Roaming profiles in ns7 Active Directory

4 posts were split to a new topic: NTP time synchronization with Samba DC

Are the roaming profiles so essential? Don’t know :slight_smile: so I’d like to know your thoughts about it

Well, it's handy because some of our users are switching their workstations regularly and like to have their files and settings equal on all stations.

4 Likes

Indeed, sometimes they are handy

1 Like

As a Windows admin, we do use roaming profiles and folder redirection. For our setup (not using NS here), it's essential, but for others (some companies I previously worked at), not. Our users can log into any workstation, not that they do, but it is easier to swap out computers for repair and log in to their newly issued unit with all their files and configurations intact.

It's a nice-to-have feature, as it will come in handy when needed.

5 Likes

Just configured roaming profiles with Nethserver:

Log in as root via SSH and enter the following commands (substitute your domain):

mkdir /var/lib/nethserver/profiles
chown "administrator@<domain>" /var/lib/nethserver/profiles
chgrp "domain admins@<domain>" /var/lib/nethserver/profiles
chmod 777 /var/lib/nethserver/profiles

(I don't like giving full access to "others", but it does not work without this. If anyone knows how this could be avoided, please tell me.)

mkdir -p /etc/e-smith/templates-custom/etc/samba/smb.conf
vi /etc/e-smith/templates-custom/etc/samba/smb.conf/71profiles

Put this in the new file:


[profiles]
comment = Profiles directory
browsable = no
path = /var/lib/nethserver/profiles
read only = no
store dos attributes = Yes
create mask = 0600
directory mask = 0700
profile acls = yes
csc policy = disable

Do a samba update

signal-event nethserver-samba-update

Now set the profile path (separate for each user or for many users at the same time) via Microsoft RSAT-Tools in the “Active Directory Users and Computers > Profile > User Profile > Profile Path” to

\\<hostname>\profiles\%USERNAME%

Don’t forget to substitute with the host name of the server.
Or set the profile path as a group policy (via Microsoft RSAT-Tools, group policy editor) under "Computer Configuration > Policies > Administrative Templates > System > User Profiles > Set roaming profile path for all users…" to

\\<hostname>\profiles\%USERNAME%

But this is done for all users on the computer. Even the local users (not domain users). Don’t forget to update policy before testing (gpupdate /force in DOS box).

Now roaming profiles are working.

Maybe the NethServer part can be configured via the web interface in the future (I’m not yet so deep inside NethServer to do this).

8 Likes

well, think about a windows terminal server joined to the NS domain and roaming profiles… on windows you’ve no data but some sw… i.e. you don’t have to backup it (a VM clone is enough) and can easily move to another server when/if needed
the "roaming" profile is used also in linux, using LTSP or other terminalization techniques (like X2GO)… you've your auth server, a desktop distro that exports the DE, but all the data is in your server…

the sad thing is that windows change roaming profiles each 3x2 (maybe only italian guys will understand :slight_smile: )
and each time you’ve got a new version, all the data is copied again…

3 Likes

hello uliversal

chmod 777 /var/lib/nethserver/profiles
is nice but better you use
chmod 1777 /var/lib/nethserver/profiles
with the sticky bit it is a little bit safer

777 is bad and should not be used anywhere

1 Like

yes, that's true
was my fault, copy and paste error
better try
chmod 1770 /var/lib/nethserver/profiles

For full blown adoption of Nethserver as a replacement for MS SBS which no longer exists, this would be a requirement and a showstopper, yes. It is not doable to use virtualisation in even a small environment, without them, unless you do not mind telling users to redo their settings every day.

1 Like

Thanks for your thoughts, what are we still missing? Feel free to open a new topic
I’d like to achieve this goal as soon as possible :slight_smile:

MS has a permission requirement on setting up roaming profiles. The user needs full control on the folder that is assigned as his/her roaming profile. On Nethserver, this can only be done by granting this on 'other' level, thus enabling users to access each other's home dir, if I understood this topic right.

Sticky, afaik, only prevents rename and delete, and not read or even edit, thus creating quite a security risk given the amount of sensitive information residing in the profile.

If you want to utilize thin clients or use a few machines as a walk-in desk, not having roaming profiles will be a pita. This topic was the closest to a solution I ever came, and I just can't use it in good faith, given the security implications.

As soon as I have ruled out error on my part, I will be creating a support call detailing what I am missing compared to M$, but I'm pretty sure this will be part of it.

3 Likes

Thanks for clarifying your point. A new topic about the above comparison would be useful indeed.

I followed the guide and it works well …
I made the modification to the permissions as described here:

https://wiki.samba.org/index.php?title=Roaming_Windows_User_Profiles&_Windows_Profiles=

chgrp -R "Domain Users" /var/lib/nethserver/profiles/
chmod 1757 /var/lib/nethserver/profiles/

It is to be inserted absolutely in the next versions !!!

I have edited the DOMAIN with Remote Server Administration Tools (RSAT)

9 Likes
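The posts above try 777, 1777, 1770 and 1757 on the share root while the [profiles] share itself creates each user's directory with `directory mask = 0700`, so the real question is whether the per-user directories end up private. This added audit script (not from the thread) checks both: a world-writable share root without the sticky bit, and any profile directory that is readable by group/other or not owned by the user it is named after. It assumes GNU coreutils (`stat -c`) and that Windows named the directories `<username>` or `<username>.V<n>` from `%USERNAME%`.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Samba [profiles] share.
# Findings go to stderr; the number of findings is printed on stdout.
# Assumes GNU stat and profile dirs named <user> or <user>.V<n>.

audit_profiles() {
    root=$1
    findings=0

    # Share root: world-writable is only tolerable with the sticky bit (1777).
    mode=$(stat -c '%a' "$root")                 # e.g. 777, 1777, 1770
    if [ $((0$mode & 02)) -ne 0 ] && [ $((0$mode & 01000)) -eq 0 ]; then
        echo "WARN $root mode $mode: world-writable without sticky bit" >&2
        findings=$((findings + 1))
    fi

    # Per-user directories: must be 0700-style and owned by the matching user.
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue                # glob did not match: no profiles yet
        dir=${dir%/}
        name=$(basename "$dir")
        user=${name%%.V[0-9]*}                   # strip the Windows .V2/.V6 suffix
        owner=$(stat -c '%U' "$dir")
        dmode=$(stat -c '%a' "$dir")
        if [ $((0$dmode & 0077)) -ne 0 ]; then
            echo "WARN $dir mode $dmode: readable or writable by group/other" >&2
            findings=$((findings + 1))
        fi
        if [ "$owner" != "$user" ]; then
            echo "WARN $dir owned by $owner, expected $user" >&2
            findings=$((findings + 1))
        fi
    done

    echo "$findings"
}

# Usage: ./audit_profiles.sh /var/lib/nethserver/profiles  (exit 1 on findings)
if [ $# -gt 0 ]; then
    n=$(audit_profiles "$1")
    [ "$n" -eq 0 ]
fi
```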

I agree roaming profiles should be in ns!! I currently just make shares for each user and move the desktop, documents, etc to there…but that can get tedious.

1 Like

If I would have more space on either my drives or in my schedule, I would just try … but have you by any chance looked at this from a security perspective as well ?

Is my assumption correct that using this workaround means that all profiles will be accessible by anybody with a profile path set as long as they know where to look ?

Isn’t it possible to use the user-home-folder ?

That quickly becomes a mess with storage requirements or profile issues. If users can easily find it, they can easily break it :wink:

1 Like

Maybe we can/should use a more modern way like UE-V ?
User Experience Virtualization overview