author: Jelmer Vernooij <jelmer@samba.org> 2003-08-12 17:36:25 +0000
committer: Jelmer Vernooij <jelmer@samba.org> 2003-08-12 17:36:25 +0000
commit: a2e3ba6e1281a7d3693173679ec7fb28898df319
tree: ccf9305e453bb08eb01813b4ea4e314f8f869e6a /docs/docbook/projdoc/ProfileMgmt.xml
parent: 3b8485d047492788925b530e9e622a61c66f2dbd
Merge over book changes into 3_0 CVS
(This used to be commit d8fe4a81fb0d4972b2331b3d5fc4890244b44c33)
Diffstat (limited to 'docs/docbook/projdoc/ProfileMgmt.xml')
-rw-r--r-- docs/docbook/projdoc/ProfileMgmt.xml 291
1 files changed, 145 insertions, 146 deletions
diff --git a/docs/docbook/projdoc/ProfileMgmt.xml b/docs/docbook/projdoc/ProfileMgmt.xml
index 58c6f34030..83d8b9907f 100644
--- a/docs/docbook/projdoc/ProfileMgmt.xml
+++ b/docs/docbook/projdoc/ProfileMgmt.xml
@@ -73,15 +73,15 @@ following (for example):
</para>
<para>
-<programlisting>
- logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath
-</programlisting>
+<smbconfblock>
+<smbconfoption><name>logon path</name><value>\\profileserver\profileshare\profilepath\%U\moreprofilepath</value></smbconfoption>
+</smbconfblock>
This is typically implemented like:
-<programlisting>
- logon path = \\%L\Profiles\%u
-</programlisting>
+<smbconfblock>
+<smbconfoption><name>logon path</name><value>\\%L\Profiles\%u</value></smbconfoption>
+</smbconfblock>
where %L translates to the name of the Samba server and %u translates to the user name
</para>
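Review bot: The two converted examples use different user-name macros, %U in the first logon path value and %u in the second, while the closing sentence explains only %u. The text that follows treats the semantics of %U and %u as a distinction worth knowing, so either use one macro in both examples or add a clause saying why they differ. The closing sentence ("translates to the user name") also lacks its full stop.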
@@ -97,7 +97,7 @@ semantics of %L and %N, as well as %U and %u.
<note>
<para>
MS Windows NT/2K clients at times do not disconnect a connection to a server
-between logons. It is recommended to NOT use the <parameter>homes</parameter>
+between logons. It is recommended to NOT use the <smbconfsection>homes</smbconfsection>
meta-service name as part of the profile share path.
</para>
</note>
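Review bot: `<smbconfsection>homes</smbconfsection>` is written without brackets here, while other section references converted in this patch carry them (`[global]`, `[NETLOGON]`). Pick one form so the rendered section names are uniform; `[homes]` would match the bracketed ones.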
@@ -107,7 +107,7 @@ meta-service name as part of the profile share path.
<title>Windows 9x / Me User Profiles</title>
<para>
- To support Windows 9x / Me clients, you must use the <parameter>logon home</parameter> parameter. Samba has
+ To support Windows 9x / Me clients, you must use the <smbconfoption><name>logon home</name></smbconfoption> parameter. Samba has
now been fixed so that <userinput>net use /home</userinput> now works as well, and it, too, relies
on the <command>logon home</command> parameter.
</para>
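Review bot: The last line of this paragraph still marks the parameter up as `<command>logon home</command>` although the first mention was converted to `<smbconfoption>`. Convert the second mention too, so the same parameter is not rendered as a command in one sentence and as an option in the other.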
@@ -115,11 +115,11 @@ on the <command>logon home</command> parameter.
<para>
By using the logon home parameter, you are restricted to putting Win9x / Me
profiles in the user's home directory. But wait! There is a trick you
-can use. If you set the following in the <parameter>[global]</parameter> section of your &smb.conf; file:
+can use. If you set the following in the <smbconfsection>[global]</smbconfsection> section of your &smb.conf; file:
</para>
-<para><programlisting>
- logon home = \\%L\%U\.profiles
-</programlisting></para>
+<para><smbconfblock>
+<smbconfoption><name>logon home</name><value>\\%L\%U\.profiles</value></smbconfoption>
+</smbconfblock></para>
<para>
then your Windows 9x / Me clients will dutifully put their clients in a subdirectory
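Review bot: The sentence after the converted block reads "will dutifully put their clients in a subdirectory"; given that the subdirectory is called .profiles, this presumably should say "their profiles". Worth correcting while this paragraph is being touched.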
@@ -130,7 +130,7 @@ of your home directory called <filename>.profiles</filename> (thus making them h
Not only that, but <userinput>net use /home</userinput> will also work, because of a feature in
Windows 9x / Me. It removes any directory stuff off the end of the home directory area
and only uses the server and share portion. That is, it looks like you
-specified <filename>\\%L\%U</filename> for <parameter>logon home</parameter>.
+specified <filename>\\%L\%U</filename> for <smbconfoption><name>logon home</name></smbconfoption>.
</para>
</sect3>
@@ -139,13 +139,13 @@ specified <filename>\\%L\%U</filename> for <parameter>logon home</parameter>.
<para>
You can support profiles for both Win9X and WinNT clients by setting both the
-<parameter>logon home</parameter> and <parameter>logon path</parameter> parameters. For example:
+<smbconfoption><name>logon home</name></smbconfoption> and <smbconfoption><name>logon path</name></smbconfoption> parameters. For example:
</para>
-<para><programlisting>
- logon home = \\%L\%u\.profiles
- logon path = \\%L\profiles\%u
-</programlisting></para>
+<para><smbconfblock>
+<smbconfoption><name>logon home</name><value>\\%L\%u\.profiles</value></smbconfoption>
+<smbconfoption><name>logon path</name><value>\\%L\profiles\%u</value></smbconfoption>
+</smbconfblock></para>
</sect3>
<sect3>
@@ -166,10 +166,10 @@ There are three ways of doing this:
<listitem><para>
Affect the following settings and ALL clients
will be forced to use a local profile:
- <programlisting>
- logon home =
- logon path =
- </programlisting>
+ <smbconfblock>
+ <smbconfoption><name>logon home</name></smbconfoption>
+ <smbconfoption><name>logon path</name></smbconfoption>
+ </smbconfblock>
</para></listitem>
</varlistentry>
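Review bot: The old listing showed empty assignments (`logon home =`, `logon path =`), but the replacement `<smbconfoption>` elements have a `<name>` and no `<value>`, which is the same markup this patch uses elsewhere merely to mention a parameter. Unless the stylesheet renders a missing value as an empty assignment, the instruction to set both parameters to nothing is lost. An explicit empty `<value></value>`, or a sentence saying the values must be left blank, would make it unambiguous.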
@@ -178,6 +178,7 @@ There are three ways of doing this:
<listitem><para>
By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is:
<!-- FIXME: Diagram for this ? -->
+ <!-- FIXME: Yes, a diagram will help - JHT -->
<programlisting>
Local Computer Policy\
Computer Configuration\
@@ -228,9 +229,9 @@ as are folders <filename>Start Menu</filename>, <filename>Desktop</filename>,
<filename>Programs</filename> and <filename>Nethood</filename>.
These directories and their contents will be merged with the local
versions stored in <filename>c:\windows\profiles\username</filename> on subsequent logins,
-taking the most recent from each. You will need to use the <parameter>[global]</parameter>
-options <parameter>preserve case = yes</parameter>, <parameter>short preserve case = yes</parameter> and
-<parameter>case sensitive = no</parameter> in order to maintain capital letters in shortcuts
+taking the most recent from each. You will need to use the <smbconfsection>[global]</smbconfsection>
+options <smbconfoption><name>preserve case</name><value>yes</value></smbconfoption>, <smbconfoption><name>short preserve case</name><value>yes</value></smbconfoption> and
+<smbconfoption><name>case sensitive</name><value>no</value></smbconfoption> in order to maintain capital letters in shortcuts
in any of the profile folders.
</para>
@@ -281,13 +282,13 @@ supports it), user name and user's password.
<para>
Once the user has been successfully validated, the Windows 9x / Me machine
-will inform you that <computeroutput>The user has not logged on before' and asks you
- if you wish to save the user's preferences?</computeroutput> Select <guibutton>yes</guibutton>.
+will inform you that <computeroutput>The user has not logged on before</computeroutput> and asks you
+<computeroutput>Do you wish to save the user's preferences?</computeroutput>. Select <guibutton>yes</guibutton>.
</para>
<para>
Once the Windows 9x / Me client comes up with the desktop, you should be able
-to examine the contents of the directory specified in the <parameter>logon path</parameter>
+to examine the contents of the directory specified in the <smbconfoption><name>logon path</name></smbconfoption>
on the samba server and verify that the <filename>Desktop</filename>, <filename>Start Menu</filename>,
<filename>Programs</filename> and <filename>Nethood</filename> folders have been created.
</para>
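Review bot: The second `<computeroutput>` now ends with a question mark and is immediately followed by a full stop, which renders as "preferences?." in the output. Drop the period after the closing tag.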
@@ -305,7 +306,7 @@ the newest folders and short-cuts from each set.
If you have made the folders / files read-only on the samba server,
then you will get errors from the Windows 9x / Me machine on logon and logout, as
it attempts to merge the local and the remote profile. Basically, if
-you have any errors reported by the Windows 9x / Me machine, check the Unix file
+you have any errors reported by the Windows 9x / Me machine, check the UNIX file
permissions and ownership rights on the profile directory contents,
on the samba server.
</para>
@@ -374,7 +375,7 @@ they will be told that they are logging in "for the first time".
<listitem>
<para>
- check the contents of the profile path (see <parameter>logon path</parameter> described
+ check the contents of the profile path (see <smbconfoption><name>logon path</name></smbconfoption> described
above), and delete the <filename>user.DAT</filename> or <filename>user.MAN</filename> file for the user,
making a backup if required.
</para>
@@ -403,13 +404,13 @@ differences are with the equivalent samba trace.
<para>
When a user first logs in to a Windows NT Workstation, the profile
NTuser.DAT is created. The profile location can be now specified
-through the <parameter>logon path</parameter> parameter.
+through the <smbconfoption><name>logon path</name></smbconfoption> parameter.
</para>
<para>
There is a parameter that is now available for use with NT Profiles:
-<parameter>logon drive</parameter>. This should be set to <filename>H:</filename> or any other drive, and
-should be used in conjunction with the new "logon home" parameter.
+<smbconfoption><name>logon drive</name></smbconfoption>. This should be set to <filename>H:</filename> or any other drive, and
+should be used in conjunction with the new <smbconfoption><name>logon home</name></smbconfoption> parameter.
</para>
<para>
@@ -481,8 +482,7 @@ profile on the MS Windows workstation as follows:
profile must be accessible.
</para>
- <note><para>You will need to log on if a logon box opens up. Eg: In the connect
- as: <replaceable>MIDEARTH</replaceable>\root, password: <replaceable>mypassword</replaceable>.</para></note>
+ <note><para>You will need to log on if a logon box opens up. Eg: In the connect as: <replaceable>DOMAIN</replaceable>\root, password: <replaceable>mypassword</replaceable>.</para></note>
</step>
<step><para>
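Review bot: The example logon in the rewritten note is `DOMAIN\root` with an inline password placeholder. If any account with administrative rights on the domain will do, say that instead of showing root, so readers do not conclude that root has to be usable for network logons. "Eg:" would also read better as "For example,".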
@@ -500,7 +500,7 @@ profile on the MS Windows workstation as follows:
</procedure>
<para>
-Done. You now have a profile that can be edited using the samba-3.0.0
+Done. You now have a profile that can be edited using the samba
<command>profiles</command> tool.
</para>
@@ -511,8 +511,8 @@ storage of mail data. That keeps desktop profiles usable.
</para>
</note>
-<note>
<procedure>
+ <title>Windows XP Service Pack 1</title>
<step><para>
This is a security check new to Windows XP (or maybe only
Windows XP service pack 1). It can be disabled via a group policy in
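Review bot: The new title states "Windows XP Service Pack 1" as fact while the first step still hedges ("or maybe only Windows XP service pack 1"), and that first step is an explanation, not an action. Since the procedure goes on to disable a security check, move this text into a paragraph ahead of the `<procedure>` and say what the check does, so an administrator can judge the effect of turning it off.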
@@ -562,7 +562,6 @@ On the XP workstation log in with an Administrator account.
<step><para>Reboot</para></step>
</procedure>
-</note>
</sect3>
</sect2>
@@ -582,9 +581,9 @@ on again with the newer version of MS Windows.
<para>
If you then want to share the same Start Menu / Desktop with W9x/Me, you will
-need to specify a common location for the profiles. The smb.conf parameters
-that need to be common are <parameter>logon path</parameter> and
-<parameter>logon home</parameter>.
+need to specify a common location for the profiles. The &smb.conf; parameters
+that need to be common are <smbconfoption><name>logon path</name></smbconfoption> and
+<smbconfoption><name>logon home</name></smbconfoption>.
</para>
<para>
@@ -659,12 +658,6 @@ Follow the above for every profile you need to migrate.
You should obtain the SID of your NT4 domain. You can use smbpasswd to do
this. Read the man page.</para>
-<para>
-With Samba-3.0.0 alpha code you can import all you NT4 domain accounts
-using the net samsync method. This way you can retain your profile
-settings as well as all your users.
-</para>
-
</sect3>
<sect3>
@@ -844,10 +837,10 @@ customisable per user depending on the profile settings chosen/created.
When a new user first logs onto an MS Windows NT4 machine a new profile is created from:
</para>
-<simplelist>
- <member>All Users settings</member>
- <member>Default User settings (contains the default NTUser.DAT file)</member>
-</simplelist>
+<itemizedlist>
+ <listitem>All Users settings</listitem>
+ <listitem>Default User settings (contains the default NTUser.DAT file)</listitem>
+</itemizedlist>
<para>
When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain
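Review bot: The new `<listitem>` elements contain bare text; DocBook requires block content inside a list item, and the `<itemizedlist>` blocks this patch adds for the LOCAL and roaming profile comparison already wrap each entry in `<para>`. Use `<listitem><para>All Users settings</para></listitem>` here as well.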
@@ -903,8 +896,8 @@ also remain stored in the same way, unless the following registry key is created
<para>
<programlisting>
- HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
- "DeleteRoamingCache"=dword:00000001
+HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
+winlogon\"DeleteRoamingCache"=dword:00000001
</programlisting>
In which case, the local copy (in <filename>%SystemRoot%\Profiles\%USERNAME%</filename>) will be
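Review bot: The key path keeps `HKEY_LOCAL_MACHINE\SYSTEM\Software\...`, but the Winlogon key lives under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, so the `SYSTEM\` component looks wrong and should be checked before the listing is merely reflowed. Breaking the line in the middle of the path inside `<programlisting>` also means a reader who copies it gets a split key name, and `winlogon\"DeleteRoamingCache"` makes the value name look like a subkey. Consider giving the key on one line and the value on the next.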
@@ -1013,7 +1006,7 @@ login name of the user.
<note>
<para>
- This path translates, in Samba parlance, to the &smb.conf; <parameter>[NETLOGON]</parameter> share. The directory
+ This path translates, in Samba parlance, to the &smb.conf; <smbconfsection>[NETLOGON]</smbconfsection> share. The directory
should be created at the root of this share and must be called <filename>Default Profile</filename>.
</para>
</note>
@@ -1124,7 +1117,7 @@ You could also use:
<para>
in which case the default folders will be stored in the server named <replaceable>SambaServer</replaceable>
in the share called <replaceable>FolderShare</replaceable> under a directory that has the name of the MS Windows
-user as seen by the Linux/Unix file system.
+user as seen by the Linux/UNIX file system.
</para>
<para>
@@ -1137,7 +1130,10 @@ MS Windows 200x/XP profiles may be <emphasis>Local</emphasis> or <emphasis>Roami
A roaming profile will be cached locally unless the following registry key is created:
</para>
-<para><filename>HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\"DeleteRoamingCache"=dword:00000001</filename></para>
+<para>
+<programlisting>
+HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
+ winlogon\"DeleteRoamingCache"=dword:00000001</programlisting></para>
<para>
In which case, the local cache copy will be deleted on logout.
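Review bot: This second copy of the DeleteRoamingCache listing indents its continuation line with a space where the earlier listing in this patch does not, and whitespace is literal inside `<programlisting>`. Make the two listings identical, or define the key once and refer to it. The question about the `SYSTEM\Software` path component applies here too.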
@@ -1153,7 +1149,7 @@ The following are some typical errors/problems/questions that have been asked.
</para>
<sect2>
-<title>How does one set up roaming profiles for just one (or a few) user/s or group/s?</title>
+<title>Setting up roaming profiles for just a few user's or group's?</title>
<para>
With samba-2.2.x the choice you have is to enable or disable roaming
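Review bot: The new title "Setting up roaming profiles for just a few user's or group's?" uses possessive apostrophes for plurals and ends a non-question with a question mark. Suggest "Setting up roaming profiles for just a few users or groups".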
@@ -1171,8 +1167,8 @@ machine.
</para>
<para>
-With samba-3.0.0 (soon to be released) you can have a global profile
-setting in smb.conf _AND_ you can over-ride this by per-user settings
+With samba-3 you can have a global profile
+setting in &smb.conf; _AND_ you can over-ride this by per-user settings
using the Domain User Manager (as with MS Windows NT4/ Win 2Kx).
</para>
@@ -1181,11 +1177,11 @@ In any case, you can configure only one profile per user. That profile can
be either:
</para>
-<simplelist>
- <member>A profile unique to that user</member>
- <member>A mandatory profile (one the user can not change)</member>
- <member>A group profile (really should be mandatory ie:unchangable)</member>
-</simplelist>
+<itemizedlist>
+ <listitem>A profile unique to that user</listitem>
+ <listitem>A mandatory profile (one the user can not change)</listitem>
+ <listitem>A group profile (really should be mandatory ie:unchangable)</listitem>
+</itemizedlist>
</sect2>
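Review bot: The `<listitem>` entries in the new `<itemizedlist>` hold bare text and need a `<para>` wrapper to be valid DocBook. While here, "ie:unchangable" in the third item could become "i.e., unchangeable".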
@@ -1193,66 +1189,69 @@ be either:
<title>Can NOT use Roaming Profiles</title>
<para>
+A user requested the following:
<quote>
- I dont want Roaming profile to be implemented, I just want to give users
- local profiles only.
-...
- Please help me I am totally lost with this error from past two days I tried
- everything and googled around quite a bit but of no help. Please help me.
+I do not want Roaming profiles to be implemented. I want to give users a local profile alone. ...
+Please help me I am totally lost with this error. For the past two days I tried everything, I googled
+around but found no useful pointers. Please help me.
</quote></para>
<para>
-Your choices are:
-<!-- FIXME: Write to whole sentences -->
+The choices are:
+</para>
<variablelist>
<varlistentry>
- <term>Local profiles</term>
+ <term>Local profiles:</term> <para>-</para>
<listitem><para>
- I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out
+ I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out
</para></listitem>
</varlistentry>
<varlistentry>
- <term>Roaming profiles</term>
+ <term>Roaming profiles:</term> <para>-</para>
<listitem><para>
- <simplelist>
- <member>can use auto-delete on logout option</member>
- <member>requires a registry key change on workstation</member>
- </simplelist>
-
- Your choices are:
-
- <variablelist>
- <varlistentry>
- <term>Personal Roaming profiles</term>
- <listitem><para>
- - should be preserved on a central server
- - workstations 'cache' (store) a local copy
- - used in case the profile can not be downloaded
- at next logon
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>Group profiles</term>
- <listitem><para>- loaded from a central place</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>Mandatory profiles</term>
- <listitem><para>
- - can be personal or group
- - can NOT be changed (except by an administrator
- </para></listitem>
- </varlistentry>
- </variablelist>
+ As a user logs onto the network a centrally stored profile is copied to the workstation
+ to form a local profile. This local profile will persist (remain on the workstation disk)
+ unless a registry key is changed that will cause this profile to be automatically deleted
+ on logout.
</para></listitem>
</varlistentry>
</variablelist>
+<para>
+The <emphasis>Roaming Profile</emphasis> choices are:
</para>
+<variablelist>
+ <varlistentry>
+ <term>Personal Roaming profiles</term> <para>-</para>
+ <listitem><para>
+ These are typically stored in a profile share on a central (or conveniently located
+ local) server.
+ </para>
+
+ <para>
+ Workstations 'cache' (store) a local copy of the profile. This cached copy is used when
+ the profile can not be downloaded at next logon.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Group profiles</term> <para>-</para>
+ <listitem><para>These are loaded from a central profile server</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Mandatory profiles</term> <para>-</para>
+ <listitem><para>
+ Mandatory profiles can be created for a user as well as for any group that a user
+ is a member of. Mandatory profiles can NOT be changed by ordinary users. Only the administrator
+ can change or reconfigure a mandatory profile.
+ </para></listitem>
+ </varlistentry>
+</variablelist>
+
<para>
A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
Outlook PST files are most often part of the profile and can be many GB in
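Review bot: Each `<term>` is now followed by `<para>-</para>` before its `<listitem>`; a `<varlistentry>` may contain only terms and a list item, so this will not validate. Remove the `<para>-</para>` elements and let the stylesheet separate term from text. Separately, the text inside `<quote>` was reworded although it is introduced as what a user requested; either keep the original wording or drop the quote markup. The "I know of no registry keys" entry also still reads as first person next to the rewritten impersonal entries.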
@@ -1271,56 +1270,53 @@ a problem free site.
<para>
Microsoft's answer to the PST problem is to store all email in an MS
-Exchange Server back-end. But this is another story ...!
+Exchange Server back-end. This removes the need for a PST file.
</para>
<para>
-So, having LOCAL profiles means:
-
-<simplelist>
- <member>If lots of users user each machine - lot's of local disk storage needed for local profiles</member>
- <member>Every workstation the user logs into has it's own profile - can be very different from machine to machine</member>
-</simplelist>
-
-On the other hand, having roaming profiles means:
-<simplelist>
- <member>The network administrator can control EVERY aspect of user profiles</member>
- <member>With the use of mandatory profiles - a drastic reduction in network management overheads</member>
- <member>User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably</member>
-</simplelist>
-
+LOCAL profiles mean:
</para>
+<itemizedlist>
+ <listitem><para>If each machine is used my many users then much local disk storage is needed for local profiles</para></listitem>
+ <listitem><para>Every workstation the user logs into has it's own profile, these can be very different from machine to machine</para></listitem>
+</itemizedlist>
+
<para>
-I have managed and installed MANY NT/2K networks and have NEVER found one
-where users who move from machine to machine are happy with local
-profiles. In the long run local profiles bite them.
+On the other hand, use of roaming profiles means:
</para>
-</sect2>
+<itemizedlist>
+ <listitem><para>The network administrator can control the desktop environment of all users.</para></listitem>
+ <listitem><para>Use of mandatory profiles drasitcally reduces network management overheads.</para></listitem>
+ <listitem><para>In the long run users will be experience fewer problems.</para></listitem>
+</itemizedlist>
-<!-- FIXME: Everything below this is a mess. I didn't quite understand it - Jelmer -->
+</sect2>
<sect2>
- <title>Changing the default profile</title>
+<title>Changing the default profile</title>
-<para><quote>
-When the client tries to logon to the PDC it looks for a profile to download
-where do I put this default profile.
+<para>
+<emphasis>Question:</emphasis>
+<quote>
+When the client logs onto the domain controller it searches for a profile to download,
+where do I put this default profile?
</quote></para>
<para>
-Firstly, your samba server need to be configured as a domain controller.
+Firstly, the samba server needs to be configured as a domain controller.
+This can be done by setting in &smb.conf;:
</para>
-<programlisting>
- server = user
- os level = 32 (or more)
- domain logons = Yes
-</programlisting>
+<smbconfblock>
+<smbconfoption><name>security</name><value>user</value></smbconfoption>
+<smbconfoption><name>os level</name><value>32 (or more)</value></smbconfoption>
+<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+</smbconfblock>
<para>
-Plus you need to have a <parameter>[netlogon]</parameter> share that is world readable.
+There must be an <smbconfsection>[netlogon]</smbconfsection> share that is world readable.
It is a good idea to add a logon script to pre-set printer and
drive connections. There is also a facility for automatically
synchronizing the workstation time clock with that of the logon
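Review bot: The added list items carry several typos: "used my many users" (by), "it's own profile" (its), "drasitcally" (drastically) and "users will be experience" (will experience). Also, `<value>32 (or more)</value>` puts commentary inside the option value; use `32` and move the remark into the text or an `<smbconfcomment>`.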
@@ -1329,23 +1325,26 @@ server (another good thing to do).
<note><para>
To invoke auto-deletion of roaming profile from the local
-workstation cache (disk storage) you need to use the <application>Group Policy Editor</application>
+workstation cache (disk storage) use the <application>Group Policy Editor</application>
to create a file called <filename>NTConfig.POL</filename> with the appropriate entries. This
-file needs to be located in the <parameter>netlogon</parameter> share root directory.</para></note>
+file needs to be located in the <smbconfsection>netlogon</smbconfsection> share root directory.</para></note>
<para>
-Oh, of course the windows clients need to be members of the domain.
-Workgroup machines do NOT do network logons - so they never see domain
-profiles.
+Windows clients need to be members of the domain. Workgroup machines do NOT use network logons so
+they do not interoperate with domain profiles.
</para>
<para>
-Secondly, for roaming profiles you need:
-
- logon path = \\%N\profiles\%U (with some such path)
- logon drive = H: (Z: is the default)
+For roaming profiles add to &smb.conf;:
+</para>
- Plus you need a PROFILES share that is world writable.
+<para>
+<smbconfblock>
+<smbconfoption><name>logon path</name><value>\\%N\profiles\%U</value></smbconfoption>
+<smbconfcomment>Default logon drive is Z:</smbconfcomment>
+<smbconfoption><name>logon drive</name><value>H:</value></smbconfoption>
+<smbconfcomment>This requires a PROFILES share that is world writable.</smbconfcomment>
+</smbconfblock>
</para>
</sect2>
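Review bot: The `<smbconfcomment>` saying the PROFILES share must be world writable is the only guidance on permissions in this block, and it reads as licence for any user to write anywhere in the share. Add a sentence on restricting each user's profile directory to its owner, and move the requirement out of the config comment into the paragraph, since it describes a separate share definition and not the `logon drive` line it sits under. The example also uses `%N` and `%U` where the earlier logon path examples use `%L` and `%u`.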