~zulcss/samba/server-dailies-3.4

<div class="figure"><a name="samba2-CHP-4-FIG-1"/><img src="figs/sam2_0401.gif"/></div><h4 class="head4">Figure 4-1. Configuring a Windows 95/98 client for domain logons</h4>

558

<a name="samba2-CHP-4-NOTE-105"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>

559

<p>If <a name="INDEX-54"/>Windows complains that you are already

560

logged into the domain, you probably have an active connection to a

561

share in the workgroup (such as a mapped network drive). Simply

562

disconnect the resource temporarily by right-clicking its icon and

563

choosing the Disconnect pop-up menu item.</p>

564

</blockquote>

565

566

<p>When Windows reboots, you should see the standard logon dialog with

567

an addition: a field for a domain. The domain name should already be

568

filled in, so simply enter your password and click the OK button. At

569

this point, Windows should consult the primary domain controller

570

(Samba) to see if the password is correct. (You can check the log

571

files if you want to see this in action.) If it worked,

572

congratulations! You have properly configured Samba to act as a

573

domain controller for Windows 95/98/Me machines, and your client is

574

successfully connected.</p>

575

576

577

</div>

578

579

580

581

582

<h3 class="head2">User-Level Security for Windows 95/98/Me</h3>

583

584

<p><a name="INDEX-55"/><a name="INDEX-56"/><a name="INDEX-57"/>Now that you have a primary domain

585

controller to authenticate users, you can implement much better

586

security for shares that reside on Windows 95/98/Me

587

systems.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> To enable this functionality, open the

588

Control Panel, double-click the Network icon, and click the Access

589

Control tab in the dialog box. The window should now look like <a href="ch04.html#samba2-CHP-4-FIG-2">Figure 4-2</a>.</p>

590

591

<div class="figure"><a name="samba2-CHP-4-FIG-2"/><img src="figs/sam2_0402.gif"/></div><h4 class="head4">Figure 4-2. Setting user-level access control</h4>

592

593

<p>Click the User-level access control radio button, and type in the

594

name of your domain in the text area. Click the OK button. If you get

595

the dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-3">Figure 4-3</a>, it means that

596

shares are already on the system.</p>

597

598

<div class="figure"><a name="samba2-CHP-4-FIG-3"/><img src="figs/sam2_0403.gif"/></div><h4 class="head4">Figure 4-3. Error dialog while changing to user-level access control</h4>

599

600

<p>In that case, you might want to cancel the operation and make a

601

record of each of the computer's shares, making it

602

easier to re-create them, and then redo this part. (To get a list of

603

shares, open an MS-DOS prompt window and run the

604

605

<tt class="literal">\\</tt><em class="replaceable">computer_name</em>

606

command.) Otherwise, you will get a message asking you to reboot to

607

put the change in configuration into effect.</p>

608

609

<p>After rebooting, you can create shares with user-level access

610

control. To do this, right-click the folder you wish to share, and

611

select Sharing.... This will bring up the Shared Properties dialog

612

box, shown in <a href="ch04.html#samba2-CHP-4-FIG-4">Figure 4-4</a>.</p>

613

614

<div class="figure"><a name="samba2-CHP-4-FIG-4"/><img src="figs/sam2_0404.gif"/></div><h4 class="head4">Figure 4-4. The Shared Properties dialog</h4>

615

616

<p>Click the Shared As: radio button, and give the share a name and

617

comment. Then click the Add... button, and you will see the Add Users

618

dialog box, shown in <a href="ch04.html#samba2-CHP-4-FIG-5">Figure 4-5</a>.</p>

619

620

<div class="figure"><a name="samba2-CHP-4-FIG-5"/><img src="figs/sam2_0405.gif"/></div><h4 class="head4">Figure 4-5. The Add Users dialog</h4>

621

622

<p>What has happened is that Windows has contacted the primary domain

623

controller (in this case, Samba) and requested a list of domain users

624

and groups. You can now select a user or group and add it to one or

625

more of the three lists on the righthand side of the window—for

626

Read Only, Full Access, or Custom Control—by clicking the

627

buttons in the middle of the window. When you are done, click the OK

628

button. If you added any users or groups to the Custom Control list,

629

you will be presented with the Change Access Rights dialog box, shown

630

in <a href="ch04.html#samba2-CHP-4-FIG-6">Figure 4-6</a>, in which you can specify the rights

631

you wish to allow. Then click the OK button to close the dialog box.</p>

632

633

<div class="figure"><a name="samba2-CHP-4-FIG-6"/><img src="figs/sam2_0406.gif"/></div><h4 class="head4">Figure 4-6. The Change Access Rights dialog</h4>

634

635

<p>You are now returned to the Shared Properties dialog box, where you

636

will see the Name: and Access Rights: columns filled in with the

637

permissions that you just created. Click the OK button to finalize

638

the process. Remember, you will have to perform these actions on any

639

folders that you had previously shared using share-level security.

640

641

642

643

</div>

644

645

646

647

648

<h3 class="head2">Windows NT 4.0</h3>

649

650

<p><a name="INDEX-60"/><a name="INDEX-61"/>To

651

configure Windows NT for domain logons, log in to the computer as

652

Administrator or another user in the Administrators group, open the

653

Control Panel, and double-click the Network icon. If it

654

isn't already selected, click on the Network

655

Identification tab.</p>

656

657

<p>Click the Change... button, and you should see the dialog box shown

658

in <a href="ch04.html#samba2-CHP-4-FIG-7">Figure 4-7</a>. In this dialog box, you can choose

659

to have the Windows NT client become a member of the domain by

660

clicking the checkbox marked Domain: in the Member of box. Then type

661

in the name of the domain to which you wish the client to log on; it

662

should be the same as the one you specified using the

663

<tt class="literal">workgroup</tt> parameter in the Samba configuration

664

file. Click the checkbox marked Create a Computer Account in the

665

Domain, and fill in "root" for the

666

text area labeled User Name:. In the Password: text area, fill in the

667

root password you gave <em class="emphasis">smbpasswd</em> for creating

668

computer accounts.</p>

669

670

<div class="figure"><a name="samba2-CHP-4-FIG-7"/><img src="figs/sam2_0407.gif"/></div><h4 class="head4">Figure 4-7. Configuring a Windows NT client for domain logons</h4>

671

<a name="samba2-CHP-4-NOTE-106"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>

672

<p>If Windows complains that you are already logged in, you probably

673

have an active connection to a share in the workgroup (such as a

674

mapped network drive). Disconnect the resource temporarily by

675

right-clicking its icon and choosing the Disconnect pop-up menu item.</p>

676

</blockquote>

677

678

<p>After you press the OK button, Windows should present you with a

679

small dialog box welcoming you to the domain. Click the Close button

680

in the Network dialog box, and reboot the computer as requested. When

681

the system comes up again, the machine will automatically present you

682

with a logon screen similar to the one for Windows 95/98/Me clients,

683

except that the domain text area has a drop-down menu so that you can

684

opt to log on to either the local system or the domain. Make sure

685

your domain is selected, and log on to the domain using any

686

Samba-enabled user account on the Samba server.</p>

687

<a name="samba2-CHP-4-NOTE-107"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>

688

<p>Be sure to select the correct domain in the Windows NT logon dialog

689

box. Once it is selected, it might take a moment for Windows NT to

690

build the list of available domains.</p>

691

</blockquote>

692

693

<p>After you enter the password, Windows NT should consult the primary

694

domain controller (Samba) to see if the password is correct. Again,

695

you can check the log files if you want to see this in action. If it

696

worked, you have successfully configured Samba to act as a domain

697

controller for Windows NT machines. <a name="INDEX-62"/><a name="INDEX-63"/></p>

698

699

700

</div>

701

702

703

704

705

<h3 class="head2">Windows 2000</h3>

706

707

<p><a name="INDEX-64"/><a name="INDEX-65"/>To

708

configure Windows 2000 for domain logons, log in to the computer as

709

Administrator or another user in the Administrators group, open the

710

Control Panel, and double-click the System icon to open the System

711

Properties dialog box. Click the Network Identification tab, and then

712

click the Properties button. You should now see the Identification

713

Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-8">Figure 4-8</a>.</p>

714

715

<div class="figure"><a name="samba2-CHP-4-FIG-8"/><img src="figs/sam2_0408.gif"/></div><h4 class="head4">Figure 4-8. The Identification Changes dialog</h4>

716

717

<p>Click the radio button labeled

718

"Domain:" and fill in the name of

719

your domain in the text-entry area. Then click the OK button. This

720

will bring up the Domain Username and Password dialog box. Enter

721

"root" for the username. For the

722

password, use the password that you gave to

723

<em class="emphasis">smbpasswd</em> for the root account.</p>

724

<a name="samba2-CHP-4-NOTE-108"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>

725

<p>If Windows complains that you are already logged in, you probably

726

have an active connection to a share in the workgroup (such as a

727

mapped network drive). Disconnect the resource temporarily by

728

right-clicking its icon and choosing the Disconnect pop-up menu item.</p>

729

</blockquote>

730

731

<p>After you press the OK button, Windows should present you with a

732

small dialog box welcoming you to the domain. When you click the OK

733

button in this dialog box, you will be told that you need to reboot

734

the computer. Click the OK button in the System Properties dialog

735

box, and reboot the computer as requested. When the system comes up

736

again, the machine will automatically present you with a Log On to

737

Windows dialog box similar to the one shown in <a href="ch04.html#samba2-CHP-4-FIG-9">Figure 4-9</a>.</p>

738

739

<div class="figure"><a name="samba2-CHP-4-FIG-9"/><img src="figs/sam2_0409.gif"/></div><h4 class="head4">Figure 4-9. The Windows 2000 logon window</h4>

740

741

<p>If you do not see the Log on to: drop-down menu, click the Options

742

<< button and it will appear. Select your domain, rather than

743

the local computer, from the menu.</p>

744

<a name="samba2-CHP-4-NOTE-109"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>

745

<p>Be sure to select the correct domain in the logon dialog box. Once it

746

is selected, it might take a moment for Windows to build the list of

747

available domains.</p>

748

</blockquote>

749

750

<p>Enter the username and password of any Samba-enabled user in the User

751

name: and Password: fields, and either press the Enter key or click

752

the OK button. If it worked, your Windows session will start up with

753

no error dialogs. <a name="INDEX-66"/><a name="INDEX-67"/></p>

754

755

756

</div>

757

758

759

760

761

<h3 class="head2">Windows XP Home</h3>

762

763

<p><a name="INDEX-68"/>You have our

764

condolences if you are trying to use the Home edition of Windows XP

765

in a domain environment! Microsoft has omitted support for Windows NT

766

domains from Windows XP Home, resulting in a product that is

767

ill-suited for use in a domain-based network.</p>

768

769

<p>On the client side, Windows XP Home users cannot log on to a Windows

770

NT domain. Although it is still possible to access domain resources,

771

a username and password must be supplied each time the user connects

772

to a resource, rather than the "single

773

signon" of a domain logon. Domain features such as

774

logon scripts and roaming profiles are not supported.</p>

775

776

<p>As a server, Windows XP Home cannot join a Windows NT domain as a

777

domain member server. It can serve files and printers, but only using

778

share-mode ("workgroup") security.

