[Samba] Roaming profiles

#11
08-22-2008
Charles Marcus
Re: [Samba] Roaming profiles

On 8/22/2008, L.P.H. van Belle (belle@bazuin.nl) wrote:
> yes, turn off Profile acls,


This is the second time you have said this, but never answered my
request for WHY would you suggest this, when the samba devs say it is
REQUIRED?

Please, either provide an answer/rationale for why you are telling
someone to try something non-standard, or stop pulling things out of the
air.

--

Best regards,

Charles
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

#12
08-22-2008
L.P.H. van Belle
RE: [Samba] Roaming profiles

First, read the man smb.conf
there you will see DEFAULT profile acls = no

second if you setup your rights correctly, like
for example how i have it.
/home/samba/profiles ( 777)
and remember to set /home/samba at least 755 ( the last 5 is needed !! )

autocreated by user at logoff /home/samba/profiles/USERNAME (700)
if a profile exists in test environment, logon, set everything in windows.
delete the profile from the server and logoff the profile is new
created again with correct rights.

when used force user = %U
it's always the user.
but don't forget !!
create mask = 0600
directory mask = 0700

when profiles are setup this way it's just how xp sp1 and higher
checks its rights. with this setup you don't have to change
any thing in xp policies for the profiles.

this is how i have my profiles in smb.conf
[profiles]
path = /home/samba/profiles
comment = Profile enviroment.
read only = no
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"


Sorry if i didn't reply your message, i didn't see that.

Louis


>-----Original message-----
>From: Charles Marcus [mailto:CMarcus@media-brokers.com]
>Sent: Friday 22 August 2008 16:53
>To: L.P.H. van Belle
>CC: samba@lists.samba.org
>Subject: Re: [Samba] Roaming profiles
>
>On 8/22/2008, L.P.H. van Belle (belle@bazuin.nl) wrote:
>> yes, turn off Profile acls,

>
>This is the second time you have said this, but never answered my
>request for WHY would you suggest this, when the samba devs say it is
>REQUIRED?
>
>Please, either provide an answer/rationale for why you are telling
>someone to try something non-standard, or stop pulling things
>out of the
>air.
>
>--
>
>Best regards,
>
>Charles
>


#13
08-23-2008
Mugo Martin
Re: [Samba] Roaming profiles

Let me ask this again though it seems off the point.

Are we supposed to add more lines to the *smb.conf* file even though the
distribution installed does come with them defined. Samba 3.0.x has at most
5 lines in the *profiles* section. No mask, force user, ..etc.
Adding them does not break Samba and testparm outputs them, but do they add
anything or you are better off looking for configuration problems elsewhere?

Mike E, sorry I didn't get back at you over your question. Couldn't think of
a solution and I'm very new to samba. Hope you got sorted though.

Martin.

On Fri, Aug 22, 2008 at 6:02 PM, L.P.H. van Belle <belle@bazuin.nl> wrote:

> First, read the man smb.conf
> there you will see DEFAULT profile acls = no
>
> second if you setup your rights correctly, like
> for example how i have it.
> /home/samba/profiles ( 777)
> and remember to set /home/samba at least 755 ( the last 5 is needed !! )
>
> autocreated by user at logoff /home/samba/profiles/USERNAME (700)
> if a profile exists in test environment, logon, set everything in windows.
> delete the profile from the server and logoff the profile is new
> created again with correct rights.
>
> when used force user = %U
> it's always the user.
> but don't forget !!
> create mask = 0600
> directory mask = 0700
>
> when profiles are setup this way it's just how xp sp1 and higher
> checks its rights. with this setup you don't have to change
> any thing in xp policies for the profiles.
>
> this is how i have my profiles in smb.conf
> [profiles]
> path = /home/samba/profiles
> comment = Profile enviroment.
> read only = no
> create mask = 0600
> directory mask = 0700
> browseable = Yes
> guest ok = Yes
> csc policy = disable
> force user = %U
> valid users = %U @"Domain Admins"
>
>
> Sorry if i didn't reply your message, i didn't see that.
>
> Louis
>
>
> >-----Original message-----
> >From: Charles Marcus [mailto:CMarcus@media-brokers.com]
> >Sent: Friday 22 August 2008 16:53
> >To: L.P.H. van Belle
> >CC: samba@lists.samba.org
> >Subject: Re: [Samba] Roaming profiles
> >
> >On 8/22/2008, L.P.H. van Belle (belle@bazuin.nl) wrote:
> >> yes, turn off Profile acls,

> >
> >This is the second time you have said this, but never answered my
> >request for WHY would you suggest this, when the samba devs say it is
> >REQUIRED?
> >
> >Please, either provide an answer/rationale for why you are telling
> >someone to try something non-standard, or stop pulling things
> >out of the
> >air.
> >
> >--
> >
> >Best regards,
> >
> >Charles
> >

>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
>

#14
08-23-2008
John H Terpstra
Re: [Samba] Roaming profiles

On Saturday 23 August 2008 06:04:50 Mugo Martin wrote:
> Let me ask this again though it seems off the point.
>
> Are we supposed to add more lines to the *smb.conf* file even though the
> distribution installed does come with them defined. Samba 3.0.x has at
> most 5 lines in the *profiles* section. No mask, force user, ..etc.
> Adding them does not break Samba and testparm outputs them, but do they add
> anything or you are better off looking for configuration problems
> elsewhere?


There is often the problem of the wisdom of the ages as against the wisdom of
the sages. In other words, there are the opinions of the unwashed masses
compared with the opinion of the experts.

In respect of Roaming Profiles (also called Roving Profiles by some) opinions
are not hard to find - just google a bit and you will see what I mean.

Instead of offering yet another divergent opinion, let me offer two profile
share stanzas from fully working sites.

Example 1:
---------------
From my own Samba 3.2.2 server. This works perfectly fine. It has done since I
wrote the Samba3-ByExample book.

[profiles]
comment = Profile Share
path = /data/samba/profiles
read only = No
profile acls = Yes

Example 2:
---------------
This one is in use at a site that has 4200 users, all of them rather happy,
except when one of our bugs causes a few of them a little pain. But so far
as profile handling is concerned, the stanza definition has not ever caused
them a problem.

So why the extra lines? Simple, they are required to assure absolute
confidentiality of user data under various national laws. That is why, as a
paranoia move, they added the masks and set browseable to No. The "store DOS
attributes" parameter is not needed, but they will not change the stanza
unless there is a compelling reason to do so. Since this works, there is no
basis for change.

[profiles]
comment = Network Profiles Service
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes
browseable = No

I hope this helps a few of you to see that the excited discussions regarding
Samba profile share stanza definitions can be entirely over-rated.

When I update the HOWTO chapter on Windows system profile management I will
simplify the content radically. Profiles are not rocket science - though
from this mailing list one can be excused for thinking it is!

Cheers,
John T.

PS: The remainder of this email is left intact to preserve the whole story for
the benefit of search engine users.

> Mike E, sorry I didn't get back at you over your question. Couldn't think
> of a solution and I'm very new to samba. Hope you got sorted though.
>
> Martin.
>
> On Fri, Aug 22, 2008 at 6:02 PM, L.P.H. van Belle <belle@bazuin.nl> wrote:
> > First, read the man smb.conf
> > there you will see DEFAULT profile acls = no
> >
> > second if you setup your rights correctly, like
> > for example how i have it.
> > /home/samba/profiles ( 777)
> > and remember to set /home/samba at least 755 ( the last 5 is needed !! )
> >
> > autocreated by user at logoff /home/samba/profiles/USERNAME (700)
> > if a profile exists in test environment, logon, set everything in windows.
> > delete the profile from the server and logoff the profile is new
> > created again with correct rights.
> >
> > when used force user = %U
> > it's always the user.
> > but don't forget !!
> > create mask = 0600
> > directory mask = 0700
> >
> > when profiles are setup this way it's just how xp sp1 and higher
> > checks its rights. with this setup you don't have to change
> > any thing in xp policies for the profiles.
> >
> > this is how i have my profiles in smb.conf
> > [profiles]
> > path = /home/samba/profiles
> > comment = Profile enviroment.
> > read only = no
> > create mask = 0600
> > directory mask = 0700
> > browseable = Yes
> > guest ok = Yes
> > csc policy = disable
> > force user = %U
> > valid users = %U @"Domain Admins"
> >
> >
> > Sorry if i didn't reply your message, i didn't see that.
> >
> > Louis
> >
> > >-----Original message-----
> > >From: Charles Marcus [mailto:CMarcus@media-brokers.com]
> > >Sent: Friday 22 August 2008 16:53
> > >To: L.P.H. van Belle
> > >CC: samba@lists.samba.org
> > >Subject: Re: [Samba] Roaming profiles
> > >
> > >On 8/22/2008, L.P.H. van Belle (belle@bazuin.nl) wrote:
> > >> yes, turn off Profile acls,
> > >
> > >This is the second time you have said this, but never answered my
> > >request for WHY would you suggest this, when the samba devs say it is
> > >REQUIRED?
> > >
> > >Please, either provide an answer/rationale for why you are telling
> > >someone to try something non-standard, or stop pulling things
> > >out of the
> > >air.
> > >
> > >--
> > >
> > >Best regards,
> > >
> > >Charles

> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/listinfo/samba
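
Added example, not part of any post in this thread: a small Python audit that reads a [profiles] stanza and reports which of the confidentiality settings described for Example 2 (owner-only masks, browseable = No) it lacks, plus guest ok. DEFAULTS holds the smb.conf defaults for parameters a stanza leaves unset; the function and constant names are illustrative.

```python
# Added example (not from the thread): audit a [profiles] stanza.
# DEFAULTS are the smb.conf defaults that apply when a parameter is unset.
DEFAULTS = {"create mask": "0744", "directory mask": "0755",
            "browseable": "yes", "guest ok": "no"}

def parse_share(text, share="profiles"):
    """Return {parameter: value} for one section of smb.conf-style text."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == share and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_profiles(text):
    """List settings that leave group/other or guest access possible."""
    p = {**DEFAULTS, **parse_share(text)}
    findings = []
    for key in ("create mask", "directory mask"):
        mask = int(p[key], 8)
        if mask & 0o077:  # a group/other permission bit survives the mask
            findings.append(f"{key} = {mask:04o} leaves group/other bits")
    for key in ("guest ok", "browseable"):
        if p[key].lower() in ("yes", "true", "1"):
            findings.append(f"{key} = yes")
    return findings

# Stanzas from the thread, abridged to the lines relevant here.
POST_12 = """[profiles]
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = Yes
"""
EXAMPLE_1 = "[profiles]\nread only = No\nprofile acls = Yes\n"
EXAMPLE_2 = """[profiles]
create mask = 0600
directory mask = 0700
browseable = No
"""

if __name__ == "__main__":
    for name, s in (("post #12", POST_12), ("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, audit_profiles(s) or "no findings")
```

A finding means the stanza relies on something other than these parameters (Unix directory permissions, valid users, profile acls) to keep profiles private, not that the share fails to work.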

