Roaming profiles in ns7 Active Directory

v7

(Jeroen Visser) #21

MS has a permission requirement on setting up roaming profiles. The user needs full control on the folder that is assigned as his/her roaming profile. On Nethserver, this can only be done by granting this on ‘other’ level, thus enabling users to access each other's homedir, if I understood this topic right.

Sticky, afaik, only prevents rename and delete, and not read or even edit, thus creating quite a security risk given the amount of sensitive information residing in the profile.

If you want to utilize thinclients or use a few machines as walk-in desk, not having roaming profiles will be a pita. This topic was the closest to a solution I ever came, and I just can't use it in good faith, given the security implications.

As soon as I have ruled out error on my part, I will be creating a support call detailing what I am missing compared to M$, but I’m pretty sure this will be part of it.


(Alessio Fattorini) #22

Thanks for clarifying your point. A new topic about the above comparison would be useful indeed.


(Antonio) #23

I followed the guide and it works well …
I made the modification to the permissions as described here:

https://wiki.samba.org/index.php?title=Roaming_Windows_User_Profiles&_Windows_Profiles=

chgrp -R "Domain Users" /var/lib/nethserver/profiles/
chmod 1757 /var/lib/nethserver/profiles/

It is to be inserted absolutely in the next versions !!!

I have edited the DOMAIN with Remote Server Administration Tools (RSAT).


(Joel Clendineng) #24

I agree roaming profiles should be in ns!! I currently just make shares for each user and move the desktop, documents, etc to there…but that can get tedious.


(Jeroen Visser) #25

If I had more space on either my drives or in my schedule, I would just try … but have you by any chance looked at this from a security perspective as well?

Is my assumption correct that using this workaround means that all profiles will be accessible by anybody with a profile path set, as long as they know where to look?


(fpausp) #26

Isn’t it possible to use the user home folder?


(Jeroen Visser) #27

That quickly becomes a mess with storage requirements or profile issues. If users can easily find it, they can easily break it :wink:


(fpausp) #28

Maybe we can/should use a more modern way like UE-V?
User Experience Virtualization overview


(Jeroen Visser) #29

Afaik that needs to store settings in the user profile, so it gets me nothing …?


(Dr Thomas Quinton) #30

So, what we're planning during the Christmas holidays is a setting where we'll try to put all “My Documents” of Windows and all “Home” folders onto the standard Nethserver share of the specified user.
The approach will be that on Windows clients we probably use the netlogon.bat, and on Linux clients (SUSE Gnome) I don't have a clue yet (e.g. something like https://serverfault.com/questions/504759/heterogeneous-environment-roaming-profiles ).
I'll report … and I'm open for ideas … and will there ever be an out-of-the-box solution by NS?


(Davide Principi) #31

I’d like to expand the AD GPO support for both Linux (sssd) and Windows (native) clients.

As said during the NethServer Conference, we could develop some esmith templates for GPOs, covering basic use cases. For instance,

  • home dirs (windows, linux)
  • roaming profiles (windows)
  • host based shell access (Linux)

(Dr Thomas Quinton) #32

And would that be implementable with a switch in the NS GUI?


(Antonio) #33

I have corrected my post:

I created a directory /var/lib/nethserver/profiles and then assigned it the following permissions: chmod 1757 /var/lib/nethserver/profiles The ‘everyone’ permissions of 7 is what allows the user account to create their own profiles directory upon first login. The sticky bit means that they can delete files/directories in their own profiles directory, but nobody else can, since they are not the owner.
Tested and it works!
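An added check, not from this thread, for the layout described above: it audits a profile root set up with chmod 1757 and reports profile directories that other domain users could still read or write, or that are owned by someone other than the user (the "access denied" case). It assumes the root path used in the thread and that each profile directory is named after its user with an optional Windows suffix such as .V2.

```shell
#!/bin/sh
# Added example, not from the thread: audit a roaming-profile root that was
# set up as "chmod 1757 <root>" and report profile directories that other
# domain users could still read or write.
# Assumptions (not stated in the thread): the default root path below, and
# that each profile directory is named after its user, optionally with a
# Windows suffix such as ".V2".

audit_profiles() {
    root=${1:-/var/lib/nethserver/profiles}
    findings=0
    root_mode=$(stat -c '%a' "$root") || return 2
    # The root must stay world-writable + sticky so users can create their
    # own directory on first logon but cannot rename or delete others'.
    if [ "$root_mode" != "1757" ]; then
        echo "WARN $root: mode=$root_mode (expected 1757)"
        findings=$((findings + 1))
    fi
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        name=$(basename "$dir")
        expected=${name%%.V*}        # strip a ".V2"-style suffix (assumption)
        owner=$(stat -c '%U' "$dir")
        mode=$(stat -c '%a' "$dir")
        tail_bits=$(printf '%s' "$mode" | tail -c 2)   # group + other digits
        problems=""
        # A directory owned by someone else (e.g. root) gives the user
        # "access denied" at logon; any group/other bit exposes the profile.
        [ "$owner" = "$expected" ] || problems="$problems owner=$owner(expected $expected)"
        [ "$tail_bits" = "00" ] || problems="$problems mode=$mode(group/other access)"
        if [ -n "$problems" ]; then
            echo "WARN $dir:$problems"
            findings=$((findings + 1))
        fi
    done
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Stand-alone usage: AUDIT_MAIN=1 sh audit_profiles.sh [root]
if [ "${AUDIT_MAIN:-0}" = 1 ]; then audit_profiles "$@"; fi
```

A clean run prints "0 finding(s)" and exits 0, so it can be put in a cron job or a monitoring check.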


(Dominik) #34

My 2 cents:
Would it be possible to set up this scenario:
Two locations with two NS7 servers.
Location #1: NS7 as Samba AD
Location #2: NS7 joined to Loc #1 as a “secondary” Samba AD server.
Connection with IPsec so the servers can see each other.

Users from Location #1 have roaming profiles set up at the main Samba AD server.
Users from Location #2 have roaming profiles set up at the secondary NS7 server joined to Samba AD?

Would it be possible to set this up?


(Armin) #35

So far that is nowhere implemented in NS, right?


(Alessio Fattorini) #36

Not yet, unfortunately


(Dr Thomas Quinton) #37

For SUSE Linux clients we found a solution: mounting the home directory directly at the user's home on NS, which is absolutely great. All files and settings are directly stored at the server and therefore also backed up with the normal backup procedure; only the network connection must be guaranteed. Done on every client, this makes roaming unnecessary.


(Armin) #38

Hi everybody,

I am trying to set up roaming profiles and it works now but … with manual configuration. I think I am missing something.

I don’t quite understand uliversal’s approach further up here. Too much command line for me, till now. I then created a share “profiles” via the nethserver web interface and changed the path there via RSAT tools just as uliversal did. Upon logging in, a folder for the user is created, then ‘access denied’ follows and the roaming profile cannot be loaded. I changed the ownership of the newly created folder to the respective user and now roaming profiles work. Before that, every folder on that share had ‘root’ as owner.

I would like that to work automatically.

Why is the owner ‘root’ in the first place? Shouldn’t it be the creator or the owner I set in the web interface of the server?

Do I miss something else to get roaming profiles?

I have nethserver 7.4 and Windows 7 Professional, if that’s important.

Thanks for your help!

edit: Is there a difference between ‘server based’ and ‘roaming’ profiles? I understand them to be the same thing.


(Davide Principi) #39

Did you try to change this setting in Windows file server page? (Applies to new dirs only)


(Armin) #40

That was missing. Roaming profiles are operational now!

Thank you for the great support here, and great product!