:
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>
> At the beginning the smb.conf starts with:
>
> [profiles]
>
> further down in the POSIX ACLs section it is:
>
> [Profiles]
>
> Are these two different shares? Or since shares are case insensitive it
> does not matter?

No. I've changed them all to an uppercase "P" now, to have this consistent with the screenshots.

Regards,
Marc
L.P.H. van Belle
2015-Sep-08  07:18 UTC
[Samba] User and Group management from Linux plus roaming profiles
For policies, RSAT etc. a very handy site.

http://trekker.net/archives/group-policy-downloads/

all you need.

Greetz,

Louis
L.P.H. van Belle
2015-Sep-08  07:38 UTC
[Samba] User and Group management from Linux plus roaming profiles
If you did read correct.

You choose...

OR posix acls setup
OR windows acl setup.
Do not mix up the both!

My advice, use windows ACL setup for profiles, since "normally" only windows computers use this, and for this, you can set the value:

acl_xattr:ignore system acls = yes

which makes the share even more windows acl compatible, and saves right hassle.

Greetz,

Louis
On 09/08/2015 03:01 AM, Rowland Penny wrote:
> On 07/09/15 22:07, Robert Moskowitz wrote:
>> Right now, RSAT seems not to be an option for me, as the only Win
>> systems here are XP...
>>
>> None of my PDC users were brought over with classicupdate. Perhaps
>> because my users are LINUX user accounts? And the home directories
>> map to /home/user ?
>
> Not having seen your old setup, but if you had a PDC, the users &
> groups should have been created in AD by classicupgrade, it is the
> only reason for the upgrade tool existing.

Well they are not there.

# wbinfo -u
administrator
dns-homebase
dhcpduser
krbtgt
guest

The two 'main' users of the PDC are: abba, imma

>> So I would think I need to start adding users and put them into
>> groups. How?
>
> By using the RSAT tools from windows, or by using samba-tool etc

I did a google search and seems RSAT is available for XP:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/bbf2fb6d-24ac-4436-b5cc-20d1009552c9/rsat-on-windows-xp-client?forum=winservergen

>> Then there is:
>>
>> chgrp „Domain Users“ /srv/samba/profiles
>>
>> and I don't see „Domain Users“ defined.
>
> If you have an AD DC, you have "Domain Users", try this:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb
> '(&(objectclass=group)(samaccountname=Domain Users))'

First I was wondering about the different quoting method than what you commonly see in commands. Wondering if it was done this way to indicate something was to replace this content.

# record 1
dn: CN=Domain Users,CN=Users,DC=home,DC=htt
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20150904135233.0Z
whenChanged: 20150904135233.0Z
uSNCreated: 3541
uSNChanged: 3541
name: Domain Users
objectGUID: 40cff32a-a6f2-4610-835a-71ce69706097
objectSid: S-1-5-21-4240919292-2417995422-4236335894-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=home,DC=htt
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=home,DC=htt
distinguishedName: CN=Domain Users,CN=Users,DC=home,DC=htt

# Referral
ref: ldap://home.htt/CN=Configuration,DC=home,DC=htt

# Referral
ref: ldap://home.htt/DC=DomainDnsZones,DC=home,DC=htt

# Referral
ref: ldap://home.htt/DC=ForestDnsZones,DC=home,DC=htt

# returned 4 records
# 1 entries
# 3 referrals

>> Finally, as this is an AD, not a PDC, I am assuming I need to use
>> 'ADUC' to enable roaming profiles for selected users (that got added
>> how, see above). Is ADUC available on XP? I may have to break down
>> and buy a 'cheap' used notebook on ebay with Win7 OEM preloaded...
>
> Yes, you can use ADUC on XP, download it from here:
>
> http://www.microsoft.com/en-us/download/details.aspx?id=16770

thanks.

> But, you can do most of what ADUC does with samba-tool.

Trying to learn all I can do with samba-tool and not use MS tools.

Now here is my original smb.conf, perhaps it will provide a clue what happened to my users not being imported by classicupgrade:

[global]
# General
netbios name = HOMEBASE
workgroup = HOME
server string = home
security = user

# Logging
syslog = 0
log level = 1
log file = /var/log/samba/%L-%m
max log size = 0
utmp = Yes

# Network
bind interfaces only = No
interfaces = lo eth0
smb ports = 139

# Printing
printcap name = /etc/printcap
load printers = Yes

# Security settings
guest account = guest
#restrict anonymous = 2

# WINS
wins support = Yes
wins server

# PDC/BDC
domain logons = Yes
add machine script = /usr/sbin/samba-add-machine "%u"
logon drive = H:
logon script = %U.cmd
logon path = \\%L\profiles\%U
logon home = \\%L\%U

# Winbind
idmap config * : backend = ldap
idmap config * : range = 20000000-29999999
winbind enum users = Yes
winbind enum groups = Yes
winbind offline logon = false
winbind use default domain = true
winbind separator = +
template homedir = /home/%U
template shell = /sbin/nologin

# Other
preferred master = Yes
domain master = Yes
passwd program = /usr/sbin/userpasswd %u
passwd chat = *password:* %n\n *password:* %n\n *successfully.*
passwd chat timeout = 10
username map = /etc/samba/smbusers
wide links = No

# LDAP settings
include = /etc/samba/smb.ldap.conf

# Winbind LDAP settings
include = /etc/samba/smb.winbind.conf

#============================ Share Definitions =============================

# Flexshare
include = /etc/samba/flexshare.conf

And the above include just lists all the shares.
Robert Moskowitz
2015-Sep-08  12:54 UTC
[Samba] User and Group management from Linux plus roaming profiles
On 09/08/2015 03:38 AM, L.P.H. van Belle wrote:
> If you did read correct.
>
> You choose...
>
> OR posix acls setup
> OR windows acl setup.
> Do not mix up the both!

Ah, I was afraid that is what was meant there and that one could only manage acls for windows systems/users via MS tools.

But as you can only have one [Profiles], and if you WILL have posix (linux, mac) systems, then you need to have that [Profiles].

> My advice, use windows ACL setup for profiles, since "normally" only
> windows computers use this, and for this, you can set the value:
>
> acl_xattr:ignore system acls = yes
>
> which makes the share even more windows acl compatible, and saves right
> hassle.

Where do I set this?

thanks
L.P.H. van Belle
2015-Sep-08  13:09 UTC
[Samba] User and Group management from Linux plus roaming profiles
You can set up 2 profile shares if you want.
Then you need to change the following. 
( on a member server ) 
    # For Windows ACL support on member file server, enabled globally
    # For a mixed setup of rights, put this per share.
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
and create 2 profile shares. 
For example : 
[msprofiles]
    browseable = yes
    path = /home/samba/msprofiles
    read only = no
    acl_xattr:ignore system acls = yes
[nixprofiles]
    browseable = yes
    path = /home/samba/nixprofiles
    read only = no
and set the correct profiles per user. 
But this only works if your users don't work on both Linux and MS workstations.
Just define the policy location per user. 
Greetz, 
Louis
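An added example, not part of the original thread and not Samba's own code: a small Python audit of smb.conf text for the per-share layout described in the message above. It reports whether acl_xattr is loaded for each share and flags acl_xattr: option names outside those listed in the vfs_acl_xattr manual page; the function names and the sample configuration are constructed for illustration.

```python
# Added example (not from the thread): audit acl_xattr settings per share.
KNOWN_OPTIONS = {"ignore system acls", "default acl style", "security_acl_name"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with case-folded names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            # Share names are case-insensitive: [Profiles] == [profiles].
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return {share: {"acl_xattr": bool, "findings": [str, ...]}}."""
    conf = parse_smb_conf(text)
    global_vfs = conf.pop("global", {}).get("vfs objects", "")
    report = {}
    for share, params in conf.items():
        # A share-level "vfs objects" replaces the global list entirely.
        loaded = "acl_xattr" in params.get("vfs objects", global_vfs).split()
        findings = []
        for key in params:
            if not key.startswith("acl_xattr:"):
                continue
            if key.split(":", 1)[1].strip() not in KNOWN_OPTIONS:
                findings.append("unrecognised option: " + key)
            if not loaded:
                findings.append("module not loaded for: " + key)
        report[share] = {"acl_xattr": loaded, "findings": findings}
    return report

# Constructed sample: two profile shares, each with one deliberate mistake.
SAMPLE = """
[global]
    map acl inherit = yes
[MSProfiles]
    vfs objects = acl_xattr
    acl_xattr:ignore system acl = yes
[nixprofiles]
    acl_xattr:ignore system acls = yes
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against the text of a real smb.conf by passing the file contents to audit(); included files are not followed.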