779

It can't even use user-mode security, as Windows

780

95/98/Me can.</p>

781

782

<p>Considering these limitations, we do not recommend Windows XP Home

783

for any kind of local area network computing.</p>

784

785

786

</div>

787

788

789

790

791

<h3 class="head2">Windows XP Professional</h3>

792

793

<p><a name="INDEX-69"/><a name="INDEX-70"/>To configure Windows XP

794

Professional for domain logons, log in to the computer as

795

Administrator or another user in the Administrators group, open the

796

Control Panel in Classic View, and double-click the System icon to

797

open the System Properties dialog box. Click the Computer Name tab

798

and then click the Change... button. You should now see the Computer

799

Name Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-10">Figure 4-10</a>.</p>

800

801

<div class="figure"><a name="samba2-CHP-4-FIG-10"/><img src="figs/sam2_0410.gif"/></div><h4 class="head4">Figure 4-10. The Computer Name Changes dialog</h4>

802

803

<p>Click the radio button labeled

804

"Domain:", and fill in the name of

805

your domain in the text-entry area. Then click the OK button. This

806

will bring up the Domain Username and Password dialog box. Enter

807

"root" for the username. For the

808

password, use the password that you gave to

809

<em class="emphasis">smbpasswd</em> for the root account.</p>

810

<a name="samba2-CHP-4-NOTE-110"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>

811

<p>If Windows complains that you are already logged in, you probably

812

have an active connection to a share in the workgroup (such as a

813

mapped network drive). Disconnect the resource temporarily by

814

right-clicking its icon and choosing the Disconnect pop-up menu item.</p>

815

</blockquote>

816

817

<p>After you press the OK button, Windows should present you with a

818

small dialog box welcoming you to the domain. When you click the OK

819

button in this dialog box, you will be told that you need to reboot

820

the computer to put the changes into effect. Click the OK buttons in

821

the dialog boxes to close them, and reboot the computer as requested.

822

When the system comes up again, the machine will automatically

823

present you with a Log On to Windows dialog box similar to the one

824

shown in <a href="ch04.html#samba2-CHP-4-FIG-11">Figure 4-11</a>.</p>

825

826

<div class="figure"><a name="samba2-CHP-4-FIG-11"/><img src="figs/sam2_0411.gif"/></div><h4 class="head4">Figure 4-11. The Windows XP logon window</h4>

827

828

<p>If you get a dialog box at this point that tells you the domain

829

controller cannot be found, the solution is to change a registry

830

setting as follows.</p>

831

832

<p>Open the Start Menu and click the Run... menu item. In the text area

833

in the dialog box that opens, type in

834

"regedit" and click the OK button

835

to start the Registry Editor. You will be editing the registry, so

836

follow the rest of the directions very carefully. Click the

837

"<tt class="literal">+</tt>" button next

838

to the HKEY_LOCAL_MACHINE folder, and in the contents that open up,

839

click the "<tt class="literal">+</tt>"

840

button next to the SYSTEM folder. Continue in the same manner to open

841

CurrentControlSet, then Services, then Netlogon. (You will have to

842

scroll down many times to find Netlogon in the list of services.)

843

Then click the Parameters folder, and you will see items appear in

844

the right side of the window. Double-click

845

"requiresignorseal", and a dialog

846

box will open. In the Value data: text area, change the

847

"1" to a

848

"0" (zero), and click the OK

849

button, which modifies the registry both in memory and on disk. Now

850

close the Registry Editor and log off and back on again.</p>

851

852

<p>If you do not see the Log on to: drop-down menu, click the Options

853

<< button and it will appear. Select your domain from the menu,

854

rather than the local computer.</p>

855

<a name="samba2-CHP-4-NOTE-111"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>

856

<p>Be sure to select the correct domain in the logon dialog box. Once it

857

is selected, it might take a moment for Windows to build the list of

858

available domains.</p>

859

</blockquote>

860

861

<p>Enter the username and password of any Samba-enabled user in the User

862

name: and Password: fields, and either press the Enter key or click

863

the OK button. If it worked, your Windows session will start up with

864

no error dialogs. <a name="INDEX-71"/> <a name="INDEX-72"/><a name="INDEX-73"/></p>

865

866

867

</div>

868

869

870

</div>

871

872

873

874

875

876

<h2 class="head1">Logon Scripts</h2>

877

878

<p><a name="INDEX-74"/>After a Windows client connects with a

879

domain controller (either to authenticate a user, in the case of

880

Windows 95/98/Me, or to log on to the domain, in the case of Windows

881

NT/2000/XP), the client downloads an MS-DOS batch file to run. The

882

domain controller supplies the file assuming one has been made

883

available for it. This batch file is the logon script and is useful

884

in setting up an initial environment for the user.</p>

885

886

<p>In a Unix environment, the ability to run such a script might lead to

887

a very complex initialization and deep customization. However, the

888

Windows environment is mainly oriented to the GUI, and the

889

command-line functions are more limited. Most commonly, the logon

890

script is used to run a <em class="emphasis">net</em> command, such as

891

<em class="emphasis">net use</em><a name="INDEX-75"/>, to connect a network drive letter,

892

like this:</p>

893

894

<blockquote><pre class="code">net use T: \\toltec\test</pre></blockquote>

895

896

<p>This command will make our <tt class="literal">[test]</tt> share (from

897

<a href="ch02.html">Chapter 2</a>) show up as the T: drive in My Computer.

898

This will happen automatically, and T: will be available to the user

899

at the beginning of her session, instead of requiring her to run the

900

<em class="emphasis">net use</em> command or connect the T: drive using

901

the Map Network Drive function of Windows Explorer.</p>

902

903

<p>Another useful command is:</p>

904

905

906

907

<p>which <a name="INDEX-76"/><a name="INDEX-77"/>connects the

908

user's home directory to a drive letter (which can

909

be H:, as shown here, or some other letter, as defined by

910

<tt class="literal">logon</tt> <tt class="literal">drive</tt>). For this to work,

911

you must have a <tt class="literal">[homes]</tt> share defined in your

912

913

914

<p>If you are using <a name="INDEX-78"/><a name="INDEX-79"/>roaming profiles, you should definitely

915

have:</p>

916

917

<a name="INDEX-80"/><blockquote><pre class="code">net time \\<em class="replaceable">toltec</em> /set /yes</pre></blockquote>

918

919

<p>in your logon script. (As usual, replace

920

"toltec" with the name of your

921

Samba PDC.) This will make sure the clocks of the Windows clients are

922

synchronized with the PDC, which is important for roaming profiles to

923

work correctly.</p>

924

925

926

927

928

<h3 class="head2">Creating a Logon Script</h3>

929

930

<p><a name="INDEX-81"/>In our

931

932

933

<a name="INDEX-82"/><blockquote><pre class="code">logon script = logon.bat</pre></blockquote>

934

935

<p>This defines the location and name of the logon script batch file on

936

the Samba server. The path is relative to the

937

<tt class="literal">[netlogon]</tt><a name="INDEX-83"/> share, defined later in the

938

file like this:</p>

939

940

<blockquote><pre class="code">[netlogon]

941

path = /usr/local/samba/lib/netlogon

942

writable = no

943

browsable = no</pre></blockquote>

944

945

<p>With this example, the logon script is

946

<em class="filename">/user/local/samba/lib/netlogon/logon.bat</em>. We

947

include the directives <tt class="literal">writable</tt>

948

<tt class="literal">=</tt> <tt class="literal">no</tt>, to make sure network

949

clients cannot change anything in the <tt class="literal">[netlogon]</tt>

950

share, and also <tt class="literal">browsable</tt> <tt class="literal">=</tt>

951

<tt class="literal">no</tt>, which keeps them from even seeing the share

952

when they browse the contents of the server. Nothing in

953

<tt class="literal">[netlogon]</tt> should ever be modified by

954

nonadministrative users. Also, the permissions on the directory for

955

<tt class="literal">[netlogon]</tt> should be set appropriately (no write

956

permissions for "other" users), as

957

we showed you earlier in this chapter.</p>

958

959

<p>Notice also that the extension of our logon script is

960

<em class="filename">.bat</em><a name="INDEX-84"/>. Be careful about this—an extension

961

of <em class="filename">.cmd</em><a name="INDEX-85"/> will work for Windows NT/2000/XP clients,

962

but will result in errors for Windows 95/98/Me clients, which do not

963

recognize <em class="filename">.cmd</em> as an extension for batch files.</p>

964

965

<p>Because the logon script will be executed on a Windows system, it

966

must be in MS-DOS text-file format, with the end of line composed of

967

a carriage return followed by a linefeed. The Unix convention is a

968

newline, which is simply a linefeed character, so if you use a Unix

969

text editor to create your logon script, you must somehow make it use

970

the appropriate characters. With

971

<em class="emphasis">vim</em><a name="INDEX-86"/><a name="INDEX-87"/> (a clone of the <em class="emphasis">vi</em>

972

editor that is distributed with Red Hat Linux), the method is to

973

create a new file and use the command:</p>

974

975

976

977

<p>to set the file format to MS-DOS style before typing in any text.

978

With <em class="emphasis">emacs</em><a name="INDEX-88"/>, the same can be done using the command:</p>

979

980

<blockquote><pre class="code">^X <em class="replaceable">Enter</em> f dos <em class="replaceable">Enter</em></pre></blockquote>

981

982

<p>where <tt class="literal">^X</tt> is a Control-X character and

983

<tt class="literal">Enter</tt> is a press of the Enter key. Another method

984

is to create a Unix-format file in any text editor and then convert

985

it to MS-DOS format using the

986

<em class="emphasis">unix2dos</em><a name="INDEX-89"/> program:</p>

987

988

<blockquote><pre class="code">$ <tt class="userinput"><b>unix2dos unix_file >logon.bat</b></tt></pre></blockquote>

989

990

<p>If your system does not have <em class="emphasis">unix2dos</em>,

991

don't worry. You can implement it yourself with the

992

following two-line Perl script:</p>

993

994

<blockquote><pre class="code">#!/usr/bin/perl

995

open FILE, $ARGV[0];

996

while (<FILE>) { s/$/\r/; print }</pre></blockquote>

997

998

<p>Or, you can use Notepad on a Windows system to write your script and

999

then drag the logon script over to a folder on the Samba server. In

1000

any case, you can <a name="INDEX-90"/>check the format of your script using

1001

the <em class="emphasis">od</em><a name="INDEX-91"/> command, like this:</p>

1002

1003

<blockquote><pre class="code">$ <tt class="userinput"><b>od -c logon.bat</b></tt></pre></blockquote>

1004

1005

<p>You should see output resembling this:</p>

1006

1007

<blockquote><pre class="code">0000000 n e t u s e T : \ \ t o l

1008

0000020 t e c \ t e s t \r \n

1009

0000032</pre></blockquote>

1010

1011

<p>The important detail here is that at the end of each line is a

1012

<tt class="literal">\r</tt> <tt class="literal">\n</tt>, which is a carriage

1013

return followed by a linefeed.</p>

1014

1015

<p>Our example logon script, containing a single <em class="emphasis">net

1016

use</em> command, was created and set up in a way that allows

1017

it to be run successfully on any Windows client, regardless of which

1018

Windows version is installed on the client and which user is

1019

authenticating or logging on to the domain. But what if we need to

1020

have different users, computers, or Windows versions running

1021

different logon scripts?</p>

1022

1023

<p>One method is to use variables inside the <a name="INDEX-92"/>logon script that cause commands to be

1024

conditionally executed. For details on how to do this, you can

1025

consult a reference on batch-file programming for MS-DOS and Windows

1026

NT command language. One such reference is <em class="citetitle">Windows NT

1027

System Administration</em>, published by

1028

O'Reilly.</p>

1029

1030

<p>Windows batch-command language is very limited in functionality.

