Mixing Roaming and Local Profiles in Samba 3
Mixed Profiles
Samba can be configured to be a Primary Domain Controller for Windows
Networks. This is extremely useful for scalability. Out of the box,
however, Samba's configuration file, the infamous smb.conf, only
supports global profile types. This means that all authenticated
accounts will be local profiles, or all will be roaming profiles.
There are benefits to both types of profiles. Additionally, it's
perfectly normal to expect both kinds on the same domain at a given
time. Configuring this to simply work, however, is not so
simple.
Configuration, Includes, Mailing Lists, and Rage
To potentially overcome this problem, Samba's configuration allows the
use of "include" files in its configuration. This means that it will
read some of its configuration from another file. Combined with
Samba's macro expander, this should have solved the problem. The macro
expander can replace parts of text with user-specified text on the fly.
For example, it replaces %U with the username of the current
session. If we were to specify include = smb.%U.conf, we should be
able to override settings on a per-user basis.
For some people, this apparently works. If so, congratulations!
Unfortunately for us, this seemingly simple configuration had no useful
effect. From log output, we could see where it would parse the file,
but we could never get it to correctly reassign configuration
parameters. We also discovered a few arrangements that get Samba's
config parser confused.
Looking for more help, we joined the Samba mailing list. We posted. We
searched the archives. We discovered that most, if not all, questions
regarding mixed profile usage go completely unaddressed. At this point,
anger began to take charge.
pdbedit - The Solution
Looking at what we had to work with, we noticed a small tool, pdbedit.
It comes with Samba. Working with a tdb password database, we
discovered that Samba also keeps some configuration settings in its
password database. This only applies for tdbsam though, not for
passdb, and probably not for ldapsam.
One of the configuration settings kept in tdbsam's database was the
user's profile path. This, of course, is the configuration setting
required to make a profile local, or roaming.
Using pdbedit to Fix Profiles
To see what is stored about a user in the password database, use
pdbedit -L -v [username]
You'll see a lot of information: username, NT username, SID stuff, Domain
setting stuff, and also Profile Path. This is set if the profile is
roaming. It is blank if the profile is local. Leaving Profile Path
unspecified in smb.conf, and allowing tdbsam to override it here, is
probably the best option.
pdbedit can be given some commands to override the user's
profile path. To set the user's Profile Path with pdbedit, use this:
pdbedit -p=[profile path] [username]
If you want to clear the profile path, just use -p= with
nothing after the equal sign.
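To check the result across every account, the verbose listing can be parsed for the Profile Path field. The following is an added example, not part of the original article: a shell function that reads pdbedit -L -v output and reports each account as roaming or local. The sample listing is constructed, and the field labels "Unix username:" and "Profile Path:" are assumed to match your pdbedit version's output.

```sh
#!/bin/sh
# Added example: classify accounts as roaming or local from `pdbedit -L -v`
# output read on stdin. Field labels are assumed to match your Samba version.
classify_profiles() {
    awk '
        # Print the record collected so far, then reset for the next account.
        function emit() {
            if (user == "") return
            if (path == "") printf "%s\tlocal\n", user
            else            printf "%s\troaming\t%s\n", user, path
            user = ""; path = ""
        }
        # Text after the first colon, with surrounding blanks removed.
        function value(line) {
            sub(/^[^:]*:[ \t]*/, "", line)
            sub(/[ \t\r]+$/, "", line)
            return line
        }
        /^-+[ \t\r]*$/     { emit(); next }   # record separator
        /^Unix username:/  { emit(); user = value($0); next }
        /^Profile Path:/   { path = value($0); next }
        END                { emit() }
    '
}

# Constructed sample listing (not real accounts): alice roams, bob is local.
sample_listing() {
    cat <<'EOF'
---------------
Unix username:        alice
NT username:
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3000
Home Directory:       \\fileserver\alice
Profile Path:         \\fileserver\profiles\alice
Domain:               EXAMPLE
---------------
Unix username:        bob
NT username:
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3002
Home Directory:       \\fileserver\bob
Profile Path:
Domain:               EXAMPLE
EOF
}

sample_listing | classify_profiles
```

On a real domain controller, replace the sample with `pdbedit -L -v | classify_profiles`; an account that shows up as roaming when it should be local still has a Profile Path stored in tdbsam.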
Results
This method of solving the mixed-profile problem seems to have come
without a hitch. It seems too simple too. It's a wonder that most of
those mailing list people don't get replied to. This got us out of a
bind, and hopefully it will help someone else out too.
Samba can, in fact, do what you want it to. Sometimes you just have to
trick it into doing it :)