From a2e3ba6e1281a7d3693173679ec7fb28898df319 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 12 Aug 2003 17:36:25 +0000 Subject: Merge over book changes into 3_0 CVS (This used to be commit d8fe4a81fb0d4972b2331b3d5fc4890244b44c33) --- docs/docbook/projdoc/ProfileMgmt.xml | 291 +++++++++++++++++------------------ 1 file changed, 145 insertions(+), 146 deletions(-) (limited to 'docs/docbook/projdoc/ProfileMgmt.xml') diff --git a/docs/docbook/projdoc/ProfileMgmt.xml b/docs/docbook/projdoc/ProfileMgmt.xml index 58c6f34030..83d8b9907f 100644 --- a/docs/docbook/projdoc/ProfileMgmt.xml +++ b/docs/docbook/projdoc/ProfileMgmt.xml @@ -73,15 +73,15 @@ following (for example): - - logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath - + +logon path\\profileserver\profileshare\profilepath\%U\moreprofilepath + This is typically implemented like: - - logon path = \\%L\Profiles\%u - + +logon path\\%L\Profiles\%u + where %L translates to the name of the Samba server and %u translates to the user name @@ -97,7 +97,7 @@ semantics of %L and %N, as well as %U and %u. MS Windows NT/2K clients at times do not disconnect a connection to a server -between logons. It is recommended to NOT use the homes +between logons. It is recommended to NOT use the homes meta-service name as part of the profile share path. @@ -107,7 +107,7 @@ meta-service name as part of the profile share path. Windows 9x / Me User Profiles - To support Windows 9x / Me clients, you must use the logon home parameter. Samba has + To support Windows 9x / Me clients, you must use the logon home parameter. Samba has now been fixed so that net use /home now works as well, and it, too, relies on the logon home parameter. 
@@ -115,11 +115,11 @@ on the logon home parameter. By using the logon home parameter, you are restricted to putting Win9x / Me profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your &smb.conf; file: +can use. If you set the following in the [global] section of your &smb.conf; file: - - logon home = \\%L\%U\.profiles - + +logon home\\%L\%U\.profiles + then your Windows 9x / Me clients will dutifully put their clients in a subdirectory @@ -130,7 +130,7 @@ of your home directory called .profiles (thus making them h Not only that, but net use /home will also work, because of a feature in Windows 9x / Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you -specified \\%L\%U for logon home. +specified \\%L\%U for logon home. @@ -139,13 +139,13 @@ specified \\%L\%U for logon home. You can support profiles for both Win9X and WinNT clients by setting both the -logon home and logon path parameters. For example: +logon home and logon path parameters. For example: - - logon home = \\%L\%u\.profiles - logon path = \\%L\profiles\%u - + +logon home\\%L\%u\.profiles +logon path\\%L\profiles\%u + @@ -166,10 +166,10 @@ There are three ways of doing this: Affect the following settings and ALL clients will be forced to use a local profile: - - logon home = - logon path = - + + logon home + logon path + @@ -178,6 +178,7 @@ There are three ways of doing this: By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is: + Local Computer Policy\ Computer Configuration\ 
@@ -228,9 +229,9 @@ as are folders Start Menu, Desktop, Programs and Nethood. These directories and their contents will be merged with the local versions stored in c:\windows\profiles\username on subsequent logins, -taking the most recent from each. You will need to use the [global] -options preserve case = yes, short preserve case = yes and -case sensitive = no in order to maintain capital letters in shortcuts +taking the most recent from each. You will need to use the [global] +options preserve caseyes, short preserve caseyes and +case sensitiveno in order to maintain capital letters in shortcuts in any of the profile folders. @@ -281,13 +282,13 @@ supports it), user name and user's password. Once the user has been successfully validated, the Windows 9x / Me machine -will inform you that The user has not logged on before' and asks you - if you wish to save the user's preferences? Select yes. +will inform you that The user has not logged on before and asks you +Do you wish to save the user's preferences?. Select yes. Once the Windows 9x / Me client comes up with the desktop, you should be able -to examine the contents of the directory specified in the logon path +to examine the contents of the directory specified in the logon path on the samba server and verify that the Desktop, Start Menu, Programs and Nethood folders have been created. @@ -305,7 +306,7 @@ the newest folders and short-cuts from each set. If you have made the folders / files read-only on the samba server, then you will get errors from the Windows 9x / Me machine on logon and logout, as it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the Windows 9x / Me machine, check the Unix file +you have any errors reported by the Windows 9x / Me machine, check the UNIX file permissions and ownership rights on the profile directory contents, on the samba server. 
@@ -374,7 +375,7 @@ they will be told that they are logging in "for the first time". - check the contents of the profile path (see logon path described + check the contents of the profile path (see logon path described above), and delete the user.DAT or user.MAN file for the user, making a backup if required. @@ -403,13 +404,13 @@ differences are with the equivalent samba trace. When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified -through the logon path parameter. +through the logon path parameter. There is a parameter that is now available for use with NT Profiles: -logon drive. This should be set to H: or any other drive, and -should be used in conjunction with the new "logon home" parameter. +logon drive. This should be set to H: or any other drive, and +should be used in conjunction with the new logon home parameter. @@ -481,8 +482,7 @@ profile on the MS Windows workstation as follows: profile must be accessible. - You will need to log on if a logon box opens up. Eg: In the connect - as: MIDEARTH\root, password: mypassword. + You will need to log on if a logon box opens up. Eg: In the connect as: DOMAIN\root, password: mypassword. @@ -500,7 +500,7 @@ profile on the MS Windows workstation as follows: -Done. You now have a profile that can be edited using the samba-3.0.0 +Done. You now have a profile that can be edited using the samba profiles tool. @@ -511,8 +511,8 @@ storage of mail data. That keeps desktop profiles usable. - + Windows XP Service Pack 1 This is a security check new to Windows XP (or maybe only Windows XP service pack 1). It can be disabled via a group policy in @@ -562,7 +562,6 @@ On the XP workstation log in with an Administrator account. Reboot - 
@@ -582,9 +581,9 @@ on again with the newer version of MS Windows. If you then want to share the same Start Menu / Desktop with W9x/Me, you will -need to specify a common location for the profiles. The smb.conf parameters -that need to be common are logon path and -logon home. +need to specify a common location for the profiles. The &smb.conf; parameters +that need to be common are logon path and +logon home. @@ -659,12 +658,6 @@ Follow the above for every profile you need to migrate. You should obtain the SID of your NT4 domain. You can use smbpasswd to do this. Read the man page. - -With Samba-3.0.0 alpha code you can import all you NT4 domain accounts -using the net samsync method. This way you can retain your profile -settings as well as all your users. - - @@ -844,10 +837,10 @@ customisable per user depending on the profile settings chosen/created. When a new user first logs onto an MS Windows NT4 machine a new profile is created from: - - All Users settings - Default User settings (contains the default NTUser.DAT file) - + + All Users settings + Default User settings (contains the default NTUser.DAT file) + When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain @@ -903,8 +896,8 @@ also remain stored in the same way, unless the following registry key is created - HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ - "DeleteRoamingCache"=dword:00000001 +HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ +winlogon\"DeleteRoamingCache"=dword:00000001 In which case, the local copy (in %SystemRoot%\Profiles\%USERNAME%) will be @@ -1013,7 +1006,7 @@ login name of the user. - This path translates, in Samba parlance, to the &smb.conf; [NETLOGON] share. The directory + This path translates, in Samba parlance, to the &smb.conf; [NETLOGON] share. The directory should be created at the root of this share and must be called Default Profile. 
@@ -1124,7 +1117,7 @@ You could also use: in which case the default folders will be stored in the server named SambaServer in the share called FolderShare under a directory that has the name of the MS Windows -user as seen by the Linux/Unix file system. +user as seen by the Linux/UNIX file system. @@ -1137,7 +1130,10 @@ MS Windows 200x/XP profiles may be Local or Roami A roaming profile will be cached locally unless the following registry key is created: -HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\"DeleteRoamingCache"=dword:00000001 + + +HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ + winlogon\"DeleteRoamingCache"=dword:00000001 In which case, the local cache copy will be deleted on logout. @@ -1153,7 +1149,7 @@ The following are some typical errors/problems/questions that have been asked. -How does one set up roaming profiles for just one (or a few) user/s or group/s? +Setting up roaming profiles for just a few user's or group's? With samba-2.2.x the choice you have is to enable or disable roaming @@ -1171,8 +1167,8 @@ machine. -With samba-3.0.0 (soon to be released) you can have a global profile -setting in smb.conf _AND_ you can over-ride this by per-user settings +With samba-3 you can have a global profile +setting in &smb.conf; _AND_ you can over-ride this by per-user settings using the Domain User Manager (as with MS Windows NT4/ Win 2Kx). @@ -1181,11 +1177,11 @@ In any case, you can configure only one profile per user. That profile can be either: - - A profile unique to that user - A mandatory profile (one the user can not change) - A group profile (really should be mandatory ie:unchangable) - + + A profile unique to that user + A mandatory profile (one the user can not change) + A group profile (really should be mandatory ie:unchangable) + 
@@ -1193,66 +1189,69 @@ be either: Can NOT use Roaming Profiles +A user requested the following: - I dont want Roaming profile to be implemented, I just want to give users - local profiles only. -... - Please help me I am totally lost with this error from past two days I tried - everything and googled around quite a bit but of no help. Please help me. +I do not want Roaming profiles to be implemented. I want to give users a local profile alone. ... +Please help me I am totally lost with this error. For the past two days I tried everything, I googled +around but found no useful pointers. Please help me. -Your choices are: - +The choices are: + - Local profiles + Local profiles: - - I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out + I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out - Roaming profiles + Roaming profiles: - - - can use auto-delete on logout option - requires a registry key change on workstation - - - Your choices are: - - - - Personal Roaming profiles - - - should be preserved on a central server - - workstations 'cache' (store) a local copy - - used in case the profile can not be downloaded - at next logon - - - - - Group profiles - - loaded from a central place - - - - Mandatory profiles - - - can be personal or group - - can NOT be changed (except by an administrator - - - + As a user logs onto the network a centrally stored profile is copied to the workstation + to form a local profile. This local profile will persist (remain on the workstation disk) + unless a registry key is changed that will cause this profile to be automatically deleted + on logout. + +The Roaming Profile choices are: + + + Personal Roaming profiles - + + These are typically stored in a profile share on a central (or conveniently located + local) server. + + + + Workstations 'cache' (store) a local copy of the profile. This cached copy is used when + the profile can not be downloaded at next logon. 
+ + + + + Group profiles - + These are loaded from a central profile server + + + + Mandatory profiles - + + Mandatory profiles can be created for a user as well as for any group that a user + is a member of. Mandatory profiles can NOT be changed by ordinary users. Only the administrator + can change or reconfigure a mandatory profile. + + + + A WinNT4/2K/XP profile can vary in size from 130KB to off the scale. Outlook PST files are most often part of the profile and can be many GB in 
@@ -1271,56 +1270,53 @@ a problem free site. Microsoft's answer to the PST problem is to store all email in an MS -Exchange Server back-end. But this is another story ...! +Exchange Server back-end. This removes the need for a PST file. -So, having LOCAL profiles means: - - - If lots of users user each machine - lot's of local disk storage needed for local profiles - Every workstation the user logs into has it's own profile - can be very different from machine to machine - - -On the other hand, having roaming profiles means: - - The network administrator can control EVERY aspect of user profiles - With the use of mandatory profiles - a drastic reduction in network management overheads - User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably - - +LOCAL profiles mean: + + If each machine is used my many users then much local disk storage is needed for local profiles + Every workstation the user logs into has it's own profile, these can be very different from machine to machine + + -I have managed and installed MANY NT/2K networks and have NEVER found one -where users who move from machine to machine are happy with local -profiles. In the long run local profiles bite them. +On the other hand, use of roaming profiles means: - + + The network administrator can control the desktop environment of all users. + Use of mandatory profiles drasitcally reduces network management overheads. + In the long run users will be experience fewer problems. + - + - Changing the default profile +Changing the default profile - -When the client tries to logon to the PDC it looks for a profile to download -where do I put this default profile. + +Question: + +When the client logs onto the domain controller it searches for a profile to download, +where do I put this default profile? -Firstly, your samba server need to be configured as a domain controller. +Firstly, the samba server needs to be configured as a domain controller. 
+This can be done by setting in &smb.conf;: - - server = user - os level = 32 (or more) - domain logons = Yes - + +securityuser +os level32 (or more) +domain logonsYes + -Plus you need to have a [netlogon] share that is world readable. +There must be an [netlogon] share that is world readable. It is a good idea to add a logon script to pre-set printer and drive connections. There is also a facility for automatically synchronizing the workstation time clock with that of the logon @@ -1329,23 +1325,26 @@ server (another good thing to do). To invoke auto-deletion of roaming profile from the local -workstation cache (disk storage) you need to use the Group Policy Editor +workstation cache (disk storage) use the Group Policy Editor to create a file called NTConfig.POL with the appropriate entries. This -file needs to be located in the netlogon share root directory. +file needs to be located in the netlogon share root directory. -Oh, of course the windows clients need to be members of the domain. -Workgroup machines do NOT do network logons - so they never see domain -profiles. +Windows clients need to be members of the domain. Workgroup machines do NOT use network logons so +they do not interoperate with domain profiles. -Secondly, for roaming profiles you need: - - logon path = \\%N\profiles\%U (with some such path) - logon drive = H: (Z: is the default) +For roaming profiles add to &smb.conf;: + - Plus you need a PROFILES share that is world writable. + + +logon path\\%N\profiles\%U +Default logon drive is Z: +logon driveH: +This requires a PROFILES share that is world writable. + -- cgit
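Review bot: The hunk at -659 deletes the paragraph on importing NT4 domain accounts with net samsync and puts nothing in its place, so the migration text now ends at "You can use smbpasswd to do this. Read the man page." with no pointer to how accounts are carried over. If the method is documented in another chapter, add a cross-reference here; otherwise keep the paragraph and drop only the "Samba-3.0.0 alpha code" wording.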
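Review bot: In the hunks at -903 and -1137 the registry path is now broken in the middle of the key name, and the continuation line is indented in one hunk but not in the other, so a reader copying it gets `...\CurrentVersion\` and `winlogon\"DeleteRoamingCache"=dword:00000001` as separate fragments. Keep the key path on one line with the value name and data on the next, formatted identically in both places. While these lines are being touched, also check the `HKEY_LOCAL_MACHINE\SYSTEM\Software\...` prefix, since the Winlogon key lives under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`.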
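Review bot: The new title in the hunk at -1153, "Setting up roaming profiles for just a few user's or group's?", uses possessive apostrophes for plurals and is no longer a complete question. Suggest "Setting up roaming profiles for just a few users or groups" without the question mark, or keep the original question form.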
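Review bot: In the hunk at -1193 the text introduced by "A user requested the following:" is presented as the user's own words but has been reworded ("I dont want Roaming profile to be implemented" became "I do not want Roaming profiles to be implemented", and the closing sentences were rewritten). Either keep the quotation verbatim or introduce it as a paraphrase. The answer below it also keeps the first-person "I know of no registry keys ...", which reads oddly in reference documentation and could be restated impersonally.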
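Review bot: The added list items in the hunk at -1271 carry several typos: "used my many users" should be "used by many users", "it's own profile" should be "its own profile", "drasitcally" should be "drastically", and "users will be experience fewer problems" should be "users will experience fewer problems". Further down in the same hunk, "There must be an [netlogon] share" should read "a [netlogon] share", and "32 (or more)" appears to sit inside the os level value, where it cannot be pasted into smb.conf as written; move that remark into the surrounding sentence.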
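Review bot: The last hunk (at -1329) still tells the reader that roaming profiles require "a PROFILES share that is world writable" and says nothing about permissions on the directories inside it, which leaves room for one user to read or alter another user's profile. Suggest adding a sentence that each user's profile directory should be owned by that user and not readable or writable by others, and that the share root only needs to allow users to create their own directory (for example with the sticky bit set on the UNIX directory). The line "Default logon drive is Z:" also now sits between the two parameters rather than beside logon drive, where the old "(Z: is the default)" remark was attached.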