1031

Fortunately, Samba also supports a means by which customization can

1032

be handled. The

1033

<em class="filename">smb.conf</em><a name="INDEX-93"/><a name="INDEX-94"/> file contains variables that can be

1034

used to insert (at runtime) the name of the server

1035

(<tt class="literal">%L</tt><a name="INDEX-95"/>), the username of the person who is

1036

accessing the server's resources

1037

(<tt class="literal">%u</tt><a name="INDEX-96"/>), or the computer name of the client

1038

system (<tt class="literal">%m</tt><a name="INDEX-97"/>). To give an example, if we set up the

1039

path to the logon script as:</p>

1040

1041

<blockquote><pre class="code">logon script = %u/logon.bat</pre></blockquote>

1042

1043

<p>we would then put a directory for each user in the

1044

<tt class="literal">[netlogon]</tt> share, with each directory named the

1045

same as the user's username, and in each directory

1046

we would put a customized <em class="filename">logon.bat</em> file. Then

1047

each user would have his own custom logon script. We will give you a

1048

better example of how to do this kind of thing in the next section,

1049

<a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a>.</p>

1050

1051

1052

<p>For more information on Samba configuration file variables, such as

1053

the <tt class="literal">%L</tt>, <tt class="literal">%u</tt>, and

1054

<tt class="literal">%m</tt> variables we just used, see <a href="ch06.html">Chapter 6</a> and <a href="appb.html">Appendix B</a>.</p>

1055

</blockquote>

1056

1057

<p>When modifying and testing your logon script, don't

1058

just log off of your Windows session and log back on to make your

1059

script run. Instead, restart (reboot) your system before logging back

1060

on. Because Windows often keeps the <tt class="literal">[netlogon]</tt>

1061

share open across logon sessions, the reboot ensures that Windows and

1062

Samba have completely released and reconnected the

1063

<tt class="literal">[netlogon]</tt> share, and the new version of the logon

1064

script is being run while logging on.</p>

1065

1066

<p>More information regarding <a name="INDEX-98"/>logon scripts can be found in the

1067

O'Reilly book, <em class="emphasis">Managing Windows NT

1068

Logons</em>. <a name="INDEX-99"/> <a name="INDEX-100"/><a name="INDEX-101"/></p>

1069

1070

1071

</div>

1072

1073

1074

</div>

1075

1076

1077

1078

1079

1080

<h2 class="head1">Roaming Profiles</h2>

1081

1082

<p><a name="INDEX-102"/>One benefit of the centralized

1083

authentication of Windows NT domains is that a user

1084

<a name="INDEX-103"/>can log on from more than just one

1085

computer. To help users feel more "at

1086

home" when logged on at a computer other than their

1087

usual one, Microsoft has added the ability for

1088

users' personal settings to

1089

"roam" from one computer to

1090

another.</p>

1091

1092

<p>All Windows versions can be configured individually for each user of

1093

the computer. Windows NT/2000/XP supports the ability to handle

1094

multiple user accounts, and Windows 95/98/Me can be configured for

1095

use by multiple users, keeping the configuration settings for each

1096

user separate. Each user can configure the

1097

computer's settings to her liking, and the system

1098

saves these settings as the user's

1099

<em class="firstterm">profile</em>, such that upon logging on to the

1100

system, the user is presented with her familiar desktop.</p>

1101

1102

<p>Some of the settings, such as folder options or the image used for

1103

the desktop background, are held in the registry. Others, including

1104

the documents and folders appearing on the desktop and the contents

1105

of the Start menu, are stored as folders and files in the filesystem.</p>

1106

1107

<p>When the profile is stored on the local system, it is called a

1108

<em class="firstterm">local profile</em><a name="INDEX-104"/>. On Windows NT, local profiles are

1109

stored in <em class="filename">C:\winnt\profiles</em>. On Windows 2000/XP,

1110

they can be found in <em class="filename">C:\Documents and Settings.

1111

</em>On Windows 95/98/Me, when configured for a single user

1112

(the default case), the local profile is scattered in places such as

1113

the registry and directories such as

1114

<em class="filename">C:\Windows\Desktop</em> and

1115

<em class="filename">C:\Windows\Start Menu</em>. When Windows 95/98/Me is

1116

configured for multiple users, the local profile of the preexisting

1117

user is moved to a folder in <em class="filename">C:\Windows\Profiles</em>

1118

that has the same name as the user, and any users that are

1119

subsequently added to the computer have their local profiles created

1120

in that directory as well. You can browse through the local profiles

1121

to see their structure—each has a <a name="INDEX-105"/><a name="INDEX-106"/><a name="INDEX-107"/><a name="INDEX-108"/><a name="INDEX-109"/>registry file

1122

(<em class="filename">USER.DAT</em><a name="INDEX-110"/><a name="INDEX-111"/> for Windows 95/98/Me and

1123

<em class="filename">NTUSER.DAT</em><a name="INDEX-112"/><a name="INDEX-113"/> for Windows NT/2000/XP) and some folders

1124

that contain shortcuts and documents.</p>

1125

1126

<p>A roaming profile is a user profile that is stored on a server and

1127

"follows" its owner around the

1128

network so that when the user logs on to the domain from another

1129

computer, his profile is downloaded from the server and his familiar

1130

desktop appears on that computer as well.</p>

1131

<a name="samba2-CHP-4-NOTE-113"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>

1132

<p><a name="INDEX-114"/>Samba can

1133

support roaming profiles, and it is a fairly simple matter to

1134

configure it for them. However, this is one feature that we recommend

1135

you <em class="emphasis">do not</em> use, at least until you are sure you

1136

understand roaming profiles well and are very confident that you can

1137

implement them with no harm incurred. If you want to (or are required

1138

to) implement roaming profiles for your Windows clients, we suggest

1139

you first set up a small domain with a Samba server and a few Windows

1140

clients exclusively for the purposes of research and testing.

1141

<em class="emphasis">Under no circumstances should you attempt to implement

1142

roaming profiles in a careless or frivolous manner</em>.</p>

1143

</blockquote>

1144

1145

1146

1147

1148

<h3 class="head2">How Roaming Profiles work</h3>

1149

1150

<p><a name="INDEX-115"/>We will start out by explaining to you

1151

how roaming profiles work when set up correctly. You will need a

1152

clear understanding of them to tell the difference between when they

1153

are working as they are designed and when they are not. In addition,

1154

roaming profiles can be a source of confusion for your users in many

1155

ways, and you should know how to detect when a problem with a client

1156

is related to roaming profile function or dysfunction.</p>

1157

1158

1159

<p><a name="INDEX-116"/>A definitive source of

1160

documentation on Windows NT roaming profiles is the Microsoft white

1161

paper <em class="citetitle">Implementing Policies and Profiles for Windows NT

1162

4.0</em><a name="INDEX-117"/>, which can be found at

1163

<a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>

1164

</blockquote>

1165

1166

<p>During the domain logon process, the roaming profile is copied from

1167

the domain controller and used as a local profile during the

1168

user's logon session. When the user logs off the

1169

domain, the local profile is copied back to the domain controller and

1170

stored as the new roaming profile. When the local profile is changed,

1171

the server does not receive an update until the user logs off the

1172

domain or shuts down or reboots the client. The client does not send

1173

an update to the server during the logon session, and a client does

1174

not receive an update of a setting changed on another client during a

1175

logon session. When the user does log off, changes in the

1176

configuration settings in the local profile are sent to the server,

1177

and the updates of the roaming profile are available for the next

1178

logon session.</p>

1179

1180

<p>This simple behavior can lead to unexpected results when users are

1181

<a name="INDEX-118"/>logged on to the domain

1182

on more than one client at a time. If a user makes a change to the

1183

configuration settings on one client and then logs off, the settings

1184

can result in the roaming profile being modified accordingly. But the

1185

next client that logs off might cause those changes to be

1186

overwritten, and if so, the settings from the first client will be

1187

lost. The behavior of different Windows versions varies with regard

1188

to this, and we've seen a wide variety of

1189

behaviors—not always in alignment with

1190

Microsoft's documentation or even working the same

1191

way on separate occasions. Sometimes Windows will refuse to overwrite

1192

a profile, perhaps giving an "access

1193

denied" error, and at other times it will seem to

1194

work while producing odd side effects. A common source of confusion

1195

is what happens if a file is added to or deleted from the desktop,

1196

which is by default configured to be part of the profile. A deleted

1197

file might later reappear, and it is even possible for a file to

1198

irrecoverably disappear without warning (on Windows 95/98). Or maybe

1199

a file that is added to the desktop on one client never gets added to

1200

the roaming profile and fails to propagate to other clients. This

1201

behavior is somewhat improved on Windows 2000/XP, which attempts to

1202

merge items into the profile that are added on concurrently logged-on

1203

clients.</p>

1204

1205

<p>One factor that comes into play is that Windows compares the

1206

<a name="INDEX-119"/>timestamps of the local and roaming

1207

profiles and can refuse to overwrite a roaming profile if it is newer

1208

than the local profile on the client, or vice versa. For this reason,

1209

it is important to keep the clocks of the Windows clients and the

1210

Samba PDC synchronized. We have already shown you how to do this,

1211

using the <em class="emphasis">net time

1212

\\</em><em class="replaceable">server</em>

1213

<em class="emphasis">/set</em> <em class="emphasis">/yes</em> command in the

1214

logon script.</p>

1215

1216

<p><a name="INDEX-120"/>Even when the server and clients are

1217

correctly configured, a number of things that can happen make things

1218

seem "broken." The most common

1219

occurrence is that some shortcuts on clients other than the one that

1220

created the roaming profile will not work. These shortcuts can exist

1221

on the desktop or as items in the Start menu. This behavior is a

1222

result of applications or files that exist on one computer but not

1223

others. Windows will display these shortcuts, but if they appear on

1224

the desktop, they will have a generic icon and will bring up an error

1225

message if a user double-clicks them.</p>

1226

1227

1228

<p>Because profiles can and usually do include the contents of the

1229

desktop and other folders, it is possible for the roaming profile to

1230

grow to a huge size due to actions of a user, such as creating new

1231

files on the desktop or copying files there. By default, Internet

1232

Explorer keeps its disk cache in the <em class="filename">Temporary Internet

1233

Files</em><a name="INDEX-121"/><a name="INDEX-122"/> folder in the profile and has been

1234

known to populate this directory with thousands of files. This can

1235

result in a huge roaming profile that causes network congestion and

1236

very large delays while users are logging on to the domain. (A fix

1237

for this can be found in article Q185255 in the Microsoft Knowledge

1238

Base.)</p>

1239

</blockquote>

1240

1241

<p>One behavior we've seen a few times is that if, for

1242

some reason (e.g., a network error or misconfiguration), the roaming

1243

profile is not available during the logon process, Windows will use

1244

the local profile on the client instead. When this happens, the user

1245

might receive an unfamiliar profile, and all the benefits of roaming

1246

profiles are lost for that logon session.</p>

1247

1248

1249

</div>

1250

1251

1252

1253

1254

<h3 class="head2">Configuring Samba for Roaming Profiles</h3>

1255

1256

<p><a name="INDEX-123"/><a name="INDEX-124"/>In an ideal world, different Windows

