Roaming profiles in ns7 Active Directory

Yes, that's true.
It was my fault, a copy and paste error.
Better try:
chmod 1770 /var/lib/nethserver/profiles

For full blown adoption of Nethserver as a replacement for MS SBS which no longer exists, this would be a requirement and a showstopper, yes. It is not doable to use virtualisation in even a small environment, without them, unless you do not mind telling users to redo their settings every day.

1 Like

Thanks for your thoughts, what are we still missing? Feel free to open a new topic
I’d like to achieve this goal as soon as possible :slight_smile:

MS has a permission requirement on setting up roaming profiles. The user needs full control on the folder that is assigned as his/her roaming profile. On Nethserver, this can only be done by granting this on ‘other’ level, thus enabling users to access each other's homedir, if I understood this topic right.

Sticky, afaik, only prevents rename and delete, and not read or even edit, thus creating quite a security risk given the amount of sensitive information residing in the profile.

If you want to utilize thin clients or use a few machines as walk-in desk, not having roaming profiles will be a pita. This topic was the closest to a solution I ever came, and I just can't use it in good faith, given the security implications.

As soon as I ruled out error on my part, I will be creating a support call detailing what I am missing compared to M$, but I’m pretty sure this will be part of it.

3 Likes

Thanks for clarifying your point. A new topic about the above comparison would be useful indeed.

I followed the guide and it works well …
I made the modification to the permissions as described here:

https://wiki.samba.org/index.php?title=Roaming_Windows_User_Profiles&_Windows_Profiles=

chgrp -R "Domain Users" /var/lib/nethserver/profiles/
chmod 1757 /var/lib/nethserver/profiles/

It is to be inserted absolutely in the next versions !!!

I have edited DOMAIN with Remote Server Administration Tools (RSAT)

9 Likes

I agree roaming profiles should be in ns!! I currently just make shares for each user and move the desktop, documents, etc to there…but that can get tedious.

1 Like

If I would have more space on either my drives or in my schedule, I would just try … but have you by any chance looked at this from a security perspective as well ?

Is my assumption correct that using this workaround means that all profiles will be accessible by anybody with a profile path set as long as they know where to look ?

Isn’t it possible to use the user-home-folder ?

1 Like

That quickly becomes a mess with storage requirements or profile issues. If users can easily find it, they can easily break it :wink:

1 Like

Maybe we can/should use a more modern way like UE-V ?
User Experience Virtualization overview

Afaik that needs to store settings in the user profile, so gets me nothing … ?

So, what we're planning during the Christmas holidays is a setup where we'll try to put all “My Documents” of Windows and all “Home” folders on the standard Nethserver share of the specified user.
The approach will be that on Windows clients we probably use the netlogon.bat, and on Linux clients (SUSE- Gnome) I don't have a clue yet (e.g. something like https://serverfault.com/questions/504759/heterogeneous-environment-roaming-profiles ).
I'll report… and I'm open for ideas… and will there ever be an out-of-the-box solution by NS?

I’d like to expand the AD GPO support for both Linux (sssd) and Windows (native) clients.

As said during the NethServer Conference, we could develop some esmith templates for GPOs, covering basic use cases. For instance,

  • home dirs (windows, linux)
  • roaming profiles (windows)
  • host based shell access (Linux)

5 Likes

And would that be implementable with a switch in the NS GUI?

1 Like

I have corrected my post:

I created a directory /var/lib/nethserver/profiles and then assigned it the following permissions:
chmod 1757 /var/lib/nethserver/profiles
The ‘everyone’ permission of 7 is what allows the user account to create their own profiles directory upon first login. The sticky bit means that they can delete files/directories in their own profiles directory, but nobody else can, since they are not the owner.
Tested and works!

1 Like
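An added example, not part of any post in this thread: a small audit of the permission question discussed above. It checks whether a world-writable profile root carries the sticky bit and lists per-user directories that grant any group or other access. The sample tree, the names `alice` and `bob`, and the function names are constructed for illustration; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a roaming-profile root and the user directories in it.
# Assumes GNU stat (stat -c), as shipped with CentOS 7 / NethServer 7.

audit_profiles() (
    root=$1
    mode=$(stat -c '%a' "$root") || exit 2

    # Writable by "other" but no sticky bit: any user can rename or delete
    # another user's profile directory.
    if [ $(( 0$mode & 0002 )) -ne 0 ] && [ ! -k "$root" ]; then
        echo "ROOT_NO_STICKY $root $mode"
    fi

    # The root's mode only governs entries directly inside it. Whether one
    # user can read another's profile depends on each directory's own mode.
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        dmode=$(stat -c '%a' "$dir") || continue
        if [ $(( 0$dmode & 0077 )) -ne 0 ]; then
            echo "EXPOSED $dir $dmode"
        fi
    done
)

# Constructed sample tree: root set up as in the thread (chmod 1757),
# one private and one group/other-readable profile directory.
demo() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    mkdir "$tmp/profiles" "$tmp/profiles/alice" "$tmp/profiles/bob"
    chmod 1757 "$tmp/profiles"
    chmod 700 "$tmp/profiles/alice"
    chmod 755 "$tmp/profiles/bob"
    audit_profiles "$tmp/profiles"
)

demo
```

The check looks at mode bits only; POSIX ACLs (`getfacl`) and group membership are not inspected, so an `EXPOSED` line is a prompt to look closer rather than proof of access.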

My 2 cents:
Would it be possible to set up this scenario:
Two locations with two NS7 servers.
Location no #1: NS7 as SambaAD
Location no #2: NS7 joined to Loc#1 as a “secondary” sambaAD server.
Connection with IPsec so servers can see each other.

Users from Location #1 have roaming profiles set up at the main SambaAD server
Users from Location #2 have roaming profiles set up at the secondary NS7 server joined to SambaAD?

Would it be possible to set up?

so far that is nowhere implemented in NS, right?

Not yet, unfortunately

For SUSE Linux clients we found a solution: mounting the home directory directly at the user's home on NS, which is absolutely great. All files and settings are directly stored on the server and therefore also backed up with the normal backup procedure; only the network connection must be guaranteed. Done on every client, this makes roaming unnecessary.

6 Likes