Roaming Profiles With Samba
(aka How to Set Up Roaming Profiles on Novell Clients Without Having to Purchase ZENworks)
10/5/2010

First of all, you will need to install Samba. I used an Ubuntu 10.04 Workstation for the Samba server and installed the samba and system-config-samba packages (the latter being a GUI for administration purposes).

Create a profile directory. This should not be the users' home directories. I created a directory /samba/profiles and then assigned it the following permissions: chmod 1757 /samba/profiles. I also made the owner root:sambashare, because that's what the default (/var/lib/samba/usershares) is. The 'everyone' permission of 7 is what allows the user account to create its own profile directory upon first login. The sticky bit means that users can delete files/directories in their own profile directory, but nobody else can, since they are not the owner. In actuality, I'm going to put the "create mask = 0600" and "directory mask = 0700" options under the [profiles] section of smb.conf, which will make the sticky bit completely moot, but I'll keep that bit set anyhow. The /samba directory, above the profile directory, is root:root 755.

Next, Samba must be configured to act as a domain controller. The following options should be set in smb.conf:
Now, in order to allow roaming profiles, the following should also be set in smb.conf:
If I wanted to distinguish between OS types (different versions of Windows, actually), I would use the following line for logon path instead (this is, in fact, what I did):
I then created the profiles share by adding the following to smb.conf:
Next, you must set up the netlogon directory (required for domain logins, since this is a PDC). This appears to be used for automatically-run login scripts (and possibly policies?), but nothing else. I created this directory as /samba/netlogon and set the permissions to root:domusers (a group I will create, of which all users in the domain are members) mode 750. I then made sure that the following section was in smb.conf:
If I wanted to create a different default profile for each version of Windows, I would make the path line read "path = /samba/netlogon/%a". This specifies that Samba should map the netlogon directory according to what version of Windows a user is authenticating from. Then, I would create directories under /samba/netlogon for each version of Windows (such as /samba/netlogon/WinXP). I would then need to copy a different default profile for each version of Windows. I may do this later. Note also that starting with Windows Vista, the "Default User" directory is simply called "Default".
Then I set up the [homes] section, which tells Samba how to map users' home directories (each share being created on the fly upon logon). In the [global] section of smb.conf, define the following:
Then, set up the actual [homes] share section:
The path has the /%S on the end in order to append the user's Samba username to the base path. The "valid users = %s" specifies that only a particular user can connect to their own share. "browseable = no" specifies that a user cannot browse to see other users' shares (which probably does not actually matter in my case, since my path ends in /%S anyhow). If "guest ok" were set to yes rather than no, users could browse the home share (again, without the /%S on the path) without authenticating first; if that were the case, you should set "read only" to yes.

Note that even if a home directory is not defined in your smb.conf, Samba will still look for an existing directory at the default location of /var/lib/samba/usershares/username when the user logs in. If it exists, it will map it. If it doesn't exist, it will see if the user's home directory in Linux exists. Again, if it exists, it will map it. If neither of these searches turns up an existing directory, Samba will not create the user's temporary home share.

If you do use home directories, it will set the user's HOMEDRIVE variable in Windows to that specified by the logon drive directive in smb.conf; it will set the HOMESHARE attribute to the value of logon home in smb.conf, which of course will be a temporary share created upon login and mapped to a directory named according to the user's account name. If a path is specified in the [homes] share section, it will use that (without appending anything, such as the user's name, to the end, unless you specify that); otherwise, it will use the user's Linux home directory. I created the /samba/homes directory and changed the owner to root:domusers with permissions 750.
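To check that a server's smb.conf actually carries the [profiles] masks and the [homes] restrictions described above (plus the csc policy setting discussed further down the page), here is an added Python audit script. It is example code, not the author's configuration; both smb.conf samples inside it are constructed.

```python
"""Audit an smb.conf for the roaming-profile share settings discussed above.
Added example, not the author's configuration: WEAK_CONF ([profiles] without
masks, [homes] open to guests and browsing) and HARDENED_CONF (the masks,
'valid users', 'browseable' and 'csc policy' settings) are constructed."""
import configparser

WEAK_CONF = r"""
[profiles]
path = /samba/profiles
read only = no
[homes]
path = /samba/homes/%S
read only = no
guest ok = yes
browseable = yes
"""

HARDENED_CONF = r"""
[profiles]
path = /samba/profiles
read only = no
create mask = 0600
directory mask = 0700
[homes]
path = /samba/homes/%S
valid users = %S
read only = no
browseable = no
guest ok = no
csc policy = disable
"""

YES = ("yes", "true", "1")  # the spellings Samba accepts for a true boolean

def parse_smb_conf(text):
    """{section: {key: value}}; keys lower-cased with spaces removed, since
    Samba treats 'create mask' and 'createmask' as the same parameter."""
    cp = configparser.RawConfigParser(strict=False)  # Raw: no '%' interpolation
    cp.read_string(text)
    return {s: {k.replace(" ", ""): v.strip() for k, v in cp.items(s)}
            for s in cp.sections()}

def mask_leaks(mask):
    """True unless an octal create/directory mask denies every group/other bit."""
    return mask is None or bool(int(mask, 8) & 0o077)

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    f, prof, homes = [], conf.get("profiles", {}), conf.get("homes")
    for key in ("createmask", "directorymask"):
        if mask_leaks(prof.get(key)):  # a missing mask counts as leaking
            f.append(f"profiles: set {key} so only the owner can read/write")
    if homes is not None:
        if homes.get("validusers") not in ("%S", "%U"):
            f.append("homes: 'valid users = %S' limits each share to its owner")
        if homes.get("browseable", "yes").lower() in YES:  # Samba default: yes
            f.append("homes: browseable = yes reveals other users' share names")
        if (homes.get("guestok", "no").lower() in YES
                and homes.get("readonly", "yes").lower() not in YES):
            f.append("homes: guest ok = yes needs at least read only = yes")
        if homes.get("cscpolicy", "manual").lower() != "disable":
            f.append("homes: set 'csc policy = disable' (no Offline Files caching)")
    return f
```

Run it against a live server with audit(parse_smb_conf(open("/etc/samba/smb.conf").read())); an empty list means every check passed.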
NTConfig.POL and logon scripts in netlogon dir?
Each machine that wishes to become a part of the domain must have a Machine Trust Account in Samba. When the machine goes to join the domain, Windows will prompt you for that username and password. The easiest way to administer this is to have Samba create the Machine Trust Account, and the corresponding Linux user account, on the fly (more detailed information here). To do so, I uncommented the following line in the smb.conf file (note that this line may be different if the machine is not Ubuntu):
Note that the machines group must exist for this to work!
I created that group with the following command:
You must also have a Samba account that has either A) root privileges on the server or B) been granted the SeMachineAccountPrivilege privilege. I opted to create an account mapped to root, with a different username and Samba password (you should always use a different password for security reasons; a username of your choosing is probably a good idea too). I did this with the system-config-samba GUI, which was nice and quick and easy (and also means that I have no idea how to do it from the command line). You must have the following option set in smb.conf in order to map root to a differently-named Samba account:
Ok, I lied. If you want to do this manually, simply put the following line in the /etc/samba/smbusers file (which is owned by root:root mode 644):
Now, add that user to Samba by typing smbpasswd -a root. Notice that I did not use the alias name as the username there; I used the user that it is mapped to. That's all there is to it!
The security=user option in smb.conf requires a Linux account for each Samba user. To test, I quickly created a user account in Linux and added that user to Samba, using the following commands:
To join the domain, right-click on My Computer and select Properties, then click on Network ID from the Computer Name tab. Select "This computer is part of a business network..." and then "My company uses a network with a domain." It will then prompt you for a username/password from the domain along with the name of the domain itself. At the next screen, it will prompt you for the local computer name and its domain (in which I typed the domain that I was trying to join). When you click Next, it will ask for the username/password with permission to join the domain, as well as the name of the domain once again. Here, I typed the username that I had mapped to root. If all that works, it will ask if you want to add a domain account to the local computer (and, by default, it will fill in the username that you specified at the first prompt in the process). I in fact chose to have it add that user (I selected Standard User even though I had already added that user to the Domain Administrators group).

To create and add users to the Domain Admins group, first create this group on the Linux server (groupadd domadmins). Map the Linux group to the domain group by issuing the following command:
Note that the RID would normally start at 1000 and must not overlap with any RID assigned to a user. Now, to add users to that group, either use your Linux group editor GUI or add the users to the end of the domadmins line in /etc/group, such as follows:
This group will automatically be added to the local Administrators group when the computer joins the domain, and of course then any of its members will become administrators when they log into the workstation.

I then followed the same procedure to allow a group of domain users to log on with Remote Desktop (a list of well-known default RIDs can be found here; I simply picked something that was not in that list):
Then I added this group to the Remote Desktop Users local group on each workstation that was a domain member and should allow people to log on with Remote Desktop. Voila!

To make users' home directories automatically created upon first login, create the Domain Users group, add all users to it, and make it the group owner of the homes directory (specified in smb.conf, otherwise /var/lib/samba/usershares):
*** This may not actually create home directories automatically. I thought I had it working at one point, but now it is not. See my note above about home directory mapping.
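Picking the RID for a new group mapping, as the groupmap step above requires, means checking it against RIDs already in use. This added Python example (not from the original page) parses constructed sample output in the format that net groupmap list prints and, together with a constructed set of user RIDs, rejects a colliding RID or proposes the next free one; the well-known RID table is a subset I am certain of, not a complete list.

```python
"""Choose or vet a RID for a new Samba group mapping so that it does not
collide with a RID already in use. Added example, not from the original page:
GROUPMAP_LIST is constructed sample output in the format 'net groupmap list'
prints (ntgroup (SID) -> unixgroup) and USER_RIDS is a constructed set of RIDs
already held by user accounts."""
import re

GROUPMAP_LIST = """\
Domain Admins (S-1-5-21-3623811015-3361044348-30300820-512) -> domadmins
Domain Users (S-1-5-21-3623811015-3361044348-30300820-513) -> domusers
Remote Users (S-1-5-21-3623811015-3361044348-30300820-1001) -> domainremoteusers
"""
USER_RIDS = {1000, 1002, 1004}  # constructed; on a real server read them from pdbedit

# Well-known RIDs that Windows reserves in every domain; never hand these out.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}

# "<nt group> (<SID>) -> <unix group>"; the RID is the SID's last component.
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-\d+(?:-\d+)*-(?P<rid>\d+))\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return {ntgroup: (rid, unixgroup)} from 'net groupmap list' output."""
    mappings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or unexpected lines rather than guessing
            mappings[m["nt"]] = (int(m["rid"]), m["unix"])
    return mappings


def check_rid(rid, group_rids, user_rids):
    """Explain why a hand-picked RID is unsafe, or return None if it is free."""
    if rid in WELL_KNOWN_RIDS:
        return f"{rid} is the well-known RID of {WELL_KNOWN_RIDS[rid]}"
    if rid in group_rids:
        return f"{rid} is already mapped to a group"
    if rid in user_rids:
        return f"{rid} is already assigned to a user account"
    return None


def next_free_rid(group_rids, user_rids, start=1000):
    """Smallest RID >= start that check_rid() accepts."""
    rid = start
    while check_rid(rid, group_rids, user_rids) is not None:
        rid += 1
    return rid
```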
Folder redirection in combination with Roaming Profiles (for performance)

In order to get maximum performance, the "Application Data" and "My Documents" folders should be redirected to the user's share rather than leaving them in the user's roaming profile. This way they are transferred to/from the server in real time, rather than downloaded when the user logs in and uploaded back when the user logs out (which can take quite some time when the user saves large files in their profile).

First, log into a domain workstation with the local administrator account. Follow this procedure to change some folder redirections. Specifically, run regedt32 and load the NTUSER.DAT hive from the "C:\Documents and Settings\Default User" folder (which is a hidden folder). In that loaded hive, browse to "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders". I changed My Documents, My Pictures and Recent to the following values:
Those are the very minimum that should be redirected. Most of what I read really recommends redirecting the Application Data folder as well, but I've also read information saying that it will break some programs if it is not on the local machine (in the profile, which is cached on the local drive). So, beware. I also made some other redirections after doing some further reading:
Also, we should tell Internet Explorer to enable the "Empty Temporary Internet Files folder when browser is closed" option. From that same loaded hive, edit or create the Persistent key (which is a REG_DWORD, but it should already be there) in the "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" folder, setting it to 0 (0 means empty the folder on exit, while 1 means do not empty the folder). Be sure to unload this hive when you're done.

Most Samba guides will tell you to redirect Application Data as well, but I did not, for fear of breaking some programs by not having locally stored App Data (roaming profile data is still local while it is being used). Note, also, that I did not need to mess with the "\Shell Folders" folder at all, only "User Shell Folders." The "\Shell Folders" key is actually populated by Windows, based off of the settings in "\User Shell Folders," when a user logs in. Note that these redirected directories will be auto-created (by Windows) as it first accesses them; you do not need to create them manually for any user.

It turns out that redirecting the Application Data folder really does cause some issues. It seems that some programs (i.e., Windows) don't really expand the environment variables used to define it all the time. So, after repeatedly deleting a folder called "%HOMESHARE%" that Windows had automatically created under the user's home directory, I moved the Application Data folder back to the user's profile.

Now, you should exclude those directories from roaming, using either the registry or the Group Policy Editor. I chose to do this through the default user's HKCU registry hive, since Vista no longer checks/obeys the Group Policy. To do this through a local policy (which means it must be done individually on each machine that joins the domain), run gpedit.msc from that workstation's cmd prompt and browse to User Configuration->Administrative Templates->System->User Profiles. Double-click on the "Exclude directories in roaming profile" option. Check the Enabled radio button and then enter the following in the text box: "My Documents; Recent; My Documents\My Pictures; Favorites; Desktop" (without the semi-colons, and with the directories that you wish to exclude). Then completely delete these directories from the C:\Documents and Settings\Default User path (deleting these directories may not actually be necessary; Windows doesn't seem to copy the directories that are excluded from roaming to the actual roaming part of the profile anyhow).

To do this through the registry, you use the same registry hive that is used to define which directories are redirected, as described above. The value that you are interested in is ExcludeProfileDirs under the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key. List the directories, relative to the root of the profile, separated by semicolons. Mine looks like this:
According to M$, at least in NT4, these two lists will actually be merged and stored in the user's registry when they log off. This was not actually the case when I tested it. This M$ article explains in better detail how to exclude redirected directories using both the registry and a system policy.

Now, I mapped a drive to the PDC's netlogon share and used Windows Explorer to copy the C:\Documents and Settings\Default User directory to that drive.

Now, it is important to turn Offline Files off on the share to which those folders are redirected! Offline Files only makes sense for laptops that only sometimes plug into the network; you do not want it for your persistently connected workstations. It would, in fact, completely defeat the purpose of redirecting these directories, since Offline Files will cause changes in the directories to be cached locally and then synchronized upon logout (which is almost the same behavior as normal roaming profile directories). There are several ways to disable file caching on the share (the user's home share in my case), but I found the easiest (and global) way is to do it in smb.conf, in the [homes] share section. Add the following option to the [homes] section:
To get around this, the easiest way (at least if you don't mind doing it on every computer) is to use a local policy. In Group Policy Editor (gpedit.msc), under Local Computer Policy->User Configuration->Administrative Templates->Network->Offline Files, enable the "Do not automatically make redirected folders available offline" option. There are of course many more options pertaining to Offline Files here, and in the same folder tree under "Computer Configuration" as well. It is also pretty easy to do this from the "Offline Files" tab under the Tools menu of Windows Explorer, but of course then it must be done on a per-user basis rather than a per-computer basis. In fact, for some reason that Group Policy does not always get followed, so I had to do it through the Tools menu for a particular user on a particular computer anyhow. To completely disable Offline Files, read this.

"The trust relationship between this workstation and the primary domain failed" when trying to add a machine to the domain: according to this page, try this solution:
*** If you experience slowdowns on a local machine after adding it to the domain, ensure that Samba is running with WINS support and network buffering by adding the following lines to smb.conf:
*** Make sure that the nmbd service is running, and that you restart it any time you make changes to your domain name!
*** Run testparm to verify your smb.conf settings!
*** If you get the following error when running testparm: "rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)", add the following line to /etc/security/limits.conf:
Then, uncomment the following line in /etc/pam.d/su:
Neither of these solutions actually worked for me. Nonetheless, I don't think it actually affects Samba at all (I think it is, in reality, telling you about the shell that you are using).
*** Running smbstatus will show you who is connected.
*** UPHClean to clean up undeleted profiles?
*** Some example Samba files here.
*** If you repeatedly get the following error in any of the Samba log files:
Then try restricting Samba to using port 139 (and never 445). Do this by adding the following line to smb.conf:
*** To add a domain user to the Remote Desktop Users group, use the following procedure: Log into the local computer using a domain account. Then, go to the Control Panel and click on "User Accounts." A prompt will pop up telling you that you need to be a member of the local computer's Administrators group in order to do that, and will prompt you for a local username/password. Type in your Administrator account credentials. Click on "Advanced" from the Advanced tab. Double-click on Local Users and Groups (local) -> Groups, and then double-click on the group that you wish to administer (such as Remote Desktop Users). Click to add a user. If the domain is selected as the location, it should then prompt you again for your domain credentials. Type that in to authenticate. Then you should be able to click Advanced -> Find Now to find the user that you wish to add. Highlight that user and click OK. Voila, that domain user should now be added to the local group!
*** Samba uses ports 137/udp, 138/udp, 139/tcp and 445/tcp.
*** When the passdb backend = tdbsam option is used, the passwords are stored in /etc/samba/private/passdb.tdb by default. The filename can be changed by specifying it like this: "passdb backend = tdbsam:/etc/samba/private/passdb.tdb".
*** net groupmap list will list all Samba Windows groups and their corresponding Linux groups.
*** When a user logs into a computer using a roaming profile, Windows creates a local directory for the user (C:\Documents and Settings\username, at least on XP) and then downloads the profile directory from the Samba server to this local directory. According to Microsoft it only downloads the new profile if the copy of NTUSER.DAT on the server is newer than the local NTUSER.DAT, but when I tested it, this proved not to be the case. It re-downloaded things anyhow (at least the Desktop directory!). When the user logs out, it uploads everything back to the server. If you want it to delete the locally cached copy of this directory after uploading it back to the server each time, create and set the following registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows\System\DeleteRoamingCache=1 (this is a DWORD value).
*** Problems grabbing the Default User directory from the netlogon share: possibly configure the "Don't check owner of server stored profiles" policy under Computer Configuration/Administrative Templates/System/User Profiles?
*** According to this document, if you get an "Automatic certificate enrollment for local system failed to contact the active directory" event every 8 hours, you may disable the following policies:
Or, I prefer to do it through the registry:
I also enabled the following options in smb.conf because of our XP Pro SP3 clients (although I've never actually encountered the problem described in the man page):
*** Good pdbedit documentation (including policies, account flags)
*** Security against brute force:
*** VMware Tools hgfs.dat not being deleted from the Application Data\vmware directory upon logout (and cannot be deleted, period):
*** To disable roaming profiles on a given computer, but still use domain logons: Open gpedit.msc and enable the following policy:
Supposedly there is a "Prevent roaming profile changes from propagating to the server" option as well, but for the life of me, I can't find it (at least under W2k).

If, under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-ID, the CentralProfile option is blank (rather than listing the profiles share for that user on the roaming profile server), then the workstation will use the local profile for that user. ProfileImagePath will be where that local profile is located (if the account were using the roaming copy, ProfileImagePath is where the roaming profile specified by the directory contained in the CentralProfile value would be cached while the user is logged on). Apparently there can also be a value called UserPreference (REG_DWORD) under the user's HID. Apparently the allowed values of this key are 0, 1 or 3, where 0 = Local Profile, 1 = Roaming Profile, and I don't know about 3. If this value does not exist, then local/roaming is determined by the CentralProfile option.

Now, if you want a domain logon for a certain domain user to use a certain local profile of a different username, first log on to that computer at least once with the given domain user, in order to establish its profile (SID) in the ProfileList key described above. Then, log in as a local administrator and ensure that the given domain user has full rights to the local user's profile (or give that domain user local admin rights if you want to be quick and insecure!). Then, navigate to the domain user's SID key in the ProfileList key. Change the "ProfileImagePath" value to be that of the other user's ProfileImagePath value.
Some useful commands:

net (run this from the Linux/Samba server's command line; a helpful example would be to type net groupmap list). To add a domain group: net group add domainremoteusers

winbindd?

According to this post, you can turn on quite a bit of logging in XP by setting this reg key: The log file is in C:\Windows\Debug\UserMode .. (if memory serves..)

gpresult (to show group policies that are applied)

gpupdate /force (updates the computer's applied group policy. This may only work with AD? I don't know, since I haven't tested it)
Setting up system profiles in Samba with policy editor templates
Samba Wiki for Implementing Roaming Profiles
Creating a default profile in Windows
Detailed info for setting up a Samba server on Debian
Implementing System Policies (including where to obtain MS' System Policy Editor)
Using the net command to manage groups (Windows/Samba vs. Linux)