1257

versions would share the same roaming profile, allowing users to log

1258

on to the domain from any Windows client system, ranging from Windows

1259

95 to Windows XP, and enjoy their familiar settings. It would even be

1260

possible to be logged on concurrently from multiple clients, and a

1261

change made to the profile on any of them would quickly propagate to

1262

all the others. Settings in a roaming profile made on a client that

1263

didn't apply to another would be handled sanely.</p>

1264

1265

<p>Unfortunately, this scenario does not work in reality, and it is

1266

important to maintain separate roaming profiles to prevent different

1267

Windows versions from using or modifying a roaming profile created

1268

by, and/or in use by, another version.</p>

1269

1270

<p>We do this by using configuration file variables to point to

1271

different profile directories. If you look at <a href="appb.html#samba2-APP-B-TABLE-1">Table B-1</a> in <a href="appb.html#samba2-APP-B#samba2-APP-B">Appendix B</a>, which shows

1272

the variables that can be used, you might be tempted to use the

1273

<a name="INDEX-125"/><tt class="literal">%a</tt> variable, which

1274

is replaced by the name of the operating system the client is

1275

running. However, this does not work because all of Windows 95/98/Me

1276

will be seen as the same operating system, and likewise for Windows

1277

2000/XP. So, we use <a name="INDEX-126"/><tt class="literal">%m</tt> to get the

1278

NetBIOS name of the client, and combine that with a symbolic link to

1279

point to the directory containing the profile for the Windows version

1280

that particular client is running.</p>

1281

1282

<p>Our additions to <em class="filename">smb.conf</em> that appeared earlier

1283

in this chapter included the two lines:</p>

1284

1285

<blockquote><pre class="code">logon path = \\%L\profiles\%u\%m

1286

logon home = \\%L\%u\.win_profile\%m</pre></blockquote>

1287

1288

<p>The first line specifies where the roaming profiles for Windows

1289

NT/2000/XP clients are kept, and the second line performs the same

1290

function for Windows 95/98/Me clients. In both cases, the location is

1291

specified as a UNC, but

1292

<tt class="literal">logon</tt><a name="INDEX-127"/> <tt class="literal">path</tt> (for Windows

1293

NT/2000/XP) is specified relative to the

1294

<tt class="literal">[profiles]</tt> share, while

1295

<tt class="literal">logon</tt><a name="INDEX-128"/> <tt class="literal">home</tt> (for Windows

1296

95/98/Me) is specified relative to the user's home

1297

directory. This is done to comply with Samba's

1298

emulation of Windows NT/2000 PDC behavior.</p>

1299

1300

<p>The <tt class="literal">logon</tt> <tt class="literal">home</tt> UNC must begin

1301

by specifying the user's home directory, which in

1302

our previous example would be <tt class="literal">\\%L\%u</tt>. The

1303

variable <tt class="literal">%L</tt><a name="INDEX-129"/> expands to the NetBIOS name of the

1304

server (in this case, toltec), and

1305

<tt class="literal">%u</tt><a name="INDEX-130"/> expands to the name of the user. This

1306

must be done to allow the command:</p>

1307

1308

1309

1310

<p>to function correctly to connect the user's home

1311

directory to drive letter H: on all Windows clients. (The drive

1312

letter used for this purpose is defined by <tt class="literal">logon</tt>

1313

<tt class="literal">drive</tt>.) We add the directory

1314

<em class="filename">.win_profile</em><a name="INDEX-132"/> to the UNC to put the Windows

1315

95/98/Me roaming profile in a subdirectory of the

1316

user's home directory.</p>

1317

<a name="samba2-CHP-4-NOTE-116"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>

1318

<p>Note that in both <tt class="literal">logon path</tt> and <tt class="literal">logon

1319

home</tt>, we absolutely avoid making the profile directory the

1320

same as the user's home directory, and the directory

1321

that contains the profile is not used for any other purpose. This is

1322

because when the roaming profile is updated, all directories and

1323

files in the roaming-profile directory that are not part of the

1324

roaming profile are deleted.</p>

1325

</blockquote>

1326

1327

<p>In the <tt class="literal">logon</tt> <tt class="literal">path</tt> line in

1328

<em class="filename">smb.conf</em>, we use <tt class="literal">%u</tt> to put

1329

the profiles directory in a subdirectory in the

1330

<tt class="literal">[profiles]</tt> share, such that each user gets her own

1331

directory that holds her roaming profiles.</p>

1332

1333

<p>We define the <tt class="literal">[profiles]</tt> share like this:</p>

1334

1335

<blockquote><pre class="code">[profiles]

1336

writable = yes

1337

create mask = 0600

1338

directory mask = 0700

1339

browsable = no

1340

path = /home/samba-ntprof</pre></blockquote>

1341

1342

<p>The first four parameters in the previous share definition specify to

1343

allow roaming profiles to be written with the users'

1344

permissions, to create files with read and write permissions for the

1345

owner, and to create directories with read, write, and search

1346

permissions for the owner and no access allowed for other users. As

1347

with the <tt class="literal">[netlogon]</tt> share, we set

1348

<tt class="literal">browsable</tt> <tt class="literal">=</tt>

1349

<tt class="literal">no</tt> so that the share will not show up on the

1350

clients in Windows Explorer.</p>

1351

1352

<p>We've decided to put our Windows NT/2000/XP profiles

1353

in <em class="filename">/home</em>, the default location of the home

1354

directories on Linux. This will make it simple to include the roaming

1355

profiles in backups of the home directories. You can use another

1356

directory if you like.</p>

1357

1358

<p>Notice that in both <tt class="literal">logon</tt> <tt class="literal">path</tt>

1359

and <tt class="literal">logon</tt> <tt class="literal">home</tt>, the directory

1360

we specify ends in <tt class="literal">%m</tt>, which Samba replaces with

1361

the NetBIOS name of the client. We are using the

1362

client's computer name to identify indirectly which

1363

version of Windows it is running.</p>

1364

1365

<p>Initially, the directories you specify to hold the roaming profiles

1366

will be empty and will become populated as clients log off for the

1367

first time. (Samba will even create the directories if they do not

1368

already exist.) At first, the directories will simply contain

1369

profiles that are identical to the clients' local

1370

profiles, and we highly recommend that you make a backup at this

1371

point before things get complicated. A listing of the roaming profile

1372

directory for user <tt class="literal">iman</tt>, after she has logged off

1373

from Windows 98 clients <tt class="literal">mixtec</tt> and

1374

<tt class="literal">pueblo</tt> and Windows Me clients

1375

<tt class="literal">huastec</tt> and <tt class="literal">navajo</tt>, might look

1376

something like the following:</p>

1377

1378

<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>

1379

total 4

1380

drwx------ 6 iman iman 4096 Dec 8 18:09 huastec

1381

drwx------ 9 iman iman 4096 Dec 7 03:47 mixtec

1382

drwx------ 11 iman iman 4096 Dec 7 03:05 navajo

1383

drwx------ 11 iman iman 4096 Dec 7 03:05 pueblo</pre></blockquote>

1384

1385

<p>If things were left like this, the clients would not share their

1386

roaming profiles, so next we change from using separate directories

1387

to having symbolic links point to common directories:</p>

1388

1389

<blockquote><pre class="code"># <tt class="userinput"><b>mv mixtec Win98</b></tt>

1390

# <tt class="userinput"><b>mv navajo WinMe</b></tt>

1391

# <tt class="userinput"><b>rm huastec pueblo</b></tt>

1392

# <tt class="userinput"><b>ln -s Win98 pueblo</b></tt>

1393

# <tt class="userinput"><b>ln -s WinMe huastec</b></tt>

1394

# <tt class="userinput"><b>chown iman:iman *</b></tt>

1395

# <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>

1396

total 6

1397

lrwxrwxrwx 1 iman iman 5 Nov 16 01:40 huastec -> WinMe

1398

lrwxrwxrwx 1 iman iman 5 Nov 16 01:40 mixtec -> Win98

1399

lrwxrwxrwx 1 iman iman 5 Nov 21 17:24 navajo -> WinMe

1400

lrwxrwxrwx 1 iman iman 5 Nov 23 01:16 pueblo -> Win98

1401

drwx------ 9 iman iman 4096 Dec 7 03:47 Win98

1402

drwx------ 11 iman iman 4096 Dec 7 03:05 WinMe</pre></blockquote>

1403

1404

<p>Now when <tt class="literal">iman</tt> logs on to the domain from either

1405

Windows 98 system, the client from which she is logging on will get

1406

the profile stored in the <em class="filename">Win98</em> directory (that

1407

started out as her local profile on <tt class="literal">mixtec</tt>). This

1408

works likewise for the Windows Me clients.</p>

1409

1410

<p>To show a more complete example, here is a listing of a fully

1411

operational Windows 95/98/Me profiles directory:</p>

1412

1413

<a name="INDEX-133"/><blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/jay/.win_profile</b></tt>

