Mixing Roaming and Local Profiles in Samba 3

Mixed Profiles

Samba can be configured to be a Primary Domain Controller for Windows networks. This is extremely useful for scalability. Out of the box, however, Samba's configuration file, the infamous smb.conf, only supports global profile types. This means that all authenticated accounts will be either local profiles or roaming profiles, not a mix of the two.

There are benefits to both types of profiles. Additionally, it's perfectly normal to expect both kinds on the same domain at a given time. Configuring this to simply work, however, is not so simple.

Configuration, Includes, Mailing Lists, and Rage

To potentially overcome this problem, Samba allows the use of "include" files in its configuration. This means that it will read some of its configuration from another file. Combined with Samba's macro expander, this should have solved the problem. The macro expander can replace parts of text with user-specified text on the fly. For example, it replaces %U with the username of the current session. If we were to specify include = smb.%U.conf, we should be able to override settings on a per-user basis.

For some people, this apparently works. If so, congratulations! Unfortunately for us, this seemingly simple configuration had no useful effect. From log output, we could see where it would parse the file, but we could never get it to correctly reassign configuration parameters. We also discovered a few arrangements that get Samba's config parser confused.

Looking for more help, we joined the Samba mailing list. We posted. We searched the archives. We discovered that most, if not all, questions regarding mixed profile usage go completely unaddressed. At this point, anger began to take charge.

pdbedit - The Solution

Looking at what we had to work with, we noticed a small tool, pdbedit. It comes with Samba. Using it with a tdb password database, we discovered that Samba also keeps some configuration settings in its password database. This only applies to tdbsam though, not to passdb, and probably not to ldapsam.

One of the configuration settings kept in tdbsam's database is the user's profile path. This, of course, is the configuration setting required to make a profile local or roaming.

Using pdbedit to Fix Profiles

To see what is stored about a user in the password database, use:
pdbedit -L -v [username]

You'll see a lot of information: username, NT username, SID stuff, Domain setting stuff, and also Profile Path. This is set if the profile is roaming. It is blank if the profile is local. Leaving Profile Path unspecified in smb.conf and allowing tdbsam to override it here is probably the best option.

pdbedit can be given some commands to override the user's profile path. To set the user's Profile Path with pdbedit, use this:
pdbedit -p=[profile path] [username]

If you want to clear the profile path, just use -p= with nothing after the equal sign.
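
To check the result across the whole domain, here is an added example (not from the original post): a small shell helper that reads pdbedit -L -v output and reports each account as roaming or local based on its Profile Path field. The account names, server name and paths in the sample are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify accounts from `pdbedit -L -v` output.
# A blank "Profile Path:" means a local profile; a set one means roaming.

# Reads verbose pdbedit output on stdin.
# Prints one line per account: user<TAB>local|roaming<TAB>profile path
classify_profiles() {
    awk '
        /^Unix username:/ {
            sub(/^Unix username:[ \t]*/, ""); sub(/[ \t]+$/, "")
            user = $0
            next
        }
        /^Profile Path:/ {
            sub(/^Profile Path:[ \t]*/, ""); sub(/[ \t]+$/, "")
            kind = ($0 == "") ? "local" : "roaming"
            printf "%s\t%s\t%s\n", user, kind, $0
        }
    '
}

# Constructed sample (trimmed to a few fields); names and paths are made up.
sample_pdbedit_output() {
    cat <<'EOF'
---------------
Unix username:        alice
NT username:
Home Directory:       \\pdc\alice
Profile Path:         \\pdc\profiles\alice
Domain:               EXAMPLE
---------------
Unix username:        bob
NT username:
Home Directory:       \\pdc\bob
Profile Path:
Domain:               EXAMPLE
EOF
}

# Demo on the sample. On a real PDC (as root): pdbedit -L -v | classify_profiles
sample_pdbedit_output | classify_profiles
```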

Results

This method of solving the mixed-profile problem seems to have come without a hitch. It seems too simple, too. It's a wonder that most of those mailing list people don't get replied to. This got us out of a bind, and hopefully it will help someone else out too.

Samba can, in fact, do what you want it to. Sometimes you just have to trick it into doing it :)