From c5ae3a64863842960f42589a5ddc07755b4f6316 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 29 Jun 2005 06:37:37 +0000 Subject: Updating TOSHARG files (This used to be commit 2ada75f02f4ba7de548a56a14f1bb0281029e063) --- docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml | 135 ++++++++++++++++++++++++------ 1 file changed, 109 insertions(+), 26 deletions(-) (limited to 'docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml') diff --git a/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml b/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml index 6cdf87b54f..d5cc6e93aa 100644 --- a/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml +++ b/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml @@ -12,17 +12,20 @@ Features and Benefits +roaming profiles Roaming profiles are feared by some, hated by a few, loved by many, and a godsend for some administrators. +manage roaming profiles Roaming profiles allow an administrator to make available a consistent user desktop as the user moves from one machine to another. This chapter provides much information regarding how to configure and manage roaming profiles. +local profiles While roaming profiles might sound like nirvana to some, they are a real and tangible problem to others. In particular, users of mobile computing tools, where often there may not be a sustained network connection, are often better served by purely local profiles. @@ -47,6 +50,7 @@ Windows 9x/Me and Windows NT4/200x clients implement these features. +NetUserGetInfo Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's profiles location. However, the response does not have room for a separate profiles location field, only the user's home share. This means that Windows 9x/Me @@ -55,6 +59,8 @@ profiles are restricted to being stored in the user's home directory. +NetSAMLogon +RPC Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields including a separate field for the location of the user's profiles. 
@@ -94,6 +100,8 @@ semantics of %L and %N, as well as %U +logons +disconnect a connection MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended to not use the metaservice name as part of the profile share path. @@ -103,26 +111,29 @@ to not use the metaservice name as part of the pr Windows 9x/Me User Profiles +net use /home +logon home To support Windows 9x/Me clients, you must use the parameter. Samba has been fixed so net use /home now works as well and it, too, relies -on the logon home parameter. +on the logon home parameter. -By using the logon home parameter, you are restricted to putting Windows 9x/Me profiles in the user's home -directory. But wait! There is a trick you can use. If you set the following in the +logon home +\\%L\%U\.profiles +.profiles +By using the logon home parameter, you are restricted to putting Windows 9x/Me profiles +in the user's home directory. But wait! There is a trick you can use. If you set the following in the section of your &smb.conf; file: - - + \\%L\%U\.profiles - - - + then your Windows 9x/Me clients will dutifully put their clients in a subdirectory of your home directory called .profiles (making them hidden). +net use /home Not only that, but net use /home will also work because of a feature in Windows 9x/Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you @@ -139,11 +150,12 @@ You can support profiles for Windows 9x and Windows NT clients by setting both t -\\%L\%u\.profiles -\\%L\profiles\%u +\\%L\%U\.profiles +\\%L\profiles\%U +mixed profile Windows 9x/Me and NT4 and later profiles should not be stored in the same location because Windows NT4 and later will experience problems with mixed profile environments. 
@@ -153,6 +165,7 @@ Windows NT4 and later will experience problems with mixed profile environments. Disabling Roaming Profile Support +disable roaming profiles The question often asked is, How may I enforce use of local profiles? or How do I disable roaming profiles? @@ -160,9 +173,10 @@ The question often asked is, How may I enforce use of local profiles? roaming profiles There are three ways of doing this: -windows registry settingsroaming profiles +windows registry settingsroaming profiles + In &smb.conf;: @@ -180,7 +194,9 @@ There are three ways of doing this: MS Windows Registry: - Use the Microsoft Management Console (MMC) gpedit.msc to instruct your MS Windows XP +MMC +local profile + Use the Microsoft Management Console (MMC) gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This, of course, modifies registry settings. The full path to the option is: @@ -193,11 +209,12 @@ Local Computer Policy\ Disable: Only Allow Local User Profiles Disable: Prevent Roaming Profile Change from Propagating to the Server - + Change of Profile Type: +Profile Type From the start menu right-click on the My Computer icon, select Properties, click on the User Profiles tab, select the profile you wish to change from @@ -213,6 +230,7 @@ about which registry keys to change to enforce use of only local user profiles. +Windows Resource Kit The specifics of how to convert a local profile to a roaming profile, or a roaming profile to a local one, vary according to the version of MS Windows you are running. Consult the Microsoft MS Windows Resource Kit for your version of Windows for specific information. @@ -239,6 +257,8 @@ profile folders. +user.DAT +user.MAN The user.DAT file contains all the user's preferences. If you wish to enforce a set of preferences, rename their user.DAT file to user.MAN, and deny them write access to this file. 
@@ -261,6 +281,10 @@ rename their user.DAT file to user.MAN +Primary Logon +Client for Novell Networks +Novell +Windows Logon Under Windows 9x/Me, profiles are downloaded from the Primary Logon. If you have the Primary Logon as Client for Novell Networks, then the profiles and logon script will be downloaded from your Novell server. If you have the Primary Logon as Windows Logon, then the profiles will @@ -268,6 +292,7 @@ be loaded from the local machine &smbmdash; a bit against the concept of roaming +domain logon server You will now find that the Microsoft Networks Login box contains [user, password, domain] instead of just [user, password]. Type in the Samba server's domain name (or any other domain known to exist, but bear in mind that the user will be authenticated against this domain and profiles downloaded from it @@ -288,6 +313,9 @@ the Samba server and verify that the Desktop, Sta +cached locally +shortcuts +profile directory These folders will be cached locally on the client and updated when the user logs off (if you haven't made them read-only by then). You will find that if the user creates further folders or shortcuts, the client will merge the profile contents downloaded with the contents of the profile @@ -295,6 +323,10 @@ directory already on the local client, taking the newest folders and shortcut fr +local profile +remote profile +ownership rights +profile directory If you have made the folders/files read-only on the Samba server, then you will get errors from the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile. Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions 
@@ -302,6 +334,10 @@ and ownership rights on the profile directory contents, on the Samba server. +windows registry settings +profile path +user profiles +desktop cache windows registry settingsprofile path If you have problems creating user profiles, you can reset the user's local desktop cache, as shown below. When this user next logs in, the user will be told that he/she is logging in for the first @@ -348,6 +384,7 @@ time. +ProfilePath Before deleting the contents of the directory listed in the ProfilePath (this is likely to be c:\windows\profiles\username), ask whether the owner has any important files stored on his or her desktop or start menu. Delete the contents of the @@ -361,11 +398,18 @@ in their profile directory, as well as the local desktop, +log level +packet sniffer +ethereal +netmon.exe If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet sniffer program such as ethereal or netmon.exe, and look for error messages. - If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or + +roaming profiles +packet trace +If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace. @@ -387,6 +431,8 @@ the new parameter. +.PDS extension +profile path The entry for the NT4 profile is a directory, not a file. The NT help on profiles mentions that a directory is also created with a .PDS extension. The user, while logging in, must have write permission to create the full profile path (and the folder with the .PDS extension for those situations where it 
@@ -394,6 +440,7 @@ might be created). +NTuser.DAT In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates Application Data and others, as well as Desktop, Nethood, Start Menu, and Programs. @@ -402,6 +449,8 @@ in the .PDS directory, and its purpose is currently unknown. +NTuser.DAT +NTuser.MAN You can use the System Control Panel to copy a local profile onto a Samba server (see NT help on profiles; it is also capable of firing up the correct location in the System Control Panel for you). The NT help file also mentions that renaming @@ -531,6 +580,8 @@ The UPHClean software package can be downloaded from The Net Command Chapter, Other Miscellaneous Operations for more information. @@ -619,8 +675,10 @@ See The Net Command Chapter, S Policies. - - Under NO circumstances should the profile directory (or its -contents) be made read-only because this may render the profile unusable. -Where it is essential to make a profile read-only within the UNIX file -system, this can be done, but then you absolutely must use the -fake-permissions VFS module to instruct MS Windows -NT/200x/XP clients that the Profile has write permission for the user. -See fake_perms VFS module. + +fake-permissions module +VFS module +fake_perms +Under NO circumstances should the profile directory (or its contents) be made read-only because this may +render the profile unusable. Where it is essential to make a profile read-only within the UNIX file system, +this can be done, but then you absolutely must use the fake-permissions VFS module to +instruct MS Windows NT/200x/XP clients that the Profile has write permission for the user. See fake_perms VFS module. +NTUser.MAN +NTUser.DAT For MS Windows NT4/200x/XP, the procedure shown in Profile Migration from Windows NT4/200x Server to Samba can also be used to create mandatory profiles. To convert a group profile into a mandatory profile, simply locate the NTUser.DAT file in the copied profile and rename 
@@ -683,6 +745,7 @@ it to NTUser.MAN. +User.MAN For MS Windows 9x/Me, it is the User.DAT file that must be renamed to User.MAN to effect a mandatory profile. @@ -694,6 +757,9 @@ For MS Windows 9x/Me, it is the User.DAT file that must be group profiles +template +profile migration tool +profile access rights Most organizations are arranged into departments. There is a nice benefit in this fact, since usually most users in a department require the same desktop applications and the same desktop layout. MS Windows NT4/200x/XP will allow the use of group profiles. A group profile is a profile that is created @@ -702,6 +768,7 @@ assigned access rights for the user group that needs to be given access to the g +User Manager The next step is rather important. Instead of assigning a group profile to users (Using User Manager) on a per-user basis, the group itself is assigned the now modified profile. @@ -718,6 +785,7 @@ profile, then the result will be a fusion (merge) of the two. default profile +registry keys MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile does not already exist. Armed with a knowledge of where the default profile is located on the Windows workstation, and knowing which registry keys affect the path from which the default profile is created, @@ -729,6 +797,8 @@ significant administrative advantages. MS Windows 9x/Me +System Policy Editor +registry To enable default per-use profiles in Windows 9x/Me, you can either use the Windows 98 System Policy Editor or change the registry directly. @@ -742,6 +812,7 @@ changes. +regedit.exe To modify the registry directly, launch the Registry Editor (regedit.exe) and select the hive HKEY_LOCAL_MACHINE\Network\Logon. Now add a DWORD type key with the name User Profiles. To enable user profiles to set the value 
@@ -822,7 +893,13 @@ the following steps are followed for profile handling: exist, then a new profile is created in the %SystemRoot%\Profiles\%USERNAME% directory from reading the Default User profile. - If the NETLOGON share on the authenticating server (logon server) contains + +NTConfig.POL +NETLOGON +authenticating server +logon server +HKEY_CURRENT_USER + If the NETLOGON share on the authenticating server (logon server) contains a policy file (NTConfig.POL), then its contents are applied to the NTUser.DAT, which is applied to the HKEY_CURRENT_USER part of the registry. @@ -850,6 +927,7 @@ on logout. +regedt32 Under MS Windows NT4, default locations for common resources like My Documents may be redirected to a network share by modifying the following registry keys. These changes may be made via use of the System Policy Editor. To do so may require that you create your own template @@ -932,6 +1010,9 @@ The default entries are shown in Defaults of Profile Set GPOs +Windows XP Home Edition +ADS +domain security MS Windows XP Home Edition does use default per-user profiles, but cannot participate in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only from itself. While there are benefits in doing this, the beauty of those MS Windows clients that @@ -940,6 +1021,7 @@ profile and enforce it through the use of Group Policy Objects (GPOs). +Default User When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from C:\Documents and Settings\Default User. The administrator can modify or change the contents of this location, and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement, 
@@ -947,9 +1029,10 @@ since it will involve copying a new default profile to every MS Windows 200x/XP +NETLOGON When MS Windows 200x/XP participates in a domain security context, and if the default user profile is not found, then the client will search for a default profile in the NETLOGON share of the authenticating server. -In MS Windows parlance, it is %LOGONSERVER%\NETLOGON\Default User, +In MS Windows parlance, it is %LOGONSERVER%\NETLOGON\Default User, and if one exists there, it will copy this to the workstation in the C:\Documents and Settings\ under the Windows login name of the use. -- cgit
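Review bot: the unchanged sentence near the end of the hunk at @@ -103,26 +111,29 @@ still reads "your Windows 9x/Me clients will dutifully put their clients in a subdirectory of your home directory". The second "clients" should be "profiles". The paragraph above it is already being rewrapped in this hunk, so the fix can go in with the same change.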
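Review bot: the switch from %u to %U in both paths of the hunk at @@ -139,11 +150,12 @@ changes what the example does, and the commit message ("Updating TOSHARG files") does not mention it. In smb.conf, %U is the session user name the client requested, while %u is the user name of the current service, and the two can differ where user names are mapped. Please confirm that %U is intended in both `\\%L\%U\.profiles` and `\\%L\profiles\%U`. It does match the logon home example in the @@ -103,26 +111,29 @@ hunk. Also add a sentence to the text saying which name the profile directory is built from, so that administrators create and own the directories under the right name.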
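Review bot: the new index terms "windows registry settings" and "profile path" in the hunk at @@ -302,6 +334,10 @@ are added directly above a context line that already carries an index entry with the same two terms ("windows registry settingsprofile path"). Unless the existing entry is a primary/secondary pair that is meant to stay alongside the new flat terms, drop one of the two so the index does not point at this paragraph twice under the same heading.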
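Review bot: the line re-added in the hunk at @@ -361,11 +398,18 @@, "If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or", carries over the "an Windows" error from the line it replaces. Change it to "a Windows" while the line is being touched.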
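Review bot: the rewritten warning in the hunk at @@ -619,8 +675,10 @@ names the module three ways: "fake-permissions VFS module" in the sentence, "fake_perms VFS module" in the cross-reference, and "fake-permissions module" in the new index terms. Settle on fake_perms, the form used in the cross-reference, and use it in the sentence and in the index. This is the one place the chapter tells administrators how to keep a read-only profile usable, so the term they look up should match the term they read.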
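Review bot: the context line under the new index terms in the hunk at @@ -729,6 +797,8 @@ reads "To enable default per-use profiles in Windows 9x/Me". It should be "per-user", as in the later sentence "MS Windows XP Home Edition does use default per-user profiles". It is worth correcting in the same pass, since the paragraph is being edited here.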
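Review bot: the last context line of the hunk at @@ -947,9 +1029,10 @@ ends "under the Windows login name of the use." The final word should be "user". The preceding line, "In MS Windows parlance, it is %LOGONSERVER%\NETLOGON\Default User,", is already being replaced in this hunk, so the typo can be fixed in the same edit.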