1414

total 12

1415

lrwxrwxrwx 1 jay jay 9 Nov 16 22:14 aztec -> /home/jay

1416

lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 hopi -> Win95

1417

lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 huastec -> WinMe

1418

lrwxrwxrwx 1 jay jay 5 Nov 16 01:38 maya -> Win98

1419

lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 mixtec -> Win98

1420

lrwxrwxrwx 1 jay jay 5 Nov 21 17:24 navajo -> WinMe

1421

lrwxrwxrwx 1 jay jay 5 Nov 23 01:16 pueblo -> Win98

1422

lrwxrwxrwx 1 jay jay 5 Nov 22 02:06 ute -> Win95

1423

drwx------ 6 jay jay 4096 Dec 8 18:09 Win95

1424

drwx------ 9 jay jay 4096 Dec 7 03:47 Win98

1425

drwx------ 11 jay jay 4096 Dec 7 03:05 WinMe

1426

lrwxrwxrwx 1 jay jay 5 Nov 21 22:48 yaqui -> Win98

1427

lrwxrwxrwx 1 jay jay 9 Nov 16 22:14 zuni -> /home/jay</pre></blockquote>

1428

1429

<p>Again, the computer name of each client exists in this directory as a

1430

symbolic link that points to the directory containing the actual

1431

roaming profile. For example, <tt class="literal">maya</tt>, a client that

1432

runs Windows 98, has a symbolic link named <em class="filename">maya</em>

1433

to the <em class="filename">Win98</em> directory. A listing of

1434

<em class="filename">Win98</em> shows:</p>

1435

1436

1437

total 148

1438

drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 Application Data

1439

drwxr-xr-x 2 jay jay 4096 Nov 23 01:30 Cookies

1440

drwxr-xr-x 3 jay jay 4096 Dec 7 03:47 Desktop

1441

drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 History

1442

drwxr-xr-x 2 jay jay 4096 Nov 23 01:30 NetHood

1443

drwxr-xr-x 2 jay jay 4096 Dec 7 03:47 Recent

1444

drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 Start Menu

1445

-rw-r--r-- 1 jay jay 114720 Dec 7 03:46 USER.DAT</pre></blockquote>

1446

1447

<p>The contents of the <em class="filename">Win95</em> and

1448

<em class="filename">WinMe</em> directories appear similar and contain

1449

roaming profiles that work exactly as they should on their respective

1450

operating systems.</p>

1451

1452

<p>Notice in the previous listing that <em class="filename">aztec</em> and

1453

<em class="filename">zuni</em> are symbolic links to

1454

<em class="filename">/home/jay</em>. We've cautioned you

1455

never to configure a roaming profile directory to be a

1456

user's home directory, but this is to handle

1457

something different. The clients <tt class="literal">aztec</tt> and

1458

<tt class="literal">zuni</tt> are Windows XP systems, which handle

1459

<tt class="literal">logon</tt> <tt class="literal">home</tt> differently than

1460

other versions of Windows. We have set <tt class="literal">logon</tt>

1461

1462

1463

<tt class="literal">profile</tt>, and all versions of Windows except for

1464

Windows XP strip off everything after <tt class="literal">\\%L\%u</tt> and

1465

correctly locate the home directory—in this case,

1466

<em class="filename">/home/jay</em>. Windows XP uses the full UNC, so we

1467

simply add a symbolic link to redirect it to the correct directory to

1468

get the <em class="emphasis">net use H: /home</em> command to work as it

1469

should. The roaming profiles for Windows XP systems are not affected

1470

by this and are kept with the other roaming profiles in the Windows

1471

NT/2000/XP family, as shown in this listing:</p>

1472

1473

<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/samba-ntprof/jay</b></tt>

1474

total 16

1475

lrwxrwxrwx 1 jay jay 5 Nov 20 03:45 apache -> Win2K

1476

lrwxrwxrwx 1 jay jay 5 Nov 13 12:35 aztec -> WinXP

1477

lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 dine -> WinNT

1478

lrwxrwxrwx 1 jay jay 5 Nov 24 03:44 inca -> Win2K

1479

lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 pima -> Win2K

1480

drwx------ 13 jay jay 4096 Dec 3 15:24 qero

1481

drwx------ 13 jay jay 4096 Dec 1 20:31 Win2K

1482

drwx------ 12 jay jay 4096 Nov 30 17:04 WinNT

1483

drwx------ 13 jay jay 4096 Nov 20 01:23 WinXP

1484

lrwxrwxrwx 1 jay jay 5 Nov 20 06:09 yavapai -> WinXP

1485

lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 zapotec -> Win2K

1486

lrwxrwxrwx 1 jay jay 5 Nov 13 12:35 zuni -> WinXP</pre></blockquote>

1487

1488

<p>As you can see, we are using a similar method for the Windows

1489

NT/2000/XP roaming profiles. In the listing,

1490

<em class="filename">qero</em> is not a symbolic link, but rather a

1491

directory that holds the roaming profile for <tt class="literal">qero</tt>,

1492

a Windows 2000 client that has recently been added. We had not

1493

created a symbolic link called <em class="filename">qero</em> before

1494

installing Windows 2000, so when jay logged off for the first time,

1495

Samba created a directory named <em class="filename">qero</em> and copied

1496

the roaming profile received from the client to the new directory.

1497

Because this is a separate directory from <em class="filename">Win2K</em>,

1498

which all other Windows 2000 clients are using to share their roaming

1499

profiles, the roaming profile for <tt class="literal">qero</tt> works like

1500

a local profile, except that it is stored on the primary domain

1501

controller.</p>

1502

1503

<p>This might seem like an odd thing to do, but it has some purpose.

1504

Sometimes you might wish to isolate a client in this manner,

1505

especially while the operating system is being installed and

1506

initially configured. Remember, if that client, with its default

1507

local profile, is logged off the domain, the local profile will be

1508

written to the roaming profile directory. If the client were using

1509

the shared roaming profile directory, the effect could be

1510

undesirable, to say the least. Using our method, the

1511

<em class="filename">qero</em> directory can later be renamed to make it

1512

into an archival backup, or it can just be deleted. Then a new

1513

symlink named <em class="filename">qero</em> can be created to point to

1514

the <em class="filename">Win2K</em> directory, and <tt class="literal">qero</tt>

1515

will share the roaming profile in <em class="filename">Win2K</em> with the

1516

other Windows 2000 clients.</p>

1517

1518

<p>An alternative method is simply to create the

1519

<a name="INDEX-134"/>symbolic

1520

links before the clients are added to the network. After you become

1521

more comfortable with the way roaming profiles work, you might find

1522

this method to be simpler and quicker.</p>

1523

1524

<p>Again, we urge you to be careful about letting different versions of

1525

Windows share the same roaming profile. The method of configuring

1526

roaming profiles we've shown you here allows you to

1527

test a configuration for a few clients at a time without affecting

1528

your whole network of clients. For example, we could install a small

1529

number of Windows 2000 and Windows XP systems in the domain for

1530

testing purposes and then create symlinks for them that point to a

1531

directory called <em class="filename">Win2KXP</em> to find out if sharing

1532

roaming profiles between our Windows 2000 and Windows XP systems

1533

meets our expectations. The <em class="filename">Win2KXP</em> directory

1534

could be created as an empty directory, in which case it would have a

1535

roaming profile written to it by the first of the clients to log off.

1536

Or, <em class="filename">Win2KXP</em> could simply be a renamed roaming

1537

profile directory that was created by one of the clients when it was

1538

added to the domain. <a name="INDEX-135"/><a name="INDEX-136"/></p>

1539

1540

1541

</div>

1542

1543

1544

1545

1546

<h3 class="head2">Configuring Windows 95/98/Me for Roaming Profiles</h3>

1547

1548

<p><a name="INDEX-137"/><a name="INDEX-138"/>For roaming profiles to work on

1549

Windows 95/98/Me clients, all you need to do is change one setting to

1550

allow each user to have a separate local profile. This has the side

1551

effect of enabling roaming profiles as well.</p>

1552

1553

<p>Open the Control Panel and double-click the Passwords icon to open

1554

the Passwords Properties dialog box. Click the User Profiles tab, and

1555

the dialog box will appear as shown in <a href="ch04.html#samba2-CHP-4-FIG-12">Figure 4-12</a>.</p>

1556

1557

<div class="figure"><a name="samba2-CHP-4-FIG-12"/><img src="figs/sam2_0412.gif"/></div><h4 class="head4">Figure 4-12. The Windows 98 Passwords Properties dialog</h4>

1558

1559

<p>Click the button labeled "Users can customize their

1560

preferences and desktop settings." In the User

1561

profile settings box, you can check the options you prefer. When

1562

done, click the OK button and reboot as requested. During this first

1563

reboot, Windows will copy the local profile data to

1564

<em class="filename">C:\windows\profiles</em> but will not attempt to copy

1565

the roaming profile from the server. The next time the system is shut

1566

down, the local profile will be copied to the server, and when

1567

Windows reboots, it will copy the roaming profile from the server.</p>

1568

1569

1570

</div>

1571

1572

1573

1574

1575

<h3 class="head2">Configuring Windows NT/2000/XP for Roaming Profiles</h3>

1576

1577

<p><a name="INDEX-139"/><a name="INDEX-140"/><a name="INDEX-141"/><a name="INDEX-142"/>Roaming profiles are enabled by

1578

default on Windows NT/2000/XP. In case you would like to check or

1579

modify your settings, follow these directions.</p>

1580

1581

<p>Make sure you are logged in to the local system as Administrator or

1582

another user in the Administrators group. Open the Control Panel and

1583

double-click the System icon. On Windows NT/2000, click the User

1584

Profiles tab, or on Windows XP, click the Advanced tab and then the

1585

Settings button in the User Profiles box. You should see the dialog

1586

box in <a href="ch04.html#samba2-CHP-4-FIG-13">Figure 4-13</a>.</p>

1587

1588

<div class="figure"><a name="samba2-CHP-4-FIG-13"/><img src="figs/sam2_0413.gif"/></div><h4 class="head4">Figure 4-13. The Windows 2000 System Properties, User Profiles tab</h4>

1589

1590

<p>Notice in the figure that there are two entries for the username

1591

<tt class="literal">jay</tt>. The entry ZAPOTEC\jay refers to the account

1592

on the local system, and METRAN\jay refers to the domain account.

1593

Recall that when a user logs on, a drop-down menu in the dialog box

1594

allows him to log on to a domain or log in to the local system. When

1595

<tt class="literal">jay</tt> logs in to the local machine, only the local

1596

profile is used. When logged on to the domain, the configuration

1597

shown will use the roaming profile. To switch a

1598

user's profile type for a domain logon account,

1599

click the account name to select it, then click the Change Type...

1600

button near the bottom of the dialog box. The Change Profile Type

1601

dialog box will appear. Click the radio button for either roaming or

1602

local profile, and then click the OK buttons for each dialog box.</p>

1603

1604

1605

</div>

1606

1607

1608

1609

1610

<h3 class="head2">Mandatory Profiles</h3>

1611

1612

<p><a name="INDEX-143"/>With a simple

1613

modification, a <a name="INDEX-144"/>roaming profile can be made into a

1614

<a name="INDEX-145"/>mandatory

1615

profile, which has the quality of being unmodifiable by its owner.

1616

Mandatory profiles are used in some computing environments to

1617

simplify administration. The theory is that if users cannot modify

1618

their profiles, less can go wrong, and it is also possible to use the

1619

same standardized profile for all users.</p>

1620

1621

<p>In practice, some issues come up. Because the users can still modify

1622

the configuration settings in their local profile during their logon

1623

session, confusion can result the next time they log on to the domain

1624

and discover their changes have been

1625

"lost." If the user of a client

1626

reinstalls an application in a different place, the shortcuts to the

1627

program on the desktop, in the Start menu, or in a Quick Launch bar

1628

cannot be permanently deleted. They will reappear every time the user

1629

logs back on to the domain. Essentially, a mandatory profile is a

1630

roaming profile that always fails to update to the server upon

1631

logging off!</p>

1632

1633

<p>Another complication is that different versions of Windows behave

1634

differently with mandatory profiles. If a user who has a mandatory

1635

profile creates a new file on her desktop, the file might be missing

1636

the next time the user logs off and on again or reboots. Some Windows

1637

versions preserve desktop files in the local profile (even if the

1638

file does not exist in the mandatory profile), whereas others do not.</p>

1639

1640

<p>To change a <a name="INDEX-146"/><a name="INDEX-147"/>roaming profile to a mandatory

1641

profile, all you have to do is rename the

1642

<em class="filename">.dat</em><a name="INDEX-148"/><a name="INDEX-149"/> file in the roaming profile directory

1643

on the server to have a <em class="filename">.man</em> extension instead.

1644

For a Windows 95/98/Me roaming profile, you would rename

1645

<em class="filename">USER.DAT</em> to <em class="filename">USER.MAN</em>, and

1646

for a Windows NT/2000/XP roaming profile, you would rename

1647

<em class="filename">NTUSER.DAT</em> to <em class="filename">NTUSER.MAN</em>.

