MS has a permission requirement on setting up roaming profiles. The user needs full controll on the folder that is assigned as his/her roaming profile. On Nethserver, this can only be done by granting this on ‘other’ level, thus enabling users to access eachothers homedir, if I understood this topic right.
Sticky, afaik, only prevents rename and delete, and not read or even edit, thus creating quite a security risk given the amount of sensitive information residing in the profile.
If you want to utilize thinclients or use a few machines as walk-in desk, not having roaming profiles will be a pita. This topic was the closest to a solution I ever came, and I just cant use it in good faith, given the security implications.
As soon as I ruled out error on my part, I will be creating a support call detailing what I am missing compared to M$, but I’m pretty sure this will be part of it.
I agree roaming profiles should be in ns!! I currently just make shares for each user and move the desktop, documents, etc to there…but that can get tedious.
If I would have more space on either my drives or in my schedule, I would just try … but have you by any chance looked at this from a security perspective as well ?
Is my assumption correct that using this workaround means that all profiles will be accessible by anybody with a profile path set as long as they know where to look ?
So, what we´ re planning during christmas holidays is a setting, where we´ ll try to put all “My Documents” of Windows and all “Home” Folder to the standard Nethserver share of the specified user.
The approach will be, that on Windows clients we probably use the netlogon.bat and on Linux clients (SUSE- Gnome) I don´ t have a clue yet (e.g. something like https://serverfault.com/questions/504759/heterogeneous-environment-roaming-profiles ).
I´ ll report…and I´ m open for ideas…and will there be ever a out of the box solution by NS?
I created a directory /var/lib/nethserver/profiles and then assigned it the following permissions: chmod 1757 /var/lib/nethserver/profiles The ‘everyone’ permissions of 7 is what allows the user account to create their own profiles directory upon first login. The sticky bit means that they can delete files/directories in their own profiles directory, but nobody else can, since they are not the owner.
TEST and work !
My 2 cent’s:
Would it be possible to setup this scenario:
Two locations with two NS7 servers.
Location no #1: NS7 as SambaAD
Location no #2: NS7 joined to Loc#1 as a “secondary” sambaAD server.
connection with IPsec so servers can see each other.
Users from Location #1 has Roaming profiles setup at main SambaAD server
Users from Location #2 has Roaming profiles setup at server located at secondary NS7 server joined to SambaAD?
For SUSE Linux Clients we found a solution- Mounting the home directory directly at the users home on NS- which is absolutly great- all files and settings are directly stored at the Server and also therefore backuped with the normal backup prozedure- only the network connection must be garanteed. Done on every cllent makes roaming unnecessary.
I am trying to set up roaming profiles and it works now but … with manual configuration. I think I miss something.
I don’t quite understand uliversal’s approach further up here. Too much command line for me, til now. I created then a share “profiles” via the nethserver web interface and changed the path there via RSAT tools just as uliversal did. Upon login in a folder for the user is created, then ‘access denied’ follows and the roaming profil cannot be loaded. I changed the ownership of the newly created folder to the respective user and now roaming profiles work. Before every folder on that share has as owner ‘root’
I would like that to work automatically.
Why is the owner ‘root’ in the first place? Shouldn’t that be the creater or the owner I set in the web interface of the server?
Do I miss something else to get roaming profiles?
I have nethserver 7.4 and Windows 7 Professional, if that’s important.
Thanks for your help!
edit: Is there is difference between ‘server based’ and ‘roaming’ profiles? I understand them to be the same thing.