1648

Also, you might want to make the roaming-profile directory and its

1649

contents read-only, to make sure that a user can't

1650

change it by logging into his Unix user account on the Samba host

1651

system.</p>

1652

1653

<p>If you want to have all your users share a mandatory profile, you can

1654

change the definitions of <tt class="literal">logon</tt>

1655

<tt class="literal">path</tt> and <tt class="literal">logon</tt>

1656

<tt class="literal">home</tt> in your <em class="filename">smb.conf</em> file to

1657

point to a shared mandatory profile on the server and adjust your

1658

directory structure and symbolic links accordingly. For example,

1659

<tt class="literal">logon</tt> <tt class="literal">path</tt> and

1660

<tt class="literal">logon</tt> <tt class="literal">home</tt> might be defined

1661

like this:</p>

1662

1663

<blockquote><pre class="code">logon path = \\%L\profiles\%m

1664

logon home = \\%L\%u\.win_profile\%m</pre></blockquote>

1665

1666

<p>Notice that we've removed the <tt class="literal">%u</tt>

1667

part of the path for <tt class="literal">logon</tt>

1668

<tt class="literal">path</tt>, and we would also change the directory

1669

structure on the server to do away with the separation of the

1670

profiles by username and have just one profile for each Windows

1671

NT/2000/XP version.</p>

1672

1673

<p>We cannot use the same treatment for <tt class="literal">logon</tt>

1674

<tt class="literal">home</tt> because it is also used to specify the home

1675

directory. In this case, we would change the symbolic links in each

1676

user's <em class="filename">.win_profile</em> directory

1677

to point to a common mandatory profile directory containing the

1678

mandatory profiles for each of Windows 95/98/Me. Again, check the

1679

ownership and permissions on the files in the directory, and modify

1680

them if necessary to make sure a user can't modify

1681

any files by logging into her Unix account on the Samba host system.</p>

1682

1683

1684

</div>

1685

1686

1687

1688

1689

<h3 class="head2">Logon Script and Roaming-Profile Options</h3>

1690

1691

<p><a href="ch04.html#samba2-CHP-4-TABLE-1">Table 4-1</a> summarizes the options commonly used in

1692

association with Windows NT domain <a name="INDEX-150"/><a name="INDEX-151"/>logon

1693

scripts and roaming profiles.</p>

1694

1695

<a name="samba2-CHP-4-TABLE-1"/><h4 class="head4">Table 4-1. Logon-script options</h4><table border="1">

1696

1697

1698

1699

1700

1701

1702

<tr>

1703

<th>

1704

<p>Option</p>

1705

</th>

1706

<th>

1707

<p>Parameters</p>

1708

</th>

1709

<th>

1710

<p>Function</p>

1711

</th>

1712

<th>

1713

<p>Default</p>

1714

</th>

1715

<th>

1716

<p>Scope</p>

1717

</th>

1718

</tr>

1719

1720

1721

<tr>

1722

<td>

1723

<p><tt class="literal">logon</tt> <tt class="literal">script</tt></p>

1724

</td>

1725

<td>

1726

<p>string (MS-DOS path)</p>

1727

</td>

1728

<td>

1729

<p>Name of logon script batch file</p>

1730

</td>

1731

<td>

1732

1733

</td>

1734

<td>

1735

<p>Global</p>

1736

</td>

1737

</tr>

1738

<tr>

1739

<td>

1740

<p><tt class="literal">logon</tt> <tt class="literal">path</tt></p>

1741

</td>

1742

<td>

1743

<p>string (UNC server and share name)</p>

1744

</td>

1745

<td>

1746

<p>Location of roaming profile</p>

1747

</td>

1748

<td>

1749

<p><tt class="literal">\\%N\%U\profile</tt></p>

1750

</td>

1751

<td>

1752

<p>Global</p>

1753

</td>

1754

</tr>

1755

<tr>

1756

<td>

1757

<p><tt class="literal">logon</tt> <tt class="literal">drive</tt></p>

1758

</td>

1759

<td>

1760

<p>string (drive letter)</p>

1761

</td>

1762

<td>

1763

<p>Specifies the logon drive for a home directory</p>

1764

</td>

1765

<td>

1766

1767

</td>

1768

<td>

1769

<p>Global</p>

1770

</td>

1771

</tr>

1772

<tr>

1773

<td>

1774

<p><tt class="literal">logon</tt> <tt class="literal">home</tt></p>

1775

</td>

1776

<td>

1777

<p>string (UNC server and share name)</p>

1778

</td>

1779

<td>

1780

<p>Specifies a location for home directories for clients logging on to

1781

the domain</p>

1782

</td>

1783

<td>

1784

1785

</td>

1786

<td>

1787

<p>Global</p>

1788

</td>

1789

</tr>

1790

1791

</table>

1792

1793

1794

1795

1796

<a name="INDEX-152"/><h3 class="head3">logon script</h3>

1797

1798

<p>This option specifies a Windows batch file that will be executed on

1799

the client after a user has logged on to the domain. Each logon

1800

script should be stored in the root directory of the

1801

<tt class="literal">[netlogon]</tt> share or a subdirectory. This option

1802

frequently uses the <tt class="literal">%U</tt> or <tt class="literal">%m</tt>

1803

variables (user or NetBIOS name) to point to an individual script.

1804

For example:</p>

1805

1806

<blockquote><pre class="code">[global]

1807

logon script = %U.bat</pre></blockquote>

1808

1809

<p>will execute a script based on the username. If the user who is

1810

connecting is <tt class="literal">fred</tt> and the path of the

1811

<tt class="literal">[netlogon]</tt> share maps to the directory

1812

<em class="filename">/export/samba/netlogon</em>, the script should be

1813

<em class="filename">/export/samba/netlogon/fred.bat</em>. Because these

1814

scripts are downloaded to the client and executed on the Windows

1815

side, they must have MS-DOS-style newline characters rather than Unix

1816

newlines.</p>

1817

1818

1819

</div>

1820

1821

1822

1823

1824

1825

<a name="INDEX-153"/><h3 class="head3">logon path</h3>

1826

1827

<p>This option specifies the location where roaming profiles are kept.

1828

When the user logs on, a roaming profile will be downloaded from the

1829

server to the client and used as the local profile during the logon

1830

session. When the user logs off, the contents of the local profile

1831

will be uploaded back to the server until the next time the user

1832

connects.</p>

1833

1834

<p>It is often more secure to create a separate share exclusively for

1835

storing user profiles:</p>

1836

1837

<blockquote><pre class="code">[global]

1838

logon path = \\hydra\profile\%U</pre></blockquote>

1839

1840

<p>For more information on this option, see <a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a> earlier in this chapter.</p>

1841

1842

1843

</div>

1844

1845

1846

1847

1848

1849

<a name="INDEX-154"/><h3 class="head3">logon drive</h3>

1850

1851

<p>This option specifies the drive letter on a Windows NT/2000/XP client

1852

to which the home directory specified with the

1853

<tt class="literal">logon</tt> <tt class="literal">home</tt> option will be

1854

mapped. Note that this option will work with Windows NT/2000/XP

1855

clients only. For example:</p>

1856

1857

<blockquote><pre class="code">[global]

1858

logon drive = I:</pre></blockquote>

1859

1860

<p>You should always use drive letters that will not conflict with fixed

1861

drives on the client machine. The default is Z:, which is a good

1862

choice because it is as far away from A:, C:, and D: as possible.</p>

1863

1864

1865

</div>

1866

1867

1868

1869

1870

1871

<a name="INDEX-155"/><h3 class="head3">logon home</h3>

1872

1873

<p>This option specifies the location of a user's home

1874

directory for use by the MS-DOS <em class="emphasis">net</em> commands.

1875

For example, to specify a home directory as a share on a Samba

1876

server, use the following:</p>

1877

1878

<blockquote><pre class="code">[global]

1879

logon home = \\hydra\%U</pre></blockquote>

1880

1881

<p>Note that this works nicely with the <tt class="literal">[homes]</tt>

1882

service, although you can specify any directory you wish. Home

1883

directories can be mapped with a logon script using the following

1884

command:</p>

1885

1886

1887

1888

1889

</div>

1890

1891

1892

</div>

1893

1894

1895

</div>

1896

1897

1898

1899

1900

1901

<h2 class="head1">System Policies</h2>

1902

1903

<p>A <a name="INDEX-157"/>system policy can be used in a Windows

1904

NT domain as a remote administration tool for implementing a similar

1905

computing environment on all clients and limiting the abilities of

1906

users to change configuration settings on their systems or allowing

1907

them to run only a limited set of programs. One application of system

1908

policies is to use them along with mandatory profiles to implement a

1909

collection of computers for public use, such as in a library, school,

1910

or Internet cafe.</p>

1911

1912

<p>A system policy is a collection of registry settings that is stored

1913

in a file on the PDC and is automatically downloaded to the clients

1914

when users log on to the domain. The file containing the settings is

1915

created on a Windows system using the <a name="INDEX-158"/>System Policy Editor. Because the format

1916

of the registry is different between Windows 95/98/Me and Windows

1917

NT/2000/XP, it is necessary to make sure that the file that is

1918

created is in the proper format. This is a very simple matter because

1919

when the System Policy Editor runs on Windows 95/98/Me, it will

1920

create a file in the format for Windows 95/98/Me, and if it is run on

1921

Windows NT/2000/XP, it will use the format needed by those versions.

1922

After the policy file is created with the System Policy Editor, it is

1923

stored on the primary domain controller and is automatically

1924

downloaded by the clients during the logon process, and the policies

1925

are applied to the client system.</p>

1926

1927

<p>On Windows NT 4.0 Server, you can run the System Policy Editor by

1928

logging in to the system as Administrator or another user in the

1929

Administrators group, opening the Start menu, and selecting Programs,

1930

then Administrative Tools, then System Policy Editor. On Windows 2000

1931

Advanced Server, open the Start menu and click Run . . . . In the

1932

dialog box that comes up, type in

1933

<tt class="literal">C:\winnt\poledit.exe</tt>, and click the OK button.</p>

1934

1935

<p>If you are using a Windows version other than NT Server or Windows

1936

2000 Advanced Server, you must install the System Policy Editor, and

1937

getting a copy of it can be a little tricky. If you are running

1938

Windows NT 4.0 Workstation or Windows 2000 Professional and have a

1939

Windows NT 4.0 Server installation CD-ROM, you can run the file

1940

<em class="filename">\Clients\Svrtools\Winnt\Setup.bat</em> from that CD

1941

to install the Client-based Network Administration Tools, which

1942

includes <em class="emphasis">poledit.exe</em>. Then open the Start menu,

1943

click Run..., type <tt class="literal">C:\winnt\system32\poledit.exe</tt>

1944

into the text area, and click the OK button.</p>

1945

1946

<p>If you are using Windows 95/98, insert a Windows 95 or Windows 98

1947

distribution CD-ROM<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> into your CD-ROM drive,

1948

then open the Control Panel and double-click the Add/Remove Programs

1949

button.</p>

1950

1951

<p>Click the Windows Setup tab, and then click the Have Disk...

1952

button. In the new dialog box that appears, click the Browse...

1953

button, then select the CD-ROM drive from the Drives drop-down menu.

1954

Then:</p>

1955

1956

1957

<p>If you are using a Windows 95 installation CD-ROM, double-click the

1958

admin, then apptools, then poledit folder icons.</p>

1959

</li><li>

1960

<p>If you are using a Windows 98 installation CD-ROM, double-click the

1961

tools, then reskit, then netadmin, then poledit folder icons.</p>

1962

</li></ul>

1963

<p>You should see "<a name="INDEX-159"/>grouppol.inf" appear in

1964

the File name: text area on the left of the dialog box. Click the OK

1965

buttons in two dialog boxes, and you will be presented with a dialog

1966

box in which you should select both the Group Policies and System

1967

Policy Editor checkboxes. Then click the Install button. Close the

1968

remaining dialog box, and you can now run the System Policy Editor by

1969

opening the Start menu and selecting Programs, then Accessories, then

1970

System Tools, then System Policy Editor. Or click the Run... item in

1971

the Start Menu, and enter <tt class="literal">C:\Windows\Poledit</tt>.</p>

1972

1973

<p>When the System Policy Editor starts up, select New Policy from the

1974

File menu, and you will see a window similar to that in <a href="ch04.html#samba2-CHP-4-FIG-14">Figure 4-14</a>.</p>

1975

1976

<div class="figure"><a name="samba2-CHP-4-FIG-14"/><img src="figs/sam2_0414.gif"/></div><h4 class="head4">Figure 4-14. The System Policy Editor window</h4>

1977

1978

<p>The next step is to make a selection from the File menu to add

1979

policies for users, groups, and computers. For each item you add, you

1980

will be asked for the username, or name of the group or computer, and

1981

a new icon will appear in the window. Double-clicking one of the

1982

icons will bring up the Properties dialog box, such as the one shown

1983

in <a href="ch04.html#samba2-CHP-4-FIG-15">Figure 4-15</a>.</p>

1984

1985

<div class="figure"><a name="samba2-CHP-4-FIG-15"/><img src="figs/sam2_0415.gif"/></div><h4 class="head4">Figure 4-15. The Properties dialog of System Policy Editor</h4>

1986

1987

<p>The upper window in the dialog shows the registry settings that can

1988

be modified as part of the system policy, and the lower window shows

1989

descriptive information or more settings pertaining to the one

1990

selected in the upper window. Notice in the figure that there are

1991

three checkboxes and that they are all in different states:</p>

1992

1993

<dl>

1994

<dt><b>Checked</b></dt>

1995

<dd>

1996

<p>Meaning that the registry setting is enabled in the policy</p>

1997

</dd>

1998

1999

2000

2001

<dt><b>White (unchecked)</b></dt>

2002

<dd>

2003

<p>Which clears the registry setting</p>

2004

</dd>

2005

2006

2007

2008

2009

<dd>

2010

<p>Which causes the registry setting on the client to be unmodified</p>

2011

</dd>

2012

2013

</dl>

2014

2015

<p>Basically, if all the items are left gray (the default), the system

2016

policy will have no effect. The registry of the logged-on client will

2017

not be modified. However, if any of the items are either checked or

2018

unchecked (white), the registry on the client will be modified to

2019

enable the setting or clear it.</p>

2020

<a name="samba2-CHP-4-NOTE-117"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>

2021

<p>In this section, we are giving you enough information on using the

2022

System Policy Editor to get you started—or, should we say,

2023

enough rope with which to hang yourself. Remember that a system

2024

policy, once put into action, will be modifying the registries of all

2025

clients who log on to the domain. The usual warnings about editing a

2026

Windows registry apply here with even greater importance. Consider

2027

how difficult (or even impossible) it will be for you to restore the

2028

registries on all those clients if anything happens to go wrong.

2029

<em class="emphasis">As with roaming profiles, casual or careless implementation

2030

of system policies can easily lead to domain-wide

2031

disaster</em>.</p>

2032

2033

<p>Creating a good system policy file is a complex topic, which we

2034

cannot cover in detail here. It would take a whole book, and yes,

2035

there happens to be an O'Reilly book on the subject,

2036

<em class="citetitle">Windows System Policy Editor</em>. Another

2037

definitive source of documentation on Windows NT system policies and

2038

the System Policy Editor is the Microsoft white paper

2039

<em class="citetitle">Implementing Policies and Profiles for Windows NT

2040

4.0</em>, which can be found at <a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>

2041

</blockquote>

2042

2043

<p>Once you have created a policy, click the OK button and use the Save

2044

As... item from the File menu to save it. Use the filename

2045

<em class="filename">config.pol</em><a name="INDEX-160"/> for a Windows 95/98 system policy and

2046

<em class="filename">ntconfig.pol</em><a name="INDEX-161"/> for a policy that will be used on Windows

2047

NT/2000/XP clients. Finally, copy the <em class="filename">.pol</em> file

2048

to the directory used for the <tt class="literal">[netlogon]</tt> share on

2049

the Samba PDC. The <em class="filename">config.pol</em> and

2050

<em class="filename">ntconfig.pol</em> files must go in this

2051

directory—unlike roaming profiles and logon scripts, there is

2052

no way to specify the location of the system policy files in

2053

<em class="filename">smb.conf</em>. If you want to have different system

2054

policies for different users or computers, you must perform that part

2055

of the configuration within the System Policy Editor.</p>

2056

2057

2058

<p>If you have, or will have, any <a name="INDEX-162"/><a name="INDEX-163"/>Windows Me clients on your network,

2059

be careful. Microsoft has stated that Windows Me does not support

2060

system policies. The odd thing about this is that it will download

2061

the policy from a <em class="filename">config.pol</em> file on the PDC,

2062

but there is no guarantee that the results will be what was intended.

2063

Check the effect of your system policy carefully on your Windows Me

2064

clients to make sure it is working how you want.</p>

2065

</blockquote>

2066

2067

<p>When a user logs on to the domain, her Windows client will download

2068

the <em class="filename">.pol</em> file from the server, and the settings

2069

in it (that is, the items either checked or cleared in the System

2070

Policy Editor) will override the client's settings.</p>

2071

2072

<p>If things "should work" but

2073

don't, try shutting down the Windows client and

2074

restarting, rather than just logging off and on again. Windows

2075

sometimes will hold the <tt class="literal">[netlogon]</tt> share open

2076

across logon sessions, and this can prevent the client from getting

2077

the updated <em class="filename">.pol</em> file from the server.

2078

2079

2080

2081

2082

</div>

2083

2084

2085

2086

2087

2088

<h2 class="head1">Samba as a Domain Member Server</h2>

2089

2090

<p><a name="INDEX-166"/>Up to now,

2091

we've focused on configuring and using Samba as the

2092

primary domain controller. If you already have a domain controller on

2093

your network, either a Windows NT/2000 Server system or a Samba PDC,

2094

you can add a Samba server to the domain as a domain member server.

2095

This involves setting up the Samba server to have a computer account

2096

with the primary domain controller, in a similar way that Windows

2097

NT/2000/XP clients can have computer accounts on a Samba PDC. When a

2098

client accesses shares on the Samba domain member server, Samba will

2099

pass off the authentication to the domain controller rather than

2100

performing the task on the local system. If the PDC is a Windows

2101

server, any number of Windows BDCs might exist that can handle the

2102

authentication instead of the PDC.</p>

2103

2104

<p>The first step is to add the Samba server to the domain by creating a

2105

computer account for it on the primary domain controller. You can do

2106

this using the <em class="emphasis">smbpasswd</em> command, as follows:</p>

2107

2108

<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j <em class="replaceable">DOMAIN</em> -r <em class="replaceable">PDCNAME</em> -U<em class="replaceable">admin_acct</em>%<em class="replaceable">password</em></b></tt></pre></blockquote>

2109

2110

<p>In this command, <em class="replaceable">DOMAIN</em> is replaced by the

2111

name of the domain the Samba host is joining,

2112

<em class="replaceable">PDCNAME</em> is replaced by the computer name

2113

of the primary domain controller,

2114

<em class="replaceable">admin_acct</em> is replaced by the username of

2115

an administrative account on the domain controller (either

2116

Administrator—or another user in the Administrators

2117

group—on Windows NT/2000, and root on Samba), and

2118

<em class="replaceable">password</em> is replaced with the password of

2119

that user. To give a more concrete example, on our domain that has a

2120

Windows NT 4 Server primary domain controller or a Windows 2000

2121

Active Directory domain controller named <tt class="literal">SINAGUA</tt>,

2122

the command would be:</p>

2123

2124

<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r SINAGUA -UAdministrator%hup8ter</b></tt></pre></blockquote>

2125

2126

<p>and if the PDC is a Samba system, we would use the command:</p>

2127

2128

<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r toltec -Uroot%jwun83jb</b></tt></pre></blockquote>

2129

2130

<p>where <tt class="literal">jwun83jb</tt> is the password for the root user

2131

that is contained in the<em class="filename"> smbpasswd</em> file, as we

2132

explained earlier in this chapter.</p>

2133

2134

<p>If you did it right, <em class="emphasis">smbpasswd</em> will respond with

2135

a message saying the domain has been joined. The security

2136

identifier<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a> returned to Samba from the PDC is kept in

2137

the file <em class="filename">/usr/local/samba/private/secrets.tdb</em>.

2138

The information in

2139

<em class="filename">secrets.tdb</em><a name="INDEX-167"/> is security-sensitive, so make sure to

2140

protect <em class="filename">secrets.tdb</em> in the same way you would

2141

treat Samba's password file.</p>

2142

2143

<p>The next step is to modify the

2144

<em class="filename">smb.conf</em><a name="INDEX-168"/> file. Assuming you are starting with a

2145

valid <em class="filename">smb.conf</em> file that correctly configures

2146

Samba to function in a workgroup, such as the one we used in <a href="ch02.html">Chapter 2</a>, it is simply a matter of adding the following

2147

three lines to the <tt class="literal">[global]</tt> section:</p>

2148

2149

<blockquote><pre class="code">workgroup = METRAN

2150

security = domain

2151

password server = *</pre></blockquote>

2152

2153

<p>The first line establishes the name of the domain (even though it

2154

says "workgroup"). Instead of

2155

METRAN, use the name of the domain you are joining. Setting security

2156

to "domain" causes Samba to hand

2157

off authentication to a domain controller, and the

2158

<tt class="literal">password</tt> <tt class="literal">server</tt>

2159

<tt class="literal">=</tt> <tt class="literal">*</tt> line tells Samba to find

2160

the domain controller for authentication (which could be the primary

2161

domain controller or a backup domain controller) by querying the WINS

2162

server or using broadcast packets if a WINS server is not available.</p>

2163

2164

<p>At this point, it would be prudent to run

2165

<em class="emphasis">testparm</em> to check that your

2166

<em class="filename">smb.conf</em> is free of errors. Then restart the

2167

Samba daemons.</p>

2168

2169

<p>If the PDC is a Windows NT system, you can use Server Manager to

2170

check that the Samba server has been added successfully. Open the

2171

Start menu, then select Programs, then Administrative Tools (Common),

2172

and then Server Manager. Server Manager starts up with a window that

2173

looks like <a href="ch04.html#samba2-CHP-4-FIG-16">Figure 4-16</a>.</p>

2174

2175

<div class="figure"><a name="samba2-CHP-4-FIG-16"/><img src="figs/sam2_0416.gif"/></div><h4 class="head4">Figure 4-16. The Windows NT Server Manager window</h4>

2176

2177

<p>As you can see, we've added both

2178

<tt class="literal">toltec</tt> and <tt class="literal">mixtec</tt> to a domain

2179

for which the Windows NT 4.0 Server system,

2180

<tt class="literal">sinagua</tt>, is the primary domain controller.</p>

2181

2182

<p>You can check your setup on Windows 2000 Advanced Server by opening

2183

the Start menu and selecting Programs, then Administrative Tools,

2184

then Active Directory Users and Computers. The window that opens up

2185

will look like <a href="ch04.html#samba2-CHP-4-FIG-17">Figure 4-17</a>.</p>

2186

2187

<div class="figure"><a name="samba2-CHP-4-FIG-17"/><img src="figs/sam2_0417.gif"/></div><h4 class="head4">Figure 4-17. The Windows 2000 Active Directory Users and Computers window</h4>

2188

2189

<p>Click Computers in the left side of the window with the Tree tab. You

2190

should see your Samba system listed in the right pane of the window.

2191

2192

2193

2194

</div>

2195

2196

2197

2198

2199

2200

<h2 class="head1">Windows NT Domain Options</h2>

2201

2202

<p><a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a> shows the options that are commonly used

2203

in association with Samba on a Windows NT domain.</p>

2204

2205

<a name="samba2-CHP-4-TABLE-2"/><h4 class="head4">Table 4-2. Windows NT domain options</h4><table border="1">

2206

2207

2208

2209

2210

2211

2212

<tr>

2213

<th>

2214

<p>Option</p>

2215

</th>

2216

<th>

2217

<p>Parameters</p>

2218

</th>

2219

<th>

2220

<p>Function</p>

2221

</th>

2222

<th>

2223

<p>Default</p>

2224

</th>

2225

<th>

2226

<p>Scope</p>

2227

</th>

2228

</tr>

2229

2230

2231

<tr>

2232

<td>

2233

<p><tt class="literal">domain logons</tt></p>

2234

</td>

2235

<td>

2236

<p>boolean</p>

2237

</td>

2238

<td>

2239

<p>Indicates whether Windows domain logons are to be used</p>

2240

</td>

2241

<td>

2242

2243

</td>

2244

<td>

2245

<p>Global</p>

2246

</td>

2247

</tr>

2248

<tr>

2249

<td>

2250

<p><tt class="literal">domain master</tt></p>

2251

</td>

2252

<td>

2253

<p>boolean</p>

2254

</td>

2255

<td>

2256

<p>For telling Samba to take the role of domain master browser</p>

2257

</td>

2258

<td>

2259

2260

</td>

2261

<td>

2262

<p>Global</p>

2263

</td>

2264

</tr>

2265

<tr>

2266

<td>

2267

<p><tt class="literal">add user script</tt></p>

2268

</td>

2269

<td>

2270

<p>string (command)</p>

2271

</td>

2272

<td>

2273

<p>Script to run to add a user or computer account</p>

2274

</td>

2275

<td>

2276

2277

</td>

2278

<td>

2279

<p>Global</p>

2280

</td>

2281

</tr>

2282

<tr>

2283

<td>

2284

<p><tt class="literal">delete user</tt> <tt class="literal">script</tt></p>

2285

</td>

2286

<td>

2287

<p>string (command)</p>

2288

</td>

2289

<td>

2290

<p>Script to run to delete a user or computer account</p>

2291

</td>

2292

<td>

2293

2294

</td>

2295

<td>

2296

<p>Global</p>

2297

</td>

2298

</tr>

2299

<tr>

2300

<td>

2301

<p><tt class="literal">domain admin group</tt></p>

2302

</td>

2303

<td>

2304

<p>string (list of users)</p>

2305

</td>

2306

<td>

2307

<p>Users that are in the Domain Admins group</p>

2308

</td>

2309

<td>

2310

2311

</td>

2312

<td>

2313

<p>Global</p>

2314

</td>

2315

</tr>

2316

<tr>

2317

<td>

2318

<p><tt class="literal">domain guest group</tt></p>

2319

</td>

2320

<td>

2321

<p>string (list of users)</p>

2322

</td>

2323

<td>

2324

<p>Users that are in the Domain Guests group</p>

2325

</td>

2326

<td>

2327

2328

</td>

2329

<td>

2330

<p>Global</p>

2331

</td>

2332

</tr>

2333

<tr>

2334

<td>

2335

<p><tt class="literal">password server</tt></p>

2336

</td>

2337

<td>

2338

<p>string (list of computers)</p>

2339

</td>

2340

<td>

2341

<p>List of domain controllers used for authentication when Samba is

2342

running as a domain member server</p>

2343

</td>

2344

<td>

2345

2346

</td>

2347

<td>

2348

<p>Global</p>

2349

</td>

2350

</tr>

2351

<tr>

2352

<td>

2353

<p><tt class="literal">machine password timeout</tt></p>

2354

</td>

2355

<td>

2356

<p>numeric (seconds)</p>

2357

</td>

2358

<td>

2359

<p>Sets the renewal interval for NT domain machine passwords</p>

2360

</td>

2361

<td>

2362

2363

</td>

2364

<td>

2365

<p>Global</p>

2366

</td>

2367

</tr>

2368

2369

</table>

2370

2371

<p>Here are detailed explanations of each <a name="INDEX-170"/>Windows NT domain option listed

2372

in <a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a>.</p>

2373

2374

2375

2376

2377

<a name="INDEX-171"/><h3 class="head2">domain logons</h3>

2378

2379

<p>This option configures Samba to accept domain logons as a primary

2380

domain controller. When a client successfully logs on to the domain,

2381

Samba will return a special token to the client that allows the

2382

client to access domain shares without consulting the PDC again for

2383

authentication. Note that the Samba machine must employ user-level

2384

security (<tt class="literal">security</tt> <tt class="literal">=</tt>

2385

<tt class="literal">user</tt>) and must be the PDC for this option to

2386

function. In addition, Windows machines will expect a

2387

<tt class="literal">[netlogon]</tt> share to exist on the Samba server.</p>

2388

2389

2390

2391

2392

<a name="INDEX-172"/><h3 class="head3">domain master</h3>

2393

2394

<p>In a Windows network, a local master browser handles browsing within

2395

a subnet. A Windows domain can be made up of a number of subnets,

2396

each of which has its own local master browser. The primary domain

2397

controller serves the function of domain master browser, collecting

2398

the browse lists from the local master browser of each subnet. Each

2399

local master browser queries the domain master browser and adds the

2400

information about other subnets to their own browse lists. When Samba

2401

is configured as a primary domain controller, it automatically sets

2402

<tt class="literal">domain</tt> <tt class="literal">master</tt>

2403

<tt class="literal">=</tt> <tt class="literal">yes</tt>, making itself the domain

2404

master browser.</p>

2405

2406

<p>Because Windows NT PDCs always claim the role of domain master

2407

browser, Samba should never be allowed to be domain master if there

2408

is a Windows PDC in the domain.</p>

2409

2410

2411

</div>

2412

2413

2414

2415

2416

2417

<a name="INDEX-173"/><h3 class="head3">add user script</h3>

2418

2419

<p>There are two ways in which <tt class="literal">add</tt>

2420

<tt class="literal">user</tt> <tt class="literal">script</tt> can be used. When

2421

the Samba server is set up as a primary domain controller, it can be

2422

assigned to a command that will run on the Samba server to add a

2423

Windows NT/2000/XP computer account to Samba's

2424

password database. When the user on the Windows system changes the

2425

computer's settings to join a domain, he is asked

2426

for the username and password of a user who has administrative rights

2427

on the domain controller. Samba authenticates this user and then runs

2428

the <tt class="literal">add</tt> <tt class="literal">user</tt>

2429

<tt class="literal">script</tt> with root permissions.</p>

2430

2431

<p>When Samba is configured as a domain member server, the

2432

2433

<tt class="literal">script</tt> can be assigned to a command to add a user

2434

to the system. This allows Windows clients to add users that can

2435

access shares on the Samba system without requiring an administrator

2436

to create the account manually on the Samba host.</p>

2437

2438

2439

</div>

2440

2441

2442

2443

2444

2445

<a name="INDEX-174"/><h3 class="head3">delete user script</h3>

2446

2447

<p>There are times when users are automatically deleted from the domain,

2448

and the <tt class="literal">delete</tt> <tt class="literal">user</tt>

2449

<tt class="literal">script</tt> can be assigned to a command that removes a

2450

user from the Samba host as a Windows server would do. However, you

2451

might not want this to happen, because the Unix user might need the

2452

account for reasons other than use with Samba. Therefore, we

2453

recommend that you be very careful about using this option.</p>

2454

2455

2456

</div>

2457

2458

2459

2460

2461

2462

<a name="INDEX-175"/><h3 class="head3">domain admin group</h3>

2463

2464

<p>In a domain of Windows systems, it is possible for a server to get a

2465

list of the members of the Domain Admins group from a domain

2466

controller. Samba 2.2 does not have the ability to handle this, and

2467

the <tt class="literal">domain</tt> <tt class="literal">admin</tt>

2468

<tt class="literal">group</tt> parameter exists as a manual means of

2469

informing Samba who is in the group. The list should contain root

2470

(necessary for adding computer accounts) and any users on Windows

2471

NT/2000/XP clients in the domain who are in the Domain Admins group.

2472

These users must be recognized by the primary controller in order for

2473

them to perform some administrative duties such as adding users to

2474

the domain.</p>

2475

2476

2477

</div>

2478

2479

2480

2481

2482

2483

<a name="INDEX-176"/><h3 class="head3">password server</h3>

2484

2485

<p>In a Windows domain in which the domain controllers are a Windows

2486

primary domain controller, along with any number of Windows backup

2487

domain controllers, clients and domain member servers authenticate

2488

users by querying either the PDC or any of the BDCs. When Samba is

2489

configured as a domain member server, the <tt class="literal">password</tt>

2490

<tt class="literal">server</tt> parameter allows some control over how

2491

Samba finds a domain controller. Earlier versions of Samba could not

2492

use the same method that Windows systems use, and it was necessary to

2493

specify a list of systems to try. When you set

2494

<tt class="literal">password</tt> <tt class="literal">server</tt>

2495

<tt class="literal">=</tt> <tt class="literal">*</tt>, Samba 2.2 is able to find

2496

the domain controller in the same manner that Windows does, which

2497

helps to spread the requests over several backup domain controllers,

2498

minimizing the possibility of them becoming overloaded with

2499

authentication requests. We recommend that you use this method.</p>

2500

2501

2502

</div>

2503

2504

2505

2506

2507

2508

<a name="INDEX-177"/><h3 class="head3">machine password timeout</h3>

2509

2510

<p>The <tt class="literal">machine</tt> <tt class="literal">password</tt>

2511

<tt class="literal">timeout</tt> global option sets a retention period for

2512

Windows NT domain machine passwords. The default is currently set to

2513

the same time period that Windows NT 4.0 uses: 604,800 seconds (one

2514

week). Samba will periodically attempt to change the

2515

<em class="firstterm">machine account password</em>, which is a password

2516

used specifically by another server to report changes to it. This

2517

option specifies the number of seconds that Samba should wait before

2518

attempting to change that password. The timeout period can be changed

2519

to a single day by specifying the following:</p>

2520

2521

<blockquote><pre class="code">[global]

2522

machine password timeout = 86400</pre></blockquote>

2523

2524

2525

<p>If you would like more information on how Windows NT uses domain

2526

usernames and groups, we recommend Eric <a name="INDEX-178"/>Pearce's

2527

<em class="citetitle">Windows NT in a Nutshell</em>, published by

2528

O'Reilly. <a name="INDEX-179"/></p>

2529

</blockquote>

2530

2531

2532

</div>

2533

2534

2535

</div>

2536

2537

2538

</div>

2539

2540

<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> When we include

2541

Windows XP in discussions of Windows NT domains in this book, we are

2542

referring to Windows XP Professional and not to the Home edition. The

2543

reason for this is explained in the section on Windows XP later in

2544

this chapter.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> The entry in

2545

<em class="filename">/etc/passwd</em> might not be required in future

2546

Samba versions.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> If you want to follow our example in this

2547

section, and your network doesn't have any Windows

2548

systems offering shares, see <a href="ch05.html">Chapter 5</a> for

2549

directions on how to create one. Make sure you understand how to set

2550

up shares before continuing with the directions presented

2551

here!</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> The version of the System Policy

2552

Editor distributed with Windows 98 is an update of the version

2553

shipped with Windows 95. Use the version from the Windows 98

2554

distribution if you can.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> This security identifier (SID) is part of

2555

an access token that allows the PDC to identify and authenticate the

2556

client.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>